GENERAL PRIVACY POLICY

At Soprano we respect your privacy and the security of your personal information and data. This General Privacy Policy explains how we collect, hold, handle, share and otherwise process Personal Data in connection with your use of our Services and Sites (as defined below), and how you can exercise your rights. Please carefully read this General Privacy Policy before browsing our Sites and using our Services. This General Privacy Policy supplements other privacy notices and is not intended to override them.

Soprano Group is made up of different legal entities, details of which can be found HERE. This General Privacy Policy is issued on behalf of the Soprano Group, so when we mention “Soprano”, “we”, “our” or “us” we are referring to the relevant company in the Soprano Group responsible for processing your Personal Data. We will let you know which entity will be the Controller of your data when you purchase our Services in the application process. If you are a Customer or a Supplier of more than one Soprano affiliate, the relevant data Controller is the Soprano legal entity retained by you in each particular case. When we refer to “you” or “your” in this General Privacy Policy, we are referring to any individual or entity who is a Customer, Supplier or User of our Sites or Services.

Soprano Design Pty Ltd , a company located in Australia with head office at Level 15, 132 Arthur St North Sydney NSW 2060 and company number ACN 066 450 397 is a Controller and responsible for this Site.

TABLE OF CONTENTS

  1. INTRODUCTION
  2. TYPE OF PERSONAL DATA WE MAY COLLECT ABOUT YOU
  3. SOURCES FROM WHICH WE MAY COLLECT YOUR PERSONAL DATA
  4. HOW WE USE YOUR PERSONAL DATA AND LAWFUL BASES FOR PROCESSING
  5. WHEN DO WE DISCLOSE YOUR PERSONAL DATA AND WHY?
  6. INTERNATIONAL TRANSFERS OUTSIDE THE EEA
  7. RETENTION OF YOUR PERSONAL DATA
  8. SECURITY
  9. YOUR LEGAL RIGHTS IN RELATION TO YOUR PERSONAL DATA
  10. CONTACT
  11. CHANGES TO THIS GENERAL PRIVACY POLICY
  12. ADDITIONAL TERMS FOR CERTAIN REGIONS
  13. DEFINITIONS

  1. TABLE OF CONTENTS

    We are a cloud-based Communications Platform as a Service (CPaaS) provider of mobile messaging technology for our business and government Customers worldwide, and for telecommunication companies and other providers that include our Services in their own offerings. Our omni-channel platform allows our Customers to interact with a variety of communication channels with their end-users (e.g. SMS, WhatsApp, email).

    Some data protection laws, such as GDPR, differentiate between controllers (those who determine why and how they process Personal Data) and processors (those who process data on a controller’s behalf). When we process Personal Data in the provision of our Services, we may do it in the role of Controller or Processor, depending on the situation.

    When we send communications to our Customers’ end-users (e.g. the Customer’s staff or members of the public), we do it under instructions and on behalf of our Customers for the sole purpose of providing the Services to them. Therefore, when an end-user receives a communication that has been sent by Customer using our platform, we are acting as a Processor. The processing of Personal Data in our role of Processor and service provider on behalf of our Customers is not within the scope of this policy. Our Customers are solely responsible for complying with the data protection laws that apply to the collection and processing of Personal Data of their end users with whom they interact through the use of our Services. If you’re an end user of one of our Customers, please contact our Customer directly for any requests or questions relating to your Personal Data.

    This General Privacy Policy only applies in situations where we process data for our own purposes acting as a controller, such as:

    1. When you visit our Sites that link to this policy.
    2. When you use our Services as an authorized user (e.g. as someone engaged by our Customer and has been given access to our platform).
    3. When you interact with our official Social Media profiles.
    4. When you attend or register for our events or webinars.
    5. When you contact us to request information about our Services.
    6. When we seek new business opportunities and collect data to nurture our Customer base.
    7. When you provide your Services or products to us.
    8. When you apply for or invest with Soprano.

    If you are a job applicant and apply for a job position with us, please refer to the Candidate Privacy Noticemade available when you apply online for further details as to how your Personal Data is collected, processed and how long it is retained for.

    Our Sites and Services may contain links to other third-party web pages and applications. The privacy practices of such other websites, including social media platforms that host our Soprano official profile, are governed by their privacy notices which we encourage you to review in order to understand their information practices.

  2. TYPE OF PERSONAL DATA WE MAY COLLECT ABOUT YOU

    Any information or an opinion relating to an identified or reasonably identifiable natural person, directly or indirectly, is “Personal Data”.

    We may collect, use, store and transfer different types of Personal Data about you, depending on how you interact with us:

    1. Identity Data includes first and last name, ID number, image, signature, username or similar identifiers.
    2. Contact Data includes registered address, billing address, email address and telephone numbers.
    3. Financial Data includes bank account, payment card details (when you pay for our Services).
    4. Professional Data includes your employer, job title and your role at your company.
    5. Profile Data includes your username and password, purchases or orders made by you; your interests, preferences, feedback and survey responses.
    6. Usage Data includes information about how you browse our Sites and use our Services (e.g. what features you use on our platform; time spent; pages

      7. visited, etc.).

    7. Traffic Data includes all data processed for the purpose of conveying an electronic communication through your use of our Services or for the billing in

      8. respect of that communication, and includes data relating to the routing, duration, type and time of the communication (e.g. Customer end-user’s telephone number or email address, IMEI, IMSI, MSISDN, etc.).

    8. Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types

      9. and versions, operating system and platform, type of computer or device you are using, system configuration information and other technology on the devices you use to access our Sites.

    9. Marketing Data includes your preferences in receiving marketing communications from us.

    We also process the contents of the communications you send and receive via our Services, but we do it as a processor and service provider acting on behalf of our Customer.

    In addition, we collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered personal information in law, as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific site feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this General Privacy Policy.

    We do not collect any sensitive or Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

  3. SOURCES FROM WHICH WE MAY COLLECT YOUR PERSONAL DATA

    We use different methods to collect Personal Data from you by:

    Direct interactions. We may collect directly from you your identity, contact, professional or Financial Data when you:

    1. apply for or enquire about our Services;
    2. register for an account to access or use our Services, or when you authorize an individual to use our Services in connection with your account;
    3. register for an event or webinar hosted by us;
    4. subscribe to our newsletter or publications;
    5. request marketing communications to be sent to you;
    6. if you contact us or show interest in receiving information about our Services.

    It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

    you represent that you are the owner of the Personal Data you provide to us, or if you provide us with data of other individuals, you represent that you have the authority and necessary consent to do so and acknowledge that it will be used pursuant to this General Privacy Policy.

    Automated technologies or interactions. As you interact with our emails, Sites and use our Services, we may automatically collect Technical Data about your equipment, browsing actions and patterns, which help us provide you with a good experience when you browse our Sites and also allows us to improve them. We collect this information by using cookies, web beacons, server logs and other similar technologies. Please read our detailed Cookie Policy for further details.

    Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources as set out below:

    1. Profile, Technical and Usage Data if you visit other websites employing our cookies
    2. From third party providers including, for example, advertising networks, analytics providers, search information providers, credit reference agencies, data brokers or aggregators.
    3. Identity, contact and Professional Data from publicly-available sources such as LinkedIn or other publicly available sources.
    4. Identity and Contact Data from data brokers, aggregators or marketing mailing lists some of which may be based outside the EU.
    5. We may also process Identity Data you provide when you interact with Soprano using a third party service (“Third Party Platforms”). For example, we may have access to certain information from your corporate authentication service if you log into Soprano using single sign on authentication. Any access that we may have to such information from a Third Party Platform is in accordance with the authorisation procedures determined by that service. By allowing us to connect with the Third Party Platform, you authorise us to access and store your personal information that the third party makes available to us, and to use and disclose it in accordance with this General Privacy Policy.

  4. HOW WE USE YOUR PERSONAL DATA AND LAWFUL BASES FOR PROCESSING

    We will only use your Personal Data when permitted by the law, and using appropriate technical and organisational measures. Most commonly, we will use your Personal Data in the following circumstances:

    1. Where we need to perform the contract we are about to enter into or have entered into with you.
    2. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
    3. Where we need to comply with a legal obligation.
    4. Where you have provided your consent. your consent is not always required for us to process your Personal Data although we will get your consent before sending marketing communications as set out in section 4.1.4 below.

    We have set out a helpful table below as a summary of the lawful basis for processing, and the ways we plan to use your Personal Data as described below. Note that we may process your Personal Data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis we are relying on to process your Personal Data where more than one basis apply.

    4.1. IF YOU ARE A CUSTOMER

    4.1.1. Processing activities necessary for the performance of the existing contractual relationship with our Customers.

    The processing of the Customers’ personal data indicated below will be carried out because it is necessary for the formalization, development, control, maintenance and fulfillment of the contractual relationship.

    These tasks include the following activities:

    • To register you as a new Customer, create a Customer Account, communicate with you, and enable you to use our Services. If you sign up for our Services we’ll need to process your data in order to create your “Customer Account”, and enable you to use our Services and communicate with us, and for us to communicate with you, through the account portal. For this purpose, we will process your identity, professional, contact data, and technical data (e.g. login details such as your password or API key).
    • To process and deliver your order. For this purpose, we will process your identity, professional, contact data, financial data, and traffic data.
    • To manage payments, fees and charges. For this purpose, we will process your identity, contact data, financial data, and traffic data.
    • To collect and recover money owed to us. For this purpose, we will process your identity, professional, contact data, financial data, and traffic data.
    • To manage our relationship and communicate with you as our Customer. For this purpose, we will process your identity, contact data, professional data, profile, traffic data, and usage data.
    • To provide our Services to you. For this purpose, we will process your identity, contact data, profile, usage data, and traffic data. When you use our services, traffic data may be collected either automatically (e.g. data generated during the process of conveyance of a message) or directly from you (e.g. Customer’s end user’s phone number or email address).
    • To provide you with Customer care and technical support. For this purpose, we will process your identity, professional, contact data, profile, traffic data, and usage data.
    • To notify you about changes to our terms or privacy policy. For this purpose, we will process your identity, professional, contact data, profile, and usage data.
    • To provide you with the requested information about our Services, answer your questions, provide Customer support or otherwise communicate with you. For this purpose, we will process your identity and contact data, and any other information you decide to send us or share while communicating with us. We will keep a record of the information you provide in the course of our communications, so even if we have put in place security measures to protect your data, you should not disclose personal or sensitive data irrelevant to your request.

    4.1.2. Processing activities necessary to comply with legal obligations.

    We will process your personal data in order to comply with the different legal obligations that may be required from time to time.

    These obligations will exist and must be fulfilled even after the termination of the contractual relationship, as appropriate in each case.

    4.1.3. Processing activities based on legitimate interest.

    There are other processing activities that we will carry out because we have a “legitimate interest” in them and because, in addition, we believe that they do not negatively affect your privacy and do not compromise the protection of your personal data. With respect to these processing activities, you have the right (i) to obtain more information about what exactly this “legitimate interest” consists of, (ii) to know how we have come to the conclusion that they do not harm your privacy, (iii) or directly to object to them.

    We will now detail and explain these processing activities:

    • To conduct credit checks from time to time to investigate fraudulent activities.
    • To investigate fraudulent activities and prevent security incidents. When you log in to your Customer Account, we also gather some information automatically such as Technical Data (e.g., your IP address, routing information) and activity logs, in order to understand who is accessing our Services, investigate fraudulent activities and prevent security incidents. We will do so because it is our legitimate interest to ensure the security of our network, or because it might be necessary to comply with a legal obligation.
    • To ask you to leave a review or take a survey. For this purpose, we will process your identity, contact data, profile, technical data and usage data.
    • To administer and protect our business and Sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and investigate fraudulent activities in connection with our Sites and Services. For this purpose, we will process your identity, contact data, technical data and traffic data.
    • To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising and content we serve to you. For this purpose, we will process your identity, contact data, profile, usage data and technical data.
    • To use data analytics to improve our Sites, Services, marketing, Customer relationships and experiences. For this purpose, we will process your technical data and usage data.
    • To look for new business opportunities and make suggestions and recommendations to you about products or Services that may be of interest to you. For this purpose, we will process your identity, contact data, technical data, usage data, professional data and profile data. We may gather your identity, contact and professional data indirectly through publicly-available sources such as LinkedIn, or we may also obtain your information from third party providers such as data brokers or marketing mailing lists, for the purposes of helping us build new business relationships and find potential buyers that could benefit from our Services. We also collect business contact data through direct interactions with prospective Customers during meetings or events.

    4.1.3.1. How can you object to the processing of your data?

    The aforementioned personal data processing activities, covered by the legitimate interest, do not constitute an impediment to the normal exercise of your rights and freedoms, and are considered standard practices within the sector, so we understand that the performance of these processing activities does not violate your rights and freedoms, nor expectations. We are committed to use the least harmful means to carry out such data processing activities.

    In the event that you wish to object to the processing of your data, you may do so by sending a communication to the e-mail address [email protected]/span>.

    4.1.4. Processing carried out on the basis of your consent.

    Provided that you give us your consent, we may carry out the following data processing:

    • To manage your registration request and facilitate your attendance to our events or webinars. For this purpose, we will process some basic identity data, contact data (name, email, country), profile, professional data and usage data. When you register to attend an event, your data will also be processed by Soprano to manage any travel or hotel accommodation reservations you may need to attend our event, to handle any changes or cancellations, to provide you with all necessary information and documentation to attend such event, to develop our events based on Customer preferences, to analyse and prepare statistics and studies on the events attended by our Customers or prospective Customers and to design advertising strategies. During our events, we may collect photo and video material that might depict our event participants, and we will use it for PR and illustration purposes.
    • When you browse our Sites, we automatically collect certain Usage and Technical Data by placing tracking technologies (e.g., cookies, web beacons) on your browser, in order to understand how visitors use our Sites and improve their browsing experience. When you first visit any of our Sites you’ll be able to block the installation of any type of cookies, with the exception of the technical ones, which are required for proper functioning of the Sites. you can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Sites may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.
    • If you sign up to receive marketing communications from us or you have given your consent by ticking the box provided for this purpose on the relevant form, we will process your Personal Data in order to send you, on an ongoing basis, information of the Soprano Group’s products and Services, special promotions, surveys, and invitation to events or webinars that may be of interest to you. Accordingly, with this consent, Soprano may contact you about such products, Services, promotions or events by electronic messages (e.g. email, SMS, direct messaging or social networks) and by telephone call. you will always have the right to opt-out for further communications by contacting us at [email protected] or using the opt-out link provided at the end of any marketing email you receive from us. It may take up to 3 days (72h) days to remove your contact information from our marketing communications lists, so please note that you may receive communications from us within this time interval.
    • If you are a Customer of Soprano or make a request to receive information about our Services, such as a Soprano whitepaper, we may use your Personal Data, where permitted by applicable national laws, to send you customized communications based on the products or Services requested, or based on the information we may obtain from your browsing, interest in certain content, or reaction to our communications, among others. you may object to any of the above processing and elect to opt-out or withdraw your consent at any time, without any consequences for your status as a Customer or contact of Soprano, by simply sending an email to [email protected] or by clicking the unsubscribe link at the bottom of our marketing messages. Please note than even if you opt-out from receiving marketing messages from us, if you are our Customer, you will continue to receive transactional communications related to your existing relationship with us (such as messages about your account, security information or changes on our Service Terms).

    4.1.4.1. How do we obtain your consent?

    Your consent will be obtained previously and expressly, through consent clauses or privacy statements, in which you will have all the necessary information about the processing of your data for the relevant purposes, in accordance with the applicable regulations.

    In any case, you may withdraw any of the consents granted through a communication by mail to [email protected]. Depending on the local regulations applicable in your country, we may request documentation to verify your identity before processing your request. This could include a photocopy of your ID card, your full name and surname, if necessary.

    4.2. IF YOU ARE A SUPPLIER

    4.2.1. Processing activities necessary for the performance of the existing contractual relationship with our Suppliers.

    The processing of the Suppliers’ personal data indicated below will be carried out because it is necessary for the formalization, development, control, maintenance and fulfillment of the contractual relationship.

    These tasks include the following activities:

    • To register you as a new Supplier, communicate with you, and enable us to receive your Services. For this purpose, we will process your identity, professional and contact data.
    • To manage payments, fees and charges. For this purpose, we will process your identity, contact data and financial data.
    • To manage our relationship and communicate with you as our Supplier. For this purpose, we will process your identity, professional and contact data.
    • To notify you about changes to our terms or privacy policy. For this purpose, we will process your identity, professional and contact data.

    4.2.2. Processing activities necessary to comply with legal obligations.

    We will process your personal data in order to comply with the different legal obligations that may be required from time to time.

    These obligations will exist and must be fulfilled even after the termination of the contractual relationship, as appropriate in each case.

    4.2.3. Processing activities based on legitimate interest.

    There are other processing activities that we will carry out because we have a “legitimate interest” in them and because, in addition, we believe that they do not negatively affect your privacy and do not compromise the protection of your personal data. With respect to these processing activities, you have the right (i) to obtain more information about what exactly this “legitimate interest” consists of, (ii) to know how we have come to the conclusion that they do not harm your privacy, (iii) or directly to object to them.

    We will process your information to maintain communications with you as necessary to receive services from the entity you represent, or to handle any request you make on their behalf.

    4.2.3.1. How can you object to the processing of your data?

    The aforementioned personal data processing activities, covered by the legitimate interest, do not constitute an impediment to the normal exercise of your rights and freedoms, and are considered standard practices within the sector, so we understand that the performance of these processing activities does not violate your rights and freedoms, nor expectations. We are committed to use the least harmful means to carry out such data processing activities.

    In the event that you wish to object to the processing of your data, you may do so by sending a communication to the e-mail address [email protected].

    4.3. IF YOU ARE A WEBSITE USER

    4.3.1. Processing activities necessary to comply with legal obligations.

    We will process your personal data in order to comply with the different legal obligations that may be required from time to time.

    These obligations will exist and must be fulfilled even after the termination of the contractual relationship, as appropriate in each case.

    4.3.2. Processing carried out on the basis of your consent.

    Provided that you give us your consent, we may carry out the following data processing:

    • To provide you with the requested information about our Services, answer your questions, provide support or otherwise communicate with you. For this purpose, we will process your identity and contact data, and any other information you decide to send us or share while communicating with us. We will keep a record of the information you provide in the course of our communications, so even if we have put in place security measures to protect your data, you should not disclose personal or sensitive data irrelevant to your request.

    4.3.2.1. How do we obtain your consent?

    Your consent will be obtained previously and expressly, through consent clauses or privacy statements, in which you will have all the necessary information about the processing of your data for the relevant purposes, in accordance with the applicable regulations.

    In any case, you may withdraw any of the consents granted through a communication by mail to [email protected]. Depending on the local regulations applicable in your country, we may request documentation to verify your identity before processing your request. This could include a photocopy of your ID card, your full name and surname, if necessary.

    PURPOSE TYPE OF DATA LAWFUL BASIS FOR PROCESSING RETENTION PERIOD
    I.

    To register you as a new Customer, create a Customer Account, communicate with you, and enable you to use our Services.
    1. Identity
    2. Contact
    		 Performance of a contract with you. 12 months after end of Contract.
    II.

    To process and deliver your order including:

    1. Manage payments, fees and charges
    2. Collect and recover money owed to us
    1. Identity
    2. Contact
    3. Financial
    4. Traffic
    5. Marketing
    1. Performance of a contract with you
    2. Necessary for our legitimate interests (Eg. to recover debts due to us and reconciling invoices with MNOs/aggregators)
    		 12 months after end of Contract (except data we must keep to settle our payments to MNOs or aggregators, or to comply with tax or data retention laws)
    III.

    To manage our relationship and communicate with you as our Customer which will include:

    1. Provide our Services to you.
    2. Providing you with Customer care and technical support.
    3. Notifying you about changes to our terms or privacy policy.
    4. Asking you to leave a review or take a survey.
    1. Identity
    2. Contact
    3. Profile
    4. Traffic
    5. Usage
    6. Marketing
    1. Performance of a contract with you
    2. Necessary to comply with a legal obligation
    3. Necessary for our legitimate interests (Eg. to keep our records updated and to study how Customers use our Services).
    		 1 month after end of Contract (except data we must keep to comply with tax or other applicable laws until the relevant limitation period expires)
    IV.

    To manage your registration request and facilitate your attendance to our events or webinars.
    1. Identity
    2. Contact
    3. Profile
    4. Usage
    5. Marketing
    1. Consent
    2. Necessary for our legitimate interests (Eg. to study how Customers use our products/Services, to develop them and grow our business.)

    12 months after end of the event or webinar.
    V.

    To administer and protect our business and Sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and investigate fraudulent activities in connection with our Sites and Services.
    1. Identity
    2. Contact
    3. Technical
    4. Traffic
    1. Necessary for our legitimate interests (Eg. for running our business, provision of administration and IT Services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
    2. Necessary to comply with a legal obligation.
    		 2 years (except data we must keep to comply with applicable laws until the relevant limitation period expires)
    VI.

    To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising and content we serve to you.
    1. Identity
    2. Contact
    3. Profile
    4. Usage
    5. Marketing
    6. Technical
    		 Necessary for our legitimate interests (Eg. to study how Customers use our products/Services, to develop them, to grow our business and to inform our marketing strategy). 12 months
    VII.

    To use data analytics to improve our Sites, Services, marketing, Customer relationships and experiences.
    1. Technical
    2. Usage
    		 Necessary for our legitimate interests (Eg. to define types of Customers of our products and Services, to keep our Sites updated and relevant, to enhance our Services, to develop our business and to inform our marketing strategy) 12 months
    VIII.

    To look for new business opportunities and make suggestions and recommendations to you about products or Services that may be of interest to you.
    1. Identity
    2. Contact
    3. Technical
    4. Usage
    5. Profile
    6. Marketing
    		 Necessary for our legitimate interests (Eg. to develop our products/Services and grow our business) If no Contract, 12 months from our last communication.
    IX.

    To provide you with the requested information about our Services, answer your questions, provide Customer support or otherwise communicate with you.
    1. Identity
    2. Contact
    1. Necessary for our legitimate interests (Eg. to develop our products/Services and grow our business)
    2. Performance of a contract with you.

    1 month after end of Contract.

    If no contract, 12 months from our last communication.
    X.

    To manage our relationship with our Suppliers.
    1. Identity
    2. Contact
    3. Professional
    		 Performance of a contract with you. 1 month after end of Contract. (except data we must keep to comply with applicable laws until the relevant limitation period expires)

  5. WHEN DO WE DISCLOSE YOUR PERSONAL DATA AND WHY?

    We may share your Personal Data with third parties.

    5.1 Intragroup transfers

    We may share your Personal Data with other companies in the Soprano Group acting as processors who are based in Australia, New Zealand, Europe, North America, South America, and Southeast Asia. Our Soprano affiliates may undertake leadership reporting and provide IT and system administration, marketing, accounting, legal, technical operations and Customer support Services. We will only share your data to the extent necessary to fulfil a request you have submitted through our Sites or other online forms, or for technical, marketing, Customer support or account management purposes.

    Depending on the circumstances, the Soprano affiliates may act as joint controllers. For example, if you register for an event or webinar via our website online forms, we may share your Personal Data with the affiliate in charge of the event, who will act as a separate Controller and will process your information in accordance with this General Privacy Policy. The intercompany processing of Personal Data will be governed by our Intra-Group Data Processing Agreement, as set out in section 6 below.

    5.2 Transfers to external third parties

    We will not transfer, sell, rent or otherwise make your Personal Data available to any third party, except to those providing Services to Soprano to the extent strictly necessary for them to provide such Services (i.e. archival, auditing, accounting, Customer contact, legal, business consulting, banking, payment, mailing, delivery, data processing, data analysis, document management, information broking, research, share registry, investigations, insurance, website and technology Services), but in no case for their own purposes. These are the type of recipients with whom we may share your Personal Data:

    1. Service providers acting as processors based in UK, EU and USA who provide Data Centre and Infrastructure Services.
    2. Customer relationship management software platform provider based in USA.
    3. Service provider acting as processor based in USA who provides broadcast email management Services and a distribution platform, which we use to send and manage emails to customers about any service issues.
    4. Service provider acting as processor based in USA who provide trouble ticketing tools, which we use to provide our Customers with support relating to the Services.
    5. Service provider acting as processor based in USA who provide email verification Services, which we use for the purposes of validating email addresses.
    6. Marketing automation platform provider based in USA, which we use for sending marketing messages, website traffic analytics and CRM purposes.
    7. Other trusted third-party providers based in the US who provide technology Services, such as our website interactive chat-box function, our enterprise communication, collaboration and productivity tools and our project management and task tracking software.
    8. Mobile Network Operators, aggregators and other Communications Providers when necessary for message switching and routing. Our communications platform is connected to MNO’s and other Communications Providers worldwide, in order to enable the transmission of the messages sent by our Customers to their End-Recipients. We are connected with AT&T, BT, Vodafone and Orange, among other providers.
    9. Professional advisers acting as processors, including lawyers, bankers, auditors and insurers based in the countries in which we have a Soprano legal entity, who provide consultancy, banking, legal, insurance and accounting Services.
    10. Any Stock Exchange Eg. continuous disclosure or listing rules equivalent provisions.
    11. Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this General Privacy Policy.
    12. Payment processors based in various locations which will process payments on our behalf.

    Other than in the cases referred to above we will not disclose your Personal Data to third parties except where such disclosure is required by regulations, by court order or by the public authorities.

  6. INTERNATIONAL TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA

    We share your Personal Data within the Soprano Group. This will involve transferring your data outside your jurisdiction, in countries that may impose privacy obligations less stringent than those established by the privacy regulations in your jurisdiction, such as in the European Economic Area (EEA).

    Some of our external third parties may be located in Australia, the United Kingdom, Spain, the Netherlands, Belgium, Romania, the United States, Brazil, Colombia, Chile, Singapore, Malaysia, the Philippines, New Zealand and other countries. This means that the processing of your Personal Data by our service providers may involve a transfer of data outside the EEA.

    Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

    • We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries.
    • Where your Personal Data is transferred to other companies within Soprano, then this processing is governed by an Intra-Group Data Processing Agreement that incorporates the EU Standard Contractual Clauses, which provide sufficient guarantees to ensure that the processing complies with the requirements established by the GDPR.
    • Where we use certain service providers, we may also use the EU Standard Contractual Clauses approved by the European Commission which give Personal Data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of Personal Data to third countries.

    Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the EEA.

    In the absence of an adequacy decision or appropriate safeguards such as those outlined above, overseas transfers are also permitted in very specific situations. An example is where an individual explicitly consents to the proposed transfer after they have been provided with certain information about the possible risks associated with the transfer.

    6.1 Australian Privacy Act

    Before we disclose personal information collected or held in Australia to another country, we will take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles (“APPs”) in relation to the information (exceptions apply). We remain accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (exceptions apply).

  7. RETENTION OF YOUR PERSONAL DATA

    We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting and record retention requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

    To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements (e.g. applicable statutes of limitation).

    Details of retention periods for different aspects of your Personal Data are set out in the Table above. For more information on our data retention policy please contact us by using the contact details in section 10 below.

  8. SECURITY

    We have implemented appropriate technical, organizational, and physical security measures to protect your personal data from unauthorized access, use, alteration, disclosure, or accidental loss. These measures are based on industry standards and best practices, including frameworks such as ISO 27001, and are tailored to the types of personal data we process and the risks associated with that processing.

    Access to your personal data is limited to employees, agents, contractors, and other third parties who have a legitimate business need to know. They are only permitted to process your personal data on our instructions and are bound by a duty of confidentiality. We also prioritize privacy and security awareness among our employees by providing regular training on the appropriate handling, access, and protection of personal data. In addition, we have established procedures to manage and respond to any suspected personal data breaches and will notify you and the relevant regulatory authorities of a breach where we are legally required to do so.

    If you have any questions on the security measures that we use to protect your personal information, you may contact us at [email protected].

  9. YOUR LEGAL RIGHTS IN RELATION TO YOUR PERSONAL DATA

    9.1 your Rights

    you may have certain rights in relation to your Personal Data depending on the local Data Protection Laws that apply to the processing of your data. These rights may include:

    1. Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
    2. Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
    3. Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. you also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
    4. Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. you also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
    5. Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:
      • If you want us to establish the data’s accuracy.
      • Where our use of the data is unlawful but you do not want us to erase it.
      • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
      • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
    6. Request the transfer or portability of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
    7. Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or Services to you. We will advise you if this is the case at the time you withdraw your consent.
    8. In addition, you may file a complaint with the appropriate data protection supervisory authority.

    In normal circumstances we will fully support and facilitate the exercise of your rights. However, these rights are not absolute and there may be some lawful reasons to deny these requests such as the regulations to which we are subject in the provision of electronic communications Services. If your request is denied, we will provide you with reasons to explain the denial. In some cases, the exercise of these rights may make it impossible for us to fulfil the purposes listed in Section 4 of this General Privacy Policy and provide our Services effectively.

    9.2 How to exercise your rights

    If you would like to exercise any of said rights please send an email to [email protected] with “Exercise of Rights” as the subject of the email, including your name and purpose of the request. We may ask you for documentation proving your identity to meet your request if this is required by local regulations.

    Finally, we inform you that you have the right to file a complaint with the competent Supervisory Authority if you believe that Soprano has processed your data in violation of this General Privacy Policy or any other prevailing and applicable regulations in force.

    • If you are a resident in the EEA you may contact your local Data Protection Authority (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 ) or the Spanish Data Protection authority where our EEA headquarters are based.
    • In the UK, you may contact the Information Commissioner’s Office at ico.org.uk and on 0303 123 1113.
    • In Australia, you may contact the Office of the Australian Information Commissioner at oaic.gov.au and on 1300 363 992.
    • In New Zealand, you may contact the Office of the New Zealand Privacy Commissioner at privacy.org.nz and on 0800 803 909.
    • In Singapore you may contact the Personal Data Protection Commission at https://www.pdpc.gov.sg/ and on 6377 3131.

  10. CONTACT

    If you have any questions about your rights and other privacy concerns about our handling of your personal information, or wish to make a complaint, please contact our Data Privacy Team at [email protected] or write to us by post at:

    EU
    SIT WORLD WIDE S.L.U.
    Legal Department
    ATT: Data Privacy Team
    C/ Mallorca 264, 2º 2ª
    08008, Barcelona (Spain)
    REST OF THE WORLD
    Soprano Design Pty Ltd
    Legal Department
    ATT: Data Privacy Team
    Level 15, 132 Arthur St
    North Sydney NSW 2060 (Australia)

  11. CHANGES TO THIS GENERAL PRIVACY POLICY

    This General Privacy Policy may change over time to reflect changes in applicable regulations or in our data processing practices, so we encourage you to visit this page regularly to see the latest version. Previous versions can be obtained by contacting us.

    Any modification to this General Privacy Policy will be posted on our website with an updated revision date. We will take reasonable steps to notify you of any material changes to this General Privacy Policy by way of a Policy on our Sites, our Service portal or via our agent.

  12. ADDITIONAL TERMS FOR CERTAIN REGIONS

    US: California Consumer Privacy Act 2018

    For the purposes of the California Consumer Privacy Act, we do not sell personal information of any individual.

    If you are a resident of California, you have the following legislative rights:

    Right to Know – what personal information a business collects, and how it is used and stored. you may request the business disclose:

    • The categories of personal information collected
    • Specific pieces of personal information collected
    • The categories of sources from which the business collected personal information
    • The purposes for which the business uses the personal information
    • The categories of third parties with whom the business shares the personal information
    • The categories of information that the business sells or discloses to third parties
    • Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge.

    Right to Delete – your personal information collected unless an exception applies (Eg. Legal obligations to retain data for set periods).

    Right to Opt-Out of the sale of your data to third parties – Soprano has a Privacy Policy with “Do Not Sell My Personal Information” link to enable consumers to opt-out.

    Right to non-discrimination – in the exercise of your rights.

    Right to be Notified – before or at the time of collection of your personal information a notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.

    If you have any questions or comments about this policy, the ways in which Soprano collects and uses your information described here, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at [email protected].

    California Regulator:

    CONSUMER COMPLAINT AGAINST A BUSINESS/CORPORATION

    STATE OF CALIFORNIA DEPARTMENT OF JUSTICE

    PUBLIC INQUIRY UNIT (916) 210-6276/ (800) 952-5225 Toll Free – CA only TTY/TDD (800) 735-2929 (California Relay Service) For TTY/TDD outside California contact your state’s relay service number at http://www.fcc.gov/cgb/dro/trsphonebk.html AG Web Site: http://www.ag.ca.gov/

    Mail Form to: Public Inquiry Unit Office of the Attorney General P.O. Box 944255 Sacramento, CA 94244-2550 SECTION 1 – your Information First Name Middle Name Last Name

  13. DEFINITIONS

    • Communications Provider means any individual or legal entity that provides electronic communications Services or an electronic communications network.
    • Contract means the written or electronic agreement between Soprano and Customer for the provision of the Services.
    • Controller means an individual or legal entity which, alone or jointly, determines the purposes and means of the processing of Personal Data.
    • Customer/s means the individual or legal entity that has applied to receive our Services, has entered into a contract with us or has shown interest in our Services by engaging in discussions, submitting inquiries or interacting with us through any means (whether or not a Contract was ultimately put in place).
    • EEA means the European Economic Area.
    • End-Recipient means an individual or legal entity to whom you send or try to send messages via the Services.
    • GDPR means Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    • Lawful basis for processing means the following basis provided in article 6.1 GDPR:
      • Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). you can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
      • Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
      • Comply with a legal obligation means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to.
    • Mobile Network Operator or MNO means a telecommunications service provider which provides wireless communication Services or mobile voice and data Services and that owns or controls all the elements necessary to sell and deliver messages to End-Recipients.
    • Personal Data means any information or an opinion about an individual from which that person can be identified (“data subject”) or is reasonably identifiable. An identifiable individual is one who can be identified either directly (e.g., by their name or ID) or indirectly (e.g. by reference to one or more factors to the physical, genetic, economic or cultural identity of that individual).
    • Processor means an individual or legal entity which processes Personal Data on behalf of the Controller.
    • Services means Soprano’s cloud-based enterprise messaging products and Services that we market for subscription.
    • Site/s means this website www.sopranodesign.com and other websites, microsites and Service portals owned and managed by the Soprano Group and that link to this General Privacy Policy.
    • Soprano Group means Soprano Design Pty Ltd (ACN 066 450 397) and its affiliates.
    • Supplier means any individual or legal entity that provides products or Services to Soprano.
    • User/s means anyone who visits our Sites.

    This version was last updated on March 10, 2025.