GDPR PRIVACY ADDENDUM This GDPR Privacy Addendum (the “GDPR Privacy Addendum”) supplements the information contained in our privacy notice and applies solely to customers and users of our websites, individuals who interact with us through social media, email, or phone, and individuals that participate in our services that are located in the European Economic Area, the United Kingdom. We adopt this GDPR Privacy Addendum to comply with the European Union’s General Data Protection Regulation, and any laws implementing the foregoing by any member states of the European Economic Area, the United Kingdom (including the UK Data Protection Act and the UK-GDPR), (collectively, the “GDPR”). Unless otherwise defined in this GDPR Privacy Addendum, any terms defined in the GDPR or our privacy notice have the same meaning when used in this GDPR Privacy Addendum. When this GDPR Privacy Addendum is applicable to you, it takes precedence over anything contradictory in our privacy notice. Data Controller and Data Protection Officer Phonexa Ltd (collectively referred to as “Phonexa”, “we”, “us” and “our” in this privacy notice) is the controller and responsible for your personal data collected through the Phonexa website (the “website”) Details of our Data Protection Officer responsible for overseeing questions in relation to this privacy notice and our details are set out in the ‘How to Contact Us’ section at the end of this notice. Information We Collect About You and How We Collect It The Personal Data we collect and the ways in which we collect it is described in our privacy notice. The personal data we collect from you is required to enter into a contract with Phonexa, for Phonexa to perform under the contract, and to provide you with our products and services. If you refuse to provide such personal data or withdraw your consent to our processing of personal data (when appropriate), then in some cases we may not be able to enter into the contract or fulfill our obligations to you under it. The legal basis for processing your personal data We will only collect and process your personal data where we have a legal basis to do so. As a data controller, the legal basis for our collection and use of your personal data varies depending on the manner and purpose for which we collected it. We will only collect personal data from you when: we have your consent to do so, or we need your personal data to perform a contract with you. For example, to process a payment from you, fulfil your order or provide customer support connected with an order, or the processing is in our legitimate interests and not overridden by your rights, or we have a legal obligation to collect or disclose personal data from you. Uses made of your personal data Your personal data is used by Phonexa to support a range of different activities. These are listed in the table below together with the types of data used and the legal bases we rely on when processing them, including where appropriate, our legitimate interests. Please be aware that we may process your personal data using more than one lawful basis, depending on the specific activity involved. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we wish to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may process personal data without your consent, in compliance with the above rules, where this is required or permitted by law. If you have any questions about how Phonexa use any of your personal data, please contact our Data Protection Officer at DPO@phonexa.uk Your Rights You have several rights under the GDPR. This includes, under certain circumstances, the right to request access to your personal data request correction of your personal data request erasure of your personal data request restriction of processing of your personal data request the transfer of your personal data object to processing of your personal data request human intervention for automated decision making Brief details of each of these rights are set out below. If you wish to exercise any of these rights, please email us at DPO@phonexa.uk Request access to your personal data You have the right to obtain a copy of the personal data we hold about you and certain information relating to our processing of your personal data. Request correction of your personal data You are entitled to have your personal data corrected if it is inaccurate or incomplete. You can update your personal data at any time by logging into your account and updating your details directly, or by emailing us at DPO@phonexa.uk Request erasure of your personal data This enables you to request that Phonexa delete your personal data, where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Request restriction of processing of your personal data You have a right to ask Phonexa to suspend the processing of your personal data in certain scenarios, for example if you want us to establish the accuracy of the data, or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. Where processing is restricted, we are allowed to retain sufficient information about you to ensure that the restriction is respected in future. Request the transfer of your personal data You have the right to obtain a digital copy of your personal data or request the transfer of your personal data to another company. Please note though that this right only applies to automated data which you initially provided consent for us to use or where we used the data to perform a contract with you. Object to processing of your personal data You have the right to object to the processing of your personal data where we believe we have a legitimate interest in processing it (as explained above). You also have the right to object to our processing of your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms. Request human intervention for automated decision making and profiling You have the right to request human intervention where we are carrying out automated decision making when processing your personal data. This form of processing is permitted where it is necessary as part of our contract with you, providing that appropriate safeguards are in place or your explicit consent has been obtained. We will try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. We may need to request specific information from you to help us confirm your identity and ensure your right to exercise any of the above rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Right to lodge a complaint If you have any concerns or complaints regarding the way in which we process your data, please email us directly at DPO@xxx.com. You also have the right to make a complaint to the ICO (the data protection regulator in the UK). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance. Your data and countries outside of Europe Transfers Outside the EEA – Your personal information may be transferred to, stored, and processed in a country other than the one in which it was collected, including the United States. It may also be processed by staff operating outside the EEA who work for Phonexa or for our third-party service providers. In such cases, we will take appropriate steps to ensure an adequate level of data protection of the recipient as required under the GDPR and as described in this Notice. Please contact us if you want further information on the countries to which we may transfer personal data and the specific mechanism used by us when transferring your personal data outside the EEA. How long we keep your data for We will keep your personal data for no longer than is necessary for the purpose(s) it was provided for and to meet our legal obligations. Further details of the periods for which we retain data are available on request. Changes to this GDPR Addendum From time to time we may change this GDPR Addendum. If there are any significant changes we will post updates on our website, applications or let you know by email. How to contact us We welcome feedback and are happy to answer any questions you may haveabout your data. Please send any questions, comments or requests for more information to our Data Protection Officer, who can be contacted at DPO@phonexa.uk