Personal Data Protection Policy

Preamble

LLC Inexphone (hereinafter – “Inexphone” or the “Company”) ensures that all personal data processing activities are carried out in compliance with the law and that the rights of data subjects are protected.

As a provider of telecommunications, IP telephony, contact center, and electronic communications services, the Company carries out subscriber services, management of telecommunications infrastructure, voice communication services, technical support, reporting, identification, and other processes related to service delivery.

In this context, special attention is given to the protection of the personal data of subscribers, clients, employees, partners, and service users.

This Policy sets out the key measures by which the Company ensures that its data processing is fully aligned with the Law of Georgia on Personal Data Protection (hereinafter – the “Law”) and safeguards the lawful rights of data subjects.

Article 1. Scope of Application

This Policy applies to all processes involving the processing of personal data (hereinafter – “data”) by Inexphone, including:

• Registration, identification, servicing, and support of subscribers, clients, and business partners;
• Provision of telecommunications and electronic communications services;
• Recording of telephone communications for service and quality assurance purposes;
• Management of technical support and communication channels (calls, messages, online platforms);
• Financial and accounting operations (reporting, payments, settlements, invoices, contracts);
• Processing of employee data for the purposes of employment relations and administration;
• Interaction with partners, operators, agents, or other parties when processing is carried out through them or jointly with them.

Article 2. Definitions

The terms used in this Policy carry the meanings established by the Law.

Article 3. Principles of Data Processing

1. Inexphone processes personal data in accordance with the Law, based on lawful grounds for processing, and in compliance with the following principles:

1. lawfully, fairly, and transparently;
2. only for specific and legitimate purposes;
3. limited to the minimum volume necessary;
4. accurately, with the possibility of updates;
5. with limited and purpose-oriented retention periods;
6. with the implementation of technical and organizational security measures.

1. The Company ensures that the management of data processing is organized in such a way that compliance with these principles can be demonstrated at any stage.

Article 4. Measures Ensuring Compliance with the Law

Inexphone ensures the secure and lawful processing of personal data through the following means:

1. a) implementation of technical and organizational protection measures, designation of information asset owners, and access control;
2. b) systematic training of employees on data protection matters;
3. c) prompt response to incidents, prevention of harm, and notification of the supervisory authority and the data subject in accordance with the law;
4. d) ensuring transparency of data processing and the use of appropriate communication channels;
5. e) informing employees about the rules and principles for the processing of their personal data;
6. f) timely response to data subjects’ requests and the exercise of their rights;
7. g) risk assessment of data processing activities and, when necessary, conducting Data Protection Impact Assessments (DPIAs);
8. h) applying data minimization and security considerations when planning new services and projects;
9. i) maintaining records of data processing in accordance with legal requirements;
10. j) defining purposes, retention periods, data categories, and security measures in the case of joint processing or when entrusting processing to third parties;
11. k) ensuring anonymization or pseudonymization where necessary.

Article 5. Implementation

1. To ensure the measures set out in Article 4 of this Policy, the Company shall prepare additional written documents and take other appropriate actions.
2. For the identification of risks arising from data processing under this Policy and for the coordination of appropriate measures:

1. the Data Protection Officer monitors the Company’s data processing activities for compliance with the Law and this Policy and issues relevant recommendations;
2. Information Asset Owners ensure that the information assets under their control, which contain data, comply with the Law and this Policy.

Article 6. Review

This Policy shall be reviewed at least once a year and amended as necessary, in particular to reflect technological or legal developments relevant to the Company’s operations.