Legal · KYC/AML Privacy Notice

KYC/AML Privacy Notice

Version: 1.0 Effective: when verification is initiated Last updated: 22 April 2026 Governing law: Romania / EU
At a glance This notice explains how MICRO DIGITAL ELECTRONICS CORP S.R.L. (trading as VENDOR.Energy) processes your personal data when you request access to the investor data room. Verification is performed through an external identity verification service provider (a data processor acting on our instructions, limited to identity and address verification) and subject to internal human review. Biometric verification (liveness / face-match) is performed only with your explicit consent and has a non-biometric alternative. This notice is independent from our Privacy Policy and from the Non-Disclosure Agreement. This notice is informational only and does not create contractual rights or obligations.

01Controller

The data controller for the processing described in this notice is:

Legal nameMICRO DIGITAL ELECTRONICS CORP S.R.L.
Trading asVENDOR.Energy
Registered officeSplaiul Unirii nr. 16, Office 705, Bucharest Sector 4, 040036, Romania
Tax ID (CUI)50047468
Privacy contactinfo@vendor.energy (subject: [PRIVACY])

02Data Protection Contact

We have not appointed a Data Protection Officer under Article 37 GDPR, as our processing does not meet the mandatory appointment thresholds. Privacy-related queries are handled by our privacy contact above. You may raise any matter concerning your personal data by writing to info@vendor.energy with subject line [PRIVACY].

03Purposes of Processing

We process your personal data for the following specific and limited purposes:

  • Investor verification — to confirm your identity and residential address before granting access to our investor data room, in order to assess whether to enter into pre-contractual discussions.
  • Fraud prevention and IP protection — to protect against identity misrepresentation and to safeguard our confidential deep-tech materials prior to disclosure.
  • Legal claim establishment — to retain evidence sufficient to establish, exercise or defend legal claims arising from pre-contractual dealings.
  • Compliance — to fulfil specific legal obligations, only where and to the extent such obligations apply to us in the concrete circumstances of the verification.

We do not process your verification data for marketing, profiling unrelated to verification, or any purpose incompatible with those listed above.

04Legal Bases

Our processing relies on the following legal bases under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679):

Legal basisScope
Article 6(1)(b) — steps prior to entering into a contract Processing identity and address data as part of investor qualification preceding any possible investment or pilot agreement.
Article 6(1)(f) — legitimate interests Our legitimate interest in verifying the identity of counterparties before disclosing confidential information about our technology, and in protecting against fraud and reputational harm. A balancing assessment is available on request.
Article 6(1)(c) — legal obligation (where applicable) Only to the extent a specific legal obligation applies to us under Romanian or EU law in the concrete circumstances of the verification. As of the date of this notice, we do not rely on Romanian Law No. 129/2019 as a primary basis for ordinary investor access screening, as we are not currently a reporting entity under that law, unless and until such obligation becomes applicable.
Article 9(2)(a) — explicit consent (biometric data only) Where the verification includes a liveness check or face-match, this involves the processing of biometric data. We perform such processing only with your prior, explicit, specific, and separately granted consent. You may withdraw that consent at any time under Article 7(3).
If you refuse biometric verification. A non-biometric manual review path is available; if that path cannot establish your identity to a reasonable standard, access to the data room will not be granted. Refusal of biometric consent will not, by itself, produce any other adverse consequence.

05Categories of Personal Data

We collect and process the following categories, limited to what is necessary for verification:

  • Identity data — full name, date of birth, nationality, identification document type (passport or national ID), document number, issuing authority, and document expiry date, together with a scanned or photographed image of the document.
  • Address data — residential address and a supporting document evidencing it (for example, utility bill or bank statement not older than three months).
  • Contact data — email address and, where provided, phone number used for verification correspondence.
  • Biometric data (consent-based only) — a liveness selfie or short video compared with the photograph in your identification document. Processed by the identity verification service provider; we receive the verification result and only the limited verification evidence necessary for our review and record-keeping, unless additional information is strictly required for the establishment, exercise or defence of legal claims.
  • Verification metadata — technical records of the verification attempt, including timestamp, IP address, the verification decision, and any review notes.

We do not collect, through this notice, source-of-funds declarations, politically-exposed-person or sanctions screening data, beneficial-ownership information, or criminal-conviction data within the meaning of Article 10 GDPR. Should any such processing become necessary in the future, we will update this notice and, where required, obtain further specific consent.

06Recipients

Your personal data may be disclosed to the following categories of recipients, each bound by confidentiality and data protection obligations:

  • Internal personnel — our compliance, legal, and authorised executive staff on a strict need-to-know basis.
  • KYC/AML-style identity verification service provider — an external processor acting on our documented instructions under an Article 28 GDPR data processing agreement, limited to identity and address verification. The provider performs document authentication, liveness and face-match checks, and returns a verification outcome to us.
  • Professional advisers — where strictly necessary, external legal counsel bound by professional confidentiality.
  • Competent authorities — only in response to a valid legal order or lawful request, and only to the extent required to comply with it.

The identity of the current identity verification service provider is available on request to the privacy contact above.

07International Transfers

Where the identity verification service provider or any other recipient processes your data outside the European Economic Area, transfers are made only on the basis of appropriate safeguards under Chapter V of the GDPR, namely:

  • an adequacy decision of the European Commission under Article 45; or
  • Standard Contractual Clauses under Article 46(2)(c), supplemented where necessary by additional technical and organisational measures; or
  • an applicable derogation under Article 49, where no other basis applies and its conditions are met.

A copy of the safeguards in place for the current processor can be obtained on request.

08Retention

We retain personal data processed under this notice no longer than necessary for the purposes for which it was collected:

ScenarioRetention period
Access denied or the investor relationship does not proceed Up to 1 year from the verification decision, as evidence of the decision taken, unless longer retention is necessary for the establishment, exercise or defence of legal claims.
Investor relationship or pre-contractual discussions proceed Up to 3 years from the end of the relationship or discussions, aligned with the general limitation period for civil claims under Article 2517 of the Romanian Civil Code.
Legal claim, investigation or regulatory requirement As long as necessary to establish, exercise or defend legal claims, or to comply with applicable legal retention obligations, whichever is longer.

Biometric data processed by the identity verification service provider is retained for the minimum period required to complete and evidence the verification and is deleted, by the processor, thereafter in accordance with the data processing agreement.

09Your Rights

Subject to the conditions and exceptions set out in the GDPR, you have the following rights:

  • Access (Article 15) — to obtain confirmation of processing and a copy of your data.
  • Rectification (Article 16) — to have inaccurate data corrected without undue delay.
  • Erasure (Article 17) — subject to the exceptions in Article 17(3), notably where processing is necessary for the establishment, exercise or defence of legal claims.
  • Restriction (Article 18) — to limit processing in defined circumstances.
  • Portability (Article 20) — where applicable, namely where processing is based on consent or contract and is carried out by automated means.
  • Objection (Article 21) — to object, on grounds relating to your particular situation, to processing based on our legitimate interests; we will then cease unless we demonstrate compelling legitimate grounds.
  • Withdrawal of consent (Article 7(3)) — for biometric processing, at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Lodging a complaint (Article 77) — with a supervisory authority, in particular the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), or the authority of your habitual residence or place of work.

To exercise any of these rights, contact info@vendor.energy. We will respond within the time limits set out in Article 12(3) GDPR.

10Consequences of Not Providing Data

Providing the personal data described in this notice is a precondition for access to the investor data room, not a general legal or contractual obligation. You are not obliged to submit this data.

However, if you do not provide the required identity and address data, or if verification cannot be completed to a reasonable standard, we will not grant access to the data room. Your decision not to provide this data will not, in itself, produce any other adverse consequence.

11Automated Verification and Human Review

The identity verification service provider applies automated techniques to assess the authenticity of your identification document and, where biometric verification is used, the correspondence between your liveness image and the document photograph. The provider returns a recommendation, not a final decision.

The final decision whether to grant access to the investor data room is taken by a human reviewer within our team, who considers the provider's output together with any additional information. For that reason, this processing does not constitute a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22(1) GDPR.

If you wish to contest the outcome or request further explanation of how the automated assessment contributed to the decision, please contact the privacy contact above; we will provide a substantive response.

12Complaints and Contact

If you believe that our processing of your personal data infringes the GDPR, we encourage you to contact us first at info@vendor.energy so that we can address your concerns.

You also have the right, at any time, to lodge a complaint with a supervisory authority, in particular:

Supervisory authorityAutoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
AddressB-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, 010336, Bucharest, Romania
Websitehttps://www.dataprotection.ro/

You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the European Union.

This KYC/AML Privacy Notice is a transparency instrument issued by MICRO DIGITAL ELECTRONICS CORP S.R.L. in accordance with Article 13 and, where applicable, Article 14 of the GDPR. It does not create, amend or replace any contract, including the Non-Disclosure Agreement, nor does it replace our general Privacy Policy. © 2024–2026 MICRO DIGITAL ELECTRONICS CORP S.R.L. All rights reserved. VENDOR is a registered trademark of MICRO DIGITAL ELECTRONICS CORP S.R.L. (EUIPO No. 019220462).