SIMReady

Privacy Policy

Effective Date: August 16, 2024

This Privacy Policy describes, among other things, how we use, share, and protect your personal data, the choices you have regarding your personal data, and how you can communicate with us. Wherever the term “Company” is used in this Privacy Policy, it refers to the anonymous company named “BURRAQ TRAVEL & TOURS GENERAL TOURISM OFFICE ANONYMOUS COMPANY” with the distinctive title “BURRAQ A.E.”, headquartered in Athens, at 58 Menandrou Street and Xouthou, with Tax Identification Number (TIN) 998912520 and General Commercial Registry (GEMI) number 008408601000. Wherever the term “Application” is used in this Privacy Policy, it refers to “SIM READY”, the application developed by the company in relation to the resale of prepaid e-SIMs. The protection of your personal data is important to us. Our goal is to be as transparent and honest as possible regarding the personal data we collect and how we process it. Our Company fully shares your concerns regarding your personal data. The Company resells prepaid e-SIMs through the “SIM READY” application. The data protection statement explains the types of personal data the company processes, how it processes them, and the purposes of processing. In the data protection statement, you can also find details about the processing of personal data for specific products and services we provide, for which additional relevant information is provided. The data protection statement applies to every interaction you have with the company. Personal Data Personal data is data that can be used to identify a natural person. You may be asked to provide personal information in the context of any communication, transaction, and in general interaction with the company. We ensure that we collect only the absolutely necessary data, which is appropriate and clear for the intended purpose. The collection and general processing are done for various purposes, which are described below. Among these purposes are our effective operation and providing you with the best experiences with our products and services. Some of this data is provided directly by you, for example, when you create an account in our application, or when you purchase a service or communicate with us. We rely on various legal grounds and rights (“legal bases”) for processing data, such as your consent, our legitimate interests, the need to enter into and execute contracts with you, and compliance with our legal obligations, for various purposes described below. Additionally, we may obtain data from third parties. We protect the data we receive from third parties according to the practices described in the data protection statement, as well as any additional restrictions imposed by the data provider. Furthermore, we may obtain data on behalf of third parties. We process this data under valid contracts and acting as Processors on their behalf. When you are asked to provide personal data, you may refuse. However, some of our services require certain personal data in order for us to respond and provide you with our products and services. If you choose not to provide data that is necessary for the operation and provision of a product or service to you, you will not be able to use that specific product or service. Similarly, in cases where we are required to collect personal data by law or for the purposes of entering into or executing a contract with you, and you do not provide your personal data, we will not be able to enter into and execute the contract. The data we collect includes the following:

  1. Data We Collect as Processors

A1. Information required for account creation, registration for our services, and serving you. It is expressly stated that this processing is carried out by us only as processors on behalf of the Data Controller named Vodafone-Panafon A.E.E.T., and the data will not be stored in any of our systems, while processing for any other purpose is excluded. The entry will be made directly into the Data Controller’s system.

  • Identification details and contact information. Your first and last name, email address, phone number, gender, nationality, and date of birth.
  • For compliance with applicable legislation and for security reasons, with the aim of verifying the user’s identity in certain cases (e.g., data and voice packages) and always with the user’s explicit consent according to Article 9(2)(a) of the GDPR, remote electronic identification of the user takes place using biometric data (facial characteristics) through SumSub (https://SumSub.com/) and the User Verification Process. The verification of the user’s identity takes place in a short period of time, by providing identification documents (e.g., IDs, passports, driver’s licenses, etc., which include information such as the type of identification document, the number, the country of issue, the date of issue and expiration, the nationality and age of the user, and other information) and taking photos (selfies). The biometric method used consists of verifying your identity through automated analysis of the photo and comparison with the photo in your identification document. In cases where the result of the remote electronic identification process requires the intervention of a natural person, a responsible person from the service office contacts the user via video call. The user is immediately informed of the result of the identification process. The above identification process is not required if the user chooses only data packages (only data).
  1. Data We Collect as Data Controllers

B1. Application User Data User Data (email, full name, date of birth, nationality) is personal data collected directly by us during your identification process and provided that you give us your explicit consent for their use. B2. Credentials. Passwords, password hints, and similar security information used for authentication and account access. B3. Payment Data. Information about your payment method, such as the payment method number, expiration date, and security code associated with the payment method, which are required for purchasing data and voice packages through the application’s services and which are not stored by the application, which uses a third-party payment service provider for processing payments. Transactions are processed and secured by the secure encrypted environment of the company-approved financial institution Stripe (https://stripe.com/) and protected by top online security systems. Only the last four digits of your credit card may be displayed in the application. When you choose to make payments via electronic cards and similar payment methods, your data may be disclosed to financial and banking institutions. In case of refunds (e.g., due to cancellation of the program you initially selected), you may be required to provide us with personal data, such as your account details, to proceed with the refund. B4. Account Activity History. Our application collects information about your account activity. Usage information is necessary for us to know if the application is functioning correctly (e.g., if the user was able to register or log in successfully), to understand how users interact with our application, and to identify issues related to the performance and updates of our application. The Account Activity History includes event information (event time, categorization, and limited routing information), device information (operating system, device architecture, device type, model, brand, unique device identifier), application information (name, version, and source of the application, updates, time and frequency of application use, enabled or disabled features at the time of the event, network type, internet service provider information, user preferences, such as enabling or disabling notifications, language), and account information (current or previous active or inactive programs). B5. Device Information. We may collect certain device information, which is automatically recorded and may include your device model, your operating system version, and similar information that does not identify you. We may use this information to monitor, develop, and analyze the use of our services. Additionally, in this way, we can help users make the most of the eSIM’s features. B6. Interactions. Data related to your use of the Company’s services. For example, we collect notes from any type of conversation with the Company, details about any complaints or comments you make, details about the purchases of the provided programs, coupon redemptions, how and when you communicate with us. Interests and purchase preferences, which help us suggest specific products and services that interest you. Application visit data. B7. Comments and Reviews. Information you provide to us and the content of messages you send to us, such as comments, survey data, and reviews you write about a product or service. Collection and Use of Non-Personal Data We also collect data in a form that does not automatically allow direct association with a specific individual. We have the right to collect, use, transfer, and disclose non-personal information for any purpose. How We Use Personal Data The Company uses the data it collects to provide you with its services and products. The Company uses your personal data exclusively for the purposes for which it is collected. In some cases and only if you explicitly provide us with your consent, we use your contact details to send promotional/informational messages. We also use data to conduct our business activities, which includes analyzing our performance, fulfilling our legal obligations, developing our workforce, and conducting research. For these purposes, we combine data we collect from different environments. When we process personal data concerning you, we do so based on your consent or as required to provide you with the products you use, conduct our business activities, fulfill our contractual and legal obligations, protect the security of our systems and customers, or serve other legitimate interests of the Company, as described in this section. Specifically, we use your data for:

  • Providing our products and services, which includes: (i) updating, securing, and troubleshooting, as well as (ii) sharing data when required to provide the service or execute the requested transactions.
  • Improving and developing our products and services.
  • Personalizing our products and services and making recommendations to you.
  • Advertising and promoting our products and services, which includes sending promotional material, sending informational material, and displaying relevant offers.
  • Our compliance with all our obligations as Processors under valid contracts with third-party Data Controllers.

More specifically: Processing your order and providing the products and services you have chosen. The Company provides its customers with the ability to purchase its products and services through the application. In this context, the Company processes your data in order to fulfill its obligations under its contractual relationship, to fulfill its obligations as a Processor on behalf of Vodafone-Panafon A.E.E.T. as the Data Controller, to process the order of products or services, to inform you about its progress, to provide customer service as a Processor on behalf of Vodafone-Panafon A.E.E.T. as the Data Controller, and to communicate with customers about changes to its products or services, to comply with legal obligations, to counter, raise, or exercise legal claims. If we do not collect your data when completing the order, we will not be able to process your order and comply with our legal obligations. Your data may need to be transferred to third parties to complete your order. Additionally, we may retain your data for a reasonable period to fulfill our contractual obligations, as the relevant legislation provides and as outlined below. Account Creation and Identification. Users can create their personal account in the application. Registration requires filling out a form with the user’s full name, email address, phone number, nationality, date of birth, and a password. Additionally, the Company provides the possibility of remote electronic identification through the use of biometric methods, provided you give us your consent. Communication. In cases where you wish to communicate with us, you can contact our support team: (i) via live chat with our digital assistant (chatbot), which can automatically execute your request or provide you with instructions for technical support issues, etc., and in any case with an authorized representative of ours, or (ii) by sending an email to the email address: ([email provided]). In these cases, the Company uses data you provide to respond to your requests/questions, refund requests, and/or complaints. The information you share with us allows us to manage your requests and respond to you in the best possible way. We may also maintain a record of your questions/requests to us, so that we can better respond to any future communication. We do this based on our contractual obligations to you, our legal obligations, and our legitimate interests, in order to provide you with the best possible service and to be able to improve our services based on your personal experience. It is expressly stated that this processing is carried out by us as Processors on behalf of Vodafone-Panafon A.E.E.T. (Data Controller). For billing and customer service. We process your payment data to charge you for the use of our products and services or to receive the appropriate amount of credit from you, to communicate with you if the billing details you provided are about to expire or if we are unable to receive payment, to respond to any questions or concerns you may have regarding the network, products, or services. Newsletters. If you wish to be informed about news and offers of the Company’s products and services, you can subscribe to our Newsletter by providing us with your full name and email address. With your consent, we will use your personal data, preferences, and transaction details to inform you via email, internet, phone, and/or through social media about relevant products and services, including personalized offers, discounts, etc. Of course, you have the option to withdraw this consent at any time. Participation in reward programs. The Company processes your data for the purposes of your participation in reward programs, i.e., both the examination of your participation request and the collection and redemption of points and generally the enjoyment of customer privileges, as outlined in the terms of participation of the reward program. This allows us to offer you personalized offers that interest you. More information about the purposes of processing: Protection of Rights. We use data to detect and protect against malicious, misleading, improper, or illegal activities, including violations of our policies and terms and conditions, security incidents, and damage to the rights, property, or security of our company and users, our employees, or others. Also, to detect and correct errors that reduce the existing intended functionality of the application and our services. Commercial Transactions. We use data for the purposes of executing transactions. Reporting and Business Activities. We use data to analyze our activities. This allows us to make informed decisions and create reports on the performance of our business activities. Legal Compliance. We process data for the purposes of legal compliance. For example, we use the age of our customers to ensure that we fulfill our obligations to protect the personal data of children. Also, we process contact details and credentials to help customers exercise their data protection rights. Why We Share Personal Data We share your personal data with your consent or as required to complete any transaction or provide any product or service you have requested or authorized, as well as to prevent fraud and reduce credit risk in the context of transactions. Additionally, we share personal data with our partners for the purposes described in this statement. In these cases, our partners must comply with our privacy policy and security requirements and are not permitted to use the personal data they receive from us for any other purpose. Furthermore, in cases where our Company operates as a Processor under a valid contract, we will share your personal data with the respective Data Controller. It is expressly stated that among the above-mentioned processing actions, the identification of mobile subscribers and their service in compliance with the requirements of the applicable legislation is carried out by us as Processors on behalf of Vodafone-Panafon A.E.E.T. Finally, we will store, access, transmit, disclose, and retain personal data, including your content, when we believe in good faith that it is necessary to comply with applicable law or to respond to a valid legal process, which may also come from law enforcement or other government agencies. The Company shares your Data with: (a) Third-party service providers who process personal data on behalf of the Company, for example (indicatively) for processing credit cards and payments, hosting, technical support, management and maintenance of our data, email distribution, research and analysis, management of promotional activities of our products and services, as well as management of certain services and elements. When we use third-party service providers, we enter into agreements that require them to apply appropriate technical and organizational measures to protect your personal data. (b) Other third parties, to the extent required for the following purposes: (i) compliance with a government request, court order, or applicable law, (ii) prevention of illegal uses of our application or violations of our application’s terms of use and our policies, (iii) our protection from third-party claims, and (iv) contribution to the prevention or investigation of fraud cases (e.g., forgery). (c) Companies that may acquire the business and our assets as well as affiliated companies (e.g., joint ventures or other companies under our control). (d) Other third parties when you yourself have given your consent. (e) Third-party Service Providers on whose behalf our Company processes personal data. To provide our services and products, we collaborate with the following companies, which process your personal data within the framework of their agreements with us, operating either as Data Controllers or Processors, depending on our contractual relationship: Vodafone – Panafon, Logicea Greece M.I.K.E., SumSub, Stripe, Google, Amazon, Zoho. To the above companies, as well as to anyone else with whom we share your data:

  • We provide only the information necessary for the execution of their specific services.
  • They can use your data only for the exact purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any data they hold will be deleted or anonymized.

The Processors on our behalf, as well as the Data Controllers on whose behalf we act, have agreed and are contractually bound to the Company:

  • To maintain confidentiality,
  • Not to send your data to third parties without the Company’s permission,
  • To take appropriate security measures,
  • To comply with the legal framework for the protection of personal data and especially the GDPR.

Your Rights and How to Access and Control Your Personal Data The General Data Protection Regulation provides a series of rights and options, which we are committed to fulfilling. Thus, you can ask us:

  • To inform you about the data we hold about you and how we process it. If you wish, we will also provide you with a copy at no cost to you. (Right of Access)
  • To correct inaccuracies or errors, to complete missing information, or to update your data. (Right to Rectification)
  • To delete data, provided we do not retain it for a specific, lawful, and declared purpose. (Right to Erasure or Right to be Forgotten)
  • To suspend processing: a) while you dispute the accuracy of the data, b) if you consider the processing unlawful (but do not wish to delete), c) when the data is no longer necessary for the purpose of processing, and d) for the period during which it is disputed whether the reasons for which we process your data outweigh those you invoke to stop.
  • To object at any time for reasons concerning you to the processing of personal data we carry out especially for direct marketing purposes or for profiling. The objection may, specifically, also concern your compliance with a decision we made by automated means. In this latter case, you can require us to allow you to intervene. (Right to Object – Automated Individual Decision-Making)
  • To provide you with your data in a specific format (usually machine-readable) or to transfer it directly to another controller upon your indication, provided, of course, this is technically feasible. (Right to Data Portability).
  • To no longer process your data, giving you the option to withdraw freely the consent (consent) you have given us.

You can address your requests to our support team: (i) via live chat with our digital assistant (chatbot), which can automatically execute your request or provide you with instructions for technical support issues, etc., and in any case with an authorized representative of ours, or (ii) by sending an email to the email address: ([email provided]). Our Company will fulfill all your requests within one month. In extremely rare cases, where fulfilling your rights is almost impossible for us, we will inform you immediately, explaining the reasons for our inability. Cookies Simultaneously with the application, the company maintains a website, which informs customers about the existence of the application, redirects customers to the application, and includes answers to frequently asked questions that may arise for customers. No products and services of the company are available through the website. We use cookies within our website. For further information regarding cookies, you can read the Cookie Policy Security of Personal Data The Company recognizes the importance of the security of personal data, as well as electronic transactions, and has taken all necessary measures, with the most modern and advanced methods, to ensure the highest possible security. We have specialized security teams, which continuously examine and improve the measures to protect your personal data from unauthorized access, loss, disclosure, or destruction. Our specialized team has implemented appropriate physical, technical, and organizational measures to protect your personal data.

  • Physical Measures. We control access to our facilities. We use security alarm systems and CCTV. We store devices with personal data information only in locked rooms or cabinets. Our printers are protected with access control measures. A “clean desk” policy is applied.
  • Technical Measures. We use multi-layered defense with firewalls, protection against malicious software, intrusion detection and prevention systems. Our infrastructures are updated at regular intervals and regular checks are carried out to detect any system vulnerabilities. We have security incident management solutions. Our servers are protected and automated configuration tools are used for their management. Data that is not being processed is encrypted. Encryption protocols are used according to the latest security practices.
  • Organizational Measures. We adopt security and data processing policies according to best practices. We conduct external audits to prove that our policies meet the standards of these practices. We adopt a culture of continuous development of our employees’ awareness of security and data protection issues (including the organization of regular and continuous training, as well as other awareness activities). We analyze threats and attacks and continuously update our security measures. We provide access to databases to third parties, provided this access is justified based on the law and this privacy policy and provided this data is processed according to our instructions.

We are responsible for keeping your personal data and account details secure and not disclosing them to third parties. We do not assume responsibility for any unauthorized access or loss of personal data that is beyond our control. Application users remain responsible for the secure retention of their password and credentials. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you may have with us has been compromised), please notify us immediately of the problem by contacting us at the email address: ([email provided]). International Data Transfers We may transfer your data outside the European Economic Area (EEA), for example, if we use a service provider located outside the EEA, acting on our behalf. When the Company transfers your data to a country that is not part of the EEA, it ensures that your data is protected. For example, we ensure that there is an adequacy decision from the European Commission regarding the recipient country or we use standard contractual clauses approved by the European Commission for such transfer of your personal data. We will always ensure that there is an appropriate legal agreement covering the data transfer. Also, if the country is considered not to have legislation equivalent to the personal data protection standards of the European Union, we will ask the third party to enter into additional terms reflecting these standards. Retention of Personal Data by Us The Company retains personal data for as long as you keep your account active and for as long as it is necessary to provide our products and services and to complete the transactions you have requested or for other lawful purposes, such as compliance with our legal obligations, dispute resolution, and enforcement of our agreements. Because these needs may vary for different types of data, the context of our interaction with you or your use of our products and services, the actual retention periods may vary significantly. Some examples of customer data retention periods:

  • Personal data related to the user’s account as well as the use of the application and the provision of our services are retained for 14 months from the last date the account was active. They are deleted after the deletion of the user’s account or after a 14-month period of inactivity from the last use of the application. The user is sent an informational email regarding the deletion of their account and data.
  • During the identification process using the User Verification Process, the personal data contained in the identification documents (e.g., the type of identification document, the number, the country of issue, the date of issue and expiration, the nationality and age of the user, and any other information that may be included in them) as well as the photo/video are temporarily stored in the SumSub database, which retains them until they are transferred to Vodafone’s CRM, which takes place within 30 days at the latest. Once the data is transferred to Vodafone, and in any case within 30 days, it is immediately deleted in a way that makes it impossible to recover. Only the data of successful user identification is transferred to Vodafone and is retained according to Vodafone’s privacy policy, which you can find at the following link: [https://www.vodafone.gr/vodafone-ellados/privacy-policy-cookies ]. In case of unsuccessful user identification, SumSub does not transfer the data but proceeds to immediate deletion. These identification data will never be stored in any of our systems, except for the full name, date of birth, and nationality, which are necessary for the proper execution of the contract between us as well as for our legitimate interests in fulfilling our contractual obligations and complying with our legal obligations.
  • Billing data for as long as required to comply with tax legislation and accounting standards.
  • Newsletters. Your consent declaration for sending newsletters is retained for as long as you receive newsletters from the Company and in any case no longer than 30 days from the cessation of sending.

When we no longer have a legal reason to retain your personal data, it will either be securely deleted/destroyed, i.e., using appropriate technical methods that prevent their recovery, or anonymized through appropriate means, in a way that they cannot be attributed to a specific individual. Collection of Children’s Data Our services are intended for adults, and we do not knowingly collect personal data of minors without the consent of their parents. Even if we have parental consent, we will not knowingly ask minors to provide more data than is necessary to provide our services. In no case do we collect personal data of children under 13 years of age, in compliance with Article 8(1) of the GDPR. Parents can change or withdraw their consent, as well as check, edit, or delete the personal data of children for which they have given consent. Changes to this Privacy Policy We update this Privacy Policy when necessary, to ensure more transparency or in response to:

  • Comments from customers, regulatory authorities, industry representatives, or other stakeholders.
  • Changes in our products and services.
  • Changes in our activities or data processing policies.

When we publish changes to this Privacy Policy, we will modify the “publication date” listed at the beginning of the data protection statement. If there are substantial changes to the Privacy Policy, such as a change in the purposes of processing personal data that differs from the purpose for which it was originally collected, we will notify you either by posting a notice in a prominent place before the changes take effect or by sending you this notice directly. We encourage you to read this Privacy Policy periodically to know how the Company protects your information. Finally, this Privacy Policy has been drafted in Greek and English. In case of doubt as to the true meaning of the text, the Greek version of the text prevails. Contact Information If you have any concerns, complaints, or questions regarding data protection that you wish to address to the Company’s Data Protection Officer, please contact our support team: (i) via live chat with our digital assistant (chatbot), which can automatically execute your request or provide you with instructions for technical support issues, etc., and in any case with an authorized representative of ours, or (ii) by sending an email to the email address: ([email provided]). We will respond to questions or concerns within 30 days. You can also report a concern or submit a complaint to a data protection authority or other official body with relevant jurisdiction. Right to Appeal to the Authority For any issue that arises regarding your personal data, you can contact the Personal Data Protection Authority, which is based in Athens, 1-3 Kifissias Ave., P.C. 115 23, tel: +30 210 6475600, and which oversees the implementation of the General Data Protection Regulation, Laws 4624/2019 and 3471/2006 of the Greek Parliament, and other regulations concerning the protection of individuals with regard to the processing of personal data. More specifically, you can submit a complaint through a special online portal to the Personal Data Protection Authority: https://www.dpa.gr/en/individuals/complaint-to-the-hellenic-dpa. Any dispute that may arise in the context of this Privacy Policy is subject to Greek law and the jurisdiction of the Courts of Athens, unless other mandatory rules apply.