DATA PRIVACY NOTICE

I. INTRODUCTION

MIB Capital Corporation, formerly Multinational Investment Bancorporation, is committed to safeguarding the personal data entrusted to it by clients, partners, employees, applicants, and other stakeholders. Since its establishment in 1972, the organization has provided independent financial advisory, capital raising, valuation, and related services to corporate and institutional clients.

This Data Privacy Notice explains how personal data is collected, used, stored, shared, retained, and protected in the course of the organization’s operations. All personal data is processed in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and applicable issuances of the National Privacy Commission.

MIB Capital Corporation is the Personal Information Controller (PIC) for personal data processed under this Notice.

II. SCOPE

This Notice applies to personal data collected from or relating to:

  • Corporate clients and prospective corporate clients

  • Corporate officers, directors, and employees of organizations engaged with the company

  • Business partners, counterparties, consultants, and service providers

  • Job applicants and current/former employees, where applicable

  • Representatives of regulators and government agencies

  • Individuals who communicate or interact with the company through meetings, correspondence, inquiries, or the website

  • Visitors or persons whose information may appear in visitor or security-related records, where applicable

III. PERSONAL DATA COLLECTED

Depending on the nature of the relationship or transaction, the company may collect personal data such as:

  • Name, address, email address, mobile or telephone number, and other contact details

  • Position, title, employer, and professional or corporate affiliation

  • Identification details where legitimately required

  • Transaction-related, due diligence, KYC, or engagement-related information for corporate accounts

  • Employment, recruitment, education, and qualification records

  • Correspondence, inquiry details, and communication records

  • Information submitted through website inquiry forms, which may include name, email address, company, and message details

  • Visitor, access, or security-related information where applicable

  • Other information voluntarily provided or lawfully obtained for legitimate purposes

The company collects only personal data that is relevant, necessary, and proportionate to the lawful purpose for which it is processed.

IV. MANNER OF COLLECTION OF DATA

Personal data may be collected through lawful and legitimate channels, including:

  • Website inquiry or contact forms

  • Emails, letters, calls, and other communications

  • Meetings, business discussions, and correspondence

  • Contracts, onboarding documents, and transaction submissions

  • Due diligence requests and supporting documentation

  • Employment applications, resumes, and HR processes

  • Visitor logs, CCTV, and access-related records where applicable

  • Publicly available sources or disclosures lawfully obtained

V. PURPOSE AND USE OF PERSONAL DATA

Primary Uses

Personal data may be processed for the following primary purposes:

  • To evaluate and onboard clients or engagements

  • To provide financial advisory, valuation, capital raising, and related services

  • To prepare fairness opinions, transaction documents, reports, and analyses

  • To conduct due diligence, conflict checks, and compliance reviews

  • To administer employment, recruitment, and personnel matters

  • To manage contracts, billing, and business relationships

  • To comply with legal, tax, regulatory, and reporting obligations

Secondary / Related Uses

Where appropriate and compatible with the original purpose, personal data may also be used for:

  • Internal administration and recordkeeping

  • Audit, governance, and risk management functions

  • Security monitoring and protection of records and assets

  • Legal claims, dispute management, and enforcement of rights

  • Service improvement and operational efficiency

  • Other lawful and compatible business purposes

The company does not process personal data for purposes incompatible with the purpose for which it was collected, unless otherwise permitted or required by law.

VI. LEGAL BASIS FOR PROCESSING

Personal data is processed only where there is a lawful basis to do so. Depending on the circumstances, processing may be based on:

  • Consent, where consent is required under applicable law

  • Performance of a contract or prior to entering into a contract

  • Compliance with legal and regulatory obligations

  • Protection of legitimate interests of the company or third parties, provided these do not override the rights and freedoms of the data subject

  • Other lawful grounds recognized under applicable law

Where consent is the basis of processing, consent may be withdrawn at any time, subject to applicable legal or operational limitations. Please note that withdrawal of consent may affect your continued engagement with the Company or access to certain services, where the processing of personal data is necessary for contractual, regulatory, or operational purposes.

VII. DATA SHARING AND DISCLOSURE

Personal data may be shared or disclosed only when necessary, lawful, proportionate, and subject to appropriate safeguards.

Where applicable, data may be shared with:

  • Regulators such as the Securities and Exchange Commission and other competent authorities

  • Professional advisers including legal, tax, and audit firms

  • Financial institutions involved in transactions

  • Service providers under written data processing or confidentiality arrangements

  • Multinational Foundation, Inc., when legitimately required for related operational or philanthropic purposes

  • Other parties where disclosure is required or permitted by law

The company does not sell personal data.

VIII. DATA STORAGE / MANNER OF STORAGE

Personal data may be stored in secure and controlled environments depending on the nature of the record, including:

  • Official email systems

  • Internal shared drives and electronic repositories

  • Cloud collaboration platforms such as OneDrive / SharePoint

  • Records-managed or document management systems

  • Secure devices and authorized business systems

  • Physical files stored in secured cabinets, drawers, records rooms, or controlled storage areas

  • Off-site archival storage where applicable

Access is restricted to authorized personnel with a legitimate business need.

IX. DATA RETENTION

Personal data is retained only for as long as necessary to:

  • Fulfill the purpose for which it was collected

  • Comply with legal, tax, accounting, employment, audit, and regulatory requirements

  • Establish, exercise, or defend legal claims

  • Support legitimate operational or records governance requirements

As a general guide:

  • Client and transaction-related records may be retained for up to ten (10) years from completion, termination, or closure of the engagement, or longer where required by law or proceedings

  • Employment-related records may be retained for the duration of employment and for up to ten (10) years thereafter, subject to applicable labor, tax, accounting, and legal requirements

  • Job applicant records may be retained for up to two (2) years, unless a longer retention period is required by law or consented to

  • Website inquiry or correspondence records may be retained for up to two (2) years, unless a longer period is justified

  • CCTV or visitor records may be retained for thirty (30) days only, unless preservation is required for investigation, legal hold, incident review, security inquiry, disciplinary review, or regulatory compliance

  • Other records may be retained based on the applicable retention schedule or lawful business need

X. SECURE DISPOSAL

After the applicable retention period, records are securely disposed of, deleted, anonymized, or otherwise rendered inaccessible through appropriate means, which may include:

  • Secure deletion of electronic files

  • Shredding or destruction of physical records

  • Anonymization or masking where appropriate

  • Disposal through authorized internal or external procedures

  • Removal of unnecessary duplicate or residual copies where reasonably practicable

XI. AUTOMATED ACCESS AND SECURITY MEASURES

The company implements reasonable and appropriate technical, organizational, and physical security measures to protect personal data against unauthorized access, disclosure, alteration, destruction, misuse, or loss.

These measures may include:

  • Authorized user accounts

  • Passwords and authentication controls

  • Role-based access permissions

  • Restricted repository access

  • Secure storage of physical and electronic records

  • Confidentiality obligations of personnel

  • Internal approval and access governance procedures

  • Antivirus, endpoint, and system security controls where applicable

  • Periodic review of internal policies and procedures

XII. RISKS AND PROTECTION MEASURES

As with any processing activity, risks may arise at different stages of processing, including unauthorized access, accidental disclosure, cyber threats, data loss, over-retention, or improper disposal.

To address such risks, the company maintains technical, physical, and organizational safeguards designed to reduce risk and support secure and lawful processing.

XIII. RIGHTS OF DATA SUBJECTS

Under applicable law, data subjects have the right to:

  • Be informed about the processing of personal data

  • Access personal data

  • Request correction of inaccurate or incomplete data

  • Object to processing under certain conditions

  • Request erasure or blocking when legally justified

  • Withdraw consent where processing is based on consent

  • Request data portability, where applicable

  • Claim damages, where applicable

  • Lodge a complaint with the National Privacy Commission

XIV. CONTACT INFORMATION / DATA PROTECTION OFFICER

To exercise these rights or withdraw consent, the data subject may submit a request through the contact details provided below. The data subject should indicate the nature of the request (e.g., access, correction, or withdrawal of consent) and include their full name and relevant details for verification.

Requests shall be acknowledged, evaluated, and acted upon within seven (7) business days from receipt, where reasonably practicable, subject to verification, complexity of the request, and applicable law.

Data Protection Officer

MIB Capital Corporation

Email: llopez@mib.com.ph

Phone: +63 (2) 8817‑1511 to 13

Address: 22/F Multinational Bancorporation Centre 6805 Ayala Avenue, Makati City 1226 Philippines

XV. COOKIES

The website may use basic cookies to support website functionality, security, and user experience. Users may manage or disable cookies through browser settings, subject to possible limitations in website performance.

XVI. POLICY UPDATES

This Notice may be updated from time to time to reflect changes in law, regulation, technology, or business operations. Updated versions shall be made available through appropriate channels.

XVII. COMMITMENT

MIB Capital Corporation remains committed to handling personal data responsibly, securely, and in accordance with law as part of its professional and corporate obligations.

+63(2) 8817-1511 to 13

© 2026 MIB Capital Corporation. All rights reserved

22/F Multinational Bancorporation Centre, 6805 Ayala Avenue Makati City 1226 Philippines

mib@mib.com.ph