
Zurich International Pensions Administration Limited Privacy Notice
This Privacy Notice explains how Zurich International Pensions Administration Limited, as data controller, manages your personal data. It describes what personal data we collect, how we handle it, why we need it and who we share it with.
Zurich International Pensions Administration Limited
- 1. Who we are
- 2. The information we need
- 3. Using your personal data
- 4. How do we transfer personal data to other countries outside the Isle of Man/European Union?
- 5. How long do we keep your personal data?
- 6. What happens if you fail to provide personal data?
- 7. Who do we share your personal data with?
- 8. What Data Protection rights do you have?
- 9. Contact Details
- 10. General comments
We are Zurich International Pensions Administration Limited (referred to as ‘ZIPAL’ or ‘We’), a company incorporated under the laws of the Isle of Man with registered number 132210C whose registered office is at Zurich House, Isle of Man Business Park, Douglas, Isle of Man IM2 2QZ.
ZIPAL is registered by the Isle of Man Financial Services Authority as a Scheme Administrator pursuant to Section 45 of the Retirement Benefits Schemes Act 2000. It is a wholly owned subsidiary of Zurich International Life Limited and has been established to undertake trustee and scheme administration duties in respect of the Zurich International Personal Pension Scheme. ZIPAL acts as the Professional Scheme Administrator and corporate trustee to the Zurich International Personal Pension Scheme.
Our website is www.zurichinternational.com
ZIPAL is a member of the global Zurich Insurance Group and is ultimately owned by Zurich Insurance Company Ltd, a company incorporated in Switzerland.
Their website is www.zurich.com
In this notice, ‘personal data’ (also known as ‘personal information’ in some jurisdictions) refers to any information relating to an identifiable individual.
How We Collect Your Data
During the course of our business activities, we will need to collect, store, and process your personal data. This may be collected in a number of ways, including:
- Directly from you (e.g. application forms, phone calls, emails, websites, online portals, and applications).
- From third parties (e.g. your employer, appointed financial advisor, intermediary, other pension providers or trustees, His Majesty’s Revenue and Customs (HMRC) and the Isle of Man Income Tax Division).
- From public sources, credit reference agencies, electronic service providers, or regulatory bodies.
If you provide information on another individual to us, you must first ensure that you have the authority and appropriate legal basis to do so. If we are provided with personal data on other individuals, e.g. where we are instructed to appoint a beneficiary to your pension, please ensure that they are made aware of this Privacy Notice before you provide their information to us.
Please ensure that any data you give us or ask third parties to provide to us is up to date, accurate, and complete in all respects. Kindly inform us about any changes as soon as reasonably possible.
What Personal Data We Collect
Different types of personal data are required when carrying out our business activities. This includes identity data, contact details, financial information, pension and taxation information, and where necessary, special category data such as health information. Further details on the types of data that we collect are listed below:
1. Personal Identification Information
These are data elements that can directly or indirectly identify you such as full name, date of birth, nationality, residential address, contact email address, IP address, contact telephone numbers and tax identification numbers.
2. Special Categories of Information
These are special categories of personal data that require higher protection such as biometric information, genetic information, racial or ethnic information, health information, medical history, and body mass index (BMI).
3. Financial Information
Includes data related to financial accounts and transactions such as bank account information, International Bank Account Number (IBAN), transaction history, pension details, payment number, salary, and other income information.
4. Background Information
Screening information - such as applicable sanctions or convictions and whether you are a Politically Exposed Person (PEP).
5. Business Information
Includes identifiers and data related to business operations and third parties such as Zurich business identifiers, interested parties’ information, policy number, claim number, and financial advisor information.
Lawful Basis
In order to process personal data lawfully, ZIPAL must ensure that there is a lawful basis for each purpose of processing. The following lawful bases as prescribed in data protection legislation apply to the processing of personal data by ZIPAL depending on circumstances and context of the processing.
- Performance of your pension contract – activities relating to setting up and administering your pension, allocating contributions, processing pension transfers, provision of benefit statements and handling of pension benefit payments and tax payments and reporting for these payments.
- Legal Obligation – to abide by relevant legal obligations.
- Consent – where you are informed of an activity and your consent is received.
- Legitimate Interest – for our legitimate interests but only when those interests do not outweigh your rights and freedoms. Examples of the legitimate interests that apply to the processing of your data are as follows:
  - to administer our website and for internal operations including management of IT risk through troubleshooting, data analysis, testing, research, and statistical review
  - to improve and develop our business, products, and services, e.g. to ensure the accuracy of customer data and to develop our pricing and risk methods and models
  - to help us better understand you, to answer queries and obtain feedback on the service we provide to you including surveys and the use of analytics
  - to prevent, detect and investigate fraud and deal with legal claims and complaints
  - to carry out market research and product development, including surveys, which can include creating customer demographics and/or profiling
  - to facilitate the purchase, sale, transfer, or disposal of any part of our business
- Public Interest – in limited circumstances, processing personal data in the public interest, such as processing of special category data for the following:
  - Preventing and detecting unlawful acts.
  - Protecting the public against dishonesty.
  - Preventing fraud.
  - Suspicion of terrorist financing or money laundering.
Processing of sensitive ‘Special Category’ data.
Additional safeguards are applied when we collect and use Special Category data. We ensure that there is a valid legal basis for processing this information, which is typically your explicit consent or another condition permitted under Data Protection legislation.
Purposes of Processing
We collect your personal data to provide you with our products, to market our products, to transact business, and to develop or enhance our online service.
Details on the purposes for processing your data and primary associated lawful bases are listed below:
| Purpose | Legal Basis |
| --- | --- |
| Performance of your pension activities relating to setting up and administering your pension, allocating contributions, processing pension transfers, provision of benefit statements and handling of pension benefit payments and tax payments and reporting for these payments. | Performance of Contract |
| Identity Verification: To verify your identity, beneficiaries, and other relevant parties, including the use of online verification services and biometrics. | Legal Obligation, Performance of Contract and Explicit Consent |
| Payments and Financial Transactions: To make and receive payments related to your pension and processing pension transfers in and out with your other pension providers. | Performance of Contract |
| Fraud Prevention: To prevent, detect, and investigate fraud. | Legal Obligation and Legitimate Interests |
| Risk Management: To perform risk assessments and screening as required by law. | Legal Obligation |
| Regulatory and Legal Compliance: To comply with applicable laws and regulations, including in relation to Anti-Money Laundering (AML)/Countering the Financing of Terrorism (CFT), financial sanctions, tax reporting obligations (Common Reporting Standard (CRS)/Foreign Account Tax Compliance Act (FATCA)), and regulatory reporting requirements. This includes complying with requests to provide data including personal data to our regulators and tax authorities, which may be on an ad hoc or regular basis. | Legal Obligation |
| Special Categories of Personal Data: Occasionally for some benefit requests we may ask you to provide your health information. | Explicit Consent |
| Legal Claims and Complaints: To manage and resolve legal claims, disputes, and complaints. | Legal Obligation, Performance of Contract and Legitimate Interests |
Websites, applications, email, and online portals
When you visit one of our websites, applications, and/or online portals, we may collect information from you such as your email address or IP address. This helps us to track unique visits and monitor patterns of customer website traffic, such as who visits and why they visit.
We use cookies and/or pixel tags on some pages of our websites and applications. A cookie is a small text file sent to your computer. A pixel tag is an invisible tag placed on certain pages of our website but not on your computer. Pixel tags usually work together with cookies to assist us to provide you with a more tailored service. This allows us to monitor and improve our email communications and website. Choices over the use of cookies and pixel tags will be provided to you as applicable within the website/application.
Useful information about cookies, including how to remove them, can be found in our Cookies Policy at www.zurichinternational.com/im/legal/cookies
Data Security
We implement technical and organisational measures to protect your data against loss, misuse, or unauthorised access through strict security measures and robust governance.
We limit data access to only authorised employees and trusted third parties who must adhere to ZIPAL’s data protection standards. Comprehensive controls—including encryption, regular audits, and continuous monitoring—are in place to safeguard data against unauthorized access, loss, or misuse. ZIPAL also requires third parties to maintain equivalent security standards, to protect personal data throughout its lifecycle. Our commitment to transparency and accountability underpins all data handling practices.
Further details on how ZIPAL protects personal data can be found at www.zurich.com/sustainability/governance-and-positions/data-privacy-and-protection
Given the global nature of our business, we may transfer personal data to other countries. Where we transfer personal data to countries that are outside of the Isle of Man and/or the European Union (EU) we will ensure that it is protected and that the transfer is lawful. We will do this by ensuring that there is either an adequacy decision relating to the safeguards for personal data from the European Commission, or that the personal data is given adequate safeguards by using ‘standard contractual clauses’ which have been adopted or approved by the Isle of Man and the EU, or other solutions that are in line with the requirements of applicable data protection laws.
Requests for a copy of the template used for the ‘standard contractual clauses’ can be made by contacting our Data Protection Officer (see ‘Contact Details’ section below).
We will keep and process your personal data for as long as necessary to meet the purpose it was originally collected for. This includes if you or your appointed financial advisor or intermediary request an illustration from us but you do not proceed with an application.
There are a number of factors influencing how long we will keep this information including:
- Complying with applicable laws and regulations or with requirements of regulatory authorities or professional bodies.
- Performing our business processes associated with the type of product or service you have requested.
- Whether your information relates to any ongoing, pending, threatened, imminent or likely dispute, litigation, or investigation.
- To enable us to respond to any questions, complaints, claims, or potential claims.
- If you or a regulatory authority require us to keep your information for a legitimate purpose.
- To prevent and detect fraud.
- Obligations to comply with any court order.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. This anonymised data may be used for research or analytical purposes.
We are required to collect and process certain personal data such as your contact details, identity information, and, where applicable, health information. This is necessary to provide you with our products and services and to fulfil our legal and regulatory obligations.
If you choose not to provide the required personal or health information, we may be unable to offer you our services.
Where necessary, we may share the personal data provided to us with the types of recipients described below:
- Zurich Insurance Group or any of its affiliated companies.
- Your employer, appointed intermediary, financial advisors, legal representative.
- Your other pension provider(s) for transfers in or out.
- Regulators, government, and tax authorities (HMRC and Isle of Man Income Tax Division).
- IT and service providers including services such as policy administration, electronic ID verification and biometric checks, screening, website and application analytics and underwriting assessment.
- Healthcare professionals, social and welfare organisations.
- Other companies when required for a proposed or actual sale, reorganisation, transfer, financial arrangement, asset disposal, or other transaction related to our business and/or assets held by our business.
- Auditors, suppliers, and service providers, such as those who will process benefit payments.
- Survey and research organisations.
- Regulatory and legal bodies, law enforcement bodies, including investigators.
All individuals have the following rights under data protection laws, namely:
- To access your personal data (by way of a subject access request).
- To have personal data rectified if it is inaccurate or incomplete.
- In certain circumstances, to have personal data deleted or removed.
- In certain circumstances, to restrict the processing of personal data.
- A right of data portability, namely, to obtain and reuse personal data for related purposes across different services.
- To object to the processing of personal data.
- If we are processing personal data with consent, consent may be withdrawn at any time (the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal).
These rights may be exercised by contacting our Data Protection Officer (see ‘Contact Details’ section below).
In the above circumstances, we may need to request specific information from you to help us confirm your identity and ensure your right to access the personal data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Data Protection Officer (DPO) contact details:
Data Protection Officer, Zurich International Pensions Administration Limited, Zurich House, Isle of Man Business Park, Douglas, Isle of Man, IM2 2QZ.
Email: ZIPALPrivacy@Zurich.com
The Isle of Man Information Commissioner’s Office (ICO) contact details:
The ICO can be contacted regarding the processing of personal data or dissatisfaction with our handling of any request in relation to any data protection rights. Escalation can be made directly with the Isle of Man Information Commissioner’s Office.
First Floor, Prospect House, Prospect Hill, Douglas, Isle of Man, IM1 1ET.
Email: ask@inforights.im
This Privacy Notice is dated January 2026.
We may make changes to this Privacy Notice from time to time, for example, as the result of government regulation, new technologies, changes to our business operations, or developments in data protection law or privacy generally. You can request a copy of the most up-to-date privacy notice at any time by contacting us using the details above.
We may also supplement this Privacy Notice with other Data Protection & Privacy Notices and Statements where appropriate. If ZIPAL introduces you to a company outside the group, that company should provide its own privacy notice, explaining how your personal data will be used.
Our websites, applications and online portals may contain links to other sites. We are not responsible for the content or privacy practices of such other sites. You should ensure you read the privacy notices of any other site that collects personal data when you leave our domain. Your data protection and privacy rights under these third-party platforms will be governed by their respective privacy practices.