AML/CFT & Source-of-Funds Policy

(An incorporated policy forming part of the Roster+ Portal Terms of Use — Part A)

---

0. Preamble & Status

0.2 What this Policy is. This is the "AML/CFT & Source-of-Funds Policy" (this "Policy") referred to in clause 0.4(b) of the Roster+ Portal Terms of Use (the "Terms" or "Part A") and incorporated into and binding under the Terms by clauses 5.4, 6.4, 21, and 29.4. It is a standalone Anti-Money-Laundering ("AML"), Counter-Terrorist-Financing ("CFT"), and sanctions Policy that sits alongside Part A and the role Schedules (Schedule B — Performer Engagement Terms; Schedule C — Client Terms; Schedule D — Organisation / Management Terms). Capitalised terms used but not defined here have the meanings given in clause 3 of Part A.

0.3 The Operator. This Policy is operated by, and applies to the Portal of, TRANSCENDA COMPUTER SYSTEMS & COMMUNICATION EQUIPMENT SOFTWARE DESIGN EST. (the "Operator", and in this Policy also "Roster+", "we", "us", or "our"), the entity defined as the Operator in clause 1.1 of Part A and the sole contracting party for all Services delivered through the Portal (transcenda.io is a website detail of the Operator and is not the contracting party; the Portal is at rosterplus.io).

0.4 Language. This Policy is made available in English and Arabic. Where a User is a consumer in the UAE, the Arabic version prevails in the event of any conflict, consistent with clause 0.3 of Part A. Any other translation is for convenience only.

0.5 Order of precedence. This Policy is an incorporated policy and ranks accordingly under clause 0.5 of Part A. Nothing in this Policy excludes, restricts, or limits any right or remedy that the law of the UAE makes mandatory and non-excludable for consumers, including the cause-based cash-refund rights in clause 16 of Part A; to the extent of any conflict, the mandatory right and Part A prevail. Where, however, an AML/CFT, sanctions, or court/regulatory obligation requires us to freeze, hold, decline, report, or not return funds or value, that legal obligation governs the timing and manner of any payment notwithstanding any service-level expectation, and we will act as the law requires.

---

1. Purpose & Policy Statement

1.1 Purpose. This Policy sets out how Roster+ identifies, verifies, screens, monitors, and reports activity on the Portal in order to prevent the Portal from being used for money laundering, terrorist financing, sanctions evasion, fraud, or any other financial crime, and to protect Users, the Operator, the Float, and the integrity of the financial system.

1.2 Risk-based, in substance. We apply AML/CFT and sanctions controls in substance, on a risk-based basis, independently of any stored-value exemption and regardless of whether we are formally a "designated non-financial business" or other obligated entity under UAE AML/CFT law. Our formal obligated-entity status, and any registration requirement, are reserved and are to be determined with UAE-licensed counsel (clause 8.5); the controls in this Policy apply in substance in the meantime. We will not wait for a formal status determination to do the right thing.

1.3 Zero tolerance. We operate zero tolerance for money laundering, terrorist financing, sanctions breaches, and the use of the Portal to launder, layer, integrate, or disguise the proceeds of crime, or to fund prohibited persons or causes. Suspected financial crime is escalated, may be reported, and may result in freeze, suspension, or termination (clauses 5, 6, 7) and reporting to the competent authorities.

---

2. The Single-Purpose SVF Model (why this Policy is calibrated as it is)

2.1 Roster+ is a principal operating a single-purpose stored-value facility. As set out in clauses 1.4, 6.1, and 25.3 of Part A, Roster+ contracts as principal for its own booking and engagement Services and operates Roster Coins as a single-purpose stored value facility where 1 Coin = 1 AED, redeemable only against our own catalogue of Services. A Client buys Coins to pay for our own Service; the Performer is engaged and paid by us as a supplier, and a Performer's balance is Earnings / accounts-payable, never a Wallet and never stored value (clause 6.9 of Part A).

2.2 Not a money-services business. Because Coins buy only the issuer's own Services and are not cash-redeemable to the buyer (clause 6.3 of Part A), Roster+ operates a single-purpose Stored Value Facility (SVF) that is exempt from the CBUAE SVF licensing requirement under the CBUAE Stored Value Facilities Regulation. Roster+ is not a bank, money-services business, money remitter, exchange house, payment institution, e-money issuer, or escrow agent, and Coins are not money, currency, e-money, a deposit, a security, or a claim on any third party (clause 6.11 of Part A). We do not hold money for others as an intermediary and we do not transmit value between Users: Coins are non-transferable between Users (clause 6.2 of Part A).

2.3 Why we still run an AML/CFT programme. The single-purpose exemption removes the SVF licensing requirement; it does not remove the need to manage financial-crime risk. Prepaid value, refunds, and supplier payouts can still be misused (for example to launder funds, to "wash" value through sham bookings, or to cash out through a refund or a payout). This Policy therefore applies AML/CFT, sanctions, and source-of-funds controls in substance and proportionate to that residual risk, independently of the exemption (clause 1.2). The exemption is preserved by, not weakened by, running these controls.

2.4 Payment gateways currently disabled. As at the date of this Policy, the live card/payment gateways are disabled and no live card money is being taken. The controls in this Policy are designed and staged to be fully operative before any gateway is enabled, so that no money moves on the Portal until identity verification, screening, monitoring, source-of-funds, and reporting controls are in place and have been confirmed with counsel and, where required, with the relevant licensed Payment Service Provider ("PSP", clause 14A of Part A) that processes payments and may hold the Float.

---

3. Scope & Who This Policy Applies To

3.1 Persons covered. This Policy applies to every User of the Portal in every capacity — Client / Promoter (Schedule C), Performer / Artist (Schedule B), and Organisation (Schedule D) — and to the artists managed by an Organisation, who exist as Claim Profiles under the Organisation's responsibility (clause 13.4 of Part A). It also binds our Owner, Admin, and other staff (clause 7).

3.2 Activity covered. This Policy applies across the full Portal money-flow described in clause 4.3 of Part A: registration → onboarding and Verification → Top-Up (purchase of Coins) → Booking Request and the Booking-Request Fee → Engagement → secured payment in Coins → completion → Payout to Performers/Organisations → and cancellation / refund (including any cash refund to the original instrument under clauses 16 and 14A.6 of Part A).

3.3 Both sides of the flow. Controls apply on the buy side (Clients funding and spending Coins) and on the pay-out side (Performers and Organisations receiving Earnings). A name-mismatched or third-party payout, a structured set of Top-Ups, or a Top-Up immediately followed by a refund or payout, are all in scope.

---

4. The AML/CFT Programme — Controls

This Policy operates a programme of seven control pillars: (4A) customer due diligence and identity verification; (4B) sanctions and PEP screening; (4C) source-of-funds for large or higher-risk top-ups; (4D) ongoing transaction monitoring; (4E) suspicious-activity handling and reporting; (4F) the right to freeze, suspend, hold, and report; and (4G) record retention.

---

4A. Customer Due Diligence (CDD) & Identity Verification (KYC)

4A.1 KYC before money moves. Consistent with clauses 5.4 and 21.2 of Part A, we carry out identity, document, and account-ownership verification ("KYC" / "CDD") on both sides of the flow, before any money moves and at any later time we consider appropriate. You authorise us to carry out such Verification and to use third-party identity-verification / KYC providers for it (clause 14B of Part A). KYC is also a precondition of account activation: an Account is not activated, listed, or shown until the applicable Terms/Schedule are accepted and all required documents are submitted (clause 5.5 of Part A).

4A.2 The document upload & review flow we operate. KYC is delivered through the document upload and review flow built into the Portal, in which: (a) a User uploads the required identity and standing documents through the Portal — for a Performer, at least a passport photograph, identity document, and flyer/artwork (clauses 5.5 and 8.1 of Part A); for a Client, the identity evidence required for the applicable verification tier; and for an Organisation, trade licence, authorised-signatory, and ultimate-beneficial-owner (UBO) evidence (clause 13.4 of Part A); (b) uploaded identity documents (passports, IDs, trade licences) are held in a private document store, never on a public URL, served download-only (Content-Disposition: attachment with X-Content-Type-Options: nosniff), with Owner/Admin access only, file type verified by magic-bytes, and per-user upload rate-limiting; (c) a member of staff reviews the documents against the applicable tier and standard before the account is activated or, where relevant, before a Payout is released; and (d) the review decision, reviewer identity, and timestamp are recorded in an audit trail (clause 4G; clause 2.7 of Part A).

4A.3 What we verify. Verification may include, proportionate to risk and tier: Emirates ID or passport; corporate / trade-licence documents and the identity of authorised signatories and UBOs (for Organisations); and ownership of any bank account used for Payout, including a name match to the Performer's or Organisation's own name (clauses 5.4 and 21.5 of Part A). We do not pay out to third-party or name-mismatched accounts, and we do not refund to any card other than the originating instrument (clauses 14A.6 and 21.5 of Part A).

4A.4 Tiered KYC. We apply tiered KYC, so that the depth of verification and the limits that apply scale with the value and risk of the activity. Standard due diligence applies to ordinary activity within tier limits; enhanced due diligence (EDD) applies above defined thresholds, to higher-risk Users (including PEPs and higher-risk jurisdictions), and to activity that monitoring flags as higher-risk. The precise verification tiers, transaction and balance limits, enhanced-diligence thresholds, and the documents required at each tier are maintained operationally and may be updated without amending Part A; the indicative thresholds and tier limits are to be set and confirmed with UAE-licensed counsel (clause 8.5). Until KYC for the relevant tier is complete, Top-Up, Booking, or Payout may be limited, held, or declined (clauses 6.4 and 21.2 of Part A).

4A.5 Your obligation to cooperate. You must cooperate with, and provide the evidence we request for, identity verification, ongoing due diligence, and (where applicable) source of funds. Refusal, failure, or delay in providing requested information, or the provision of false, misleading, or forged documents, may result in the Top-Up, Booking, or Payout being held, limited, or declined, and in suspension, freeze, or termination (clauses 5.7, 19, and 21.2 of Part A), and may itself be treated as a ground for a suspicious-activity escalation under clause 4E.

4A.6 Re-verification. We may require re-verification at any time, including on a change of risk profile, a change of payout account, a sanctions or fraud alert, an unauthorised-payment event (clause 14A.8 of Part A), or before releasing a held Payout.

---

4B. Sanctions & PEP Screening

4B.1 Screening intent. We screen Users for sanctions exposure and Politically Exposed Person ("PEP") status at onboarding and before any Payout, and we may re-screen on an ongoing basis and on any material change (clauses 21.3 and 5.4 of Part A). Screening covers the User, and for Organisations the authorised signatory and UBOs.

4B.2 Sanctions lists. Screening is intended to cover the applicable UAE sanctions regime (including the UAE Local Terrorist List and the lists implementing UN Security Council resolutions) and such other sanctions lists as we determine appropriate on a risk basis. The exact lists, the screening provider, and the screening methodology are maintained operationally and are to be confirmed with UAE-licensed counsel (clause 8.5).

4B.3 Restricted persons. Each User represents and warrants that it is not a person subject to sanctions, designated on any applicable sanctions list, otherwise restricted under UAE law, or barred from using services of this kind (clause 2.5 of Part A). We may decline, suspend, or revoke registration, and freeze or hold any Coins, Booking, refund, or Payout, on this basis.

4B.4 Effect of a hit. A blocking sanctions match stops the relevant Top-Up, Booking, refund, or Payout and triggers escalation and review (clause 4E). Where a true sanctions match is confirmed, we will act as the law requires, which may include freezing without prior notice, declining to return funds or value, and reporting to the competent authority; we will not tip off the subject of a report (clause 4E.6). A PEP hit does not by itself block activity but triggers enhanced due diligence (clause 4A.4) and, where required, senior approval.

4B.5 No service to prohibited persons. We will not knowingly provide the Service to, accept funds from, or make a Payout to, a sanctioned or otherwise prohibited person, and we may take any step in clause 6 to give effect to this.

---

4C. Source of Funds for Large or Higher-Risk Top-Ups

4C.1 Source-of-funds enquiry. For larger Top-Ups and for activity that monitoring flags as higher-risk, we carry out a source-of-funds (and, where relevant, source-of-wealth) enquiry as part of enhanced due diligence (clauses 6.4 and 21.2 of Part A). You must, on request, provide satisfactory evidence of the source of the funds used to purchase Coins.

4C.2 Threshold. Source-of-funds enquiry is triggered above a defined monetary threshold and/or on a risk-based basis (for example by aggregation of multiple Top-Ups, by velocity, or by risk indicators). The specific threshold(s) are maintained operationally and are to be set and confirmed with UAE-licensed counsel (clause 8.5); they are not fixed by this Policy.

4C.3 Effect of non-cooperation. If you do not provide satisfactory source-of-funds evidence when required, we may hold, limit, decline, or reverse the Top-Up (subject to the reversal limits in clause 14A.6 of Part A) and withhold any related Booking or Payout, and may escalate the matter under clause 4E, in each case subject to your mandatory consumer rights.

---

4D. Ongoing Transaction Monitoring

4D.1 We monitor. We monitor activity across the Portal money-flow on a risk-based basis to detect patterns that may indicate money laundering, terrorist financing, sanctions evasion, or fraud (clause 21.4 of Part A). This builds on the Communications monitoring and recording disclosed and consented to in clause 9.4 of Part A, and on the fraud controls in clause 14A.9 of Part A.

4D.2 Indicators we watch for. Monitoring focuses on indicators including, without limitation: (a) structuring / smurfing — breaking value into multiple Top-Ups to stay under a tier or source-of-funds threshold; (b) velocity and value anomalies — unusually rapid, frequent, or large Top-Ups, Bookings, or Payouts relative to the User's profile; (c) circular, wash, or sham bookings — Bookings between connected or colluding accounts with no genuine Service purpose, including connected Client/Performer pairs; (d) rapid in-out / layering — a Top-Up followed by an immediate refund request or by an immediate Payout with little or no genuine Service consumed; (e) third-party or name-mismatched funding or payout accounts, and changes of payout account that do not match the verified name; (f) chargeback, stolen-card, or unauthorised-payment signals (clause 14A.8 of Part A); and (g) links to higher-risk jurisdictions, sanctioned parties, or previously flagged accounts.

4D.3 Sham / wash bookings. A Booking found to be sham, wash, circular, or with no genuine Service purpose is not a genuine Booking, breaches clause 12.2 of Part A, and is dealt with accordingly — including reversal, forfeiture, set-off (clause 14D of Part A), suspension, and escalation under clause 4E. No delivery undertaking (clause 15 of Part A) and no consumer refund protection (clause 16 of Part A) attaches to a sham or wash booking, because no genuine Service was bought.

4D.4 Escalation. Where monitoring raises a flag, the matter is escalated to human review by, or under the supervision of, the compliance owner (clause 7.1), who decides whether to seek further information, apply enhanced due diligence, impose a hold or freeze, and/or make a report.

---

4E. Suspicious-Activity Handling & Reporting

4E.1 What is suspicious activity. Suspicious activity is any activity, transaction, attempted transaction, or pattern that gives rise to a reasonable suspicion of money laundering, terrorist financing, sanctions evasion, fraud, or other financial crime, or the use of the proceeds of crime, whether identified by monitoring, by a screening hit, by a source-of-funds failure, by staff, or by a third party (including the PSP, a bank, a card scheme, or a regulator).

4E.2 Internal escalation. Any member of staff who identifies or suspects such activity must escalate it internally without delay to the compliance owner (clause 7.1), and must not discuss it with, or tip off, the User or any person connected with them (clause 4E.6). Escalations and decisions are recorded (clause 4G).

4E.3 Investigation. The compliance owner reviews each escalation, gathers and preserves the relevant records and Communications (clause 9.4 of Part A), may request further information from the User, and may apply a hold, freeze, or other measure under clause 6 pending the review.

4E.4 Reporting — Suspicious Transaction / Activity Reports. Where, after review, a reportable suspicion remains, we will file the appropriate report with the competent UAE authority — a Suspicious Transaction Report or Suspicious Activity Report (an "STR/SAR") — and otherwise cooperate with the UAE authorities and the UAE Financial Intelligence Unit ("FIU"). Our reporting obligations — including any goAML registration and the filing of STRs/SARs — apply to the extent required by UAE AML/CFT law as determined with counsel (clause 8.5), and the controls are applied in substance in the meantime (clauses 1.2 and 21.8 of Part A).

4E.5 We may report financial crime and stolen-card use. Independently of an STR/SAR, we may report suspected fraud, stolen-card or unauthorised-payment use, and other criminal conduct to the PSP, card schemes, banks, regulators, the FIU, and law-enforcement authorities, and cooperate with their investigations, as permitted or required by law (clauses 14A.9, 9.10, and 12.4 of Part A). We may also report unlawful content (including child-sexual-abuse material and sexual offences) under clauses 9.10 and 12.3A of Part A.

4E.6 No tipping-off; confidentiality of reports. Where the law restricts disclosure, we will not tip off the subject of a report or any connected person, and we may be unable to tell you that a report has been made, that a freeze or hold is AML-related, or why an action was taken. We may be required by law to take, or refrain from, action, and to keep the existence and content of any report confidential. Our compliance with such a legal requirement is not a breach of the Terms or this Policy.

---

4F. Right to Freeze, Suspend, Hold, Decline & Report

4F.1 Our rights. Consistent with clauses 19.2, 21.6, 14A.8, and 14A.9 of Part A, where there is breach, suspected fraud, an AML/CFT or sanctions risk, a screening hit, a source-of-funds failure, a sham/wash booking, anti-circumvention, false or forged documents, or a legal or regulatory requirement, we may, including without prior notice for cause or risk and proportionate to the risk: (a) screen, hold, delay, decline, limit, or reverse any Top-Up, payment, Booking, refund, or Payout (subject to the reversal limits in clause 14A.6 of Part A); (b) freeze or suspend Coins, Earnings, an Account, or any activity, pending review; (c) claw back Coins (and any balance derived from them) credited from an unauthorised or fraudulent payment (clause 14A.8 of Part A); (d) withhold a Payout, including by holding it until the applicable dispute / chargeback window has passed (clause 14A.10 of Part A); (e) require additional identity verification or source-of-funds evidence before any further activity; (f) suspend or terminate the Account (clause 19 of Part A); (g) recover amounts owed, including by set-off under clause 14D of Part A; and (h) report to, and cooperate with, the competent authorities, the FIU, and law enforcement (clause 4E).

4F.2 Mandatory rights and legal obligations. The rights in clause 4F.1 are exercised subject to your mandatory consumer rights (clauses 0.5, 14.5, and 16 of Part A). Where, however, a sanctions, AML/CFT, court, or regulatory obligation requires us to freeze, hold, decline, not return, or report funds or value, that legal obligation governs and we will act as the law requires; a refund or Payout that would otherwise be due may be lawfully delayed or withheld for as long as, and to the extent that, the law requires.

4F.3 No release in breach of law. We will not release Coins, a refund, or a Payout where doing so would breach a sanctions measure, an AML/CFT obligation, or a court or regulatory order.

---

4G. Record Keeping & Retention

4G.1 Five-year retention. We retain AML/CFT, KYC/CDD, screening, source-of-funds, monitoring, escalation, and reporting records, together with the underlying transaction and financial records (Top-Ups, Coin transactions, Bookings, invoices, credit notes, and Payouts), on a tamper-evident basis for at least five (5) years after the relevant transaction or the end of the business relationship, consistent with clauses 21.6, 17, and the retention schedule referenced in Part A and the Privacy Policy. These financial / AML records are kept even after account deletion, pointing at an anonymised profile, as the law requires.

4G.2 KYC documents. Identity / KYC documents are retained while there is a verification need and are then deleted on account deletion, subject to any active dispute, AML hold, or legal-retention requirement that requires them to be kept longer (Privacy Policy retention schedule). This is consistent with PDPL data-minimisation (clause 22 of Part A): we keep what the law requires for the period the law requires, and no longer.

4G.3 Audit trail. The KYC review decision, the reviewer, and the timestamp (clause 4A.2(d)), and every AML escalation, decision, freeze, and report, are recorded in an auditable, sequenced, timestamped log (clauses 2.7 and 24.2 of Part A). Account-deletion scrubs are audited before the scrub.

4G.4 Availability to authorities. Retained records are made available to the competent UAE authorities, the FIU, and law enforcement on lawful request, in line with this Policy and the Privacy Policy.

---

5. Effect on Users — Limits, Holds & Cooperation

5.1 What you may experience. Application of this Policy may mean that: your Top-Up, Booking, refund, or Payout is limited, held, delayed, declined, or reversed; you are asked for further identity, due-diligence, or source-of-funds evidence; your activity limits are set by your verification tier; or your Account is suspended, frozen, or terminated. Where the law allows us to explain, we will give you a reason; where the law restricts disclosure (clause 4E.6), we may be unable to.

5.2 Cooperation is a condition of use. Providing accurate information and cooperating with KYC, screening, and source-of-funds requests is a condition of using the Portal and of any money moving (clauses 5.4, 21.2 of Part A). Refusal, failure, or the provision of false or forged information is a breach (clauses 2.6, 5.7, 12.2 of Part A) and may result in any of the measures in clause 4F.

5.3 Performer good-faith protection preserved. Nothing in this Policy displaces clause 14A.10 of Part A: where we have already paid a Performer who delivered the Service in good faith and the underlying Client payment is later reversed for fraud, we (as principal) bear that loss and do not claw back the good-faith Performer's earnings for a Service actually delivered; a Performer complicit in the fraud is not protected.

---

6. Coins, Refunds & Payouts — AML Interaction (summary)

6.1 Coins are not a cash-out route. Coins are non-transferable between Users, non-cash-redeemable to the buyer, bear no interest, and buy only our own Services (clauses 6.1–6.3, 6.11 of Part A). This structure itself reduces money-laundering risk: there is no peer-to-peer value transfer and no buyer cash-out.

6.2 Refunds. A cash refund arises only on a Seller-Side Failure or an applicable Cooling-Off (clause 16 of Part A) and is made only to the original payment instrument (clause 14A.6 of Part A) — never to a different card, account, or third party. A refund will not be used as a cash-out or layering route; refund requests that fit the rapid in-out pattern (clause 4D.2(d)) are monitored and may be held pending review.

6.3 Payouts. A Payout is a supplier settlement from our own funds, outside the Coin facility (clauses 6.9, 13.7 of Part A), made only to a verified account in the Performer's or Organisation's own name after screening (clauses 21.5, 4B). Earnings are never a withdrawable on-demand balance and are never pooled or netted with the Float (clause 6.10 of Part A), which removes a common laundering vector.

---

7. Governance, Staff Obligations & Training

7.1 Compliance owner (MLRO-equivalent). A named compliance owner, performing a role equivalent to a Money Laundering Reporting Officer ("MLRO"), is responsible for this AML/CFT programme: for overseeing CDD/KYC, screening, source-of-funds, and monitoring; for receiving internal escalations; for deciding on holds, freezes, and enhanced due diligence; and for the filing of any STR/SAR and liaison with the FIU and authorities (clauses 21.7, 21.8 of Part A). The identity and contact route of the compliance owner are maintained operationally; the appointment, mandate, and any deputy are to be confirmed with UAE-licensed counsel (clause 8.5).

7.2 Staff obligations. Owner, Admin, and all staff who handle onboarding, document review, payments, payouts, or Communications must: (a) apply this Policy, the KYC review flow (clause 4A.2), and the screening and source-of-funds steps before activating accounts or releasing money; (b) escalate suspicious activity to the compliance owner without delay, and not tip off the User (clauses 4E.2, 4E.6); (c) handle KYC and personal data strictly per the Privacy Policy and PDPL, with private-store, access-controlled handling of identity documents (clause 4A.2(b); clause 22 of Part A); (d) record their KYC decisions, escalations, and actions in the audit trail (clause 4G.3); and (e) complete AML/CFT and sanctions training at induction and periodically thereafter.

7.3 Independence and authority. The compliance owner has the authority to hold, freeze, decline, and report without commercial override, and to escalate to senior management and counsel. A decision to file or not file an STR/SAR is a compliance decision, not a commercial one.

7.4 Review of this Policy. This Policy is reviewed periodically and on any material change to the law, the business model, the risk profile, or the enabling of payment gateways, and is updated under clause 20 of Part A (changes apply prospectively). The substance — risk-based CDD, screening, source-of-funds, monitoring, suspicious-activity reporting, the right to freeze and report, and five-year retention — is not weakened by any update.

---

8. Legal Basis, Data Protection

8.1 Lawful basis for processing. Processing of personal data for KYC/CDD, screening, source-of-funds, monitoring, and reporting is carried out under the lawful bases set out in clauses 9.4, 21, and 22 of Part A and the Privacy Policy: your consent, the necessity of the processing for the performance of the Terms, our legal and compliance obligations, and our legitimate fraud-prevention, AML/CFT, safety, and compliance interests, in each case as permitted by the UAE Personal Data Protection Law (PDPL).

8.2 High-risk / sensitive data. Identity documents and certain KYC data are sensitive and are handled as high-risk processing under clause 22 of Part A and the Privacy Policy, with data-minimisation, access control, private storage, and the retention limits in clause 4G.

8.3 Disclosure to authorities. We may disclose personal data and records to the competent UAE authorities, the FIU, regulators, the PSP, banks, card schemes, and law enforcement where permitted or required for AML/CFT, sanctions, fraud-prevention, or legal-obligation purposes (clauses 4E, 4G.4, 22 of Part A).

8.4 Applicable law. This Policy is to be read with the laws referred to generally in clause 25.2 of Part A, including the UAE Anti-Money-Laundering and Counter-Terrorist-Financing Law, the applicable UAE sanctions regime, the CBUAE Stored Value Facilities Regulation, the UAE Personal Data Protection Law, and the UAE Consumer Protection Law. Precise legislative and regulatory references, designations, and numbering are subject to confirmation by UAE-licensed counsel.

---

9. Relationship to Part A and Other Documents

9.1 Incorporated and subordinate. This Policy is incorporated into and binding under the Terms (clauses 0.4(b), 29.4 of Part A) and is subordinate to Part A in the order of precedence (clause 0.5 of Part A). It supports and is cross-referenced by clauses 2.5, 5.4, 5.5, 6.4, 9.4, 12, 14A, 19, and 21 of Part A, and by Schedule B (Performer payout/verification), Schedule C (Client top-ups/payment-instrument), and Schedule D (Organisation trade-licence / UBO verification).

9.2 Survival. The record-keeping, retention, and reporting obligations in this Policy survive termination of any User's relationship with us, consistent with clause 28.7 of Part A (including the five-year records obligation).

9.3 No exclusion of mandatory rights. Nothing in this Policy excludes or limits any mandatory consumer right under UAE law; to the extent of any conflict the mandatory right and Part A prevail (clause 0.5), save where a sanctions, AML/CFT, court, or regulatory obligation requires otherwise as set out in clauses 0.5 and 4F.2.

---