Privacy Policy

This notice describes how we collect and process users’ data by E-CONNECT FZCO through the EvoSim https://evosim.com/ website (hereinafter – the “Website”) and mobile application (“App”), collectively referred to as the “Platform”. The terms “Company” “e-connnect”, “we”, “us”, and “our” refer to E-CONNECT FZCO incorporated and registered under the laws of Dubai

We are committed to safeguarding the privacy of our users. We will not misuse your data.

From the data protection perspective, we are a data controller for the information collected through the Platform. You can contact us at:

E-CONNECT FZCO

Registry code: DSO-FZCO-27223

Contact email address: support@evosim.com

DEFINITIONS

‘Applicable Law’ means all applicable laws, statutes, codes, ordinances, decrees, rules, regulations, municipal by-laws, judgments, orders, decisions, rulings or awards of any government, quasi-government, statutory or regulatory body, ministry, government agency or department, court, agency or association of competent jurisdiction.

‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Special categories of personal data’ (sensitive data) means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

‘Data controller’ (controller) means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Data processor’ (processor) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

‘Data Subject’ means any living individual who is the subject of personal data processed by the Company, including Visitors, independent contractors/employees and other stakeholders.

‘DPO’ is a data protection officer appointed by a Controller (including a Joint Controller), or Processor to independently oversee relevant data protection operations in the manner set out in Articles 16, 17, 18 and 19 of Law.

‘Law’ means Data Protection Law 2020, Law No. 5 of 2020 as may be amended.

‘Visitor or User’ means Data Subject who has entered the Website and/or uses Company’s Services with any purpose.

‘Services’ means legal services provided by the Company.

‘Website’ means https://evosim.com/

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Profiling’ means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or analyses or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.

‘Automated decision-making’ means an ability to make decisions by technological means without human involvement that produces legal effects concerning the Data Subject or similarly significantly affects the Data Subject.

‘Personal data breach’ means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

‘Consent’ means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

GENERAL

In collecting and using of the personal data, the Company is subject to a variety of applicable laws controlling how such activities may be carried out and the safeguards that must be put in place to data protect.

This Policy applies to all Company’s employees, independent contractors, stakeholders and all other subjects that directly or indirectly participate in the personal data processing, including Users and non-users who visit the website https://evosim.com/, use our Service and application, within Company’s activities.

This Policy sets out how the Company uses, processes and stores Users personal information. The Company will obtain that information from the User with his/her permission and consent.

PRINCIPLES OF PROCESSING

During the collecting and processing of the personal data, the Company adheres to the principles provided by Data Protection Law 2020 (hereinafter - “Law”) and other legal basis if it applies to the Company. The Company’s policies and procedures are designed to ensure compliance with the principles of Data Protection Law 2020. Personal Data shall be:

(a) Processed in accordance with Article 10 of Law; (b) Processed lawfully, fairly and in a transparent manner in relation to a Data Subject; (c) Processed for specified, explicit and legitimate purposes determined at the time of collection of Personal Data; (d) Processed in a way that is not incompatible with the purposes described in Article 9(1)(c); (e) relevant and limited to what is necessary in relation to the purposes described in Article 9(1)(c); (f) Processed in accordance with the application of Data Subject rights under the Law; (g) accurate and, where necessary, kept up to date, including via erasure or rectification, without undue delay; (h) kept in a form that permits identification of a Data Subject for no longer than is necessary for the purposes described in Article 9(1)(c); and (i) kept secure, including being protected against unauthorized or unlawful Processing (including transfers), and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

LEGAL BASIS FOR PROCESSING

We use your Account information: • to create and maintain your account. The applied legal basis for this is the performance of the contract (Terms of Use) between you and us; • to contact you regarding the work of the application or your Account, including by email and by sending you web notifications (if any); • to respond to support requests; • upon receiving your consent from you, to send you marketing or promotional materials; • to analyze the efficiency of our Services in our legitimate interests; • to store certain types of information for compliance with law, e.g., KYC obligations.

TYPES OF INFORMATION WE COLLECT FROM YOU

We may collect personally identifiable information when you specifically and knowingly provide it to us, for example when you sign up for our newsletter or chat, create an account, request more information on our contact us page, respond to a survey or questionnaire and provide personal information such as your email address, name or other information. Where applicable, personally identifiable information includes personal data as defined in applicable law.

This Privacy Policy does not apply to the privacy practices of third parties that we do not own or control, including but not limited to any third-party websites, services, applications, or online resources to which this Site may link or otherwise reference (collectively Third Party Services) that you may access through the Services. We encourage you to carefully review the privacy policies of any Third Party Services you access.

eSIM Connect does not consider personally identifiable information to include information that has been anonymized so that it does not allow a third party to identify a specific individual. We collect and use your personally identifiable information to provide the services, operate and improve our service, provide customer service, perform research and analysis aimed at improving our products, service and technology, and display content that is customized to your interests and preferences.

You may always choose not to provide personally identifiable information, but if you choose so, certain parts of the Service may not be available to you. If you have registered an account with us, you will have agreed to provide your personally identifiable information in order to access the services. This consent provides us with the legal basis we require under applicable law to process your data. If you do not agree to our use of your personal data in line with this policy, please do not use our Services.

Subject to the following paragraph, we ask that you do not send us, and you do not disclose, any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the services or otherwise to us. If you send or disclose any sensitive personal data to us when you submit content to the services, you consent to our processing and use of such sensitive personal data in accordance with this policy. If you do not consent to our processing and use of such sensitive personal data, you must not submit such content to us. Please note that even if this information is provided, we will not store them anywhere on our side.

We may collect and aggregate non-personally identifiable information which is information that does not permit you to be identified or identifiable either by itself or in combination with other information available to a third party. This information may include information such as a website that referred you to us, your IP address, browser type and language, hardware types, geographic location, and access times and durations. We also may collect navigational information, including information about the service content or pages you view, the links you click, and other actions taken in connection with the Service. We use this information to analyze usage patterns as part of making improvements to the Service.

ACCOUNT INFORMATION

To begin using our Services, you need to create your Account. During the registration process, you will be asked to provide us email address. You will also need at certain conditions provide us with your First and Last name, your date of birth. We use/store this information in order:

(a) to maintain your Account; (b) to provide you with access to our Services; (c) to contact you regarding your account and our updates (support emails); and (d) to comply with our legal obligations; (e) to attend and manage your requests to us (f) to comply with legal obligation purposes such as tax reporting, fraud prevention, our reporting obligations etc. (g) we may use your Personal Information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our service(s), products, services, marketing, and your experience.

SUPPORT REQUESTS AND OTHER INQUIRIES

To receive support or contact us with relevant questions about our Company, and Services, you will be asked to provide us with your email address and a brief description of your request that would be attached to your contact information. We will use this information solely to contact you back and assist you with your request. We will store your request data for as long as we keep in touch with you. We will keep your request data for additional two (2) years after your last contact with us, in case we need to follow up on your request later.

COOKIES

A cookie is a small text file that is downloaded onto your ‘terminal equipment’ (e.g., a computer or smartphone) when you access our Platform. It allows us to recognize your device and store some information about your preferences or past actions. We use cookies to appropriately run the Platform and analyze the Platform traffic. To learn more about cookies, please read our Cookie Notice on Website.

USER AGE

The Company collects the personal data on the basis of consent obtained from the Data Subjects who have reached the age of 18 years. If you know that the Company processes the data of a person under 18 years old, please inform about this by writing to the e-mail address: support@evosim.com

THE PERIOD OF STORAGE

The Company processes and stores the personal data during the period that is needed for the realization of the processing purposes, specified in this Policy.

After the expiration of the period of storage, the Company is obliged to delete the personal data or ask the Data Subject to provide the Company with new consent, if the necessity of processing remains actual for the Company or another purpose of processing appears.

The Company is entitled not to store more and delete the earlier collected Data Subject personal data of at any time if such personal data are not needed more. Herewith, the Company is obligated to notify the respective Data Subject that his/her personal data are deleted.

The Company may keep storing the personal data if subsequent processing is foreseen by law and is deemed relevant for a purpose that is not compatible with the original purpose of processing stated in this Policy. Herewith, under incompatible purposes means the purposes concerning archiving in the public interest, scientific, statistical, or historical use.

PROCESSORS

While processing the User's personal data, the Company may engage Google Inc. (by using Google Analytics) as a processor.

The Company is responsible for the proper processing of the User's personal data under the Law. Herewith, each processor is responsible for the adherence of the Law as well as for other legislative actions concerning data protection while processing the Users’ personal data. The processors are not entitled to define any additional purposes for personal data processing

YOUR RIGHTS

This Policy provide all Data Subjects with the opportunity to realize any of the following rights:

Right to withdraw consent

(1) Where the basis for the Processing of Personal Data is consent under Article 10(1)(a) or under article 11(1)(a), the Data Subject may withdraw consent at any time by notifying the Controller in accordance with Article 12(5). Where a Controller has not complied with Article 12(5) a Data Subject may notify the Controller by any reasonable means. (2) The right to withdraw consent is an absolute right available to a Data Subject if the basis for the Processing of the Data Subject’s Personal Data is consent under Article 10(1)(a) or Article 11(1)(a). (3) Upon the exercise of a Data Subject's right to withdraw consent, a Controller must comply with Article 22 and must cease Processing the Personal Data as soon as reasonably practicable, and ensure that any Processors do the same.

Rights to access, rectification, and erasure of Personal Data

(1) Upon request, a Data Subject has the right to obtain from a Controller without charge and within one (1) month of the request: (a) confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed; (b) a copy of the Personal Data undergoing Processing in electronic form and of any available information as to its source, including up-to-date information corresponding with the information requirements set out in Articles 29 and 30; and (c) subject to Article 33(4), the rectification of Personal Data unless it is not technically feasible to do so.

(2) Subject to Article 33(3), the Data Subject has the right to require the Controller to erase the Data Subject's Personal Data where: (a) the Processing of the Personal Data is no longer necessary in relation to the purposes for which it was collected; (b) a Data Subject has withdrawn consent to the Processing where consent was the lawful basis for Processing and there is no other lawful basis, provided that in such circumstances the Controller must comply with Article 22; (c) the Processing is unlawful or the Personal Data is required to be deleted to comply with Applicable Law to which the Controller is subject; or (d) the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Controller to continue with the Processing.

(3) The Controller is only required to comply with a request by a Data Subject to erase Personal Data where: (a) one of the conditions in Article 33(2) applies; and (b) subject to Article 33(4), the Controller is not required to retain the Personal Data in compliance with Applicable Law to which it is subject or for the establishment or defence of legal claims.

(4) Where rectification or erasure of Personal Data is not feasible for technical reasons, then the Controller is not in violation of this Law for failing to comply with a request for rectification or erasure of the Personal Data, in accordance with Articles 33(1)(c), 33(2)(a) or Article 33(2)(d) as applicable, if: (a) the Controller collected the Personal Data from the Data Subject; and (b) the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that rectification or erasure (as the case may be) of the Personal Data at the request of the Data Subject would not be feasible.

(5) Where a Data Subject suffers adverse effects as a result of the inability of a Controller to rectify Personal Data and where the need for rectification was not caused by the Data Subject's own provision of inaccurate data, the Controller shall provide all reasonable assistance to the Data Subject to enable the Data Subject to take steps to mitigate the adverse effects.

(6) A Controller shall direct all recipients and Processors to rectify or erase Personal Data where the respective right is properly exercised or to cease Processing and return or erase the Personal Data where the right to object is validly exercised. In such circumstances, Article 22 applies to the erasure of the Personal Data by both the Controller and the Processor.

(7) If a Data Subject request under Article 33(1) is particularly complex, or requests are numerous, the Controller may send notice to the Data Subject, within one (1) month, to increase the period for compliance by a further two (2) months citing the reasons for the delay.

(8) Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request, providing written confirmation to the Data Subject reasons for the refusal.

(9) A Controller must be able to demonstrate to the Commissioner upon request that a Data Subject’s request made in accordance with Article 33(8) is manifestly unfounded or excessive.

(10) If a Controller has reasonable doubts as to the identity of a Data Subject asserting a right under this Article 33, it may require the Data Subject to provide additional information sufficient to confirm the individual’s identity. In such cases, the time period for complying with the Data Subject request does not begin until the Controller has received information or evidence sufficient to reasonably identify that the person making the request is the Data Subject.

(11) Where a Controller complies with a request under Article 33(1)(b) it shall not disclose the Personal Data of other individuals in a way that may infringe their rights under Applicable Law and the Controller may redact or otherwise obscure Personal Data relating to such other individuals. Where the Data Subject's request is received by electronic means, and unless otherwise requested by the Data Subject, the information may be provided in a commonly used electronic form.

(12) The information to be supplied pursuant to a request under this Article 33 must be supplied by reference to the data in question at the time the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(13) Without derogating from the requirements on DIFC Bodies as set out in Article 65(2), a Controller may restrict, wholly or partly, the provision of information to the Data Subject under Article 33(1). to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the Data Subject, a necessary and proportionate measure to: (a) avoid obstructing an official or legal inquiry, investigation or procedure; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security; (d) protect national security; or (e) protect the rights of others.

(14) Where the provision of information to a Data Subject under Article 33(1) is restricted in accordance with Article 33(13), a Controller must inform the Data Subject in writing without undue delay: (a) that the provision of information has been restricted; (b) of the reasons for the restriction; (c) of the Data Subject’s right to lodge a complaint with the Commissioner under Article 60; and (d) of the Data Subject’s right to apply to the Court under Article 63. (15) Article 33(14)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.

Right to object to Processing

(1) A Data Subject has the right to: (a) object at any time on reasonable grounds relating to his particular situation to Processing of Personal Data relating to him where such Processing is carried out on the basis that: (i) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Controller; or (ii) it is necessary for the purposes of the legitimate interests, where applicable, of a Controller or of a Third Party; and (b) be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses, subject to any provision of this Law that does not permit disclosure; and (c) where Personal Data is Processed for direct marketing purposes, object at any time to such Processing, including Profiling to the extent that it is related to such direct marketing.

(2) Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data, and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that overrides the interests, rights of a Data Subject or that the circumstances in Article 34(3) apply.

(3) If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the Processing at the request of the Data Subject, then the Controller may continue Processing the Personal Data in the same manner, subject to this Law in all other respects.

(4) A Controller shall, no later than its first communication to a Data Subject, explicitly bring to the attention of the Data Subject in clear language that is prominent and separate from other communications or information, the rights referred to in Article 34(1).

Right to restriction of Processing

(1) Subject to Article 35(3), a Data Subject shall have the right to require a Controller to restrict Processing to the extent that any of the following circumstances apply: (a) the accuracy of the Personal Data is contested by the Data Subject, for a period allowing the Controller to verify the accuracy of the Personal Data; (b) the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead; (c) the Controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims; (d) the Data Subject has objected to Processing pursuant to Article 34 pending verification of whether the legitimate grounds of the Controller override those of the Data Subject.

(2) If a Controller lifts the period of restriction, it shall inform the Data Subject in writing.

(3) Where Article 35(1) applies, the only Processing that may continue to be conducted without the consent of the Data Subject is: (a) storage of the Personal Data concerned; (b) Processing of the Personal Data for the establishment, exercise or defence of legal claims; (c) Processing for the protection of the rights of another person; and (d) Processing for reasons of Substantial Public Interest.

Right to data portability

(1) A Data Subject shall have the right to receive Personal Data that he has provided to a Controller in a structured, commonly used and machine-readable format where the Processing is: (a) based on the Data Subject's consent or the performance of a contract; and (b) carried out by automated means.

(2) The purpose of Article 37(1) is to enable ready portability between Controllers if so required by the Data Subject, and the Data Subject shall have the right to have the Personal Data transmitted directly from the Controller to whom the request is made to any other person, where technically feasible. A Controller is not required to provide or transmit any Personal Data where doing so would infringe the rights of any other natural person.

DATA TRANSFER

The Company stores personal data in Dubai.

The Company does not sell, trade or transfer personal data to any legal persons or individuals.

SECURITY OF INFORMATION

We take necessary and sufficient measures to protect your information from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties. Internally, immediate access to the data is only allowed to our authorized employees involved in maintaining our Platform and conducting other processing activities. Those employees include our backend software developer, operational and marketing team. Such employees keep strict confidentiality and prevent unauthorized third-party access to personal information. While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Any information disclosed online is vulnerable to interception and misuse by unauthorized parties.

THIRD-PARTY SERVICES

Our Platform may contain links to third-party services and platforms, including those posted by our partners and affiliate companies. Although we choose our partners thoroughly and diligently, we cannot be responsible for the content, terms, and conditions, or privacy policies of third-party services.

We encourage users to be aware when they leave our Platform and to read the privacy statements of the services that collect personally identifiable information. Third-party Platforms may contain their own cookies. We are not responsible for their usage of cookies.

CHANGES TO THIS NOTICE

We may update this privacy notice from time to time by posting a new version on our Platform. We advise you to check this page occasionally to ensure you are happy with any changes.

However, we will endeavor to provide you with an announcement about any significant changes.

CONTACT US

If you have any questions, comments, or concerns regarding our Privacy Policy and/or how we process your personal data, please contact us at the email address support@evosim.com.