Data Privacy Notice
Version 2026.4 Effective from April 2026
We comply with the requirements of the General Data Protection Regulation (GDPR). Your data will be processed only in ways compatible with the purposes for which it was given.
1. Who Controls Your Personal Data & How Can You Contact Them
The data controller for your personal data is Finplan Limited, trading as Finplan, Finplan Mortgages and Finlife, Bankside, Charlemont Place, Dublin 2, D02 H590. If you have any questions about how we handle your personal data, please contact us by email at online@finplan.ie or by telephone on +353 1 443 3010. We control your Personal Data to allow us to give you advice and recommendations on your financial affairs. Your data is then passed on to the relevant company/companies we have agencies with by way of application forms, by post, by email or through their secure websites online.
2. Data We May Collect About You
In order for us to give you a recommendation and information on financial products, we need to collect and process personal information about you. If you do not provide the information we need, we may not be able to offer you advice or provide our services to you. The types of personal data that are processed may include:
- Individual details – Name, address (including proof of address), other contact details (e.g. email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, and family details, including their relationship to you.
- Financial details – Full details of your income, debts, and assets you may own.
- Identification details – Identification numbers issued by government bodies or agencies, including your PPS Number, passport number, tax identification number.
3. Special Categories of Personal Data
We process health information where you provide it as part of an application for life assurance or protection products. This processing is carried out on the basis of your explicit consent under Article 9(2)(a) GDPR. This information is passed to the relevant insurer for underwriting purposes. We do not retain or use health data beyond what is necessary for that purpose. Life insurers process and control your health data to underwrite your policy or decide to decline cover. Claims information and policy information are also processed as necessary.
4. Where We May Collect Your Personal Data From
We may collect your personal data from various sources, including:
- Information you give us on application forms (written and via our online portal), email, phone, video call, in-person meetings, file sharing, and publicly available information on websites.
- Your employer or other representatives.
- Life companies we have agencies with, and any other records you have or had any other contracts of insurance with or sought a quote from us.
5. Legal Bases for Processing Your Information
We will only use your Personal Data for lawful reasons. These are:
- The use is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering a contract (such as providing a recommendation).
- The use is necessary to comply with our legal obligations.
- You have consented to us using your information in such a way.
- The use is necessary for the purpose of our legitimate interests.
- The use is necessary for the performance of a task carried out in the public interest, such as assisting a regulatory authority’s investigation of a criminal offence.
6. The Purpose of Processing Your Information
- To give you information on and provide you with recommended financial products.
- To disclose data to the policyholder, the life assured, beneficiary, trustee, assignee, successors, group company or to other parties.
- To comply with legal and regulatory requirements including Anti-Money Laundering and Sanctions compliance.
- To understand how people interact with our websites (if applicable).
- To carry out and determine the effectiveness of advertising, and of marketing campaigns. This processing is carried out on the basis of our legitimate interests in communicating relevant services to existing clients.
7. Who We Share Your Information With
In order to provide our services and to comply with legal obligations imposed on us, we may share your information with:
- Banks & Lenders for the purpose of mortgage applications
- Insurance and Assurance companies we have agencies with
- Legal, financial, investment, medical, & other professional advisors in the process of submitting your applications
- Pension Trustees and beneficiaries of Pensions and other Financial Products, relatives and guardians (in certain circumstances and within the law)
- Employers – past, present and prospective for the purpose of pensions
- The Pensions Authority
- Investment Companies we have agencies with
- Central Bank of Ireland – We are authorised by the Central Bank and they have the right to inspect our files
- Any business which we are required by law to share the information with, i.e. compliance resource companies
- An Garda Síochána (Anti-Money Laundering)
- The Financial Services and Pensions Ombudsman (FSPO) – In the event of a complaint
- Data Protection Commission
- The Revenue Commissioners – Re pensions and DIRT
- Businesses that refer your business to us
- Companies we may outsource our printing and post to
- Database providers – all data encrypted
8. Third-Party Data Transfers
We have Data Processing Agreements (DPAs) in place with all third-party providers who process personal data on our behalf. These include, but are not limited to: Adobe, Anthropic, Atlassian, ClickUp, DocuSign, Google Workspace, IonData Limited, Microsoft, Notion, OpenAI, Pipedrive, Salesforce (including Slack), and Zoom. DPAs with these providers may be accepted electronically through their published terms rather than as separately signed agreements. A full and current list of our data processors is available on request. No personal data is transferred to third countries outside the EEA without appropriate safeguards. Where AI processing involves the transfer of personal data outside the European Economic Area (EEA), including to the United States, these transfers are safeguarded using the EU Commission’s Standard Contractual Clauses and supplementary measures.
9. How Long Do We Keep Your Information
When providing products to you it may be necessary to retain your information for an extended period of time. We keep your information for as long as required by law for the purpose that you gave it to us for. As a general rule for legal and best practice reasons, we are required to keep your information for 6 years from the date on which the business is completed. Where you engage with us but do not proceed to a recommendation or product, we will retain relevant records for 12 months with your consent, in accordance with the Consumer Protection Regulations 2025 (S.I. No. 81 of 2025). If you do not provide consent, records relating to that engagement will be deleted at its conclusion, subject to any overriding legal obligation to retain them.
10. Your Rights to Access, Transport, Correct, Delete & Restrict the Use of Your Personal Data
You have the right to access a copy of your Personal Data which we hold on you. In the case of Personal Data you provided to us to process on the basis of your consent or for automated processing, you have the right to have it provided in a commonly used electronic format to you or to another Data Controller (subject to applicable Data Protection Law). If you would like a copy of your Personal Data, please contact us. Your request will be dealt with as quickly as possible and, in any event, we will respond within a month. If at that stage we are unable to provide the data you require (due to the complexity or number of requests), we may extend the period to provide the data by a further two months but shall explain the reason why. There is no charge for the request for your data, but it must be made in writing or by email.
Correcting Your Personal Data
You have the right to have your Personal Data corrected if you feel we have incorrect data held on you.
Deleting Your Personal Data
Subject to any overriding legal obligation requiring us to retain it, you have the right to have your Personal Data deleted. However, erasing your information may make it difficult or impossible for us to give you information on, provide you with, or administer our financial products. If you want your information deleted, please contact us.
Restricting Our Use of Your Personal Data
You have the right to restrict our use of your Personal Data in certain circumstances. If you wish to exercise your rights in this regard please contact us.
11. Automated/Profiling Decision Making
Where we use automated decision-making or profiling you will always be informed, and you are entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward. For example:
- When we produce quotes for the business you are contacting us about.
- When we market to you by identifying clients who fit certain criteria.
- Where you have given your explicit consent, we may use AI tools to assist in the review of financial documents such as bank statements and income records as part of a mortgage application. In all cases, a qualified adviser will review AI outputs and make the final assessment and recommendation. No decision about you is made solely on the basis of automated processing. You may request that your application be assessed without the use of AI.
12. Your Right to Object & Withdraw Your Consent to Data Processing
Where our lawful basis for processing your Personal Data is based on our legitimate interests, you have the right to object. You also have the right to withdraw your consent to any processing at any time. However, if we cannot process your data, it may make it difficult, impossible or unlawful for us to give you information on, or provide you with advice on, financial products. If you want to object or withdraw your consent to processing, please contact us.
13. Obtaining and Managing Consent
This Data Privacy Notice is provided to clients at the outset of the relationship as an information obligation under the GDPR. A copy is provided to each client by email and a link to the current version is available on our website. Where we require consent for a specific processing activity (such as direct marketing), this is obtained separately, clearly, and independently of any other agreement. When clients sign a Statement of Suitability, we record that they have received the Terms of Business and this Data Privacy Notice.
14. Use of Artificial Intelligence (AI)
We use AI technology to enhance the efficiency and accuracy of our services. AI may assist in various functions, including but not limited to, the review and analysis of documents, assisting in underwriting processes, and the drafting of communications.
Ensuring Data Protection: We operate on business or enterprise subscription tiers with all AI service providers, all of which include opt-outs from the use of client data for AI training purposes. We have disabled data training across all such tools. Your personal data is not used to train or improve AI models by any of our providers. We keep our providers’ data processing terms and settings under review and will update our practices if any relevant changes are made. All AI systems are used responsibly with robust data protection measures in place. A human is always involved in overseeing AI-assisted tasks to ensure accuracy, compliance with security standards, and the protection of your personal data. If you have concerns about how your data is handled by any specific provider, please contact us.
Compliance with the EU AI Act: We are committed to complying with the EU AI Act (Regulation (EU) 2024/1689), which entered into force in August 2024. We continuously review and update our practices to ensure they meet the latest regulatory standards and best practices in AI usage and data protection.
15. Record-Keeping and Oversight of AI Systems
We maintain records of when AI tools are used in underwriting support, the outputs generated, and the human review undertaken. This ensures transparency and compliance with the EU AI Act and allows us to demonstrate appropriate human oversight of all AI-assisted processes.
16. Data Breach Notification
We follow the guidelines set by the Data Protection Commission of Ireland for handling data breaches. In the event of a data breach, we have procedures in place to:
- Identify and contain the breach quickly.
- Assess the risk to individuals and determine whether the breach is likely to result in a high risk to their rights and freedoms.
- Notify the Data Protection Commission within 72 hours of becoming aware of the breach, if required.
- Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches, regardless of whether notification is required.
17. Vulnerable Circumstances and Trusted Contact Person Data
Where we identify or you inform us that you may be in vulnerable circumstances, we will record relevant information on your client file. This processing is carried out on the basis of our legal obligations under the Consumer Protection Regulations 2025 (S.I. No. 81 of 2025) and our legitimate interest in providing appropriate care and support to clients who may require additional assistance. This information will be treated with the utmost sensitivity and will only be shared with staff who need it to provide you with appropriate service.
If you nominate a Trusted Contact Person (TCP), we will collect and record the name and contact details of your nominated TCP and their written consent to act in that role. This processing is carried out on the basis of your consent and our obligations under the Consumer Protection Regulations 2025 (S.I. No. 81 of 2025). TCP information will only be used to contact the nominated individual in the specific circumstances set out in our Terms of Business and will not be used for any other purpose. You may withdraw your consent and remove your TCP nomination at any time by notifying us in writing.
18. Your Right to Make a Complaint About Your Data
If you are dissatisfied with the way we handle your Personal Data please contact us. We will do our best to address your concerns swiftly and resolve any issues you have. You have the right to complain to the Data Protection Commission, 6 Pembroke Row, Dublin 2, D02 X963. Website: www.dataprotection.ie. E-Mail: info@dataprotection.ie