Privacy Policy

We are committed to protecting your privacy.For customers resident in the European Union (EU), the EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the UK Data Protection Act 1998. The GDPR requires some additional safeguards to the holding of personal Data which our customers and potential customers provide to us (the Company) during the course of applying for any of our telecom services, and to how that data is used thereafter. This data means the information sent to us by you subsequent to filling in our online forms from our website or any information supplied by you to our Customer Services team - primarily via e-mail. Obligations under the GDPR also apply to any third party supplier or subcontractor used by the Company - and for us in particular, this means wholesale telecom operators (for customer call-related or service data) and the supplier of the secure e-mail database used by the Company to hold key personal contact data in the form of e-mail lists. These e-mail lists are the only method we use to provide our company Customer Service and Marketing functions, and they allow us to operate quickly efficiently and economically when informing assisting and updating customers and potential customers about our services. We are in any event committed to protecting all information on our network through appropriate controls, and to being transparent about what data we hold for you as one of our customers or potential customers and how we use that data, no matter where you may be resident. General If you contact the Company by e-mail as a Customer or Potential Customer, other than through one of our secure forms on the website, we may request certain additional information to be able to confirm your identity, check our records and answer your questions quickly and accurately. When you visit our website, we may collect and process information about your visit by using “cookies” and other similar technologies to help us make improvements to the websites and to the services we make available. Please see the Cookies section below for more information. No Calls. We NEVER make outgoing Marketing or Customer Service voice calls to our Customers or Potential Customers. SMS We may use SMS texting data in the future as part of our Customer Service or to enable some product features, but only with your permission. This data would be added to the appropriate Customer or Potential Customer e-mail list. New Customer The most important piece of personal data we hold is a valid e-mail address for all our customers and potential customers. It is our only means of on-going secure communication. We rely on our e-mailing lists to deliver such information as we feel is necessary for us to provide our various services to you. When you apply for a new pre-paid Calling Account or pre-paid chatPIN or other telecom service product with us via our secure web-site application forms, we request certain basic information which will include your name and private/business contact e-mail address, the amount you wish to pay and the payment method, and may also include personal telephone or mobile number(s), financial or credit card information, and possibly IP address/es. This data is necessary to help us identify you and to initially provide the appropriate telecom service to you. Where valid initial credit card (cc) information is provided on a secure application form to enable the initial transaction, this cc information will subsequently be securely archived and kept for up to six years. If the “auto top-up” service is requested so that current valid credit card information is re-required, the new credit card details will be requested via a secure credit top-up form on our website and that data subsequently kept on our secure servers. When we open a new pre-paid Calling Account or chatPIN or other service we will send full details about the service to the e-mail address provided by the customer with the original application. This e-mail address is added to the relevant Customer e-mail list and becomes the primary e-mail address for the chosen service with us and is our preferred and effectively our only means of contact with our Customers. Call Data Security We provide for all our pre-paid product Customers a unique username and an initial cardnumber/PIN/password (minimum 6 digits for security). Secure access to our various services is normally by first dialling a local access number(s) - the Company provides this information in the initial new Customer e-mail mentioned above - and then entering the assigned secure cardnumber/PIN/password. Other secure password/PIN protected access methods to our services include internet access with SIP via ATAs, Smartphones, and/or from applications or other VOIP devices. Customers using the service from the PSTN may need or choose to use their identifying personal cardnumber/PIN/password for all calls that they make, or, when available, they may register personal phone numbers stored as data on our servers so that calls made from numbers authorised by the customer will not require further identification - Caller Line Identity (CLI) - see Wikipedia. We recommend that where possible customers regularly review and change their PINs/passwords, this facility being available for Calling Account customers through a secure website accessed by the unique Account username and password combination. Here Calling Account customers have secure access to their own account call data and can enable other service features as available. Service Data Held For Calling Account and other Customers we receive service call record data, including the CLI passed, the call date and time, the IP the call originated from, the number dialled and the duration of the call. Other service data kept may include Call Recording (only at express wish of the customer) SMS, Fax, personal numbering and Video data as and when these new services become available. Where new numbers and number portability services are provided we will also keep data on any associated telephone numbers assigned. Where service issues or fraud issues are reported, additional personal data may be needed in order to investigate these issues such as account username, personal password, call date and time, number dialled, CLI passed, call traces and call recordings. Personal Data Held Reasons for holding personal data include but are not limited to: Verifying your identity when you use our services or contact us. Advising you of any matters affecting your service. Processing any enquiries you have about the service. Monitoring, recording, storing and using any telephone, e-mail or other electronic communications, Improving the quality of our customer service, and in order to meet our legal and regulatory obligations. Providing Personal Numbers Number Portability - as and when available - under Ofcom’s General Conditions Telling you about changes to our websites, services or terms and conditions. Recovering or refunding any monies owed whilst using our services. Analysing our services with the aim of improving them. Preventing or detecting a crime, fraud or misuse of, or damage to our network, and investigating where we believe any of these have occurred. Monitoring network traffic from time to time for the purposes of network optimisation, backup and problem solving. Personal Financial data/ Credit Card Information We keep Customer financial data that we receive from you which relates to any purchase by you of our pre-paid call-time or other associated services using a valid credit card. For most payments made to us, and particularly for top up payments where we have already validated you as a Customer, we prefer to direct you to our Merchant Service Providers. Where you the Customer have opted to pay for your new Calling Account or PIN or service by Credit Card using one of our secure website forms, we manually process these payments with Barclaycard EPDQ Merchant Services using the credit or debit card information supplied by you. We run our own basic e-mail, security and validation checks on each new application before processing it which provides a more secure service to you as a Customer and helps prevent fraudulent use of your credit card. We may also need to keep current valid credit card information where a Customer requests the Auto top-up service if available, which basically passes to us the responsibility of ensuring that the relevant account or service does not run out of credit. Credit Card information initially supplied, and not subsequently needed for the Auto top-up service is not retained by us for longer than 2 years, and is archived prior to deletion. Merchant Service Providers. At present, we use Barclaycard EPDQ Merchant Services or PayPal. Please follow the links provided for further information relating to financial data processed by these organisations. PayPal and Barclaycard will independently request and process your financial data on our behalf from the appropriate secure payment link on our website. We rely upon these organisations to (1) provide secure access for us to their servers so that we can either process a payment or view details of a payment made in relation to an order from you the Customer and (2) to notify us via secure e-mail regarding any payment received with sufficient information to identify you as the Customer so that we can make the appropriate credit to your Calling Account PIN or other service. There are plans to include further independent Payment Options for our Customers in the near future, and we will ensure that your personal data will continue to be protected. E-mail lists - Personal Contact Data Our e-mail lists contain the original basic data that we receive from you when you complete and submit an Order Form or Contact Form on our website - this includes e-mail address, Title, Full Name, the Service or Product required/interested in and how you heard about the Company. The data held on these lists is then updated as required by our own Customer Service. As a Customer, and where you have not opted out (unsubscribed) from our Customer e-mail lists, we will e-mail information from time to time about call rates, service issues and changes and/or improvements and possibly other services, offers or products that you may or may not always be interested in. Please note that as an internet-based company, we rely only upon outgoing e-mails and the data kept on our Customer e-mail lists to maintain contact with you, the Customer. We do not make outgoing Customer Service Calls. Any incoming e-mail received from a Customer or Potential Customer will be dealt with on an individual basis as a top priority. As an existing Customer using one of our services, if you opt out from receiving e-mails from our Customer e-mail lists we will not be able to provide you with any future information including urgent and routine Customer Service issues relating to your Calling Account, chatPIN or other service with us. You may elect to opt out or unsubscribe from our Customer e-mail list at any time and we will not contact you again, unless you apply to re-subscribe - see below. As a Potential Customer, which means where you have e-mailed us directly or completed one of the forms on our website applying for or requesting information concerning one particular service that we offer, the basic contact data that you send - most importantly a valid personal e-mail address - will be added to the appropriate Potential Customer e-mail list. We will then from time to time - and not excessively - e-mail to the personal e-mail address database associated with the Potential Customer e-mail list information designed to persuade you to become a Customer. When you become a Customer, your personal data is transferred to the appropriate Customer e-mail list - see above. You may elect to opt out or unsubscribe from our Potential Customer e-mail list at any time and we will not contact you again, unless you apply to re-subscribe - see below. Your personal contact data will be kept secure, accurate and up to date with appropriate technical and organisational methods used to ensure the integrity of the data we hold and to prevent it being accidently lost, accessed or used in an unauthorised way, altered or disclosed. All personal data you provide to us is stored either on our secure service servers based in Europe or with our e-mail list database kept with specialist company icontact based in the USA. This company icontact adds another level of protection to our e-mail list communication by (1) reviewing any list message we send and (2) managing the responses - particularly in regard to “opting out” - so that our lists are kept accurate and up to date. Please see the icontact “Statement” in the Addendum below for further information as to how icontact will integrate with GDPR. Re-Subscription Policy We are aware that some Customers and Potential Customers may wish to re-subscribe to one or more of our e-mail lists for various reasons. To do this, the customer should e-mail deliverability@icontact.com using the same original e-mail address, with suggested text "Dear icontact, Please re-subscribe me to the list(s) previously associated with my e-mail address: xx@xxxxxxxxxxxx Yours sincerely (name and surname)" Sharing Data We may share information with other organisations but only under the following circumstances: In response to properly made requests from law enforcement agencies for the prevention and detection of a crime, for the purpose of safeguarding national security or when the law requires us to, such as in response to a Court Order or other lawful demand or powers contained in legislation. In response to properly made requests from regulatory bodies such as the UK Information Commissioners Office and Ofcom. As part of any fraud investigation. As part of the process of selling our business. As part of any possible future legal proceedings. Where necessary with companies assisting us in providing services to you, e.g. customer support, portability or other telecommunications Service Providers/ Facilitators. Where we share information with other parties who help us provide these services, they are required to follow our express instructions in respect of the use of your personal information and they must comply with the requirements of the GDPR and any other relevant legislation to protect your information and keep it secure. Outside the EU Some of the organisations with whom we may share information may be based outside the European Economic Area, in countries that do not always have the same data protection laws as the EU or the UK. However, we will have contracts in place with them to ensure that your information is adequately protected and we will remain bound by our GDPR obligations for personal data even when the data is processed outside the European Economic Area. How long will we hold your Data? The time period that we will keep your data for will vary depending on whether you are a Customer or Potential Customer. Unless there is a specific legal requirement to the contrary, we will keep Customer data for as long as it is necessary. Once the requirement to hold the data is complete, appropriate measures will be taken to delete the data in line with the terms of the GDPR. The Company may also be required by Law to keep certain historic information about how you use some of our services for a period of 12 months – this will include, but is not limited to: records of the dates and times of the calls made via your account or service with us and the numbers dialled. As a Calling Account holder, you can access this information on-line through the appropriate secure personal Account Management Portal Information requested by certain law enforcement agencies involved in the prevention and detection of crime and the protection of national security. We will only disclose such information where we are legally bound to do so. Where we have your e-mail contact data, and where you are no longer a Customer, this data is held for a limited period of time before we delete it permanently. Typically this will be a maximum of 6 years for account related emails for the purpose of dealing with future enquiries, complying with any legal obligation or investigation as described previously. We provide you with the option to unsubscribe (opt out) from our e-mailing lists at any time. Your rights as a Data Subject Under the GDPR, a “data subject” - our Customer or Potential Customer - has a right to request a record of the data held about himself/herself. The GDPR gives data subjects a number of other rights including the right to request the correction or erasure of personal data, the right to request the restriction of processing of personal data and the right to request the transfer of personal data (either to the data subject or a third party). To do this, and where the data requested is otherwise unavailable to the “data subject” through any other means, a request should be submitted in writing to us: c/o The Data Controller at the Company’s Registered Office address (as it appears on the Company website). We may also ask you to provide us with proof of identity to make sure we are giving information to the right person. To help us process requests we may need all or some of the following information: Registered/Validated e-mail address(es) Telephone number(s). Username(s) and/or PIN password cardnumber Postal Address/Post Code/ZIP. Please note that any response from us will only be by e-mail to the relevant e-mail address if that e-mail address is - or has been at any time - registered to or validated with one of our Customer or Potential Customer e-mail lists. Marketing Preferences Our contact with you as a customer or potential customer is almost always via e-mail to the primary e-mail address we hold for you. It may also be by SMS where available and where requested by you. As a Customer you are automatically subscribed to the relevant Customer e-mail list created for all our other Customers with the same product/service and unsubscribed where relevant from any Potential Customer e-mail list. You may opt out/unsubscribe from the Customer e-mail list at any time by cliicking on the “Manage Your Subcription” option available with every e-mail we send to our list members. But please note that only we use this e-mail list to inform you about matters vital to your service which may include: Service announcements Changes to services or terms and conditions. Unavailability of the Service Changes to Call Rates Changes to Access Numbers If you wish to re-subscribe, please follow the Re-Subscription Policy (above) As a Potential Customer - i.e. before you have successfully applied for one of our service products - we will send you Marketing e-mails relevant to the product enquired about to the e-mail address you provided until such time as you elect to become a Customer or opt out/unsubscribe from our Potential Customer e-mail list. Please note that we are fully aware of how many spam e-mails are generated into personal mailboxes every day, and it is not in our interest to send you as our Potential Customer anything irrelevant to the service you initially asked about. Our Website Cookies Our websites will use cookies. Cookies collect information about the use of our websites, including but not limited to: details of the operating system, browser and IP address of the device used to visit the website the time and duration of the visit which parts of our website were visited. The information collected by cookies enables us to understand the use of our websites, including the number of visitors we have, the pages viewed per session, time exposed to particular pages, etc. This in turn helps us to provide a better website, since we can evaluate the level of interest in the content of our website and tailor it accordingly. We will not attempt to personally identify visitors from their IP addresses unless required to as a matter of law or regulation or in order to protect our rights or those of our Customers. Most browsers automatically accept cookies. You can set your browser options so that you will not receive cookies and you can also delete existing cookies from your browser. However, you may find that some parts of our websites will not function properly if you disable cookies. Protecting information We take protecting data seriously, and through appropriate organisational and technical security measures we will do our utmost to protect against unauthorised disclosure or processing. Unfortunately we and all other businesses using e-mails can never fully guarantee the security of transmitting information via the Internet. We have tried to create a secure and reliable service but we have no responsibility or liability for the security of personal information or data transmitted via the Internet. If a data breach occurs, identified by us or notified to us, which affects the information that we hold about or have processed from you, we will notify you immediately by e-mail from the relevant Customer or Potential Customer e-mail list, and provide full information about the personal data affected by this breach. We will take all appropriate steps possible to restore any personal data which is lost or corrupted as a result of a data breach where we are at fault. Changes Please note that the ways in which we protect personal data will be reviewed periodically and may change from time to time. Contact Us If you have any questions about privacy issues, want us to update your marketing preferences, or amend information, please contact ss either by using the Contact Us Form on the website, or via e-mailing us directly, or by writing to The Data Controller, c/o the Company’s Registered Office address (as it appears on the Company website). Complaints You have the right to complain to the Information Commissioner about the way in which we collect and use your personal data: www.ico.org.uk/concerns or telephone 0303 123 1113.

ADDENDUM: STATEMENT FROM ICONTACT - dated May 2018 and reproduced by permission as below:

“STATEMENT OF GDPR PREPAREDNESS

Introduction At iContact we are very aware of the importance of managing the personal data that we hold, whether that be from a customer, an influencer, an employee or anyone else we interact with through the products and services we provide. We take our privacy and data protection obligations very seriously, and a key part of that right now is ensuring that we align all our data practices with the new requirements of General Data Protection Regulation (GDPR) by May 2018. We are fully committed to doing so and working hard to make this happen. We’re also very conscious that things don’t stop in May 2018. This is an ongoing process and we will be looking to ensure that privacy concerns continue to be built into our products and services, and in our practices and procedures. This note responds to a number of the most frequently asked questions that we have been receiving from our customers about what iContact is doing with respect to GDPR and in particular questions related to data that is provided to us by our customers. This document addresses the following areas: • GDPR Awareness at iContact • Data Inventory – what data do we hold? • How We Handle Customer Data • The Rights of Individuals • Data Retention • Notices and Consent • iContact Suppliers • Breach Notification • Protection of IT Assets We are conscious that this may not answer all of your questions, but we hope this helps to answer many of them, and of course we are happy to respond to any particular concerns you may have. Rest assured that iContact is committed to a program of full GDPR compliance and has a long-term commitment to privacy. GDPR Awareness at iContact GDPR represents a significant change in the European data protection regime but, as the UK regulator (the ICO) has said, in many respects it is an evolution not a revolution. iContact has been subject to and respectful of its data protection obligations under existing law, and will continue to be so leading up to and beyond May 2018. The protection of our customer and employee data has always been a priority for our leadership. We established a GDPR transformation program in 2017 with, at its heart, a cross disciplinary team including representatives from product design, sales, marketing, research, IT, HR and legal all overseen by management. This team includes a designated data protection officer who will liaise closely with our internal and external advisers. Each of our businesses has had internal data protection and privacy awareness programs for many years, and a number of our employees have undergone specific GDPR training. We are introducing a range of GDPR awareness sessions as we move towards May 2018 and beyond. As part of our GDPR transformation program, we have been undertaking a thorough audit of all the personal data we hold throughout the organization and have been conducting a ‘gap analysis’ of GDPR requirements against an assurance framework and mapping this against all activities in the group. We are investing in the creation of robust and sustainable processes to support a strong, long-term GDPR compliance framework. iContact is based in the US but does have customers worldwide. Where we are engaged in cross border data transfers from customers located in the European Economic Area (EEA), we will ensure that we continue to follow appropriate practices and follow one or more of the approved means of protecting personal data that leaves the EEA. This is not something that we can do on our own. The products and services that we provide typically mean that we will be a data processor for data provided to us by our customers which our customers then use through our products and services. As a general rule we do not act as a joint data controller in respect of information provided by our customers. Our customers have their own compliance obligations, and where we can we will work with them to help them comply. Data Inventory The main category of personal data that we process as a data processor is data belonging to our customer. We are enhancing our data protection impact assessment processes and supporting governance frameworks to ensure that privacy issues are considered appropriately in all new product developments that may impact privacy rights. What iContact Does With Customer Data The personal data that we process which is provided by our customers falls into two broad categories: first, personal data of our customers (i.e. the representatives that we interact with in order to provide our products and services); and, second, personal data of recipients that our customers provide to us. Personal information about our customers is usually limited to the contact and other details we need in order to fulfill our obligations to you. Personal information on our customers recipients may be much broader, depending on what our customers provide to us. Typically it will include name and email addresses. With our customers’ subscriber lists, we will act as a data processor, and we only process the information in accordance with our customers’ instructions. We do not typically store or process any special categories of personal data (for example, data regarding mental or physical health, sexual orientation, criminal convictions, and religious or political beliefs). iContact Suppliers Where we engage third party service providers, we do so in accordance with best practice to ensure that those providers are obliged to only process such data in accordance with our instructions, to keep it secure, and not to transfer it outside the EEA other than with our consent or in accordance with the appropriate frameworks. Under GDPR we are obliged to impose certain additional obligations on our data processors, and we are enhancing our framework of controls around such third parties suppliers and sub-processors. We will be updating our suppler contracts and seeking confirmation of GDPR readiness across all of our suppliers’ data processing facilities and security controls surrounding the processing and management of data. We will expect all our data processors to comply with their contractual obligations and more widely with their own obligations under GDPR. Communicating Breaches Data breach notification is one of the key new requirements under GDPR. We are reviewing our controls and processes around data breach detection, investigation and reporting to ensure we can comply with our obligations as data controller and as a data processor, by May 2018. This includes our obligations as a controller to report to the appropriate data protection regulator within 72 hours of discovery, to the data subjects where appropriate, and our obligations as a data processor (e.g. of customer data) to report to the data controller (in this case our customer) without undue delay after becoming aware of a breach. This review also includes assessing the adequacy of present information security assessment programs. IT Protection We have reviewed current IT services and systems and are carrying out remedial actions, where required, to strengthen our IT controls around personal data. We are also reviewing our encryption, anonymization and pseudonymizing controls across customer and supplier data, and on all of our databases. Summary This statement is intended to provide responses to the most common inquiries we have received from our customers. As part of ongoing transformation, iContact will be communicating regularly with its customer base in 2018 about what it is doing on its journey to achieve compliance and how we are protecting customer data, retraining staff and upgrading systems, processes and governance as we move towards compliance with GDPR by May 2018 and onwards, and to ensuring privacy issues continue to sit at the heart of our product and service development plans in the future. If you have more detailed questions that are not covered by this document, please contact gdpr.help@icontact.com and we will respond to you as soon as possible.” -----------------