Privacy Notice

About processing of personal data

A significant part of our mission here in Lunar is to be transparent about our business operations, including how we process personal information about you. We are therefore very focused on our obligations to protect your rights according to the data protection regulation (that consists of among other the General Data Protection Regulation also known as the GDPR and supplementary national regulation). In the following sections, you can read more about which information we collect about you, for what purposes, how we store and share it, and what rights you - as a data subject - can assert.

We also use AI tools in our case handling and customer service. You can read more about this in sections 5, 6, 7, 8, 9 and 11 below.

About ShareIt users

This notice also applies to the users of ShareIt. Each section below has been elaborated with information relevant to the specific use of ShareIt. ShareIt is developed by Lunar Way A/S, which is part of Lunar Group A/S, which also owns Lunar Bank A/S. You do not need to be a Lunar Bank customer to be a user of ShareIt.

Version: 7 April 2026

Table of contents

1. More about the application and use of cookies

2. Data protection officer (DPO)

3. Data controller

4. Who is covered by this privacy notice?

5. Why and on what legal basis do we process personal data about you?

To comply with legal requirements

To fulfil an agreement with you

For the purpose of our own legitimate interests

About recording of telephone conversations and storing chat conversations

About video surveillance

Specifically about the use of AI tools (Claude Enterprise)

6. Types of information we process about you

7. Who do we share your personal data with, and where do we collect it from?

8. Do we transfer your personal data to third countries?

9. Automatic decision making

10. For how long a period of time do we process information about you?

11. Your rights as a data subject

Right of access

Right to rectification

Right to erasure

Right to restriction of processing

Right to data portability

Right to object

Right to human review (Article 22)

12. Changes to this policy

13. Complaints or questions about the processing of personal data

1. More about the application and use of cookies

You can read more about our application and use of cookies on our website by accessing this link.

2. Data protection officer (DPO)

If you have any questions or complaints about our processing of personal data or this policy, please contact our DPO at dpo@lunar.app.

3. Data controller

Lunar Bank A/S ("we", "us", "our"), CVR (company number) 39697696 with headquarters at Hack Kampmanns Plads 10, 8000 Aarhus C is the data controller for the processing of your personal data, even if you are only a ShareIt user.

4. Who is covered by this privacy notice?

When we refer to "you" in this policy, we mean you as our private customer, owner of an individually owned company, beneficial owners with an ownership interest of more than 25% in other types of companies than individually owned companies, an employee of our customer, a recipient of payments from Lunar Bank and a sender of payments to a Lunar Bank customer. However, you may also be another relevant party such as an authorised representative, beneficiary, guarantor, shareholder or related party.

We also mean you as a user of ShareIt.

5. Why and on what legal basis do we process personal data about you?

In short, we process personal data about you for several purposes and on several different legal grounds, which are described in the following sections below:

To comply with legal requirements

First and foremost, as a bank and financial services provider, we are subject to a number of legal regulations that determine how and what personal data must be processed, including how long it must be stored. We are therefore subjected to legal obligations that include:

Know your customer requirements
In connection with the onboarding of business customers, we may perform a credit assessment of the company. In the onboarding of sole proprietorships, we may perform credit assessments of the company and the company owner. The purpose of the credit assessment of business customers is to meet our "Know Your Customer" requirements in accordance with anti-money laundering legislation.
Prevention of money laundering and terrorist financing
Sanctions screening
Bookkeeping
Reporting to law enforcement authorities such as: police, tax and regulatory authorities in all the three respective Scandinavian countries
Credit-, risk-, solvency and risk management hereunder assessment
Credit worthiness assessment
Fraud monitoring and reporting

The processing of personal data is carried out in accordance with Article 6(1)(c) of the GDPR, cf. the above-mentioned respective legal obligations.

To fulfil an agreement with you

We also process personal data about you so that we - as a provider of a specific service or product - can fulfil our contractual agreement with you. This need includes the following processing activities:

Internal documentation of completed tasks or requests
Delivery and administration of our services and products, including cooperation with our partners
Customer care and assistance
Establishment of users and user profiles in Lunar Bank App and ShareIt App
Opening of account(s) and issuing of payment cards
Verification of your identity as a customer

The processing of personal data takes place in accordance with Article 6(1)(b) of the GDPR.

For the purpose of our own legitimate interests

We also need to process information about you for the purposes of our own legitimate interests, which include:

Establishing and defending legal claims
Profiling of transactions for the purpose of detecting possible fraud
Protection and development of our business and systems
Marketing, product and customer analysis
Credit assessment

The processing of personal data takes place in accordance with Article 6(1)(f) of the GDPR and only as long as our legitimate interests do not override your interests or fundamental freedoms.

Consent

Prior to processing data about you in the following situations, we will ask for your consent pursuant to Article 6(1)(a) (and if applicable according to Article 9(2)(a)) of the GDPR:

Processing of data in connection with payment transactions
Processing of payment data containing sensitive personal data as defined in Article 9(1) in connection with a single payment or the establishment of a payment service agreement
Sending direct marketing by email
Recording of telephone conversations for internal learning and development purposes

The given consent can always be withdrawn (in the Lunar Bank App), but does not affect the conducted processing prior to the withdrawal of consent.

Sensitive personal data as defined in Article 9(1) of the GDPR that derives from your transactional history or your Lunar account(s) is also processed on the ground of your consent in accordance with Article 6(1)(a) and Article 9(2)(a) of the GDPR.

About recording of telephone conversations

We record telephone conversations with you in order for us to document and execute on the following:

implementing know-your-customer procedures (processing of personal data takes place in accordance with Article 6(1)(c) of the GDPR)
preventing/managing fraud and fraud attempts (processing of personal data takes place in accordance with Article 6(1)(c) of the GDPR)
documenting entered agreements with you (processing of personal data takes place in accordance with Article 6(1)(f) of the GDPR and only as long as our legitimate interests do not override your interests or fundamental freedoms)
welcoming you as a Lunar Bank customer (processing of personal data takes place in accordance with Article 6(1)(f) of the GDPR and only as long as our legitimate interests do not override your interests or fundamental freedoms)
having concrete educational and training material for our Customer Support employees (for this purpose, conversations will only be recorded if you consent to this in accordance with Article 6(1)(a) of the GDPR)

About video surveillance

For security and crime prevention reasons, our office buildings are monitored by video surveillance.

Specifically about the use of AI tools (Claude Enterprise)

Lunar uses an AI tool (Claude Enterprise, provided by Anthropic) as a work aid for our employees in connection with case handling, customer service and compliance tasks. The processing of personal data takes place in accordance with Article 6(1)(f) (legitimate interests). We have a legitimate interest in using efficient AI work tools to improve the quality and speed of case handling, customer service and compliance tasks.

The use of AI assistance does not change the legal basis for the processing of your personal data otherwise. The relevant processing purposes and legal bases are:

AI-assisted customer service and complaint handling

Our employees may use Claude to draft responses to your enquiries, summarise case history or analyse documentation in connection with your case — in order to handle your case more efficiently and accurately.

Claude does not replace our employees. All responses to enquiries, complaint outcomes and account decisions are reviewed and approved by a Lunar employee before being communicated to you.

The processing of personal data for the purpose of handling your enquiry takes place in accordance with Article 6(1)(b) of the GDPR, as also stated above.

AI-assisted anti-money laundering and KYC processing

In connection with anti-money laundering (AML), know-your-customer (KYC), sanctions screening and prevention of financial crime, our employees may use Claude to help process case information, structure analyses and prepare documentation.

The processing of personal data takes place in accordance with Article 6(1)(c) (legal obligation) of the GDPR, pursuant to applicable anti-money laundering legislation and EU AML Directives.

Your national identification number is processed in accordance with applicable national data protection legislation governing national identification numbers, pursuant to anti-money laundering identification requirements.

Where data concerning criminal offences is involved, the processing is based on Article 10 of the GDPR and applicable national data protection legislation.

AI-assisted credit assessment support

For business customers and sole proprietorships, Claude may be used by our employees to help organise or summarise information in connection with credit assessments, and the tool is used solely as decision support. Human review is mandatory before any credit decision is communicated to you, and the processing does not replace the primary credit assessment process.

The processing of personal data takes place in accordance with Article 6(1)(b) (fulfilment of contract), Article 6(1)(c) (legal obligation) pursuant to applicable consumer credit legislation, and Article 6(1)(f) (legitimate interests) — our legitimate interest in protecting our interests when lending.

Administrative assistance and internal support

Our employees use Claude Enterprise for internal administrative tasks such as drafting emails, meeting summaries, translation and internal Q&A. This activity is primarily internally focused and does not in principle affect your personal data. In cases where you are a party to an internal communication (e.g. as a counterpart in an enquiry), data about you may however be included.

The processing of personal data takes place in accordance with Article 6(1)(f) (legitimate interests) — our legitimate interest in internal efficiency.

6. Types of information we process about you

For the above mentioned purposes, we process different types of data about you. In certain situations, we may also need to process data about persons related to you, such as your representatives, guarantors, payers, employees, etc.

The list of types of data is not exhaustive, as the type of data we collect depends on the type of service or product we need to provide:

Identification information: social security number, full name, copy of passport/driver's license, IP address, verification relevant to Lunar Bank App
Contact information: Residential address, phone number and email address
Personal: Citizenship, marital status and employment
Financial information (does not apply to just ShareIt users): Information about income, accounts, assets, debt and transaction history, purpose of using Lunar Bank, historical information about the customer relationship with Lunar Bank and country of taxation, purchase/registration for products/services offered in cooperation with Lunar Bank's partners
Use of Lunar Bank App: time and duration of use of the application including selected windows
Use of ShareIt App: time and duration of use of the application including selected windows

Special categories of personal data

We note that the subscriptions and other payment agreements that you may link to your Lunar Bank account may relate to matters that may be covered by the concept of "special categories of personal data" in Article 9 of the GDPR (e.g. trade union membership, health information, political orientation, etc.).

Specifically about information processed via AI tools

In cases where our employees use Claude Enterprise in connection with your case, relevant information from the case may be included in the information provided to the AI system. The specific data types depend on the purpose of use:

General case handling: Name, contact details, case number and case content.
AML/KYC and compliance cases: Identification information, including national identification number (processed pursuant to applicable national data protection legislation and anti-money laundering identification requirements), as well as PEP/sanctions status and AML case description. Full transaction histories are not part of AI prompts.
Credit assessment cases: Relevant financial indicators in connection with the assessment in question.

The following types of data are not processed in the AI system:

Payment data; i.e. personally identifiable information about where you have used a payment service and what was purchased.
Special categories of personal data (health, religion, political beliefs, trade union membership, etc.).

7. Who do we share your personal data with, and where do we collect it from?

We disclose information about you if:

we are required to do so by law to which we are subjected,
we have a legitimate interest and as long as it does not override your interests or fundamental freedoms, and/or
it is necessary for us to fulfil the agreement we have entered into with you.

Where, as a result of one or more of the above circumstances, it is necessary to disclose information about you, the disclosure is made to the following categories of recipients:

Public authorities in either Denmark, Sweden or Norway (e.g. tax, police, law enforcement and supervisory authorities)
External business partners (e.g. other banks, credit agencies, correspondent banks, finance companies)
External suppliers of e.g. IT development, hosting, support and maintenance
Anthropic Ireland Limited (AI provider — see below)

In addition to collecting information directly from you, we also collect personal data from third parties such as publicly available and other external sources. This collection is necessary for us to offer you our products, services, process correct information about you and fulfil the legal obligations to which we are subject.

Third parties from which we collect personal data may be, for example:

Public registers (e.g. population registers, tax registers, business registers and other law enforcement agencies' registers)
Economic sanction lists (e.g. within national and international organisations such as the EU and UN)
Registers of credit rating agencies and other commercial providers of information on e.g. beneficial owners
Money transfer services, merchants, banks and others in relation to payments

Specifically about Anthropic Ireland Limited as data processor

When one of our employees uses Claude Enterprise in connection with your case, relevant case information is transmitted to Anthropic Ireland Limited, 1 Windmill Lane, Dublin 2, Ireland, which operates the Claude Enterprise service for Lunar. Anthropic processes your personal data solely as a data processor — on our instructions and under a data processing agreement in accordance with Article 28 of the GDPR.

Anthropic does not use your personal data to train AI models. Data processed via the Enterprise service is not used for model improvement.

We have entered into a data processing agreement (DPA) with Anthropic in accordance with Article 28 of the GDPR.

Anthropic Ireland Limited uses sub-processors to provide the Claude service, primarily for cloud infrastructure. A current list of Anthropic's sub-processors is available at trust.anthropic.com/subprocessors. We receive advance notice of changes to sub-processors and may raise objections to their use.

8. Do we transfer your personal data to third countries?

In certain specific cases - as part of our use of a data processor or sub-processor - information about you is transferred to a third country. Such transfers are only carried out in the following cases:

The EU Commission has determined that the country in question has an adequate level of protection.
The EU Commission's Standard Contractual Clauses 2021 have been entered and additional security measures have been implemented.
The applied data processor's processing activity is certified under the EU-US Data Privacy Framework that has been adopted in 2023.

You can find the current EU Standard Contractual Clauses by clicking here.

In connection with our use of the AI tool Claude Enterprise, information about you is transferred to the USA. Anthropic Ireland Limited uses infrastructure operated by Anthropic PBC in the USA, and your personal data may therefore be transferred there as part of AI-assisted case handling.

The transfer takes place on the basis of the EU's Standard Contractual Clauses (SCC), Module 2 (controller to processor). We have implemented supplementary security measures including encryption during transfer and storage, data segregation and a contractual obligation for Anthropic to challenge unauthorised governmental requests for data access.

You can request a copy of the Standard Contractual Clauses by contacting dpo@lunar.app.

9. Automatic decision making

In certain situations - like in order to make our customer management more efficient and thus improve your customer experience - Lunar Bank will make decisions based on automatic processing, including profiling. This happens especially in relation to ongoing customer due diligence and offboarding you as a customer.

All automated decisions concerning credit assessments and loan applications that result in a rejection will however always be reviewed by a Lunar Bank employee.

Specifically about AI-assisted case handling

Claude Enterprise is used as a work aid for our employees — not as an autonomous decision-making system. A qualified Lunar employee always reviews and approves any decision or communication that has legal effect or other material significance for you. Claude does not have the authority to make binding decisions concerning you.

Lunar will upon request inform you whether Claude has been involved in the handling of your case. You can also read about your rights in connection with AI-assisted processing in section 11.

10. For how long a period of time do we process information about you?

We retain information about you for as long as:

the rules we are subjected to require retention for a certain period of time (e.g. accounting rules or prevention of money laundering and terrorist financing),
retention is necessary for the purposes for which we have collected and processed the data (e.g. to fulfil our contract with you), or
you have not withdrawn your consent to the processing of data.

The deadlines for erasing data, that we must oblige to, are not only different across borders but also among themselves depending on the purpose with the processing.

11. Your rights as a data subject

According to the GDPR you as the data subject have the following rights you can exercise by contacting us. Your request will always be assessed as soon as possible and specifically based on the circumstances.

Right of access

You have the right to access the personal data we process about you. This means that you have the right to receive a copy of the data we process about you. Furthermore, you have the right to receive specific information about the processing to which the data is subjected. However, your right of access may be limited by law, protection of other people's privacy and considerations of protection of our business concept, trade secrets and know-how.

Right to rectification

If any information about you is incorrect or incomplete, you have the right to have it corrected and/or updated.

Right to erasure ("right to be forgotten")

You have the right to request the erasure of your data in the following cases, as set out in the GDPR:

You withdraw the consent you have given for the processing of personal data.
Information about you is no longer necessary to fulfil the purpose for which it was collected or otherwise processed.
You object to the processing and the processing does not serve legitimate grounds.
Information about you has been processed unlawfully.
The processing concerns minors and the data has been collected in connection with the provision of information services.
You object to the processing of data in direct marketing and the processing is unlawful.

Right to restriction of processing

If you believe that the processing of data about you is unlawful or that the data is incorrect, or you have objected to the processing of the data, you can ask us to restrict the processing of that data. The restriction may then include retention until the accuracy of the data is established, or we demonstrate that we have a legitimate interest in processing personal data that overrides your interests.

Right to data portability

You have the right to request to receive information about you in a machine-readable format. This right only applies to personal data that is processed automatically and where valid consent has been given or for the purpose of fulfilling a contract.

Right to object

Where we process personal data about you on the basis of legitimate interests (Article 6(1)(f)) — including in connection with AI-assisted customer service and complaint handling — you have the right to object to the processing on grounds relating to your particular situation. Contact dpo@lunar.app.

Right to human review (Article 22)

Where decisions are based on automated processing, or AI output has formed the basis for a material decision about you, you have the right to:

Human review: you may request that the decision be reviewed by a qualified Lunar employee.
To present your point of view: you may provide additional context or information relevant to the decision.
To contest the decision: you may contest an outcome that you believe is incorrect or unfair.

Contact our customer service via the Lunar app or our DPO at dpo@lunar.app to exercise these rights.

Claude Enterprise is used as a work aid for our employees — not as an autonomous decision-making system. A qualified Lunar employee always reviews and approves any decision or communication that has legal effect or other material significance for you. Claude does not have the authority to make binding decisions concerning you.

12. Changes to this policy

As with everything else in our business, we are constantly improving and developing. We may therefore change this data processing policy from time to time.

The current information is updated with effect from 7 April 2026.

13. Complaints or questions about the processing of personal data

If you are dissatisfied with this policy or our processing of personal data, then you are welcome to contact our Data Protection Officer (DPO) at dpo@lunar.app.

If you wish to complain about the processing of your personal data, you can contact the supervisory authority in your country of residence:

Denmark:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Telefon: 33 19 32 00
E-mail: dt@datatilsynet.dk

Sweden:

Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm
Telefon: 08-657 61 00
E-post: imy@imy.se
www.imy.se

Norway:

Datatilsynet
Postboks 458 Sentrum
0105 Oslo
Telefon: 22 39 69 00
E-post: postkasse@datatilsynet.no
www.datatilsynet.no

Lunar Bank A/S, Hack Kampmanns Plads 10 DK-8000 Aarhus C, CVR nr. 39697696

Lunar Bank A/S, Hack Kampmanns Plads 10 DK-8000 Aarhus C, CVR nr. 39697696