EEA AND UK Privacy Policy
Last updated: January 27, 2025
This EEA and UK Data Privacy Policy ("Privacy Policy") explains how FirstKey Mortgage, LLC (“FirstKey”) uses your personal data and which rights and options you have in this respect. This Privacy Policy applies only if and where FirstKey processes your personal data under the EU General Data Protection Regulation ("GDPR") or the GDPR as incorporated into UK law by the Data Protection Act 2018 or under the Swiss Federal Data Protection Act (together "Data Protection Laws").
Where the processing of your personal data is not subject to the Data Protection Laws, different rules will apply under your applicable law. You may refer to our US Privacy Policy if we process your personal data under federal and state laws and governmental regulations in the United States.
As an introductory remark, please note that due to the nature of our business, we process personal data under the GDPR only to a limited extent. In particular, as securitization sponsor and asset manager for U.S. securitization activities and structuring agent and co-sponsor for non-U.S. securitization activities, we do not process any personal data of individual borrowers or related persons. We encourage you to refer to the Privacy Policy of your relevant lender or other controllers which may have been identified to you by your lender. For further information on our business, please refer to our website.
This Privacy Policy covers the following topics.
- 01. Who is responsible for your personal data?
- 02. What categories of personal data do we collect?
- 03. How do we use your personal data?
- 04. How do we collect your personal data?
- 05. Where do we process your personal data?
- 06. How do we protect your personal data?
- 07. Who do we share your personal data with?
- 08. How long do we store your personal data?
- 09. What are your rights under the Data Protection Laws?
- 10. Are you required to provide personal data?
- 11. What if I am under 16?
- 12. Changes to this Privacy Policy
- 13. How to get in touch with us
WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?
We, FirstKey, with offices located at 900 Third Avenue, Suite 500, New York, NY 10022, are the responsible controller for the processing of your personal data as set out in this Privacy Policy.
Where FirstKey processes your personal data as a processor on behalf of and as instructed by any of our affiliates or other third parties, please refer to the Privacy Policy of the relevant responsible controller for further information.
WHAT CATEGORIES OF PERSONAL DATA DO WE COLLECT?
Depending on the nature of our business relationship with you or your organization, we may collect and process in particular the following categories of personal data:
• Private or professional contact information, such as full name, work address, work telephone number, work mobile phone number, work fax number and work email address, job title, department and company name;
• Information on our business interactions with you or your organization such as date, time, place or channel of any communication or other interaction with you and other data which may be generated by such business interactions and the nature of which depends on the nature of such business interaction;
• If legally required for compliance purposes: information about relevant and significant litigation or other legal proceedings against you or your organization or a third party related to you and any interaction with you which may be relevant for antitrust purposes or other legal diligence processes including reputational risk management.
HOW DO WE USE YOUR PERSONAL DATA?
Depending on the nature of our business relationship with you or your organization, we may process your personal data for the following purposes ("Permitted Purposes").
The following table sets out the Permitted Purposes and the legal basis we rely upon:
PERMITTED PURPOSES | LEGAL BASIS |
---|---|
Planning, performing, managing and administering your or your organization's contractual or other business relationship with FirstKey | • Performance of our contract with you or your organization • Legitimate interest: to perform our contract with you or your organization |
Responding to any enquiries you have made to us | • Legitimate interest: to respond to your enquiries |
Ensuring compliance with our legal and regulatory obligations. This may include sales and business record keeping obligations for tax or other purposes and sending required notices or other disclosures, compliance screening or recording obligations (e.g. under antitrust laws, export laws, trade sanction and embargo laws or to prevent white-collar or money laundering crimes). In this context we may be required to conduct automated checks of your contact data or other information you provide about your identity against applicable sanctioned-party lists and to contact you to confirm your identity in case of a potential match, to record interaction with you which may be relevant for antitrust purposes and to report to or support investigations by competent supervisory, law enforcement or other public authorities | • Legal or regulatory obligation • Legitimate Interest: to comply with our legal obligations |
Investigating and resolving disputes, enforcing our website terms of use and other contractual agreements, and to establish, exercise or defend legal claims | • Legitimate interest: to protect and enforce our legal rights and claims |
HOW DO WE COLLECT YOUR PERSONAL DATA?
We will typically collect your personal data directly from you or your organization or related business parties where that is required and permitted due to the nature of our business dealings, in particular when you communicate with us or when your organization gets in contact with us. We will typically not obtain personal data from any other third parties.
WHERE DO WE PROCESS YOUR PERSONAL DATA?
FirstKey is a globally active enterprise. In the course of our business activities, we may also transfer your personal data to recipients in countries outside of the European Economic Area, United Kingdom or Switzerland, in which applicable laws do not offer the same level of data protection as the laws of your home country. Where we do so, we will apply appropriate safeguards to ensure the security and integrity of your personal data, in particular by relying on the Data Privacy Framework (see below) and entering into the EU Standard Contractual Clauses which are available here or the UK International Data Transfer Addendum which is available here. You may contact us anytime using the contact details below if you would like further information on such safeguards.
HOW DO WE PROTECT YOUR PERSONAL DATA?
We maintain appropriate physical, electronic and procedural safeguards in accordance with the technical state of the art and legal data protection requirements to protect your personal data from unauthorized access or intrusion. These safeguards include implementing specific technologies and procedures designed to protect your privacy, such as secure servers, firewalls and SSL encryption.
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
We may share your personal data with third parties where that is required and permitted by Data Protection Laws in connection with our business relationship with you or your organization. We may further share your personal data in relevant situations with courts, law enforcement authorities, regulators or attorneys if legally permitted and necessary to comply with a legal obligation or for the establishment, exercise or defense of legal claims.
We may further share your personal data with our third-party service providers or vendors contracted to provide services on our behalf (for example, due diligence and transaction services, IT and hosting or data analytics services). These third-party service providers (so called processors) may use personal information we provide to them only as instructed by us.
Otherwise, we will only disclose your personal data when you direct or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or when we suspect fraudulent or criminal activities.
HOW LONG DO WE STORE YOUR PERSONAL DATA?
We will retain your personal data for as long as required for the Permitted Purposes and as long as we are required or permitted under applicable laws to retain such data (e.g. for the duration of any record retention periods under applicable law). We will promptly delete your personal data when it is no longer required for the Permitted Purposes, and we are no longer legally required or otherwise permitted under the applicable law to retain such data.
WHAT ARE YOUR RIGHTS UNDER THE DATA PROTECTION LAWS?
Subject to certain legal conditions, you may request access to, rectification, erasure or restriction of processing of your personal data. You may also object to processing or request data portability. In particular you have the right to request a copy of the personal data that we hold about you. As we want to make sure that your personal data is accurate and up to date you may also ask us to correct or remove any information which you think is inaccurate. If your request is unfounded or excessive, we reserve the right to charge an administrative fee to process your request. Under the Data Privacy Framework (see below), you may object (opt out) to the disclosure of your personal data to a third party or to the use of your personal data for a different purpose unless disclosure is made to one of our processors on behalf of us and under our instructions (see above).
If you have given us your consent for the processing of your personal data, you can withdraw your consent at any time with future effect, i.e. the withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal. If you withdraw your consent, we will promptly delete the relevant data unless there is another legal ground permitting us to continue processing such data or where we are legally required to do so.
For any of the above requests, please send a description of your personal data concerned stating your name and your relationship to FirstKey (if applicable) to the contact details below. We may require proof of identity to protect your personal data against unauthorized access. We will carefully consider your request and may discuss with you how it can best be fulfilled.
If you have any concerns about how your personal data is handled by us or wish to raise a complaint on how we have handled your personal data, you can contact us at the contact details below to have the matter investigated. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the competent data protection supervisory authority in your country. For example, if you are in the UK, you may contact the Information Commissioner's Office via their website (ico.org.uk).
Your rights under the Swiss Federal Data Protection Act are materially the same as set out above with the exception of the right to data portability, which does not exist in Switzerland. If you are not satisfied with our responses to your requests or if you believe we are processing your personal data not in accordance with the law you can file a complaint to the Swiss Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).
ARE YOU REQUIRED TO PROVIDE PERSONAL DATA?
As a general principle, you will provide us with your personal data entirely voluntarily; there are generally no detrimental effects on you if you choose not to consent or to provide personal data. However, there are circumstances in which FirstKey cannot take action or cannot process any relevant business transaction with you or your organization without your personal data, for example where such data is required to carry out a legally required compliance screening.
WHAT IF I AM UNDER 16?
If you are under 16, please make sure that you obtain your parent/guardian's permission prior to providing us with any of your personal data. Persons under the age of 16 are not permitted to provide us with their personal data without such consent.
CHANGES TO THIS PRIVACY POLICY
From time to time, we may change or amend this Privacy Policy as required to reflect any changes to the way in which we use your personal data or changing legal requirements. So you may wish to check back from time to time. Any amended Privacy Policy will apply from the date it is posted on our website.
HOW TO GET IN TOUCH WITH US
For any questions and comments or in case you want to assert your rights, you can contact us by sending an email or in writing at the address below:
Data Privacy Framework Notice
FirstKey Holdings, LLC, FirstKey Mortgage, LLC, and Harvest Innovations, LLC comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. FirstKey has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) under the UK Extension to the EU-U.S. DPF. FirstKey has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
FirstKey is responsible for the processing of personal data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. FirstKey complies with the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over FirstKey's compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, FirstKey may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, FirstKey commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.
For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.