Privacy Notice

1. OVERVIEW – SCOPE/COVERAGE

• 1.1 About OXIO and OXIO customers. OXIO Mobile (collectively with its affiliates, “OXIO”, “us”, “we”) operates as a telecom-as-a-service technology provider to its business customers. As a service provider, OXIO does not operate its own direct-to-consumer brand. Instead, brands and companies – OXIO’s customers – use OXIO’s technology to offer mobile connectivity services to their clients and users. We refer to each such customer as a mobile virtual network operator brand, or “MVNO Brand.” 
• 1.2 Personal Information. In this Privacy Notice, “Personal Information” means information that is considered personal information under applicable data protection laws (such as under the definition of “Personal Information” in the California Consumer Privacy Act (“CCPA”) or under the definition of “Personal Data” in the EU General Data Protection Regulation (“GDPR”)). In general, Personal Information is information that can be used to identify you and information about you that is linked to you specifically, as an identified or identifiable person. For example, your name or contact information is Personal Information, and your user preferences, if they are linked to your name or other identifier, are also Personal Information. In some cases, information that is Personal Information can be transformed so that it is no longer Personal Information. For example, user preferences that have been aggregated and anonymized and cannot be used to identify you are not Personal Information.
• 1.3 How this Privacy Notice applies. This Privacy Notice describes OXIO’s privacy practices with respect to Personal Information collected and processed by OXIO on its own behalf, not the privacy practices of any MVNO Brand or any other company. This Privacy Notice also summarizes certain choices and rights that you may have with respect to your Personal Information. Except with respect to certain Personal Information of employees and other personnel of our customers, for the most part the applicable MVNO Brand is primarily responsible for privacy related matters concerning Personal Information of individual end users/consumers – this includes informing you of your rights, providing choices, and responding to inquiries and requests regarding Personal Information. OXIO may, however, collect and process Personal Information and address privacy matters on behalf of or at the direction of a given MVNO Brand, (including following the instructions of the MVNO Brand in response to, for example, requests by an individual for information about that individual’s Personal Information, or choices made by that individual with respect to that individual’s Personal Information). Whenever that is the case, the written contract between OXIO and the MVNO Brand, which may include a “data processing addendum” or similar set of privacy-related terms, will address the respective responsibilities of OXIO and the MVNO Brand regarding Personal Information.
• 1.4 How to read this Privacy Notice. 
  • 1.4.1 The applicability of the practices described in this Privacy Notice depends on (a) your relationship to OXIO, (b) OXIO’s role in the business relationship under which OXIO may be collecting and processing your Personal Information, (c) applicable law (such as data protection laws, like CCPA, and other relevant laws, like the US Telecommunications Act), and (d) applicable agreements (such as the contracts between OXIO and MVNO Brands). 
  • 1.4.2 Certain descriptions in this Privacy Notice are provided as examples, and certain concepts are phrased in terms that are derived from particular data protection laws, which may or may not apply in a specific case, but which may have analogous concepts in applicable law. For example, “Personal Information” under CCPA is essentially the same as “Personal Data” under GDPR, as noted above. As another example, “Consumer” under CCPA is essentially the same as “Data Subject” under GDPR. So, whenever we refer to “Personal Information,” we also mean “Personal Data” where GDPR applies, and vice versa. In certain sections of this Privacy Notice, we include a link to a table (<“[Information we collect]”>) that provides additional information about the categories of Personal Information we collect, the purposes or legal bases of our collecting, processing and sharing that Personal Information, etc.
• 1.5 Other notices. For Personal Information collected by us on behalf or at the direction of an MVNO Brand, the MVNO Brand’s privacy notice(s) will take precedence over this Privacy Notice. In addition, OXIO may publish additional notices for specific geographic regions, services, or audiences. Where that is the case, the more specific notice will apply. The privacy notices of third parties may also apply, where applicable.
• 1.6 Changes. We may change this Privacy Notice and our privacy practices over time to reflect changes in our business or applicable law, or to reflect the evolving privacy landscape and our continuing efforts to strengthen our protections for our customers and their clients and users. The most recent version of this Privacy Notice applies as of the time it is posted on our website, and it will be the User’s sole responsibility to verify the applicable version of this Privacy Notice.

2 SOURCES AND CATEGORIES OF PERSONAL INFORMATION WE COLLECT

• 2.1 Overview. To provide our services to our customers and manage our business relationships with them, enable our customers to provide mobile connectivity services to their clients and users, and to otherwise operate our business, we collect information about you, your devices and how you use our services or our customers’ services. This can include information you give to us, information we collect automatically, information we obtain from other sources, and information we or our customers generate about you. Examples follow. Please see <“[Information we collect]”> for more details. 
• 2.2 Information you provide. We collect information you provide to us or to an MVNO Brand (which the MVNO Brand might pass along to us, or which we might collect on behalf of the MVNO Brand). For personnel of our customers, this might include business contact information, employment/role information or customer support information. For MVNO Brand end users or subscribers, this might include account information, such as contact and billing information, personal identifiers or identity verification information (which may include biometric information), demographic or personal interest information, customer support information, and other information you provide in response to a request by us or the MVNO Brand from time to time (such as information related to surveys, referrals, or promotions). 
• 2.3 Information we collect via technology. We collect information automatically when you use our services or our customers’ services. This might include information about networked equipment, like your type of device, device identifiers and phone number. It might also include network and device usage and performance data, and location information (from multiple sources, such as cell towers, wi-fi routers, satellites, Bluetooth services, network equipment or other network devices). It could also include web browsing and mobile app information, such as usage data, website URLs and IP addresses.
• 2.4 Information from third parties. We also collect information from third parties. This may include business partners (such as payment providers or apps or websites with OXIO integrations (that use OXIO APIs, or whose APIs OXIO uses)), social media services, credit reporting agencies, third parties that you direct to share information with us, public sources, marketing mailing lists or other commercially available information.  
• 2.5 Information generated by OXIO or MVNO Brands. We or our customers may create data about you. For example, we may make inferences about you based on your use of our services or an MVNO Brand’s services, such as interests or demographic information. 

3 HOW WE USE PERSONAL INFORMATION

• 3.1 We rely on the information we collect to provide our services to our customers, to help our customers provide their services to their subscribers and end users, to support our and our customers’ business functions, to improve the user experience and for troubleshooting issues, managing network performance. In most cases these uses are tied to our contractual obligations to our customers (including where our customer’s use of Personal Information is based on consent) or to our obligations under applicable law. Please see <“[Information we collect]”> for details. For example, we use Personal Information to:
  • 3.1.1 Deliver our products and services.
  • 3.1.2 Enable MVNO Brands to deliver certain products and services that use OXIO technology.
  • 3.1.3 Contact our customers or their clients and users, including for direct or indirect billing, support, marketing or other purposes (subject to consent and/or opt-in or opt-out choices, where applicable). 
  • 3.1.4 Improve the user experience.
  • 3.1.5 Improve and protect our network(s).
  • 3.1.6 Investigate and resolve security issues or other technical problems.
  • 3.1.7 Comply with applicable laws and legal processes, including investigation of illegal activities.
  • 3.1.8 Enforce our contracts and protect our property. 
  • 3.1.9 Create and analyze aggregated, anonymized/de-identified statistical data.
  • 3.1.10 Conduct research and generate aggregated reports that offer insights about groups of users (but not identified individuals). 
  • 3.1.11 Understand what products and services may be of interest to particular individuals or groups of individuals (but without accessing or using the content of any messages or communications by such individuals for this or any other marketing or advertising purposes). Where the user has provided specific, informed consent (collected by OXIO or the MVNO Brand), this may include creating a profile that the MVNO Brand can use to offer personalized products and services, subject to the MVNO Brand’s privacy notice and the user’s right to withdraw such consent at any time.  
  • 3.1.12 Other legitimate uses that are disclosed to you at or prior to our collection of the applicable Personal Information and that are compatible with the context in which the Personal Information was collected.
• 3.2 We may use automation, including process automations and artificial intelligence tools, to assist with these uses. We do not access, use or share any user content, such as text messages or other communications, for any marketing, advertising, or similar purposes. Again, please see <“[Information we collect]”> for additional details.

4 HOW WE SHARE PERSONAL INFORMATION

As summarized below, we share Personal Information with MVNO Brands, OXIO affiliates and third parties in connection with the uses described above and in <“[Information we collect]”>”. 

• 4.1 MVNO Brands. If you are a customer or end user of an MVNO Brand, please keep in mind that OXIO is a service provider to the MVNO Brand, and the MVNO Brand, in general, determines the privacy practices that apply to your Personal Information. Nevertheless, in some cases, both OXIO and the MVNO Brand collect Personal Information relating to MVNO Brand clients and users, which they share with each other as part of the delivery of the MVNO Brand’s services to you. We follow the practices described in this Privacy Notice as applicable under our contract with the MVNO Brand; the MVNO Brand may collect, use and share your Personal Information in ways not covered by this Privacy Notice.
• 4.2 Service Providers. We share Personal Information with companies that provide services to us (or to MVNO Brands or their clients and users on our or the MVNO Brand’s behalf). We share only the Personal Information needed to obtain the applicable service and contractually limit its use. Service providers may include OXIO affiliates. Applicable services may include those relating to:
  • 4.2.1 Billing, payment processing and collections.
  • 4.2.2 Cloud storage and other cloud and computing infrastructure.
  • 4.2.3 Security, including identity verification.
  • 4.2.4 Customer support platforms, such as call centers and support ticketing. 
  • 4.2.5 Marketing.
  • 4.2.6 Analytics and research.
  • 4.2.7 Legal and accounting services, including third parties and their representatives in connection with a potential merger or acquisition.
• 4.3 Third parties where authorized by users. You may configure your device or applications or otherwise authorize us or an MVNO Brand to share your personal information (or you may directly authorize a third party to share and/or receive information from us or an MVNO Brand).
• 4.4 Third parties where authorized or required by law. In some cases, we may be authorized or required to share Personal Information under applicable law, whether with governmental authorities, service providers, or other third parties. This may include sharing when we:
  • 4.4.1 Route your communications with carrier networks, such as when we connect calls or text messages.
  • 4.4.2 Comply with legal requirements, such as responding to subpoenas, court orders or other legal process. 
  • 4.4.3 Prevent, detect or investigate fraud, suspected illegal activities, or violation of our policies, or to protect or defend ourselves or others, collect payment, ensure network security, enforce our agreements and legal rights, or comply with law.
  • 4.4.4 Share information about account users with the owner of the account used by that user. 
  • 4.4.5 Provide applicable information to the appropriate authority or users in emergency circumstances.
  • 4.4.6 Provide applicable information to Caller ID and similar services.

5 DATA RETENTION

We retain Personal Information for as long as necessary to fulfil the purposes for which we collected and processed that Personal Information unless a longer period is permitted or required by law. In some cases, Personal Information is used for multiple purposes, as described above, and we may retain and use Personal Information for one purpose even after our need to use it for another purpose has expired. We take various factors into account in determining our retention periods for Personal Information, including:

• 5.1 The type, sensitivity and amount of the Personal Information.
• 5.2 Our contractual or legal obligations related to the Personal Information.
• 5.3 The purposes for which we collected the Personal Information, and any additional legitimate or compatible purpose under applicable law.
• 5.4 The potential risk of harm from unauthorized use or disclosure of the Personal Information. 

6 SECURITY

• 6.1 We take data security seriously, and we implement and work continuously to improve the security of our systems and services. We monitor our systems, implement industry-standard controls, train our employees, and use independent auditors to test and verify our practices. Our contracts with MVNO Brands and our service providers include detailed security obligations relating to Personal Information.
• 6.2 The security of your Personal Information also depends on you and the steps you take to control the possession of your devices and protect the confidentiality of your passwords or other authenticators or confidential information. 
• 6.3 No security measures are perfect, and no commercially reasonable measures can withstand focused or sustained attacks from the most determined and skilled actors, such as government sponsored hackers or criminal gangs. Accordingly, we cannot guarantee that your Personal Information will never be disclosed or used in a manner inconsistent with this Privacy Notice. 

7 MINORS

We do not knowingly collect Personal Information from anyone under 18, and we do not contact anyone under 18 for marketing purposes without parental consent. If we are not aware that a child is using a service or device purchased by an adult, we may collect Personal Information and treat it as an adult’s Personal Information in accordance with this Privacy Notice. 

8 YOUR PRIVACY CHOICES AND CONTROLS

• 8.1 Overview.
  • 8.1.1 You may have certain rights under applicable data protection laws with respect to your Personal Information. Below is a brief summary of examples of rights that you may have, depending on where you live, as well as how to submit a request to us to exercise your rights (whether or not listed below) or to take advantage of a choice or control we make available to all. Not all rights apply in all areas, and you may have rights that are not specifically addressed below. For MVNO Brand clients and users, in most cases your requests should be directed to the MVNO Brand, and we will cooperate with the MVNO Brand to process your request where we possess or control the applicable Personal Information. 
  • 8.1.2 In some cases, the MVNO Brand or OXIO may limit or deny your request because applicable law allows or requires us to do so. We may also deny your request if we cannot verify who you are or your right to make the request. We do not discriminate against anyone for exercising rights relating to Personal Information. 
  • 8.1.3 To make a request, please <method, such as “submit a Personal Information request”, or “click on the “Privacy Choices” link”, etc.>. We are required to verify your identity before we can implement or give you access to implement your request, and you may be required to provide information that we can use to reasonably verify your identity. This may include account information, government-issued ID or other evidence of your identity. We will use this information solely to identify you in connection with your request. 
  • 8.1.4 If we deny your request, you may have the right to submit an appeal, and we will include in our response instructions for how to submit an appeal. 
• 8.2 Rights and choices. 
  • 8.2.1 Access. You may have the right to request access to your Personal Information or confirmation that we have Personal Information about you. Where that is the case, we will provide access to your Personal Information in a portable and machine-readable format, if possible. We will not provide Personal Information where prohibited by law. For example, we will not disclose certain sensitive Personal Information, such as a social security number, except to state whether we have such Personal Information. We may not be required to search for your Personal Information in certain circumstances under applicable law, such as under CCPA regulation 7024(c). For multi-line accounts, the amount and types of Personal Information provided will depend on whether the request is made by the account owner or by the user of a particular line on the account. 
  • 8.2.2 Changes. Most of our apps and websites allow users to change their account profiles. For changes that cannot be made through your account profile, you can request that we correct your Personal Information.
  • 8.2.3 Deletion. You may request that we delete your Personal Information. Note that in many situations we must keep some of your Personal Information for our business purposes, like providing service to the applicable MVNO Brand or managing our business relationship with you or your organization, detecting security problems, or complying with our legal obligations. We may comply with your request by deleting your Personal Information from our systems, or by deidentifying or aggregating such information.
  • 8.2.4 Do not sell or share. You may have the right to opt out of having your data sold by us for monetary or other valuable consideration or shared by us for cross-context behavioral advertising purposes. We do not currently engage in either such uses.
  • 8.2.5 To the extent we engage in direct marketing via emails or texts, we will provide a mechanism within such emails or tests to adjust your marketing communication preferences. We do not disclose Personal Information collected on our own behalf to third parties for their direct marketing purposes. 
  • 8.2.6 Profiling and automated decisions. “Profiling” is a specific type of activity under certain privacy laws and generally refers to the automated processing of Personal Information to evaluate, analyze, or predict certain personal aspects about your performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. We do not engage in profiling on our own behalf, such as with respect to personnel of our customers, or visitors to our websites. If an MVNO Brand wishes to engage in profiling using OXIO services, the MVNO Brand must provide its clients and users with appropriate disclosures and opt-out or opt-in mechanisms, as applicable. This may include mechanisms to request to limit the use of sensitive Personal Information.
  • 8.2.7 Customer Proprietary Network Information (“CPNI”). CPNI under U.S. law consists of certain types of information about your telecommunications services, such as details about your subscription plan and your use of voice services. Your phone number, name and contact information are not CPNI. We will not use your CPNI to market other products or services to you without your consent. And we do not share your CPNI outside of our affiliates, agents, suppliers and MVNO Brands without your consent, except for ordinary business operations, fraud prevention, or legal compliance. We or an MVNO Brand, if applicable, may provide tools to allow you to manage who can access your CPNI. 

9 Cookies

We store certain data about the use of our website to prevent any problems with its operation and improve the user experience through the use of Cookies. Cookies allow us to control traffic and data communications and analytics, monitor website performance, and analyze and track user behavior within the website to improve their experience.

Cookies can be classified according to the purpose for which the data obtained is processed. Among these, we can distinguish the following:

1. Technical Cookies: Cookies that allow the user to navigate a website, identify the session, remember elements that make up an order, process the purchase of a product, request registration or participation in an event, among others.
2. Personalization Cookies: Cookies that allow the user to access the service with predefined characteristics based on criteria set by the user’s device, for example, the language, type of browser used to access the page, or the regional settings from which the service is accessed.
3. Analysis cookies: These cookies allow OXIO to track and analyze user behavior on the website.

To make the most of our website, we recommend that you set your device to accept all Cookies. However, you can disable or limit certain aspects of Cookies, using your device’s settings.

10 Other Information. 

• 10.1 For residents of the EEA, the UK and Switzerland. You may have additional rights under applicable law, which may include GDPR and its UK and/or Swiss equivalents. OXIO does not offer its products or services to EEA, UK or Swiss data subjects. Where an MVNO Brand does so using OXIO technology, we will collect or process Personal Information of such data subjects only pursuant to an appropriate written agreement meeting the requirements of GDPR Article 28(3), and transfers of Personal Information to our facilities in the United States or other countries outside the EEA, UK and Switzerland will be made only pursuant to an adequacy decision under GDPR Article 45 (currently the EU-US and/or Swiss-US Data Privacy Framework and/or the UK extension to the EU-US Data Privacy Framework) or appropriate safeguards under GDPR Article 46. In general, our legal basis for processing Personal Information will be to perform our contractual obligations to the MVNO Brand. Where we may be deemed to be the “controller” of Personal Information, our legal basis for processing will generally be to pursue our legitimate interests, such as to understand the use of and improve our services, or to comply with legal obligations, or for other purposes with your consent, where required. Personal Information relating to personnel of our EEA/UK/Swiss business customers is generally limited to business contact information and customer support information.
• 10.2 Third-party applications and websites. We may provide links to websites or other third-party content, applications, or services that we neither own nor control. Your use of such websites, content, applications or services will be governed by the privacy notices of the applicable third party, and not by this Privacy Notice.

11 CONTACT US

If you have questions or concerns about our privacy practices, you can contact us at support@oxio.io. To submit a privacy-related request, such as to inquire about Personal Data we have about you, or to exercise other rights relating to Personal Data, you can <method, such as click on the “Privacy Choices” link next to the <[check-mark/X logo]> on our website or submit a written request at <contact information>>. If you are a client or user of an MVNO Brand, in most cases you should direct your inquiry to the MVNO Brand, and we will forward your applicable requests to the MVNO Brand or respond to your requests suggesting that you do so.