Privacy Policy & Data Protection

This Personal Data Protection and Privacy Policy Statement (together with our Terms and Conditions and any other documents referred to herein) describes how TASC Towers Group ("TASC Towers," "we," "us," or "our") collects, uses, discloses, and protects Personal Data, and how we respect the privacy of our clients, business partners, contractors, suppliers, and other stakeholders (hereinafter referred to as "you" and "your").

TASC Towers is a leading independent telecommunications infrastructure company operating across the Middle East and North Africa (MENA) region, providing passive infrastructure solutions including tower management, colocation services, and telecom site development. Our operations span Jordan and Iraq and expanding to Qatar, Kuwait, Algeria, and Tunisia, and are governed by applicable laws, regulations, and regulatory directives issued by the relevant legislative and oversight authorities within each jurisdiction.

We are committed to ensuring the privacy and security of your Personal Data and to complying with applicable data protection legislation across all jurisdictions where TASC Towers operates. By engaging with our services or platforms, you acknowledge that you have read and understood this Policy and consent to the collection, use, and processing of your Personal Data as described herein.

Where TASC Towers processes Personal Data within the Dubai International Financial Centre (DIFC) or on behalf of DIFC-based entities, such processing is carried out in accordance with the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020). In such cases, this Policy should be read together with the DIFC Data Protection Regulations and any DIFC-specific notices issued by TASC Towers.

This Policy applies to all Personal Data collected, processed, stored, or shared by TASC Towers and its subsidiaries through their telecommunications infrastructure operations, B2B service delivery, and corporate functions across all jurisdictions where TASC Towers operates and plans to operate, including Jordan, Iraq, Qatar, Kuwait, Algeria, and Tunisia.

The scope of this Policy covers the following:

• Data Subjects: Individuals who interact with TASC Towers as clients, business partners, contractors, suppliers, employees, or visitors to our facilities or digital platforms.
• Channels: Data collected through TASC Towers' websites, corporate portals, contract management platforms, field operations, client service interfaces, and communications channels.
• Data Types: Personal identifiers, professional contact details, financial information, site access credentials, service usage data, and other data categories as defined in this Policy.
• Processing Purposes: Contract management, service delivery, compliance, stakeholder communications, analytics, security, fraud prevention, and legal obligations.
• Jurisdictional Applicability: This Policy complies with applicable data protection regulations in each TASC Towers operating jurisdiction. Where local regulations require specific variations or additions, localized notices or supplementary statements will be issued. And where Personal Data is processed within the DIFC or transferred from the DIFC, TASC Towers complies with the DIFC Data Protection Law 2020, including requirements relating to lawful bases, cross-border transfers, Data Subject rights, and accountability obligations.

We process Personal Data for specific, limited purposes in accordance with applicable data protection regulations. And where feasible and appropriate, TASC Towers applies Pseudonymisation techniques to reduce the identifiability of Personal Data during processing activities, particularly in analytics, testing, and service improvement functions. Pseudonymised data is kept separately from identifying information and is subject to strict access controls.

The table below outlines key processing purposes and their legal bases:

• Service Delivery and Contract Management: To set up, activate, and manage infrastructure service agreements, co-location arrangements, and associated operational activities. Legal Basis: Contractual necessity.
• Billing and Payments: To process service invoices, manage payments from clients and to vendors, and issue financial statements. Legal Basis: Contractual necessity / Legal obligation.
• Security and Access Control: To manage access to TASC Towers' physical and digital infrastructure, verify identities, and prevent unauthorized access. Legal Basis: Legitimate interest / Legal obligation.
• Regulatory Compliance: To fulfill obligations under applicable telecommunications regulations, data protection laws, anti-money laundering frameworks, and other regulatory requirements across TASC Towers' operating jurisdictions. Legal Basis: Legal obligation.
• Fraud Detection and Prevention: To detect, investigate, and prevent fraud, abuse, or security threats to our operations and infrastructure. Legal Basis: Legitimate interest / Legal obligation.
• Business Development and Marketing: To share relevant service information, industry updates, and proposals with existing and prospective business partners where Consent has been obtained. Legal Basis: Explicit Consent / Legitimate interest.
• Analytics and Service Improvement: To analyze service performance, usage trends, and operational data to enhance TASC Towers' infrastructure offerings and support strategic planning. Legal Basis: Legitimate interest.
• Data Minimisation and Pseudonymisation: To enhance privacy and reduce risk by transforming Personal Data so it cannot be attributed to a specific individual without additional information kept separately. Used particularly for analytics, testing, and operational optimisation. Legal Basis: Legitimate interest / Compliance with DIFC DPL 2020.
• Automated Decision-Making (where applicable): To conduct limited automated assessments that do not produce legal or significant effects on Data Subjects. TASC Towers does not engage in solely automated decision-making that produces such effects. Legal Basis: Legitimate interest / Compliance with DIFC DPL 2020.

TASC Towers processes Personal Data in compliance with applicable data protection frameworks across its operating jurisdictions. Each processing activity is carried out on one or more of the following lawful bases:

• Consent of the data subject: Where required by regulation, TASC Towers obtains clear, specific, and informed Consent before collecting or processing Personal Data. Data Subjects have the right to withdraw their Consent at any time without affecting the lawfulness of prior processing.
• Performance of a contract: We process Personal Data when necessary to establish, manage, or fulfill a contractual relationship, including enabling service activation, managing billing, providing technical support, and fulfilling co-location agreements.
• Compliance with legal or regulatory obligations: Certain processing activities are mandated by applicable telecommunications regulations, tax laws, anti-corruption frameworks, or judicial orders. TASC Towers may also be obligated to disclose specific data to government or regulatory authorities upon lawful request.
• Legitimate Interests: TASC Towers may process Personal Data where necessary for its legitimate business interests, including maintaining security over infrastructure assets, detecting fraud, and improving operational performance, provided such interests do not override the rights and freedoms of Data Subjects.
• Protection of vital interests or public interest: In some cases, processing may be necessary to protect the vital interests of individuals or to support public interest tasks such as national security, critical infrastructure continuity, or emergency response.

Where processing involves Special Categories of Personal Data within the DIFC, TASC Towers ensures that one of the additional conditions under Article 10 of DIFC DPL 2020 is met. Where legitimate interest is relied upon, a Legitimate Interest Assessment (LIA) is conducted and documented.

TASC Towers may share Personal Data with carefully selected and contractually bound third parties, but only when necessary to fulfill one or more of the following purposes:

• Deliver, manage, or improve the services requested by the Data Subject or client organization;
• Perform technical, operational, or support functions such as billing, hosting, infrastructure maintenance, analytics, or fraud prevention;
• Enable engagement with agents, subcontractors, or business process outsourcing partners acting strictly on TASC Towers' behalf under written data processing agreements;
• Comply with obligations under applicable laws, court orders, or legal proceedings; or
• Respond to lawful requests from regulatory or governmental authorities including telecommunications regulators, data protection agencies, and law enforcement bodies.

Cross-border transfers of Personal Data from the DIFC are carried out only where the destination jurisdiction is recognized by the DIFC Commissioner of Data Protection as providing an adequate level of protection, or where appropriate safeguards are implemented, such as contractual clauses, binding corporate rules, or explicit Consent in accordance with Article 27 of DIFC DPL 2020.

As a Data Subject, you are entitled to exercise the following rights under applicable data protection regulations. TASC Towers is committed to facilitating these rights in a timely and transparent manner:

• ✔ Right to Be Informed: You have the right to know how we collect, use, process, store, and share your Personal Data, the legal basis for such processing, and how long it will be retained.
• ✔ Right of Access: You may request confirmation of whether we process your Personal Data and, if so, obtain access to that data and related information, including processing purposes and any third parties with whom it has been shared.
• ✔ Right to Correction: If your Personal Data held by TASC Towers is inaccurate or incomplete, you may request that it be corrected or updated promptly.
• ✔ Right to Erasure (Right to Be Forgotten): You may request the deletion of your Personal Data where there is no legal or contractual reason for its continued processing. Legal or regulatory obligations may limit this right in certain cases.
• ✔ Right to Restrict Processing: You may request temporary or permanent restriction of processing in certain circumstances, for instance when contesting the accuracy of your data or objecting to its use.
• ✔ Right to Withdraw Consent: Where processing is based on your Consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out prior to such withdrawal.
• ✔ Right to Object to Direct Marketing: You may object at any time to the processing of your Personal Data for direct marketing purposes. Upon receipt of such an objection, TASC Towers will cease all related processing activities.
• ✔ Right to Submit a Complaint: You have the right to submit a complaint to TASC Towers' Data Protection Officer or to the competent data protection authority in your jurisdiction. TASC Towers will cooperate fully with any resulting investigation.
• ✔ Right to Data Portability: You may request to receive your Personal Data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible.
• ✔ Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including Profiling, that produce legal or significant effects.

TASC Towers retains Personal Data only for as long as necessary to fulfill the lawful and clearly defined purposes for which it was collected. Retention periods are guided by internal schedules that account for the nature of the data, applicable legal and regulatory requirements, contractual obligations, and the rights of Data Subjects.

Retention periods vary depending on the category of Personal Data, the purpose of processing, and applicable legal or regulatory requirements. For DIFC-related processing, retention is determined in accordance with Article 14 of DIFC DPL 2020 and documented in TASC Towers' Records of Processing Activities (ROPA).

TASC Towers is committed to protecting Personal Data through the implementation of appropriate technical and organizational security measures. These include:

• Encryption and access control mechanisms to safeguard data against unauthorized access;
• An established incident response process to detect, manage, and resolve security incidents in a timely manner;
• Regular security audits and risk assessments to identify and mitigate potential vulnerabilities;
• Privacy by Design principles embedded into TASC Towers' systems, services, and operational practices; and
• Strict access controls limiting Personal Data access to authorized personnel based on job responsibilities and need-to-know principles.

TASC Towers conducts Data Protection Impact Assessments (DPIAs) for processing activities likely to result in high risk to individuals, in accordance with DIFC DPL 2020.

In the event of a Personal Data breach that poses a significant risk to the rights and freedoms of Data Subjects, TASC Towers is committed to notifying the affected individuals and the relevant data protection authority within the timeframes prescribed by applicable data protection regulations. TASC Towers maintains an established breach response protocol to ensure timely detection, containment, and communication of any such incidents.

For Personal Data breaches affecting DIFC Data Subjects, TASC Towers notifies the DIFC Commissioner of Data Protection as soon as practicable and maintains internal records of all breaches, whether reportable or not.

TASC Towers prioritizes the confidentiality and protection of Personal Data. We implement appropriate technical and organizational measures to prevent the loss, misuse, unauthorized access, or alteration of data. Personal Data is stored on secure servers and disclosed only when required by applicable regulations or when necessary to deliver our infrastructure services and technical support.

TASC Towers does not sell, lease, or disclose Personal Data to any third party outside of its subsidiaries without your Consent. Where third-party service providers are engaged to support our operations, they are contractually obligated to maintain the confidentiality of your information and to use it solely for the purposes for which it was shared.

Where TASC Towers appoints Data Processors for DIFC-related processing, such processors are bound by written agreements meeting the requirements of Article 24 of DIFC DPL 2020, including confidentiality, security, and sub-processing controls.

TASC Towers uses cookies and similar technologies on its corporate website to enhance user experience, analyze usage patterns and traffic, and ensure the proper functionality of our digital platforms. These technologies help us understand how our website is being used and enable us to optimize its performance for our stakeholders.

You have the option to manage your cookie preferences at any time through your browser or device settings. Please note that disabling certain cookies may affect the functionality or performance of some features on our platforms. Where required by applicable law, we obtain your Consent prior to deploying non-essential cookies.

For users accessing our services from within the DIFC, non-essential cookies are deployed only after obtaining explicit opt-in Consent.

TASC Towers is committed to safeguarding Personal Data and upholding the highest standards of privacy and data protection. All employees, contractors, suppliers, and third parties acting on behalf of TASC Towers are required to comply with this Policy and all applicable data protection laws. Regular training and awareness programs are provided to ensure that all personnel have the knowledge and capability to handle Personal Data responsibly.

In cases of a violation of this Policy, appropriate disciplinary action will be taken in accordance with applicable laws and regulations and TASC Towers' internal policies, along with corrective and preventive measures to mitigate the risk of future breaches. In any discrepancy between the provisions of this Policy and applicable data protection law, the law shall prevail.

TASC Towers maintains Records of Processing Activities (ROPA) for DIFC-related processing and ensures ongoing compliance monitoring in accordance with DIFC DPL 2020.

This Policy may be updated from time to time to reflect changes in TASC Towers' practices or for operational, legal, or regulatory reasons. The most recent version of this Policy will always be accessible on the TASC Towers corporate website. Data Subjects will be informed of material changes through appropriate communication channels. The last update to this Policy was in March 2026.

Where required under DIFC DPL 2020, material changes affecting DIFC Data Subjects will be communicated directly through appropriate channels.

If you have any concerns or complaints regarding how your Personal Data is handled by TASC Towers, you are encouraged to contact our Data Protection Officer (DPO) using the information below. We are committed to addressing all concerns in a timely, transparent, and constructive manner.

If you are not satisfied with TASC Towers' response, you have the right to escalate your complaint to the relevant data protection authority in your jurisdiction. If your Personal Data is processed within the DIFC, you may also lodge a complaint with the DIFC Commissioner of Data Protection.