1. Important Information

PAPER ROCK MANAGEMENT LIMITED, (collectively referred to as “PAPER ROCK”, “we”, “us” or “our” in this privacy policy) respects your privacy and is committed to protecting your personal data. The personal data that we collect depends on the service requested and agreed in each case. This privacy policy explains as to how we collect and process your personal data and informs you about your privacy rights under the Processing of Personal Data (Protection of individuals) Law 125 (I)/2018) as amended from time to time and the EU General Data Protection Regulation (“GDPR”) 2016/679.

This Privacy Policy is directed to natural persons who are either current or potential clients of The Firm or are authorised representatives/agents or beneficial owners of legal entities of natural persons. It is also directed to natural persons who had such a contractual or other legal relationship with PAPER ROCK in the past. It also contains information about sharing your personal data with other members of PAPER ROCK and other third parties, such us other service providers or suppliers.

This Privacy Policy aims to provide you with information on how we collect and process your personal data through your use of this website, including any data you may provide through this website when signing up to our newsletter and/or during our contractual relationship. It is important that you read this privacy policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing your personal data so that you are fully aware of how and why your data is being used. This privacy policy supplements the other policies and it is not intended to override them.

2. Who We Are

PAPER ROCK MANAGEMENT LIMITED, incorporated and registered in Cyprus under Registration No. HE XXXXXX whose registered office is at Christaki Kranou 69, Potamos Germasogeias, Floor 2, Office 1, 4042, Limassol, Cyprus.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to privacy issues. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:

Name: Evros Economou Email address: evros.e@paperrock.eu Postal address: Christaki Kranou 69, Potamos Germasogeias, Floor 2, Office 1, 4042, Limassol, Cyprus.

3. Your Duty to Inform Us of Changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

4. Collection of Your Data

Personal data, or personal information, means any information about an individual from which that person can be identified. This can include a wide range of information, such as:

Name, identification number and more. Contact Information: Email address, phone number or address. Age, gender, marital status, or nationality. Financial Information: Bank account details, credit card numbers or financial records.

If you are a prospective client, or a non-client counterparty in a transaction of a client or an authorised representative/agent or beneficial owner of a legal entity or of a natural person which/who is a prospective client, the relevant personal data which we collect may include Identity Data (names, title, DOB, gender), Contact Data (addresses, emails, phone numbers), and Marketing/Communications Data.

Additionally, we may collect banking information, employment status, PEP status, FATCA/CRS information, authentication data, IP addresses, insurance information, and professional/educational background. We may also obtain personal data that arises from fulfilling our contractual obligations, including tax residency and source of wealth details.

5. Children’s Data

We understand the importance of protecting children’s privacy. We may collect personal data in relation to children, only provided that we have first obtained their parents’ or legal guardian’s consent or unless otherwise permitted under the law.

6. If You Fail to Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide information when requested, we may not be able to perform our contractual obligations (for example, to provide you with our services). In this case, we may have to abort all contractual obligations, but we will notify you if this is the case at the time.

7. Whether You Have an Obligation to Provide Us with Your Personal Data

For us to enter into a contractual relationship with you, you must provide your personal data to us. We are furthermore obligated to collect such personal data given the provisions of the money laundering law, which require that we verify your identity before we enter into a business relationship. If you do not provide us with the required data, we will not be allowed to commence or continue our contractual relationship.

8. How Your Personal Data is Collected

We collect and process different types of personal data, which we receive from our clients (potential and current) in person or via their representative in the context of the contractual relationship.

9. Purpose of Data Processing and Legal Basis

Personal data may be processed to fulfill our obligation in combating money laundering and terrorist financing, as well as to comply with tax reporting requirements (FATCA, CRS). Most commonly, we use your personal data for:

Performance of a contract: To fulfill the terms of our agreement. Legitimate interests: For business reasons such as litigation defense, service development, and internal sharing within PAPER ROCK for compliance updates. Legal/Regulatory obligations: To comply with Cyprus Banking Law, Money Laundering Law, Tax Laws, and rules from supervisory authorities like the Cyprus Bar Association. Consent: Where you have given specific consent, which you have the right to revoke at any time.

10. Change of Purpose

We will only use your personal data for the purposes for which we have collected it, unless we reasonably consider that we need to use it for another reason compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis.

11. Marketing

We may process your personal data to inform you about our services and newsletters. You may “opt out” at any time by clicking the “unsubscribe” link in our emails or by contacting us in writing.

12. Third-Party Links

This website may include links to third-party websites. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.

13. Cookies

Our website uses small files known as cookies to improve service and site functionality. You can set your browser to reject cookies, though this may affect your ability to use our website.

14. Who Do We Share Your Personal Data With

In the course of performing our obligations, your personal data may be provided to different departments within PAPER ROCK and third-party agents, service providers, or suppliers (e.g., auditors, IT companies, cloud storage, legal consultants). Such third parties are bound by confidentiality and data protection laws and are only permitted to process data according to our instructions.

15. International Transfers

Your personal data may be transferred to countries outside of the European Economic Area (EEA). We ensure protection through “binding corporate rules,” Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards for transfers to countries like the US.

16. Data Security

Appropriate security measures are in place to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way. Access is limited to authorized personnel subject to a duty of confidentiality.

17. Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, considering the length of our relationship, legal obligations, and our legal position (such as potential litigation).

18. Your Legal Rights

You have rights to: Request access to your data. Request correction of inaccurate data. Request erasure (the ‘right to be forgotten’). Object to or restrict processing. Request transfer of your data. Withdraw consent.

To exercise these rights, contact our DPO at: evros.e@paperrock.eu

19. Right to Lodge a Complaint

You have the right to make a complaint at any time to the Office of the Commissioner for Personal Data in Cyprus. We would, however, appreciate the chance to address your concerns first via legal@paperrock.eu.

20. Changes to the Privacy Policy

This version was last updated on 10/04/2026. This Privacy Policy may be amended from time to time, and we encourage you to review it periodically.