Last revised on May 19, 2026.

MOBILE APPLICATION PRIVACY NOTICE

1. Introduction

This Privacy Notice applies to the Vialto mobile application (the “Tool”) and should be read together with the Vialto Privacy Statement. In the event of any conflict between this Privacy Notice and the Vialto Privacy Statement, the terms of this Privacy Notice shall prevail.

This Privacy Notice will help you understand what Personal Data is collected through your use of the Tool, why this Personal Data is being collected, and what is being done with this Personal Data. For purposes of this Privacy Notice, “Personal Data” means information that identifies or could reasonably be used to identify an individual, including “personal data,” “personal information,” “personally identifiable information,” or an equivalent term, in each case as defined by applicable privacy laws.

For additional information that may apply to you based on the jurisdiction in which you reside, please refer to Appendix B (Jurisdiction Specific Provisions) of the Vialto Privacy Statement.

As used in this Privacy Notice, the terms “Vialto”, “us”, and “we” refer to the Vialto network and/or one or more of the entities within the Vialto network (collectively, “Vialto Entities” and each individually, a “Vialto Entity”) that may process your Personal Data. To see a list of Vialto Entities and the countries and regions in which Vialto Entities operate, please refer to the list of Vialto Entities available at www.vialto.com/about.

The “data controller(s)” of your Personal Data may be one or more of the Vialto Entities or, in some cases depending on the nature of the services being provided to you, may be your employer. For purposes of this Privacy Notice, “data controller(s)” refers to the entity (or entities) that determine the purposes and means for processing your Personal Data, or that have a similar role or status under your applicable local privacy laws and regulations (“Applicable Local Law”).

This Privacy Notice does not apply to any third-party applications, sites, tools or technologies that integrate with or are otherwise made accessible to you through the Tool (collectively, “Third Party Applications”). If you are redirected to a Third Party Application, you should review such Third Party Applications’ privacy policies (and any other relevant terms and conditions) to determine how your Personal Data will be used by such Third Party Application before sharing or allowing access to your Personal Data.

2. Our legal grounds for processing your Personal Data

Your Applicable Local Law may require us to set out in this Privacy Notice the legal grounds on which we rely in order to process your Personal Data. In such cases, we may rely on one or more of the following legal grounds (in each case, to the extent it is a valid legal ground under the Applicable Local Law):

  • our legitimate interests in the effective delivery of information and services to you and in the effective and lawful operation of our businesses and the legitimate interests of our clients in receiving professional services from us as part of running their organisation (provided these do not interfere with your rights);
  • our legitimate interests in developing and improving our businesses, services and offerings and in developing new Vialto technologies and offerings (provided these do not interfere with your rights);
  • to satisfy any requirement of law, regulation or professional body of which we are a member;
  • to perform our obligations under a contractual arrangement with you or to take steps at your request prior to entering into a contractual arrangement with you;
  • if you have consented to us processing your Personal Data for the relevant purpose. Consent will only serve as the legal basis for processing of Personal Data where (i) no other legal basis can be relied on, or (ii) where Applicable Local Law requires consent to be obtained for the processing of Personal Data for the relevant purpose to be permitted; or
  • other legal grounds for processing as defined by Applicable Local Laws.

3. Transfers and disclosures of Personal Data

Cross-border transfers

If we process your Personal Data, your Personal Data may be transferred to, accessed in (including by remote access), and/or stored outside of the country where you are located. The country(ies) to which your Personal Data is transferred or in which your Personal Data is stored may not have laws that provide specific protections for Personal Data or may not have laws that provide an equivalent level of protection for Personal Data as the Applicable Local Laws of the country in which you are located, and your Personal Data may be subject to access by the courts, law enforcement or national security authorities of such jurisdiction.

Other Vialto Entities

We may share Personal Data with other Vialto Entities where necessary in connection with the purposes described in this Privacy Notice or the Vialto Privacy Statement. For details of Vialto Entity locations, please see www.vialto.com/about.

Third Party Providers

We may transfer or disclose Personal Data that we collect to third party vendors, contractors, subcontractors, and/or their subsidiaries and affiliates, including those located in a different country than where you are located. Third parties may support the Vialto network in providing our services and help provide, run, and manage our IT systems.

Examples of third parties that we may use include, without limitation, providers of: identity management, data hosting and storage services, email hosting, website hosting and management, cookie management, SMS and email communication tools and platforms, data analysis, data backup, security services, cloud storage services, project management services, technology services consultants, customer service request management, document management, secure file transfer services, customer relationship management services and vendor management services.

Although the Tool is hosted in our Microsoft Azure environment, with the primary hosting location being the Netherlands (and backup in Ireland), the servers powering and facilitating our IT infrastructure are located in secure data centers around the world and Personal Data may be stored in any one of them.

Our third-party providers may use their own third-party subcontractors or vendors that have access to Personal Data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process Personal Data only as instructed and/or agreed in writing by Vialto, and to flow those same obligations down to their sub-processors.

Other disclosures

We may also disclose (including cross-border) Personal Data under the following circumstances:

  • to our professional advisers (such as law firms, auditors, consultants or other professional advisors) as necessary to establish, exercise or defend our legal rights, obtain advice, or as otherwise necessary or relevant in connection with the running of our business. Personal Data may be shared with these advisers as necessary in connection with the services they have been engaged and contracted to provide;
  • when explicitly requested by you;
  • where your employer has retained Vialto to provide professional services to you, we may disclose Personal Data to your employer (or any affiliate thereof if requested by your employer);
  • to law enforcement, regulatory and other government agencies and to professional bodies, as required by and/or in accordance with applicable law, regulation or our professional obligations. Vialto may also review and use your Personal Data to determine whether disclosure is required or permitted;
  • where our services are being transitioned to a new provider, to your employer to facilitate such transition or directly to such new provider; or
  • in connection with a corporate reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or capital (a “Corporate Event”), we may disclose your information to the acquiring entity or the target entity, as applicable, and to our consultants, outside counsel and other advisors assisting in such Corporate Event.

4. Our processing activities

Collection of Personal Data

Our policy is to collect only the Personal Data necessary for agreed purposes and we ask that you only share Personal Data with us where it is strictly needed for those purposes.

We may collect and process the following categories of Personal Data through the Tool:

  • Personal details (e.g., name, signature, age/date of birth, gender, country of residence);
  • Inferences drawn from other Personal Data (e.g., marital status);
  • Contact details (e.g., email address, contact number, postal address);
  • Financial details (e.g., salary and other income and investments, benefits, tax status, bank accounts, payroll records, pensions);
  • Government issued ID numbers (e.g., social security number, passport number, driver’s license number, national health ID, tax ID);
  • Alternate identifiers (e.g., non-sensitive identifiers used to identify parties, such as employee ID);
  • Travel calendar data;
  • GPS / location data to the extent enabled by you (for example, if you allow the Tool to use your device location to automatically update your calendar within the Tool for tax or other compliance purposes or to prompt you to complete certain steps required for entry into a specific country);
  • IP address, which may be used for security, technical and similar purposes and may also be used to prompt you to complete certain steps required for entry into a specific country where you have enabled this feature;
  • Job details (e.g., role, grade, experience and performance information);
  • Types of relationships (e.g., contact is a family member);
  • Technical data (e.g., log data, data collected by cookies); and
  • Images containing Personal Data (including images containing any of the foregoing Personal Data categories) through use of your mobile device camera, where you elect to enable access to your camera for such purposes.

For purposes of certain services, we may process “special” or “sensitive” categories of Personal Data. The scope of what qualifies as “special” or “sensitive” category data will be determined by Applicable Local Law, but may include, without limitation, biometric data, health data (e.g., information related to medical history, medical conditions or disabilities), financial account information, actual or alleged criminal history, trade union membership, sexual life or sexual orientation, political opinions, data revealing religious or philosophical beliefs or data revealing racial or ethnic origin.

Use of Personal Data

We use your Personal Data for the following purposes:

  • Providing professional services
    We provide a diverse range of professional services. Some of our services require us to process Personal Data to provide advice and deliverables.
  • Administering, managing and developing our businesses and services
    This includes:

    • managing our relationship with clients;
    • developing our businesses and services (such as identifying client needs and improvements in service delivery); and
    • administering and managing IT systems, websites, and applications.
  • Security, quality and risk management activities

    We have security measures in place to protect our and our clients’ information (including Personal Data), which involve detecting, investigating and resolving security threats. Personal Data may be processed as part of the security monitoring that we undertake. We also monitor the services provided to clients for quality purposes, which may involve processing Personal Data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements.

  • Complying with any requirement of law, regulation or a professional body of which we are a member
    As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations, and those records may contain Personal Data.
  • Improving and developing our services
    We are continually looking for ways to help our clients and improve our business and services. We may use information that we receive in the course of providing professional services for other lawful purposes, including (i) analysis to better understand a particular issue, industry or sector, (ii) to provide insights back to our clients, (iii) to improve our business, services, service delivery and offerings and (iv) to develop new Vialto technologies and offerings. To the extent that the information that we receive in the course of providing professional services contains Personal Data, we will de-identify or aggregate the data in connection with using such information for these purposes.

Data retention

We retain the Personal Data processed by us for as long as is considered necessary for the purpose for which it was collected. Personal Data may be held for longer periods where extended retention periods are required by law, regulation, governmental directive or professional obligations and to establish, exercise or defend our legal rights in accordance with our data retention policy.

Cookies and Beacons

We utilize cookies and other online identification technologies (such as web beacons or pixels) to provide users with an improved user experience. For more information, please see our Cookie Policy.

5. Security

We have implemented appropriate and generally accepted standards of technology and operational security designed to protect Personal Data from loss, misuse, alteration, or destruction. Only authorised persons are provided access to Personal Data, and such individuals have agreed to maintain the confidentiality of Personal Data. Although we use appropriate security measures once we have received your Personal Data, the transmission of data over the internet is never completely secure. We endeavor to protect Personal Data, but we cannot guarantee the security of data transmitted to or by us.

6. Your legal rights in relation to personal data

You may have certain rights under your Applicable Local Law in relation to the Personal Data we hold about you. Where applicable, for additional information on rights that may be available to you under your Applicable Local Law, please refer to the section of Appendix B (Jurisdiction Specific Provisions) to the Vialto Privacy Statement applicable to you.

In particular, depending on your Applicable Local Law, you may have a legal right to:

  • obtain confirmation as to whether we process Personal Data about you, receive a copy of your Personal Data and obtain certain other information about how and why we process your Personal Data;
  • request for your Personal Data to be amended or rectified where it is inaccurate (for example, if you change your address) and to have incomplete Personal Data completed;
  • request deletion of your Personal Data;
  • restrict the processing of your Personal Data;
  • object to the processing of your Personal Data;
  • data portability; and
  • withdraw consent where we process your Personal Data based on consent.

If you consider that the processing of your Personal Data infringes the law, you may have certain rights available to you under your Applicable Local Law, including but not limited to the right to lodge a complaint with the applicable data protection regulatory authority responsible for enforcement of data protection law in the country where you normally reside or work, or in the place where the alleged infringement occurred.

To exercise the rights described above, to the extent applicable to you, please submit a verifiable request to us at privacy@vialto.com.

7. Use of AI Technologies

We may use artificial intelligence (“AI”) technology including (without limitation) large language models (LLMs), machine learning (ML) and generative AI (collectively, “AI Technologies”) (i) to improve and enhance our services, tools and offerings, (ii) to provide insights to our clients, (iii) for content generation for marketing, (iv) for Vialto product development and research, (v) for time-saving and reduction of administrative tasks, or (vi) for other legitimate activities. Any such use of AI Technologies shall adhere to and be in accordance with applicable laws and regulations regarding the use of such AI Technologies.

8. Changes to this Privacy Notice

We may update this Privacy Notice at any time by publishing an updated version in the Tool. To make you aware of when changes to this Privacy Notice were made, we will amend the revision date listed at the start of this Privacy Notice. The new modified or amended Privacy Notice will apply from that revision date. Therefore, we encourage you to review this Privacy Notice periodically to be informed about how we are protecting your information.

9. Contact us

  • Please submit requests (including requests to exercise the rights set forth under Section 6 of this Privacy Notice) or enquiries about your personal data to: privacy@vialto.com.
  • Depending on the jurisdiction in which you reside, you may also submit enquiries about your personal data to our Data Protection Officer (DPO) (or individual or entity serving in a similar role). Please refer to Appendix C (Data Protection Officer Details) to the Vialto Privacy Statement for additional details regarding the jurisdictions in which we leverage a DPO (or similar role).