About personal data protection
Personal Data Processing Terms of LLC "Trustconnect"
LLC "Trustconnect" (registration number: 405759825) is a person authorized by the National Communications Commission of Georgia in accordance with the Law of Georgia "On Electronic Communications" and offers clients SMS messaging services. Specifically, companies are able to automatically send SMS messages through Trustconnect's system to their own telephone number databases, while Trustconnect performs the function of the carrier company. The service provided by the company will be based solely on technical aspects and transmission performed through the system. Accordingly, LLC "Trustconnect" has a technical system to which the client is granted access with an individual username and password, and through which the client will send SMS messages of specific quantity, content, and designation to their own telephone number database.
Definition of Terms:
Personal Data - any information relating to an identified or identifiable natural person. A natural person is identifiable when it is possible to identify them directly or indirectly, including by name, surname, identification number, geolocation data, electronic communication identification data, physical, physiological, mental, psychological, genetic, economic, cultural, or social characteristics;
Data Processing - any operation performed on data, including their collection, acquisition, access to them, their photographing, video monitoring and/or audio monitoring, organization, grouping, interconnection, storage, modification, restoration, retrieval, use, blocking, deletion or destruction, as well as disclosure of data through their transmission, publication, distribution, or otherwise making them accessible;
Data Subject - any natural person whose data is being processed;
Client - a person in contractual relationship with LLC "Trustconnect" who orders various services from it and within the scope of which they may share personal data of data subjects with LLC "Trustconnect";
Data Controller - a natural person, legal entity, or public institution that individually or jointly with others determines the purposes and means of data processing, carries out data processing directly or through a data processor;
Data Processor - a natural person, legal entity, or public institution that processes data for or on behalf of the data controller. A natural person in employment relationship with the data controller is not considered a data processor;
Third Party - a natural person, legal entity, or public institution, except for the data subject, personal data protection service, data controller, data processor, special representative, and the person authorized to process data by direct assignment of the data controller or data processor;
Incident - a breach of data security that causes unlawful or accidental damage, loss of data, as well as unauthorized disclosure, destruction, modification, access to them, their collection/acquisition, or other unauthorized processing.
Purpose of Personal Data Processing
The purpose of these personal data processing terms is to explain which personal data is processed by LLC "Trustconnect" (registration number: 405759825) (hereinafter: "Company"), for what purpose each personal data is processed, and what measures the Company applies for the purpose of personal data protection.
The purpose of this document is for interested persons to receive basic information about how their personal data is processed by the Company, how the Company complies with applicable legislation and personal data security.
The Company carries out personal data processing and protection in accordance with the requirements of Georgian legislation on personal data.
Legal Basis for Personal Data Processing
The legal basis for processing personal data of data subjects by the Company is the performance of contractual obligations provided for by the Company's contract.
The Company may process data subjects' data only on the following basis:
Based on the service contract concluded with the client.
Under the present terms, the client in a contractual relationship with the Company is the data controller, since it is precisely the client who obtains the personal data that the Company, as a data processor, subsequently processes for the purpose of fulfilling obligations provided for in the contract concluded with the client. The contract concluded between the data controller and the data processor provides for the processor's obligation to process data only for purposes determined by the client, as well as taking into account the procedures and prohibitions established by the Law of Georgia "On Personal Data Protection." In this case, according to the Personal Data Law, the client, as the data controller, is responsible for the acquisition.
Sources of Personal Data Acquisition
Personal data transmitted by the client:
The client transmits personal data of data subjects to the Company through the following channels: email, WhatsApp, the Company's special online platform. The data is shared for the purpose of fulfilling obligations undertaken by the contract concluded between the Company and the client.
Principles of Personal Data Processing
- The Company processes personal data openly, fairly, and lawfully, without violating human dignity;
- The Company processes data for specific and clearly defined purposes;
- The Company observes elements of proportionality and reasonableness, specifically, processes only those data and in the volume necessary to achieve the purpose;
- Considering the purposes of data processing, the Company corrects, deletes, or destroys inaccurate data without unjustified delay;
- The Company stores personal data for a legitimate period, specifically, for the period provided by law or only necessary for achieving a specific purpose. After achieving the purpose, data must be deleted, destroyed, or stored in a form that does not allow personal identification;
- During the Company's data processing, appropriate technical and organizational measures are maintained, specifically, complete data security is ensured with appropriate technical means.
Categories of Personal Data
Information processed by the Company may include only contact information of the data subject - telephone number.
Data Security
The Company has taken all necessary organizational and technical measures that ensure data processing in accordance with the Law of Georgia "On Personal Data Protection."
The organizational and technical measures taken by the Company ensure the protection of personal data from accidental or unlawful destruction, modification, disclosure, acquisition, unlawful use, and loss.
Only those employees who need data processing to perform their assigned duties have access to personal data protected by the Company.
Rights of Data Subjects
A data subject has the right to request information about the processing of their personal data and receive copies of this data. A data subject has the right to:
- Receive information about what data is being processed about them, specifically, what is the purpose and legal basis of their processing, information about the source of data collection;
- Receive information about whether their personal data has been transmitted to a third party, information about the third party, the basis and purpose of data transmission;
- Request correction, updating and/or addition of false, inaccurate and/or incomplete data;
- At any time, without any explanation, withdraw their consent regarding personal data processing and request deletion of data processed on the basis of consent;
- Request cessation of data processing, deletion or destruction if:
  - They withdraw consent that constitutes the sole basis for data processing;
  - Data processing is no longer necessary for the purpose for which it was processed;
  - Data processing is being conducted unlawfully.
- Request data blocking if:
  - The authenticity or accuracy of data is disputed;
  - Data processing is unlawful, but they do not want their deletion and request only their blocking;
  - Data is no longer needed to achieve the purpose of their processing, but the data subject needs them for legal proceedings;
  - The consideration of a request for cessation, deletion, or destruction of data processing is ongoing;
  - There is a necessity to store for the purpose of using data as evidence.
The Company will respond appropriately within the timeframes established by the Law of Georgia "On Personal Data Protection," no later than 10 working days after receiving the data subject's notification.
The rights of data subjects may be restricted in the manner established by Georgian legislation.
Restriction of Data Subject Rights
The rights of data subjects may be restricted if their realization creates a threat to:
- State security, information security and cybersecurity and/or defense interests;
- Public security interests;
- Crime prevention, crime investigation, criminal prosecution, administration of justice;
- Significant financial or economic (including monetary, budgetary and tax), public health and social protection interests of the country;
- Detection of violations of professional, including regulated professional ethics norms by the data subject and imposing responsibility on them;
- Rights and freedoms of others;
- Protection of state, commercial, professional and other types of secrets provided by law;
- Substantiation of legal claim or defense.
The Company uses restriction measures only adequately to the purpose of restriction and in proportional volume.
Transfer to Third Parties
The Company does not transfer personal data of data subjects to third parties. When the Company transfers its rights and obligations fully or partially to another person, if the Company also transfers personal data fully or partially, it will have prior written consent from the data controller/client regarding this matter.
International Data Transfer
The Company does not carry out international transfer of personal data of data subjects.
Personal Data Retention Period
Personal data is stored for the duration of the contract concluded with data controllers. After the expiration of this period, personal data is automatically destroyed.
Processing personal data for this period is necessary for the Company's proper operation.
Incident Management
An incident is a breach of data security that causes unlawful or accidental damage, loss of data, as well as unauthorized disclosure, destruction, modification, access to them, their collection/acquisition, or other unauthorized processing.
In case of an incident, the Company records the incident, the resulting consequences, and measures taken within 72 hours from incident detection and notifies the Personal Data Protection Service in writing or electronically, except when it is less likely that the incident will cause significant harm and/or pose a significant threat to fundamental human rights and freedoms.
If an incident is highly likely to cause significant harm and/or pose a significant threat to fundamental human rights and freedoms, the Company notifies the data subject about the incident as soon as possible from incident detection, without unjustified delay, and provides the following information in simple and understandable language:
- General description of the incident and related circumstances;
- Information about probable/actual damage caused by the incident, measures implemented or planned to reduce or eliminate it;
- Contact details of the personal data protection officer or other person.


