Reseller Partner Privacy Policy

1.1 Scope. This Policy applies to personal data SimClaire processes about (a) approved reseller partners and applicants, their owners, directors, and personnel ("Partner Data"); and (b) individuals who purchase, activate, or use our Products through a partner ("End Customers")[cite: 160, 161, 162]. Because our Products are connectivity services used internationally, this Policy is designed to operate across multiple privacy and telecommunications regimes[cite: 163].

1.2 In this Policy, the following terms apply:

• 1.2.1 "Personal Data" / "Personal Information" means any information relating to an identified or identifiable individual[cite: 165].
• 1.2.2 "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, transfer, and deletion[cite: 166].
• 1.2.3 "Controller" means the party that determines the purposes and means of Processing; "Processor" means a party that Processes personal data on a Controller's behalf and on its documented instructions[cite: 167, 168].
• 1.2.4 "Traffic Data" means data processed to convey a communication or for billing, including connection logs, session times, data volumes, and call/SMS detail records (CDRs) where voice and SMS Products are used[cite: 169].
• 1.2.5 "Location Data" means data indicating the approximate geographic location of a device or the host network/country in which a Product is used[cite: 170].
• 1.2.6 "Device Identifiers" means identifiers such as the eSIM EID and ICCID, the device IMEI, and the network IMSI/MSISDN assigned to a Product[cite: 171].
• 1.2.7 "Host Network" means any third-party mobile network operator, MVNO, or connectivity aggregator over whose infrastructure a Product is delivered, in any country worldwide[cite: 172].
• 1.2.8 "Applicable Privacy Laws" means all data-protection, privacy, and telecommunications laws applicable to a party, including Canada's PIPEDA; the EU and UK GDPR and the ePrivacy Directive; the California Consumer Privacy Act/CPRA and other U.S. state laws; and equivalent laws in other territories in which partners operate or End Customers use the Products[cite: 173, 174, 175].

2.1 Partner Data. SimClaire is the Controller of Partner Data (e.g., onboarding, account, and portal-usage information about partners and their personnel) and processes it as described in this Policy[cite: 179].

2.2 End Customer Data - the Partner is Controller. In the ordinary course, the Partner is the Controller of its own End Customers' personal data: the Partner sets the prices, owns the customer relationship, collects the data, and is responsible for its own lawful basis and privacy notice[cite: 180].

2.3 SimClaire as Processor. To the extent SimClaire Processes End Customer data solely to provision and deliver a Product on the Partner's instructions (e.g., generating and issuing an eSIM profile, QR code, or activation), SimClaire acts as a Processor for the Partner under a DPA[cite: 181].

2.4 SimClaire as independent Controller. SimClaire acts as an independent Controller of certain End Customer and network data where it determines the purpose itself - for example, operating and securing the network, preventing fraud and abuse, meeting its own legal, tax, and regulatory obligations, and managing relationships with upstream suppliers and Host Networks[cite: 182].

2.5 Host Networks. Host Networks and upstream connectivity suppliers act as their own Controllers (or processors of their carrier customers) in respect of Traffic Data and Location Data generated on their infrastructure, under the laws of the country in which the Product is used[cite: 183].

3.1 Partner Data: Identity and contact details of the partner and its personnel; business/legal name; business registration, incorporation, and tax identifiers; proof-of-identity and verification documents; bank or payment-card details (handled by our payment processor); login credentials and authentication data; portal and API usage, IP address, and device/browser information; support communications and correspondence[cite: 185, 186, 187, 188].

3.2 End Customer Data handled via the Platform: Where transmitted by the Partner or collected at point of sale/activation: name and email; order and transaction references; and the Device Identifiers needed to provision a Product (EID, ICCID, and, where applicable, IMEI/IMSI/MSISDN)[cite: 189, 190].

3.3 Telecommunications and network data: In connection with use of the Products, the Company and Host Networks process Traffic Data (connection logs, session start/end times, data volumes, and CDRs for voice/SMS Products), Location Data (the host network and country in which a Product is used, and approximate location derived from the network), and IP addresses and other connectivity metadata[cite: 191].

3.4 Fraud and security data: Risk and fraud-screening signals, usage patterns, sanctions/PEP screening results, and security logs[cite: 192].

3.5 We do not seek to collect special-category or sensitive data through the partner programme, and partners should not transmit such data to us unless strictly necessary and lawful[cite: 193].

6.1 Host Networks and connectivity suppliers. To deliver the Products, Device Identifiers and connectivity data are shared with upstream aggregators and the Host Networks in each country of use. This is inherent to providing global mobile connectivity[cite: 214, 215].

6.2 Payment processors. Card and payment data are processed by our payment provider (e.g., Stripe). SimClaire does not store full card numbers[cite: 216, 217].

6.3 Service providers. Cloud hosting, IT, analytics, communications, identity-verification, and professional advisors, each bound by confidentiality and data-protection obligations[cite: 218].

6.4 Authorities and lawful access. We may disclose personal data to law-enforcement, regulatory, tax, or governmental authorities where required by law, including under lawful-interception and data-retention obligations that may apply to the Company, our suppliers, or Host Networks[cite: 219, 220].

6.5 Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality safeguards[cite: 221].

6.6 We do not sell Partner Data or End Customer Data[cite: 222]. Where U.S. state laws define "sale" or "sharing" broadly, we honour applicable opt-out rights[cite: 223].

7.1 SimClaire is based in Canada and uses service providers and Host Networks located in Canada, the EU/EEA, the United Kingdom, the United States, and other regions[cite: 227]. Personal data may therefore be transferred to and processed in countries whose data-protection laws differ from those of the partner's or End Customer's home country[cite: 228].

7.2 Where we transfer personal data internationally, we rely on a lawful transfer mechanism, such as: an adequacy decision; the European Commission's Standard Contractual Clauses (SCCs); the UK International Data Transfer Agreement; or, for Canada, accountability and comparable-protection measures under PIPEDA[cite: 229, 230, 231].

7.3 Transfers to Host Networks for the purpose of delivering connectivity in a destination country are made because they are necessary for performance of the contract requested by the End Customer[cite: 232].

8.1 We retain personal data only for as long as necessary for the purposes for which it was collected, and to meet legal, accounting, tax, and regulatory requirements[cite: 234].

8.2 Indicative periods: Partner account and contract records for the term of the relationship plus the applicable limitation period [cite: 235]; financial and tax records as required by applicable law (commonly 6-7 years)[cite: 236]; Traffic and billing data for the period needed for billing and dispute resolution; fraud and security logs for as long as needed to investigate and prevent abuse[cite: 237, 238].

8.3 On termination of the reseller relationship we will delete or de-identify personal data when no longer required[cite: 239]. Where SimClaire acts as Processor, deletion or return of End Customer data follows the DPA and the Partner's instructions[cite: 240].

11.1 Subject to Applicable Privacy Laws, individuals may have rights to: access their personal data; correct or update it; request erasure; restrict or object to certain processing; data portability; and withdraw consent[cite: 252, 253]. Under California and certain other U.S. laws, individuals may also have rights to know, delete, correct, and to opt out of "sale"/"sharing"[cite: 254].

11.2 Partners and their personnel may exercise rights over their Partner Data by contacting care@simclaire.com[cite: 255].

11.3 Because the Partner is normally the Controller of its End Customers' data, requests from End Customers should be handled by the Partner[cite: 256]. Where SimClaire receives such a request and acts as Processor, it will refer the request to the Partner and assist as required under the DPA[cite: 257].

11.4 Individuals also have the right to lodge a complaint with their data-protection authority[cite: 258].

12.1 The Partner shall, as Controller of its End Customers' data: (a) maintain a valid lawful basis and provide its own clear privacy notice to End Customers; (b) obtain any consents required; (c) transmit to SimClaire only the personal data necessary to provision the Products; (d) respond to and resolve End Customer rights requests and complaints; and (e) implement appropriate security measures[cite: 260, 261, 262, 263].

12.2 The Partner shall comply with all anti-spam and electronic-marketing laws applicable to its activities, including Canada's Anti-Spam Legislation (CASL) and equivalents in other territories[cite: 264].

12.3 Where SimClaire Processes End Customer data on the Partner's behalf, the parties shall enter into a DPA that governs that Processing; the DPA prevails over this Policy to the extent of any conflict in respect of such Processing[cite: 265, 266].