OVOSIM Privacy Policy

1. Introduction

Pinocchio, LLC, operating under the name OVOSIM ("we," "us," "our," or "Company") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our eSIM services and website. This policy complies with applicable privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant data protection regulations.

2. Information We Collect

Personal Information

We collect the following types of personal information:

• Identity Information: Name, email address, phone number, billing address
• Payment Information: Credit card details, billing information (processed securely through third-party payment processors)
• Device Information: IMEI numbers, device model, operating system, eSIM capabilities
• Account Information: Username, password, account preferences, service history
• Communication Records: Customer service interactions, support tickets, feedback

Technical and Usage Information

• Connection Data: IP addresses, connection timestamps, data usage, location information (cell tower data)
• Website Analytics: Browser type, pages visited, time spent, referring websites, cookies
• Performance Data: Network performance metrics, connection quality, error logs
• Location Data: Approximate location based on IP address and cell tower connections

Information from Third Parties

• Network operator partners may provide connection and usage data
• Payment processors provide transaction verification data
• Fraud prevention services may provide risk assessment data

3. How We Use Your Information

Service Provision

• Provisioning and activating eSIM profiles
• Processing payments and managing billing
• Providing customer support and technical assistance
• Managing user accounts and preferences
• Monitoring service performance and network optimization

Legal and Regulatory Compliance

• Complying with telecommunications regulations
• Meeting data retention requirements
• Responding to legal requests and court orders
• Preventing fraud and ensuring security
• Conducting know-your-customer (KYC) verification where required

Business Operations

• Improving and developing our services
• Conducting analytics and research
• Marketing and promotional communications (with consent)
• Risk assessment and fraud prevention

4. Legal Basis for Processing (GDPR)

Under GDPR, we process personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide eSIM services
• Legal Obligation: Compliance with telecommunications and data retention laws
• Legitimate Interest: Fraud prevention, network security, service improvement
• Consent: Marketing communications and non-essential cookies
• Vital Interest: Emergency services and public safety requirements

5. Information Sharing and Disclosure

Service Providers and Partners

• Network Operators: Mobile network operators providing connectivity infrastructure
• Payment Processors: Stripe, PayPal, and other payment service providers
• Cloud Services: Amazon Web Services, Google Cloud for data processing and storage
• Customer Support: Third-party support platforms and communication tools
• Analytics Providers: Google Analytics and similar services (anonymized data)

Legal Requirements

We may disclose information when required by law or to:

• Comply with legal process, subpoenas, or court orders
• Respond to government investigations or regulatory requests
• Protect our rights, property, or safety
• Prevent fraud or illegal activities
• Assist law enforcement with legitimate investigations

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the business transaction.

6. Data Security Measures

We implement comprehensive security measures including:

• Encryption: End-to-end encryption for data transmission and storage
• Access Controls: Role-based access with multi-factor authentication
• Network Security: Firewalls, intrusion detection, and monitoring systems
• Regular Audits: Security assessments and penetration testing
• Employee Training: Regular security awareness and privacy training
• Incident Response: Procedures for handling security breaches
• Vendor Management: Security requirements for all third-party providers

7. Data Retention Policies

Retention Periods

• Account Information: Retained while account is active plus 7 years after closure
• Payment Records: 7 years for tax and audit purposes
• Connection Logs: 12 months for network optimization and troubleshooting
• Customer Support Records: 3 years after last interaction
• Marketing Consents: Until consent is withdrawn
• Legal Hold Data: Retained as required by legal proceedings

Data is securely deleted at the end of retention periods unless legal obligations require longer retention.

8. Your Privacy Rights

General Rights

• Access: Request copies of your personal information
• Rectification: Correct inaccurate or incomplete information
• Erasure: Request deletion of your personal information
• Portability: Receive your data in a machine-readable format
• Restriction: Limit how we process your information
• Objection: Object to processing based on legitimate interest

GDPR-Specific Rights (EU Residents)

• Right to withdraw consent at any time
• Right to lodge a complaint with supervisory authorities
• Right to object to automated decision-making
• Right to be informed about data breaches affecting your data

CCPA Rights (California Residents)

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information
• Right to equal service and price, even if you exercise privacy rights

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for transfers to approved countries
• Binding Corporate Rules for intra-group transfers
• Certification programs and codes of conduct

10. Cookies and Tracking Technologies

Types of Cookies

• Essential Cookies: Required for website functionality
• Performance Cookies: Analytics and website optimization
• Functional Cookies: User preferences and settings
• Marketing Cookies: Advertising and promotional content

You can control cookie settings through your browser preferences. Disabling certain cookies may affect website functionality.

11. Children's Privacy

Our services are not intended for children under 16 years of age (13 in the United States). We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

12. Telecommunications-Specific Disclosures

Call Detail Records (CDRs)

We collect and retain connection metadata including timestamps, data usage, and network identifiers as required by telecommunications regulations.

Emergency Services

Location information may be shared with emergency services when you make emergency calls through our network.

Lawful Interception

We may be required to provide access to communications and data to law enforcement agencies under applicable laws and with appropriate legal authorization.

13. Data Breach Notification

In the event of a data breach that may pose a risk to your privacy, we will:

• Notify relevant supervisory authorities within 72 hours (where required)
• Inform affected individuals without undue delay
• Provide information about the nature of the breach and mitigation steps
• Implement measures to prevent future incidents

14. Third-Party Services and Links

Our website may contain links to third-party services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any information.

15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or applicable laws. Material changes will be communicated through:

• Email notification to registered users
• Prominent notice on our website
• In-app notifications where applicable

Continued use of our services after changes constitutes acceptance of the updated policy.

16. Contact Information and Data Protection Officer

For privacy-related questions, to exercise your rights, or to contact our Data Protection Officer:

Supervisory Authority Contacts:

• EU: Contact your local Data Protection Authority
• UK: Information Commissioner's Office (ICO)
• California: California Attorney General's Office