Privacy Notice

This Privacy Notice (the "Notice") describes how OmhuAI AB, a company registered in Sweden ("BondGovernance", "we", "us"), processes personal data in connection with the BondGovernance website at bondgovernance.com and the related governance-infrastructure service (collectively, the "Service").

For the processing described in this Notice, OmhuAI AB acts as the data controller within the meaning of Regulation (EU) 2016/679 (the "GDPR"). Where BondGovernance processes personal data on behalf of an institutional customer as part of the Service, it acts as a processor and the processing is governed by a separate Data Processing Agreement.

We process the following categories of personal data:

• Identification and contact data — name, business email, business telephone, job title, employer and jurisdiction, where provided through forms, access requests or correspondence.
• Access and credential data — account identifiers, authentication events, role assignments and entitlement records for users of the Service.
• Usage and technical data — IP address, device and browser characteristics, access timestamps, request metadata and audit logs generated by interaction with the Service.
• Counterparty data — professional information about individuals identified in transaction documentation (issuers, trustees, agents, advisers) where strictly necessary for the operation of the Service.

We do not seek to process special categories of personal data within the meaning of Article 9 GDPR. The Service is not directed at children.

Personal data is processed for the following purposes, on the legal bases set out in Article 6(1) GDPR:

• Providing and securing the Service — performance of a contract (Art. 6(1)(b)) or our legitimate interest in operating a secure, reliable infrastructure service (Art. 6(1)(f)).
• Managing access and onboarding — performance of a contract (Art. 6(1)(b)) and our legitimate interest in restricting access to verified professional counterparties (Art. 6(1)(f)).
• Compliance with legal obligations — including obligations under sanctions, anti-money-laundering, market-abuse, accounting and tax law (Art. 6(1)(c)).
• Audit, logging and dispute defence — our legitimate interest in maintaining a defensible audit trail and establishing, exercising or defending legal claims (Art. 6(1)(f), Art. 9(2)(f) where applicable).
• Institutional communication — our legitimate interest in communicating with professional counterparties about the Service (Art. 6(1)(f)).

Personal data may be disclosed to (i) authorised personnel of OmhuAI AB and its affiliates on a need-to-know basis, (ii) vetted third-party processors providing hosting, infrastructure, identity, analytics, observability and support services under written processing agreements compliant with Article 28 GDPR, (iii) the relevant institutional customer where BondGovernance acts as processor, and (iv) competent authorities, courts or regulators where required by law.

Personal data is hosted within the European Union / European Economic Area where reasonably practicable. Where processing involves a transfer of personal data to a third country outside the EEA, such transfer is carried out on the basis of an adequacy decision under Article 45 GDPR or, in its absence, appropriate safeguards under Article 46 GDPR, including the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented by transfer impact assessments and, where required, additional technical and organisational measures.

Personal data is retained only for as long as necessary for the purposes for which it was collected, including to meet contractual, legal, accounting, audit and regulatory requirements. Audit logs, access records and transaction-related governance data are retained for the period required to demonstrate compliance with applicable law and with the relevant institutional customer agreement, after which they are securely deleted or anonymised.

BondGovernance implements technical and organisational measures appropriate to the risk under Article 32 GDPR, including encryption of personal data in transit and at rest, strict access control on a least-privilege basis, segregation of environments, secure software-development practices, continuous logging and monitoring, and documented incident-response procedures. No method of transmission or storage is perfectly secure; accordingly, the Service is provided without guarantee of cryptographic perfection.

Subject to the conditions set out in the GDPR, you have the right to (i) access your personal data, (ii) request rectification of inaccurate data, (iii) request erasure, (iv) request restriction of processing, (v) object to processing carried out on the basis of our legitimate interests, (vi) data portability and (vii) withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or with the supervisory authority of your habitual residence or place of work.

The Service uses strictly necessary cookies and equivalent technologies required to deliver the Service, maintain session integrity and protect against abuse. Non-essential analytics, where used, are deployed on a privacy-preserving basis. Detailed information on each cookie category, purpose and retention is set out in the Cookie Policy.

BondGovernance does not use personal data to make decisions about individuals that produce legal or similarly significant effects on them within the meaning of Article 22 GDPR. Analytical outputs of the Service are produced for institutional governance purposes and are intended to support — not replace — independent professional judgement.

BondGovernance may update this Notice from time to time to reflect changes in the Service, in applicable law or in operational practice. The version published on this page is the version in force. Where changes are material, we will take reasonable steps to bring them to the attention of affected counterparties.

Privacy enquiries and requests in relation to this Notice should be addressed to OmhuAI AB, Stockholm, Sweden, via the channels listed on the Contact page, marked for the attention of the Data Protection contact.