IVT COMMUNICATIONS FZC LLC (“IVT”, “Company”, “we”) is a company incorporated under the laws of the UAE and committed to compliance with applicable data protection laws.

Afina Data Monetization Platform (“Afina”, “Afina Platform”) is a software product developed by IVT. Afina is deployed exclusively within the infrastructure of Mobile Network Operators (“MNOs”). MNOs act as controllers of personal data processed within Afina. IVT may act as a processor only when providing technical support, bug fixing, or model tuning for Afina upon explicit request of an MNO.

This Privacy Policy applies to the processing of personal data carried out by IVT in connection with:

• The operation of our corporate website www.afinadmp.com (the “Website”), where IVT acts as a data controller; and
• Limited processing of personal data within Afina, where IVT may act as a data processor on behalf of an MNO when authorized.

By visiting this Website and requesting information, products, or services, you agree to be bound by the terms and conditions of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not provide any information, or use any of the services or products offered or provided on this Website.

Please note: This Privacy Policy changes from time to time and changes are effective upon posting. Please check back frequently for updates as it is your sole responsibility to be aware of changes. We do not provide notices of changes in any manner other than by posting the changes at this Website.
This Privacy Policy describes the information collection, use, and disclosure practices of IVT with respect to:

• (a) the Website, including all related divisions, subsidiaries, and affiliated companies (collectively, the “Websites”); and
• (b) the engagement of third-party service providers acting on behalf of IVT.

INFORMATION COLLECTION AND USE

Personal data provided via the Website (e.g., contact forms, partnership requests, job applications) is processed by IVT as a controller to operate the Website and respond to you.

Personal data within Afina is controlled by the MNO; IVT may access it solely as a processor under the MNO’s instructions for defined support purposes.

In this Privacy Policy, “personal data” means any information relating to you as an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.

For the avoidance of doubt, personal data does not include information from which you cannot be identified (which is referred to simply as data, non-personal data, anonymous data, or de-identified data).

In this Privacy Policy, “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

IVT does not knowingly collect personal data of children under the age applicable in their jurisdiction (e.g., 16 in the EU; 13 under COPPA in the US). If we learn that we hold such data, we will promptly delete it from active systems and securely delete or anonymize backups within a reasonable timeframe. Parents and guardians are encouraged to monitor children’s online activities.

HOW DO WE COLLECT PERSONAL DATA AND FOR WHAT PURPOSES

A. Website (IVT as controller)

Scenarios of processing:

1. 1. 1. Provision of requested services or information
         • Purpose:respond to inquiries, provide requested materials, set up demos.
         • Categories of data: Identity Data (name, title), Contact Data (email, phone), Technical Data (IP, browser).
      2. Communication and partnerships
         • Purpose: manage business communications with partners, clients, and prospects.
         • Categories of data: Identity Data, Contact Data, Financial Data (for invoicing).
      3. Recruitment
         • Purpose: evaluate candidates, manage recruitment process.
         • Categories of data: Identity Data, Contact Data, employment-related data (CV details, work history, qualifications, references).
      4. Marketing communications (opt-in only)
         • Purpose: send newsletters, product updates, invitations to events.
         • Categories of data: Identity Data, Contact Data, Marketing and Communications Data.
      5. Website administration and security
         • Purpose: ensure proper functioning, prevent fraud, improve performance.
         • Categories of data: Technical Data (IP, browser, cookies, logs).
      6. Compliance and legal obligations
         • • Purpose: conduct KYC and AML/CFT checks, defend legal claims, respond to regulators.
           • Categories of data: Identity Data, Contact Data, Financial Data, Technical Data (as applicable).

   B. Afina Platform (MNO as controller; IVT may act as processor under MNO instructions)

• Categories of data (determined by the MNO):
  • • Subscriber Identity Data (subscriber number/MSISDN, SIM identifiers, demographics)
    • Traffic Data (call detail records, session data, IP addresses)
    • Service Usage Data (telecom service consumption, preferences, interactions)
    • Technical Data (device identifiers, network logs, geolocation data where applicable)
• Purpose (defined by the MNO): provision of telecom services, customer analytics, targeted advertising, fraud detection.

Important: IVT does not determine the purposes of such processing. IVT may access personal data only as a Processor, and only under documented instructions of the MNO (e.g., for technical support, maintenance, bug fixing, or ML model tuning).

Legal Basis for Processing

• For Website-related processing, IVT processes personal data:
  • • on the basis of your consent (e.g., when you opt in to marketing communications);
    • where processing is necessary for the performance of a contract with you;
    • where processing is necessary for legitimate interests pursued by IVT, provided these are not overridden by your fundamental rights and freedoms;
    • where processing is necessary to comply with legal obligations.
• For Afina-related processing, the legal basis is determined by the respective MNO, and IVT acts only under documented instructions of the MNO.

By submitting your information to IVT through the Website, you agree to the processing described in this Privacy Policy. Your personal data will be retained for as long as your relationship with IVT is active. Once the relationship ends, data will be stored only as necessary to comply with legal obligations or to defend legitimate interests, unless you exercise your right to erasure. We apply retention policies to ensure that personal data is not kept longer than necessary. Specific retention periods may depend on the nature of the data and applicable legal requirements.

If you fail to provide required personal data (for example, where it is needed by law or under the terms of a contract), we may not be able to perform the contract we have or are trying to enter into with you, and services may not be provided. You will be notified if this occurs.

The Website may contain links to external websites. If you follow these links, your data may be transferred to those websites. IVT is not responsible for the privacy practices or content of external sites, and we encourage you to review their privacy policies.

In some cases, we and other organizations may access and use your personal data to conduct ‘know your client’ (“KYC”) checks, credit checks, or to prevent fraud, money laundering and terrorist financing (“AML/CFT”). If false or inaccurate information is provided and fraud is suspected, details may be shared with relevant authorities, including credit reference and fraud prevention agencies, which may operate across different countries.

CONFIDENTIALITY AND SECURITY

IVT is committed to taking all necessary measures to protect personal data from unauthorized access, loss, alteration, or disclosure. We implement commercially reasonable technical and organizational safeguards, including encryption, secure servers, and access controls, in accordance with data protection legislation.

Please note, however, that no data transmission over the Internet can be guaranteed to be fully secure. Any transmission is at your own risk. Once we have received your personal data, we apply strict procedures and security features to minimize the risk of unauthorized access.

All information you provide to us is stored on our or our subcontractors’ secure servers in various locations worldwide and accessed and used subject to our security policies and standards. Where we have provided you with a password to access restricted sections of the Website, you are responsible for keeping this password confidential and complying with security instructions provided by us.

COOKIES AND TRACKING

We use cookies and similar tracking technologies to operate the Website, analyze usage, and improve user experience. Cookies are small text files placed on your device that help us recognize repeat visitors, remember preferences, and measure the effectiveness of content.

Categories of cookies used on the Website:

1. Strictly necessary cookies
   • • Purpose: enable core Website functionality (e.g., security settings, session management, load balancing, user authentication).
     • Legal basis: strictly necessary for the provision of the Website; do not require consent.
     • Please note: if you do not agree to the use of strictly necessary cookies, you should discontinue use of the Website and close it immediately, as the Website cannot function properly without them.
2. Functional cookies
   • • Purpose: store your preferences (e.g., language settings, personalization options) to provide a more user-friendly experience.
     • Legal basis: processed only on the basis of your explicit consent, collected through the cookie banner on the Website.
3. Analytical and performance cookies
   • • Purpose: collect aggregated information on how visitors use the Website (e.g., Google Analytics cookies), including traffic sources, visited pages, and user behavior. This helps us improve Website performance and usability.
     • Legal basis: processed only on the basis of your explicit consent, collected through the cookie banner on the Website.
4. Marketing cookies and ClickID tracking
   • • Purpose: track interactions when you click on a link or an offer from the Website. ClickID is a unique identifier that allows us to measure conversion, attribute traffic to campaigns, and support advertising effectiveness.
     • Legal basis: processed only on the basis of your explicit consent, collected through the cookie banner on the Website.

Cookie management and consent

• You can control or disable cookies at any time through your browser or device settings.
• Consent for optional cookies (functional, analytical, marketing) is collected via the cookie banner on our Website. You may accept or reject these cookies separately.
• You may change your cookie settings at any time via the Cookie Settings link or by clearing cookies in your browser.
• More detailed information about the specific cookies we use (including their names, providers, and retention periods) is available in our separate Cookie Notice, which is always kept up to date and accessible via the cookie banner and Website footer.

THIRD PARTIES ACCESS

‍Your personal data may be transferred to third parties where necessary to comply with legal obligations or in order to provide the services for which such third parties are engaged, or in order to support the operation and security of the Website and Afina.

IVT engages third-party service providers under written Data Processing Agreements (DPAs) imposing obligations no less protective than those in applicable data protection laws; providers may not use personal data for their own purposes. Where personal data is transferred outside the EEA, such transfers are carried out either on the basis of an adequacy decision adopted by the European Commission or, in the absence thereof, subject to appropriate safeguards such as Standard Contractual Clauses (SCCs). These providers include:

• SendPulse – email marketing and communication services.
• WordPress – website hosting and content management system (CMS).
• Unisender – mailing list management and email campaigns.
• Zapier – workflow automation and service integrations.
• Notion – collaboration and knowledge management platform.
• Digital Ocean – cloud infrastructure and hosting services (servers may be located outside the EEA).
• Contractors providing technical support services on behalf of IVT.

Each of the above providers has entered into a Data Processing Agreement (DPA) with IVT, ensuring that personal data is processed only as instructed by IVT and in accordance with the General Data Protection Regulation (GDPR) and other applicable laws (including UK GDPR, Swiss FADP, and LGPD, where relevant).

These third parties are not permitted to use your personal data for their own purposes and are required to implement appropriate safeguards to protect the data they process on our behalf.

In addition, personal data may be disclosed to competent authorities where required by law, or in connection with legal proceedings, fraud prevention, or compliance with anti-money laundering (AML) and counter-terrorism financing (CFT) obligations.

YOUR RIGHTS AS A DATA SUBJECT

As a data subject, you have rights under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and, where applicable, the Brazilian General Data Protection Law (LGPD). These rights include:

Right to information and transparency

You have the right to be informed about the processing of your personal data, including the purposes, categories of data, recipients, retention periods, and your available rights.

Right not to be subject to a decision

Right not to be subject to a decision based solely on automated processing, including profiling” (Art. 22 GDPR).

Right of access (Art. 15 GDPR / equivalent provisions in UK GDPR, FADP, LGPD)

You may request confirmation as to whether your personal data is being processed, and if so, receive a copy of the data along with additional details.

Right to rectification (Art. 16 GDPR)

You may request the correction of inaccurate or incomplete personal data held about you.

Right to erasure (“right to be forgotten”, Art. 17 GDPR / Art. 18 LGPD)

You may request deletion of your personal data in certain circumstances, for example where the data is no longer needed, consent has been withdrawn, or processing is unlawful.

Right to restriction of processing (Art. 18 GDPR)

You may request that the processing of your personal data be restricted under certain conditions.

Right to object (Art. 21 GDPR)

You may object to the processing of your personal data when it is based on legitimate interests or for direct marketing purposes.

Right to data portability (Art. 20 GDPR / LGPD equivalent)

You may request to receive your personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller.

Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Additional rights under Swiss FADP and LGPD

Under the Swiss FADP, you also have the right to request information about the origin of data and to prevent disclosure to third parties in certain cases. Under the LGPD, you may additionally request anonymization, blocking, or deletion of unnecessary or excessive data, and be informed about the entities with whom your data has been shared.

How to exercise your rights

You can exercise your rights at any time by contacting us at privacy@afinadmp.com. We may request proof of identity to verify your request.

Right to lodge a complaint

You have the right to lodge a complaint with a competent data protection authority in your country of residence or where you believe that your rights have been violated.

Limitations and Fees

In certain cases, as permitted by Applicable Data Protection Laws, IVT may:

• charge a reasonable fee to cover administrative costs of processing a data subject request; or
• refuse to act on a request if it is manifestly unfounded, excessive, or repetitive.

Forwarding requests to the Controller (MNO)

Where IVT receives a request that falls under the responsibility of the data controller (for example, an MNO using the Afina Platform), IVT may forward the request to the relevant controller and inform the data subject accordingly. In such cases, the controller remains responsible for fulfilling the request in accordance with Applicable Data Protection Laws.

INTERNATIONAL APPLICATION OF DATA PROTECTION LAWS

This Privacy Policy is intended to comply not only with the EU GDPR but also with other applicable personal data protection laws in regions where IVT operates or provides services. These include, but are not limited to:

• United Arab Emirates (UAE PDPL, Federal Decree-Law No. 45 of 2021) – applicable to processing conducted by IVT as a UAE-established entity.
• Brazil (LGPD) – applicable to individuals in Brazil or where processing relates to offering services in Brazil.
• United States – including federal requirements and state laws such as the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (CDPA), and other emerging state-level privacy frameworks.
• United Kingdom (UK GDPR) – post-Brexit equivalent of GDPR.
• Switzerland (FADP) – Federal Act on Data Protection applicable to Swiss residents.
• South Africa (POPIA) – Protection of Personal Information Act governing processing of data relating to individuals in South Africa.
• CIS countries – including national data protection laws such as the Russian Federal Law on Personal Data and Kazakhstan’s Law on Personal Data and Its Protection.
• Asia-Pacific – including data protection laws in Malaysia (PDPA), Singapore (PDPA), Thailand (PDPA), Indonesia, Philippines (Data Privacy Act), Vietnam, and Pakistan.

Where local data protection laws apply in addition to the GDPR, IVT commits to respecting the rights of individuals under those frameworks, provided they are applicable to our processing activities.

Where personal data is transferred outside the EEA, the UK, or Switzerland, IVT relies either on adequacy decisions adopted by the relevant authority or, in their absence, on appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

CONTACTING US

If you have questions or concerns regarding this Privacy Policy or the way your personal data is processed, you can contact us at:

• privacy@afinadmp.com – for all inquiries related to data privacy, including exercising your data subject rights under GDPR, UK GDPR, Swiss FADP, or LGPD.
• sales@afinadmp.com – for commercial inquiries, partnerships, or business-related communication.

This Website is owned and operated by IVT COMMUNICATIONS FZC LLC; a company incorporated and operating under the laws of the United Arab Emirates, located at: BLA-SP1-97, AMC – Boulevard – A Building, Ajman Media City. Registered number: 3621.