The following Privacy Notice („Notice“) is applicable to the processing of your personal data by Sinch as part of your use of Sinch platforms and services. For the purposes of this Notice, “Sinch” means Sinch AB (publ) or any of its subsidiaries, including the Sinch entity with which you or your employer have contracted if you are a Sinch customer or the employee of such a customer (hereafter simply “Customer”).
This Notice applies to activities where Sinch is a Controller under data protection law and excludes processing on Customers’ behalf while providing services – activities for which Customers are the Controllers.
Sinch will collect personal data from you based upon your business relationship with Sinch and the use of Sinch platforms and services, as set out below. Please read the entire Notice.
Before reading, please keep in mind that:
This section is a high-level overview of the contexts where Sinch, as a Controller, processes and collects personal data.
“Personal data” means information that relates to an identifiable, living person. The definition does not include information about businesses or organisations. By way of example your email address, including the one you use at work, is personal data, whereas the “info@yourjob.com” email address is not.
For the purposes of this notice Sinch processes two types of Personal Data as a Controller:
Please note that if you are an end recipient of messages sent through Sinch services, those messages were sent by Sinch Customers. Sinch Customers have their own privacy notices and policies regarding their use of personal data and you should read these privacy notices to understand why you’ve received messages through Sinch services.
This section describes where Sinch has received your personal data from – it is likely that Sinch has not received your Personal Data directly from you.
Customer Data comes to be processed by Sinch in one of several ways:
Service Data comes to be processed by Sinch when Customers send traffic through Sinch services as part of the services agreement we have in place with those Customers. Personal data that is Service Data and relates to you will likely originate from a Customer, who uploads the data to Sinch as they direct a message, call or other communication event, such as a multi-factor authentication message, to you.
This section describes the activities that Sinch undertakes related to Customer Data, which is a subcategory of personal data related to Customers as described above.
Sinch will process personal data related to Customers as part of providing services to our Customers and to communicate with you about those services. You may choose to share additional information with Sinch, such as by subscribing to newsletters or attending seminars or sales events, in which case Sinch will process that additional information to provide you with a better, more customized experience.
Processing activities for Customer Data include the following:
Activity | Why is this done? (Purpose) | Lawful basis* | What Personal data? | Deleted When? |
Administering, and entering into the contractual relationship with the Customer (including billing) | To enable Sinch to administer, foster and develop its Customer relationship (with the use of a customer relationship management system), perform credit checks and, verification of identity and personal or business data and payment details and other verifications before offering services to Customers. To enable Sinch to fulfil obligations in accordance its contract with its Customers, this may include sending you service announcements on elements included within the contract, customer service enquiries, product specification updates, contracts updates. | Legitimate interests | Contact data; such as phone number, email address, address, name, company, signature, position, contact preference and any other information that you may provide to Sinch, including the internal Sinch identifying number for the customer entity Payment details: method of payment for Sinch services and associated data such as billing address** Technical data: computer settings when stored, log information on use of portal/forum, IP-address | For the duration of the business relationship between Sinch and the customer |
Administering portals and websites | To enable Sinch to operate and administer access and use of the forums, websites, mobile applications, messaging products and portals provided to Customers, resellers, developers and other user groups, including APIs providing integrations with Customers and third party integration providers. | Legitimate interests | Contact data: such as phone number, email address Technical data: computer settings when stored, log information on use of portal/forum, IP-address | For the duration of the business relationship between Sinch and the customer |
Information security | To enable Sinch to protect forums, websites, portals, services and the customer data within, including detecting, investigating and preventing threats and fraud and to find vulnerabilities. | Legal obligation as an electronic communications provider | Technical data: computer settings when stored, log information on use of portal/forum, IP-address | According to the legal requirements |
Marketing | Sending newsletters, information and invites for seminars or webinars, white papers or similar marketing activities undertaken with leads or persons of interest and similar feedback and promotional communication, including leads sharing with partners provided that your explicit consent has been given. | Consent (for such practices where you have explicitly opted in or registered) Legitimate interests (when we reach out to you as a person of interest) | Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch. | For the duration of your consent (until you opt-out or the opt-in ceases to be relevant) or, when not based on your opt-in, until you are no longer associated with a relevant lead |
Analytics and product development | Gathering insights related to the use of services, platforms and websites for the purpose of improving functionalities and the overall customer experience. When applicable, this is performed on aggregated and anonymized data. | Legitimate interests | Customer feedback data: information on your particular feedback and experience as applicable (when freely offered) Technical data: computer settings, log information on use of portal/forum (as collected by tracking technologies described on our cookies Statement, IP-address | Retained only temporarily (as expressed in our cookies statement) before anonymization |
Administering opt-outs and opt-ins | Maintaining features for opt-out and opt-in (such as consents and unsubscribe features) as required by law | Legal obligation under privacy and marketing laws | Contact data and opt-in or opt-out information Technical data: log information on use of portal/forum (as collected by tracking technologies described on our cookies statement, IP-address | As required to maintain an appropriate opt-in and opt-out register in each instance |
Service announcements | Providing service announcements including notices of downtime, updates, disturbances etc. according to SLA | Legitimate interests | Email address | For the duration of the business relationship between Sinch and the customer |
Legally required reporting | To enable Sinch to (prepare to) administer and fulfil our obligations under mandatory law including providing correct information to relevant authorities | Legal obligations under tax laws and other national reporting laws | Customer entity data Payment data and billing information ** | According to the legal requirement- we will delete such records when we are no longer legally obligated to retain them but may retain anonymized records, if the law allows. |
Tax calculation and financial audits | Fulfilling legal requirements and activities related to payment and calculation of tax and associated financial audits and planning | Legal obligation Legitimate interests | Customer entity data Payment data and billing information** | According to the legal requirement – deleted when no longer legally obligated to retain them but may retain anonymized records, if the law allows. |
Address and refute claims in legal or official proceedings | Protecting Sinch interests in official proceedings | Legitimate interest | Contact data: such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch or is created in communication with you. Technical data: computer settings when stored, log information on use of portal/forum, IP-address | When a legal hold is applied, information is retained until legal prescription or until the hold is lifted |
Responding to legitimate authority requests for information | Responding to legitimate authority requests for information, such as subscriber information, according to legal requirements in each jurisdiction | Legal obligation | Contact details: such as phone number, email address, name, company registered address and usage data, subscriber data | Information is processed only to respond to the individual request. |
Protecting services from threats, fraud and spam | Upholding an appropriate standard for our services by acting on detected inappropriate behaviours such as fraud, spam, phishing and similar activities – as legally required and permitted in each jurisdiction – including by suspending accounts. | Legitimate interests (Legal obligation, where such obligations apply) | Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch Service Data: data related to the activities discovered. | Retained for evidence and investigation until the matter is resolved. |
Aggregating or de-identifying | Preparing anonymized, statistical information from personal data to gain customer and market insights | Legitimate interests | Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch (which is removed as part of this process in order to de-identify) Technical data: site and platform visit behaviour, IP-address | N/A (activity describes end of retention practice) |
*A Lawful basis is required in certain jurisdictions (including the EU/EEA and the UK) in order to process personal data. The lawful bases assigned above indicate that use of Customer Data serves to understand the Customer base, manage Sinch relationship with that Customer base, carry out core business operations and comply with applicable legal obligations, as listed above.
** For Customers who choose to pay for Sinch services by credit card or direct debit, Sinch collects details related to the payment to processing. Payment data is stored according to industry standards for maximum security.
This section describes the activities that Sinch undertakes related to Service Data, which is a subcategory of personal data related to the communications flowing through Sinch services.
As a provider of electronic communications services, Sinch will process personal data related to end recipients of communications in the ways described below.
Processing activities for Service Data include the following:
Activity | Why is this done? (Purpose) | Lawful basis* | What Personal data? | Deleted When? |
Service continuity management | Protecting the stability of services against vulnerabilities. | Legal obligation as an electronic communications provider | Technical data: log information, functionality of services, metadata involved in the provision of the services, IP-address | Retained according to information security best practices |
Protecting services from threats, fraud and spam Includes automated decision making aided by machine learning | Upholding an appropriate standard for our services by detecting, filtering and acting on inappropriate behaviours such as fraud, spam, phishing and similar activities – as legally required and permitted in each jurisdiction. This practice is aided by automated decision making (performed by AI systems) with human oversight in certain jurisdictions as required by local legal obligations and best practices in order to effectively combat spam, abusive or fraudulent activity. | Legitimate interests (Legal obligation, where such obligations apply) | Service data: routing and message data processed when transmitting messages, including content data for non- end-to-end-encrypted channels. Technical data: log information, functionality of services, metadata involved in the provision of the services, IP-address | Retained for up to a week, unless legal obligation requires extended archiving. |
Maintaining block list | Maintaining a block list (“black list”) for stopping all communications to a particular addressee, in accordance with end recipient (data subject) wishes | Consent | Contact details and proof of acceptance of consequences of blocking | Retained until the data subject expresses they no longer wish to maintain the block |
Responding to legitimate authority requests for information | Responding to legitimate authority requests for information, such as subscriber information, according to legal requirements in each jurisdiction. Sinch discloses personal data to requesting authorities when the request is supported by a legal warrant, such as warrants issued under telecommunications subscriber data access regulations | Legal obligation | Subscriber data and metadata associated with directing of messages when in scope of lawful requests of information | Information is processed only in order to respond to the individual request. |
*A Lawful basis is required in certain jurisdictions (including the EU/EEA and the UK) in order to process personal data. Sinch’s use of Service Data as a Controller is connected to special responsibilities as an electronic communications services provider which also comes with special legal responsibilities in many jurisdictions – the purposes for which are described above.
This section describes the circumstances wherein the Sinch entity that first received your personal data will share personal data with other entities, including other Sinch entities.
Sinch does not sell personal data and does not allow third parties to use your personal data for their own business interests, without explicit consent from data subjects to do so, for instance from active customers who opt-in to participate in leads-sharing programs.
The Sinch entity that first sources your personal data will share these data (including both Service Data and Customer Data as described above) with other parties, as a part of providing services and maintaining the services infrastructure.
In the below, you’ll find the contexts and reasons for sharing your personal data with other parties. Please note that it’s not likely your data has been shared with all the listed categories of recipients. The sharing of your personal data depends on context: such as the specific Sinch service and where you live.
Type of recipient | Why is data shared? (Purpose) |
Sinch Group entities | Your personal data will be shared within the Sinch Group, including for business continuity and information security and support purposes, as well as for legally mandated reporting, bookkeeping, billing, and similarly important activities. |
Telecommunications operators | For various Sinch services, communications are sent over telephone networks, in which case the message transmitted, and metadata, is shared with those network operators as the communication is sent as a part of ensuring it arrives at the correct destination and can be billed properly. |
Other providers of electronic communications services | For various Sinch services and products, communications are sent over channels provided or owned by other communications companies such as Facebook Messenger or WhatsApp. If your personal data is involved in these services (by receiving or sending messages using Sinch services integrating such channels), that personal data for each message will be shared by the associated platform. |
Service providers or consultants | Sinch will engage third party vendors and suppliers to process personal data on our behalf to be able to provide our services. This includes various areas of business such as infrastructure, including data centres, payment service providers, providers of IT devices, insurance, administration, customer engagement, website functionality and optimization, information security experts and IT services. |
Partners of integrated solutions and services | For certain Sinch services and products, there are options for Customers to make use of integrated services and technical solutions. If the Customer chooses to use these solutions, those third parties, notified to the Customer, receive and process personal data as described. |
Authorities and other required/legitimate recipients | Sinch may disclose personal data to third parties (including government bodies or authorities) if in receipt of legitimate requests for information or otherwise if disclosure is compelled by applicable law, regulation, legal process or other government request. Similarly, Sinch may make such disclosures to protect rights under agreements or in line with internal policies, or in order to protect the security and integrity of services, Sinch Group and our interests or the public from harm or illegal activities. Unless prohibited by law, Sinch will notify such disclosure requirements. Our US company, Mailgun Technologies, Inc., is subject to the investigatory and enforcement powers of the Federal Trade Commission as part of certification under the EU-U.S Data Privacy Framework („EU-U.S DPF”). |
Business reorganisation transfers | As part of corporate entity sale, merger, reorganization, dissolution or similar events – personal data, as assets, may be part of entities transferred or shared as part of such a transaction of companies. |
This section describes Sinch standards for transferring of personal data between countries.
Sinch, being a global group, transfers personal data between countries. For instance, Sinch shares personal data internally between Sinch entities for many of the purposes described above under processing activities, such as to ensure correct billing and account handling. When personal data is transferred to a country that offers a lower level of protection for personal data than where the personal data is first sourced, Sinch ensures that requirements under applicable laws are fulfilled for the protection of the personal data transferred.
For transfers of personal data from the EU/EEA to other countries Sinch ensures that the European Standard Contractual Clauses cover the transfers unless an alternative mechanism for lawful transfers is applicable, including the EU-US Data Privacy Framework or Binding Corporate Rules of the third parties importing the personal data (such as service providers).
The service Sinch Email complies with the EU-U.S Data Privacy Framework (“EU-U.S DPF”) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S Department of Commerce. More specifically, Mailgun Technologies, Inc., a US-based Sinch company, has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles regarding the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF, the Principles shall govern. To learn more about the Data Privacy Framework Program, and to view the certification, please visit https://www.dataprivacyframework.gov/
The list of locations where personal data is transferred is available for each Sinch service in the list of involved legal entities on the Sinch website, please visit https://sinch.com/de/legal/data-protection-agreement-sub-processors/
For specific information on what mechanisms have been used for transfers of your personal data, direct your query to the Sinch Group Data Protection Officer at dpo@sinch.com
This section briefly describes Sinch standards for protection of your personal data.
Sinch is strongly committed to keeping your Personal Data safe. Sinch has implemented and will maintain technical, administrative, organizational and physical measures that are reasonably designed to protect your Personal Data. These measures include encryption and redaction, and Sinch has dedicated teams to monitor our information security and privacy practices.
For specific information on the Sinch security standards and certifications, visit this page https://sinch.com/de/sicherheit/.
This section summarizes your rights as a data subject under data protection laws and suggests how you may best take action if you have concerns or questions.
Data protection laws afford you, as a data subject, a number of rights in relation to your personal data. To the extent that Sinch is the controller of processing of your personal data, the below applies to how you can exercise those rights by getting in touch.
To exercise these rights, please contact the Data Protection Officer at dpo@sinch.com.
When you exercise your rights, Sinch may need to confirm your identity to ensure that your personal data is not disclosed an unauthorized person.
a. Right to Access: You can request access to your personal data stored or processed by Sinch. Upon that request, Sinch will provide a copy of the data and information about the processing, to an extent that does not infringe upon the rights of other data subjects or reveal confidential or proprietary information.
b. Right to Data Portability: If you request access to personal data about you that you yourself have provided, you can request that the data is provided in a structured, commonly used and machine readable format and you can also request that the personal data is transmitted to another controller, if this is technically feasible.
c. Right to Rectification: You have the right to correct inaccurate or incomplete personal data. If data has been shared with third parties, Sinch will inform them of the rectification.
d. Right to Erasure (Right to Be Forgotten): You can request that Sinch delete your personal data under certain circumstances, such as when the data is no longer necessary for the purposes it was collected or if you’ve withdrawn your consent.
e. Right to Restriction of Processing: You can request the temporary suspension of processing of your data, for instance while you contest the accuracy of the data or in connection to a request of deletion or objection to its processing.
f. Right to Object: You can object to the processing of your personal data for specific purposes – those listed in the table of processing activities above where the lawful basis is listed as ‘Legitimate interests’. Sinch will then either stop processing the data or demonstrate compelling legitimate grounds for the processing. Please note that for most Sinch services, Sinch acts as a processor. You should turn to the sender of the messages to object to further communications, or use unsubscribe functions in each message.
g. Right to Withdraw Consent: If processing is based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on that consent before you withdrew it.
You have the right to lodge a complaint with a supervisory authority if you believe your data rights have been violated. The responsible data protection supervisory authority for Sinch in the EU/EEA is Integritetsskyddsmyndigheten (”IMY”) in Sweden.
The service Sinch Email has also committed to cooperate and comply, in compliance with the EU-US DPF and the UK Extension to the EU-US DPF, with the advice of the panel established by the EU data protection authorities (DPA) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning personal data received in reliance on the EU-US DPF and the UK Extension to the EU-US DPF.
If you live outside the EU/EEA, you may have the right to lodge a complaint with a data protection supervisory authority or other government body in your country, state or region, but such government bodies are not available everywhere in the world. Regardless of where you live and work, you can always reach out to the Sinch Group Data Protection Officer at dpo@sinch.com if you have questions or to direct your concerns.
ADDENDUM
Last Updated: 01 August 2024
This addendum (‘Addendum’) to our group’s global privacy policy available upon request (‘Group Privacy Policy’), read with: (a) in the case of employees, the privacy notice shared with you via email or otherwise; or (ii) in the case of external parties, the privacy notice available at https://sinch.com/en-in/privacy-policy/; as the case may be; (‘Privacy Notice’, together with the Group Privacy Policy, ‘Global Data Privacy Policies’), is intended to inform individuals (including but not limited to employees, customers, service providers, partners and their employees), about the manner in which Sinch Cloud Communications Services India Private Limited (‘Sinch’, ‘we’ or ‘us’) collects information from you, processes your information, uses such information and discloses/ transfers such information, and the steps taken to protect such information.
Definition | Description |
‘Privacy Rules’ | Shall mean the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. |
‘Personal Data’ | Shall mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. |
‘Sensitive Personal Data’ | Shall mean such Personal Data which consists of information relating to: 1. password; 2. financial information such as Bank account or credit card or debit card or other payment instrument details; 3. physical, physiological and mental health condition; 4. sexual orientation; 5. medical records and history; 6. Biometric information; 7. any detail relating to the above clauses as provided to body corporate for providing service; and 8. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information. |
The provisions of this Addendum are supplemental to the provisions of the Global Data Privacy Policies and for the avoidance of doubt, this Addendum will be deemed to be an integral part of our Global Data Privacy Policies. In case of any conflict between the Global Data Privacy Policies and terms of this Addendum, the provisions of this Addendum shall prevail.
The data or information collected by us about you and / or relationship with us may contain Sensitive Personal Data or Personal Data. The Privacy Notices describe the Personal Data or Sensitive Personal Data that we collect, their source, purpose of processing the data, the legal basis for such processing, and for how long the data is retained.
In case we engage an agency for collecting or retaining the information / data relating to you, we will notify you of the details of such agency(ies) in writing and also update this Addendum to include their details.
Notwithstanding anything provided in the Global Data Privacy Policies, we shall not be responsible for the authenticity of the Personal Data or Sensitive Personal Data supplied by you to us or any third party acting on behalf of us.
We will not disclose or transfer information about you that we collect, to third parties without your consent, unless such disclosure has been agreed with us through contract or otherwise; provided that we may disclose data or information when required by law or when we believe in good faith that such disclosure is necessary to comply with applicable laws. This includes responding to court orders, warrants, or other legal processes, and cooperating with law enforcement or government agencies as required.
This Addendum read with the Global Data Privacy Policies lists out the detailed processes we undertake with respect to any Sensitive Personal Data or Personal Data. To this effect, we have also adopted the ISO/IEC 27001 and ISO 27701 security standards to protect the confidentiality and security of your Sensitive Personal Data.
We may revise this Addendum or our Global Data Privacy Policies from time to time for any reason, including to consider any amendments to applicable laws. If we make any modifications, we will make it available through our website and indicate the date of the latest revision.
We may not be able to separately notify you of the revisions each time that we make them. We encourage you to check our website periodically for modifications or revisions to our Global Data Privacy Policies to understand how it affects the use of your information. We will not be responsible for your failure to remain informed about such changes.
Please contact us with any questions or comments about our Global Data Privacy Policies and this Addendum, information we have collected or otherwise obtained about you, our use and disclosure practices, or your consent choices. You may address any such questions or concerns to our grievance officer whose name and contact details are as follows:
Name: Ira Dhasmana
Email: indialegal@sinch.com