Cookies Policy

This Cookies Policy (the “Policy”) is issued by ARP Digital Bahrain B.S.C. (c), Commercial Registration No. 157134, Licensed as Capital Market-Crypto Assets Service Provider (Cat3) and regulated by the Central Bank of Bahrain under licence reference OG/438/2023 (“ARP Digital,” “we,” “us,” or “our”).

This Policy explains how ARP Digital uses cookies and similar technologies on our websites, platforms, and digital services (collectively, the “Sites”). It describes the categories of cookies we deploy, the purposes for which we use them, the third parties involved, and the rights available to you to control how your personal data is processed through these technologies.

ARP Digital is committed to protecting personal data and to complying with all applicable data protection and privacy laws. Where the legal frameworks governing our activities impose differing or overlapping requirements, ARP Digital applies the stricter standard in favour of the data subject.

This Policy applies to all visitors to and users of the Sites, including prospective clients, existing clients, counterparties, and members of the public.

This Policy does not apply to:

• Third-party websites or applications accessed through links from the Sites, which are governed by their own privacy and cookie policies;
• Offline processing of personal data by ARP Digital, which is governed by the ARP Digital Privacy Notice; or
• Internal processing of employee and contractor personal data, which is governed by the Human Resources Privacy Notice.

This Policy should be read together with the ARP Digital Privacy Notice and the Terms of Use of the Sites.

Cookies are small text files placed on your device (computer, tablet, or mobile) when you visit a website. They enable the website to recognise your device, remember information about your visit, and provide functionality tailored to you.

Cookies may be classified as:

• First-party cookies - set directly by ARP Digital.
• Third-party cookies - set by external service providers engaged by ARP Digital.
• Session cookies - temporary cookies deleted when you close your browser.
• Persistent cookies - cookies that remain on your device for a defined retention period.

ARP Digital also uses technologies that operate in a manner similar to cookies, including pixels, tags, web beacons, local storage, and software development kit (SDK) identifiers. References to “cookies” in this Policy include these similar technologies.

This Policy is issued in compliance with the following frameworks:

• Kingdom of Bahrain - Personal Data Protection Law No. (30) of 2018 and Ministerial Order No. (48) of 2022 regarding Data Subject Rights.
• European Union (where processing is subject to EU law) - Regulation (EU) 2016/679 (the General Data Protection Regulation, the “GDPR”) and Directive 2002/58/EC as amended (the “ePrivacy Directive”).

Where the requirements of Bahraini and European law differ, ARP Digital applies the higher standard of protection. In particular:

• Explicit, prior, and informed consent is obtained before any non-essential cookie is placed on your device.
• ARP Digital does not operate a “cookie wall”: access to the Sites is not conditional upon the acceptance of non-essential cookies.
• Consent can be withdrawn at any time, free of charge, and through the same mechanism by which it was given.

Detailed regulatory references are set out in Annex A.

ARP Digital groups cookies into four categories.

5.1 Strictly Necessary Cookies

Required for the Sites to function. They enable core features such as secure log-in, session management, cross-site request forgery (CSRF) protection, load balancing, security, and recording of your consent preferences. These cookies are placed without consent because the Sites cannot operate without them. They do not collect information used for marketing.

5.2 Functional Cookies

Enable enhanced functionality, such as remembering your language, region, or display preferences. Functional cookies are deployed only with your prior consent.

5.3 Analytics and Performance Cookies

Collect aggregated and, where possible, anonymised information about how visitors use the Sites (pages visited, time spent, navigation paths, errors encountered). This allows ARP Digital to improve performance and user experience. Analytics cookies are deployed only with your prior consent.

5.4 Marketing and Advertising Cookies

Used to measure the effectiveness of ARP Digital’s marketing activities, deliver relevant content, and prevent repeated delivery of the same information. Marketing cookies are deployed only with your prior consent and are never used in connection with profiling that has legal or similarly significant effects on you.

The table below sets out the specific cookies currently deployed on the Sites. The inventory is reviewed and updated periodically. The up-to-date list is always available through the cookie preference centre on the Sites.

This inventory is indicative pending confirmation by ARP Digital’s IT function. Items marked [Verify] must be validated against live site deployment before publication.

ARP Digital engages the following categories of third parties whose cookies may be placed on your device:

• Security and infrastructure - Cloudflare, Inc. (web application firewall, bot management, content delivery).
• Analytics - Google LLC (Google Analytics 4).
• Marketing and advertising - LinkedIn Ireland Unlimited Company.

Each third party processes personal data in accordance with its own privacy notice. Direct links to those notices are available through the cookie preference centre on the Sites.

ARP Digital ensures that all third-party processors engaged for cookie-related processing are bound by written data processing agreements and apply appropriate technical and organisational safeguards consistent with the frameworks referenced in this Policy.

8.1 When Consent is Required

ARP Digital obtains your prior, explicit, and informed consent before placing any cookie on your device other than a Strictly Necessary cookie.

8.2 How Consent is Obtained

On your first visit to the Sites, and periodically thereafter, you will be presented with a cookie banner. The banner:

• Clearly identifies ARP Digital as the data controller;
• Describes the categories of cookies used and their purposes;
• Offers granular choices by category, with all non-essential categories set to “off” by default;
• Presents “Accept All” and “Reject All” options with equal prominence; and
• Provides access to further information and to the cookie preference centre.

8.3 No Cookie Wall

Access to the Sites is not conditioned on the acceptance of non-essential cookies. Selecting “Reject All” or dismissing the banner does not prevent you from using the Sites.

8.4 Record of Consent

ARP Digital maintains a record of consent decisions, including the date, scope of consent, and the version of this Policy in force at the time of consent. These records are retained for the period set out in Section 14.

You may manage your cookie preferences at any time through:

• The cookie preference centre accessible via the “Cookie Settings” link in the footer of the Sites.
• Your browser settings - most browsers allow you to block, delete, or restrict cookies. Please note that disabling Strictly Necessary cookies may prevent certain features of the Sites from functioning.
• Industry opt-out mechanisms for online advertising, including the Digital Advertising Alliance (aboutads.info), the Network Advertising Initiative (networkadvertising.org), and, for EU users, Your Online Choices (youronlinechoices.eu).

You may withdraw your consent to non-essential cookies at any time, free of charge, through the cookie preference centre. Withdrawal is as straightforward as giving consent. Once withdrawn, ARP Digital will cease the relevant processing without undue delay.

Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

Where ARP Digital is permitted or required by law to retain certain data following withdrawal (for example, for record-keeping, regulatory, or legal-defence purposes), that data will be retained only for the period prescribed by law and subject to appropriate security and privacy safeguards.

Subject to applicable law, you have the right to:

• Access - obtain confirmation of whether ARP Digital processes your personal data and receive a copy of that data.
• Rectification - have inaccurate or incomplete personal data corrected.
• Erasure - request deletion of your personal data where no longer necessary for the purposes for which it was collected, where consent is withdrawn and no other lawful basis applies, or as otherwise permitted by law.
• Restriction - request that processing be limited in defined circumstances.
• Objection - object to processing, including for direct marketing purposes and, where applicable, profiling.
• Data Portability - receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
• Withdraw Consent - as set out in Section 10.
• Not Be Subject to Solely Automated Decisions - as set out in Section 12.
• Lodge a Complaint - with the competent supervisory authority (see Section 19).

To exercise any of these rights, please contact the Data Protection Officer using the details in Section 18. ARP Digital will respond within the timeframes prescribed by applicable law. A request will not be refused or charged for unless it is manifestly unfounded or excessive, in which case ARP Digital will explain the basis for any such determination.

ARP Digital does not use cookies to carry out decisions based solely on automated processing that produce legal or similarly significant effects concerning you.

Where any such processing is introduced in future, ARP Digital will:

• Inform you in advance of the processing, the logic involved, and the significance and envisaged consequences;
• Provide a clear electronic mechanism enabling you to raise objections and to request human review; and
• Notify you of the outcome of any objection within a reasonable period.

Personal data collected through cookies may be transferred to and processed in jurisdictions outside the Kingdom of Bahrain, including the European Economic Area, the United Kingdom, and the United States. Where such transfers occur, ARP Digital ensures that:

• The destination jurisdiction provides an adequate level of protection as recognised under applicable law;
• Appropriate safeguards are in place (including standard contractual clauses or equivalent mechanisms); or
• The transfer is otherwise permitted under an applicable statutory derogation.

Details of active transfers and the safeguards in place are available on request from the Data Protection Officer.

Cookie-specific retention periods are set out in Section 6. Data collected through cookies is retained for no longer than is necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Consent records are retained for twenty-four (24) months from the date of the most recent consent action, or for such longer period as required by applicable law.

The Sites are not directed at persons under the age of eighteen (18). ARP Digital does not knowingly collect personal data from minors through cookies. If ARP Digital becomes aware that personal data of a minor has been collected, that data will be deleted promptly.

ARP Digital maintains appropriate technical and organisational measures to protect personal data collected through cookies against unauthorised access, alteration, disclosure, loss, or destruction. These measures are aligned with the ARP Digital Information Security Framework and are reviewed periodically.

ARP Digital may update this Policy from time to time to reflect changes in its practices, the cookies used, or applicable law. Material changes will be notified through the Sites and, where required, by requesting fresh consent. The version number and effective date appear at the beginning of this Policy.

To exercise any of the rights described in this Policy, to raise an objection, or to contact ARP Digital on any matter relating to this Policy, please contact:

ARP Digital will acknowledge your request within a reasonable period and respond within the timeframes prescribed by applicable law.

You have the right to lodge a complaint with the competent supervisory authority if you believe that ARP Digital’s processing of your personal data infringes applicable law.

• Kingdom of Bahrain - Personal Data Protection Authority (the administrative functions of which are exercised by the Ministry of Justice, Islamic Affairs and Waqf pursuant to Decree No. 78 of 2019).
• European Union - the supervisory authority in your Member State of habitual residence, place of work, or the place of the alleged infringement.

Exercising your right to lodge a complaint does not affect any other legal remedy available to you.