This Privacy Statement and Information Clause explains our practices and processes regarding the collection, use, and disclosure of certain information, including your personal information, by Truphone ("Truphone") related to using Truphone Services.

DATA CONTROLLER

The data controller (the entity that determines the purposes and means of the processing of your personal information) is Truphone Limited registered in England and Wales, Company Registration Number 04187081, Registered office: c/o Edwin Coe LLP, Lincoln's Inn, 2 Stone Buildings, London WC2A 3TH, United Kingdom, VAT No. GB 851527819.

CONTACTING US

If you have any question regarding the Services you can contact us at ask@truphone.com. If you have questions about your this Privacy Statement and Information Clause or have any questions regarding your personal data processed by Truphone you can contact Truphone’s Data Protection Officer by email at dataprotection.officer@truphone.com

At Truphone we are committed to the privacy and securing of the data we hold about you therefore please note that to protect your personal information we may need to authenticate your identity before providing any assistance.

COLLECTION OF INFORMATION

We receive your personal data from you when you register for your Truphone account and subscribe to the Services, and later, while using the Service. Information about you can be retrieved from cookies collected by Truphone and similar mechanisms for saving information on the devices of website users when possible.

In addition, we receive information about you from payment operators, i.e. entities that enable you to make online payments for services purchased from Truphone. We receive information from them about the status of your payment for the service.

If you log in to your Truphone account via another platform - verifying and authenticating you - we receive this data from entities providing such a service, i.e. Facebook, Google or Apple.

We receive and store information about you such as: your name, surname, email address, contact of physical address, payment method(s), telephone number and device id number connected to our Services. We also hold data about which of our services you have used, and when. This will include call times and lengths, SMS sent/received, network usage made, routing and durations which are known as "traffic data". We will also, for a short period of time, hold data in relation to the websites, and IP addresses that your devices have used. Under certain circumstances for regulatory purposes in some countries in order to provide the Truphone Services we may require copies of personal documentation (Passport, ID document, etc) from you which will be held by us and made available to national regulators if they so request. We may collect this information in a number of ways, including when you enter it while using our service, interact with our customer service, or participate in surveys or marketing promotions as the case may be.

COOKIES

Cookies are pieces of information that Truphone will transfer to your device's hard drive through your browser to enable Truphone's systems to recognise your browser. Cookies also enable Truphone to gather information about the use of its website and to enhance the website accordingly to the preferences of the users. The Help option on the toolbar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Truphone's cookies do not contain any identifying information. Please bear in mind that some personalised services may not be available if you choose to disable cookies.

PURPOSE AND BASIS FOR THE PROCESSING OF PERSONAL DATA

Providing personal data by you is a statutory requirement from the provisions of tax or accounting law as well as from telecommunication law. It is also required to enter into the agreement with Truphone. If you do not provide us with all this information about yourself, we will not be able to set up your account and you will not be able to purchase and use the Services.

Truphone processes your personal data to enable you to use Services, ensure the functionality of the services offered, including solving technical problems, enable payment for services, handle complaints and perform obligations resulting from legal provisions, including tax, accounting and telecommunication regulations.

Truphone is entitled to process your personal data because it is necessary to perform Services, as well as on the basis of legal provisions, e.g. when these provisions require us to process your data for tax, accounting or telecommunication purposes.

The legal basis for the processing of personal data is also the legitimate interest of Truphone. It includes improving services, ensuring the best quality, informing our users, ensuring the maintenance of your Truphone account, conducting research and analysis, conducting direct marketing, protecting or pursuing claims, creating statistics and ensuring accountability.

If you have consented to the use of personal data for marketing purposes then we may use your personal data to send you information about additional services that we provide.

EXERCISE OF INDIVIDUAL RIGHTS

You can request from Truphone access to your personal data, rectification, deletion, restriction of processing or transfer and you have the right to object to the processing of your personal data. If we have collected and process your personal information based on your consent, then you can withdraw your consent at any time; withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. Where possible and such request is not in a contradiction with the law regulations we will process such request however depending from the nature of the request from time to time this may impact your ability to use the service. To process your right to erasure (‘right to be forgotten’) or to obtain confirmation whether or not we are processing your personal data please contact us at dataprotection.officer@truphone.com

DISCLOSURE OF INFORMATION

In order to deliver the Service we disclose your information for certain purposes and to third parties, as described below:

• The Truphone Group of companies: We share your information among the Truphone Group as needed for: data processing and storage; providing you with access to our services; providing customer support; making decisions about service improvements; content development and for other purposes described in this Privacy Statement and Information Clause. Further details of Truphone Group companies you can find on truphone.com
• Third Party Service Providers: We may use other companies or contractors (" Third Party Service Providers") to perform services on our behalf or to assist us with the provision of services to you. Therefore we may engage Third Party Service Providers to provide marketing, advertising, communications, security, infrastructure and IT services, to customize, personalize and optimize our service, to provide bank account or balance information, to process credit card transactions or other payment methods, to provide customer service, to analyze and enhance data (including data about users' interactions with our service), and to process and administer consumer surveys. In the course of providing such services, these Service Providers may have access to your personal or other information. We do not authorize them to use or disclose your personal information except in connection with providing their services to us.

Third Party Service Providers have a Data Protection Agreement enforced by Truphone, thus cascading to them the security and privacy requirements we uphold with the customers.

Business transfers: In connection with any reorganization, restructuring, merger or sale, or other transfer of assets, we will transfer information, including personal information, provided that the receiving party agrees to respect your personal information in a manner that is consistent with our Privacy Statement.

Whenever in the course of sharing information we transfer personal information to countries outside of the European Economic Area and other regions with comprehensive data protection laws, we will ensure that the information is transferred in accordance with this Privacy Statement and Information Clause and as permitted by the applicable laws on data protection.

IN ORDER TO PROVIDE YOU WITH THE SERVICES TRUPHONE MAY TRANSFER YOUR PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA TO THE COUNTRIES THAT PROVIDE AN ADEQUATE LEVEL OF PERSONAL DATA PROTECTION, OR IN COUNTRIES THAT DO NOT PROVIDE SUCH A LEVEL LIKE UNITED STATES, HONG KONG OR PHILIPPINES. IN THE LATTER CASE TRUPHONE SECURES YOUR DATA BY CONCLUDING AGREEMENTS WITH RESPECTIVE COMPANIES CONTAINING THE SO-CALLED STANDARD CONTRACTUAL CLAUSES APPROVED BY THE EUROPEAN COMMISSION. BY ACCEPTING THIS PRIVACY STATEMENT AND INFORMATION CLAUSE YOU HEREBY ACKNOWLEDGE THIS FACT AND CONSENT TO THAT.

SECURITY OF PROCESSING

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Truphone has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Truphone is an ISO 27001 – Information Security Management System and ISO 22301 – Business Continuity Management System Certified Organisation and upholds best practices certifications from GSMA Security Accreditation Scheme and the UK Cyber Essentials Plus.

We also take, on a continuous basis, independent audits regarding security best practices and compliance against the General Data Protection Regulation (GDPR).

If you suspect that we have shared your data inappropriately, or wish to report a security issues or non-compliance with your data, then please email: securitynotice@truphone.com or call our helpdesk providing us details of the issue and we will investigate immediately.

INFORMATION STORAGE

There are strict obligations which define for how long we may hold personal data about you. These obligations are included in data protection and data retention legislation. We will hold your personal data as outlined in the table below:

Truphone also stores your personal data for the duration of the agreement concluded with you, and - after its termination - for the period in which it is possible to pursue claims in connection with the performance of the agreement.

Truphone may as well stores your personal data for marketing purposes for the duration of the legal basis and the purpose of data processing.

SUPERVISORY BODY

You have the right to lodge a complaint regarding the processing of your personal data by Truphone to data protection authority or other regulatory supervisory body supervising processing of personal data.