The following Privacy Notice (“Notice”) is applicable to the processing of your personal data by Sinch (Sinch AB and its subsidiaries providing the Sinch MessageMedia service) as part of your use of the Sinch MessageMedia platform and services. This Notice applies to activities where Sinch is a Controller under data protection law and excludes processing on Customers’ behalf while providing services – activities for which Customers are the Controllers.  

Sinch will collect personal data from you based upon your business relationship with Sinch and the use of Sinch platforms and services, as set out below. Please read the entire Notice.   

Before reading, please keep in mind that: 

• If you have complaints or questions related to messages sent through Sinch services, it is likely easier for you to reach out to the sender of the message directly. 
• Sinch platforms and services are not targeted to anyone underage. If you are underage, you should not submit your personal data through Sinch websites or portals. 
• Sinch recruitment processes are covered by a different Notice that you can find on the recruitment website itself. 
• Sinch has a Group Data Protection Officer who can be reached per email at DPO@sinch.com whenever you have questions or complaints or in case you want to exercise your rights as a data subject. 

What Types of Personal Data Does Sinch Process? 

This section is a high-level overview of the contexts where Sinch, as a Controller, processes and collects personal data.  

“Personal data” means information that relates to an identifiable, living person. The definition does not include information about businesses or organisations. By way of example, your personal email address, including the one you use at work, is personal data, whereas the “info@yourjob.com” email address is not.  

For the purposes of this notice Sinch processes two types of Personal Data as a Controller: 

• Customer Data, which means personal data relating to current and potential future Customers. This includes how Customers interact with Sinch platforms and services, and how Sinch in turn handles information about Customers related to the use of Sinch services and platforms, and, 
• Service Data, which means the routing and message data, including message content, that is created and processed as a part of provision of services to Sinch Customers.  

Please note that if you are an end recipient of messages sent through Sinch services, those messages were sent by Sinch Customers. Sinch Customers have their own privacy notices and policies regarding their use of personal data and you should read these privacy notices to understand why you’ve received messages through Sinch services.  

Who Provides Sinch with Personal Data? 

This section describes where Sinch has received your personal data from – it is likely that Sinch has not received your Personal Data directly from you.  

Customer Data comes to be processed by Sinch in one of several ways: 

• Your employer or colleague may have submitted your personal data to be processed by Sinch through a Sinch platform – for instance registering an account and submitting your work email as a new user. 
• Third parties may have provided information about you to Sinch – these third parties include market survey companies, marketers, and sales leads databases. In these cases, Sinch takes steps to ensure that the source of personal data is legitimate. Sinch providers, in turn, are responsible for ensuring that they comply with applicable data protection law when providing data to us. 
• In the process of working with Customers, new information can be generated that also qualifies as personal data for customer engagement purposes. For instance, Sinch may learn why you are interested in Sinch services and note this in internal systems along with the type of organization (Customer) you represent.   

Service Data comes to be processed by Sinch when Customers send traffic through Sinch services as part of the services agreement we have in place with those Customers. Personal data that is Service Data and relates to you will likely originate from a Customer, who uploads the data to Sinch as they direct a message, call or other communication event, such as a multi-factor authentication message, to you.  

  

How Does Sinch Process Customer Data?  

This section describes the activities that Sinch undertakes related to Customer Data, which is a subcategory of personal data related to Customers as described above.  

Sinch will process personal data related to Customers as part of providing services to our Customers and to communicate with you about those services. You may choose to share additional information with Sinch, such as by subscribing to newsletters or attending seminars or sales events, in which case Sinch will process that additional information to provide you with a better, more customized experience.  

Processing activities for Customer Data include the following: 

Activity	Why is this done? (Purpose)	Lawful basis*	What Personal data?	Deleted When?
Administering, and entering into the contractual relationship with the Customer (including billing)	To enable Sinch to administer, foster and develop its Customer relationship (with the use of a customer relationship management system), perform credit checks and, verification of identity and personal or business data and payment details and other verifications before offering services to Customers.  To enable Sinch to fulfil obligations in accordance its contract with its Customers, this may include sending you service announcements on elements included within the contract, customer service enquiries, product specification updates, contracts updates.	Legitimate interests	Contact data; such as phone number, email address, address, name, company, signature, position, contact preference and any other information that you may provide to Sinch, including the internal Sinch identifying number for the customer entity  Payment details: method of payment for Sinch services and associated data such as billing address**  Technical data: computer settings when stored, log information on use of portal/forum, IP-address	For the duration of the business relationship between Sinch and the customer
Administering portals and websites	To enable Sinch to operate and administer access and use of the forums, websites, mobile applications, messaging products and portals provided to Customers, resellers, developers and other user groups, including APIs providing integrations with Customers and third party  integration providers.	Legitimate interests	Contact data: such as phone number, email address  Technical data: computer settings when stored, log information on use of portal/forum, IP-address	For the duration of the business relationship between Sinch and the customer
Information security	To enable Sinch to protect forums, websites, portals, services and the customer data within, including detecting, investigating and preventing threats and fraud and to find vulnerabilities.	Legal obligation as an electronic communications provider	Technical data: computer settings when stored, log information on use of portal/forum, IP-address	According to the legal requirements
Marketing	Sending newsletters, information and invites for seminars or webinars, white papers or similar marketing activities undertaken with leads or persons of interest and similar feedback and promotional communication, including leads sharing with partners providing explicit consent has been given.	Consent (for such practices where you have opted in or registered)  Legitimate interests (when we reach out to you as a person of interest)	Contact data; such as phone number, email address, address,  name, company, position, contact preference and any other information that you may provide to Sinch.	For the duration of your consent (until you opt-out or the opt-in ceases to be relevant) or, when not based on your opt-in, until you are no longer associated with a relevant lead
Analytics and product development	Gathering insights related to the use of services, platforms and websites for the purpose of improving functionalities and the overall customer experience. When applicable, this is performed on aggregated and anonymized data.	Legitimate interests	Customer feedback data: information on your particular feedback and experience as applicable (when freely offered)  Technical data: computer settings, log information on use of portal/forum (as collected by tracking technologies described on our cookies Statement, IP-address	Retained only temporarily (as expressed in our cookies statement) before anonymization
Administering opt-outs and opt-ins	Maintaining features for opt-out and opt-in (such as consents and unsubscribe features) as required by law	Legal obligation under privacy and marketing laws	Contact data and opt-in or opt-out information  Technical data: log information on use of portal/forum (as collected by tracking technologies described on our cookies statement, IP-address	As required to maintain an appropriate opt-in and opt-out register in each instance
Service announcements	Providing service announcements including notices of downtime, updates, disturbances etc. according to SLA	Legitimate interests	Email address	For the duration of the business relationship between Sinch and the customer
Legally required reporting	To enable Sinch to (prepare to) administer and fulfil our obligations under mandatory law including providing correct information to relevant authorities	Legal obligations under tax laws and other national reporting laws	Customer entity data  Payment data and billing information **	According to the legal requirement- we will delete such records when we are no longer legally obligated to retain them but may retain anonymized records, if the law allows.
Tax calculation and financial audits	Fulfilling legal requirements and activities related to payment and calculation of tax and associated financial audits and planning	Legal obligation  Legitimate interests	Customer entity data  Payment data and billing information**	According to the legal requirement – deleted when no longer legally obligated to retain them but may retain anonymized records, if the law allows.
Address and refute claims in legal or official proceedings	Protecting Sinch interests in official proceedings	Legitimate interest	Contact data: such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch or is created in communication with you.  Technical data: computer settings when stored, log information on use of portal/forum, IP-address	When a legal hold is applied, information is retained until legal prescription or until the hold is lifted
Responding to legitimate authority requests for information	Responding to legitimate authority requests for information, such as subscriber information, according to legal requirements in each jurisdiction	Legal obligation	Contact details: such as phone number, email address, name, company registered address and usage data, subscriber data	Information is processed only to respond to the individual request.
Protecting services from threats, fraud and spam	Upholding an appropriate standard for our services by acting on detected inappropriate behaviours such as fraud, spam, phishing and similar activities – as legally required and permitted in each jurisdiction – including by suspending accounts.	Legitimate interests  (Legal obligation, where such obligations apply)	Contact data; such as phone number, email address, address,  name, company, position, contact preference and any other information that you may provide to Sinch  Service Data: data related to the activities discovered.	Retained for evidence and investigation until the matter is resolved.
Aggregating or de-identifying	Preparing anonymized, statistical information from personal data to gain customer and market insights	Legitimate interests	Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch (which is removed as part of this process in order to de-identify)  Technical data: site and platform visit behaviour, IP-address	N/A (activity describes end of retention practice)

*A Lawful basis is required in certain jurisdictions (including the EU/EEA and the UK) in order to process personal data. The lawful bases assigned above indicate that use of Customer Data serves to understand the Customer base, manage Sinch relationship with that Customer base, carry out core business operations and comply with applicable legal obligations, as listed above.  

** For Customers who choose to pay for Sinch services by credit card or direct debit, Sinch collects details related to the payment to processing. Payment data is stored according to industry standards for maximum security. 

Service Data – or “Data about our Customers’ customers” 

This section describes the activities that Sinch undertakes related to Service Data, which is a subcategory of personal data related to the communications flowing through Sinch services.  

As a provider of electronic communications services, Sinch will process personal data related to end recipients of communications in the ways described below. 

Processing activities for Service Data include the following: 

Activity	Why is this done? (Purpose)	Lawful basis*	What Personal data?	Deleted When?
Service continuity management	Protecting the stability of services against vulnerabilities.	Legal obligation as an electronic communications provider	Technical data: log information, functionality of services, metadata involved in the provision of the services, IP-address	Retained according to information security best practices
Protecting services from threats, fraud and spam  Includes automated decision making aided by machine learning	Upholding an appropriate standard for our services by detecting, filtering and acting on inappropriate behaviours such as fraud, spam, phishing and similar activities – as legally required and permitted in each jurisdiction.  This practice is aided by automated decision making (performed by AI systems) with human oversight in certain jurisdictions as required by local legal obligations and best practices in order to effectively combat spam, abusive or fraudulent activity.	Legitimate interests  (Legal obligation, where such obligations apply)	Service data: routing and message data processed when transmitting messages, including content data for non- end-to-end-encrypted channels.  Technical data: log information, functionality of services, metadata involved in the provision of the services, IP-address	Retained for up to a week, unless legal obligation requires extended archiving.
Maintaining block list	Maintaining a block list (“black list”) for stopping all communications to a particular addressee, in accordance with end recipient (data subject) wishes	Consent	Contact details and proof of acceptance of consequences of blocking	Retained until the data subject expresses they no longer wish to maintain the block
Responding to legitimate authority requests for information	Responding to legitimate authority requests for information, such as subscriber information, according to legal requirements in each jurisdiction. Sinch discloses personal data to requesting authorities when the request is supported by a legal warrant, such as warrants issued under telecommunications subscriber data access regulations	Legal obligation	Subscriber data and metadata associated with directing of messages when in scope of lawful requests of information	Information is processed only in order to respond to the individual request.

 *A Lawful basis is required in certain jurisdictions (including the EU/EEA and the UK) in order to process personal data. Sinch’s use of Service Data as a Controller is connected to special responsibilities as an electronic communications services provider which also comes with special legal responsibilities in many jurisdictions – the purposes for which are described above.  

With Whom Does Sinch Share Personal Data? 

This section describes the circumstances wherein the Sinch entity that first received your personal data will share personal data with other entities, including other Sinch entities. 

Sinch does not sell personal data and does not allow third parties to use your personal data for their own business interests, without explicit consent to do so. 

The Sinch entity that first sources your personal data will share these data (including both Service Data and Customer Data as described above) with other parties, as a part of providing services and maintaining the services infrastructure.  

In the below, you’ll find the contexts and reasons for sharing your personal data with other parties. Please note that it’s not likely your data has been shared with all the listed categories of recipients. The sharing of your personal data depends on context: such as the specific Sinch service and where you live.  

Type of recipient	Why is data shared? (Purpose)
Sinch Group entities	Your personal data will be shared within the Sinch Group, including for business continuity and information security and support purposes, as well as for legally mandated reporting, bookkeeping, billing, and similarly important activities.
Telecommunications operators	For various Sinch services, communications are sent over telephone networks, in which case the message transmitted, and metadata, is shared with those network operators as the communication is sent as a part of ensuring it arrives at the correct destination and can be billed properly.
Other providers of electronic communications services	For various Sinch services and products, communications are sent over channels provided or owned by other communications companies such as Facebook Messenger or WhatsApp. If your personal data is involved in these services (by receiving or sending messages using Sinch services integrating such channels), that personal data for each message will be shared by the associated platform.
Service providers or consultants	Sinch will engage third party vendors and suppliers to process personal data on our behalf to be able to provide our services. This includes various areas of business such as infrastructure, including data centres, payment service providers, providers of IT devices, insurance, administration, customer engagement, website functionality and optimization, information security experts and IT services.
Partners of integrated solutions and services	For certain Sinch services and products, there are options for Customers to make use of integrated services and technical solutions. If the Customer chooses to use these solutions, those third parties, notified to the Customer, receive and process personal data as described.
Authorities and other required/legitimate recipients	Sinch may disclose personal data to third parties (including government bodies or authorities) if in receipt of legitimate requests for information or otherwise if disclosure is compelled by applicable law, regulation, legal process or other government request. Similarly, Sinch may make such disclosures to protect rights under agreements or in line with internal policies, or in order to protect the security and integrity of services, Sinch Group and our interests or the public from harm or illegal activities. Unless prohibited by law, Sinch will notify such disclosure requirements.   Our US company, Mailgun Technologies, Inc., is subject to the investigatory and enforcement powers of the Federal Trade Commission as part of certification under the EU-U.S Data Privacy Framework (“EU-U.S DPF”).
Business reorganisation transfers	As part of corporate entity sale, merger, reorganization, dissolution or similar events – personal data, as assets, may be part of entities transferred or shared as part of such a transaction of companies.

Where Will My Personal Data Be Transferred To? 

This section describes Sinch standards for transferring of personal data between countries.  

Sinch, being a global group, transfers personal data between countries. For instance, Sinch shares personal data internally between Sinch entities for many of the purposes described above under processing activities, such as to ensure correct billing and account handling. When personal data is transferred to a country that offers a lower level of protection for personal data than where the personal data is first sourced, Sinch ensures that requirements under applicable laws are fulfilled for the protection of the personal data transferred.  

For transfers of personal data from the EU/EEA to other countries Sinch ensures that the European Standard Contractual Clauses cover the transfers unless an alternative mechanism for lawful transfers is applicable, including the EU-US Data Privacy Framework or Binding Corporate Rules of the third parties importing the personal data (such as service providers).  

The service Sinch Email complies with the EU-U.S Data Privacy Framework (“EU-U.S DPF”) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S Department of Commerce. More specifically, Mailgun Technologies, Inc., a US-based Sinch company, has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles regarding the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF, the Principles shall govern. To learn more about the Data Privacy Framework Program, and to view the certification, please visit https://www.dataprivacyframework.gov/  

The list of locations where personal data is transferred is available for each Sinch service in the list of involved legal entities on the Sinch website, please visit https://www.sinch.com/data-protection-agreement/sub-processors/ 

For specific information on what mechanisms have been used for transfers of your personal data, direct your query to the Sinch Group Data Protection Officer at dpo@sinch.com  

How is Sinch Protecting your personal data? 

This section briefly describes Sinch standards for protection of your personal data. 

Sinch is strongly committed to keeping your Personal Data safe. Sinch has implemented and will maintain technical, administrative, organizational and physical measures that are reasonably designed to protect your Personal Data. These measures include encryption and redaction, and Sinch has dedicated teams to monitor our information security and privacy practices. 

For specific information on the Sinch security standards and certifications, visit this page https://www.sinch.com/security/. 

What are Your Rights as the Data Subject? 

This section summarizes your rights as a data subject under data protection laws and suggests how you may best take action if you have concerns or questions. 

Data protection laws afford you, as a data subject, a number of rights in relation to your personal data. To the extent that Sinch is the controller of processing of your personal data, the below applies to how you can exercise those rights by getting in touch. 

To exercise these rights, please contact the Data Protection Officer at dpo@sinch.com.  

When you exercise your rights, Sinch may need to confirm your identity to ensure that your personal data is not disclosed an unauthorized person.  

1. Right to Access: You can request access to your personal data stored or processed by Sinch. Upon that request, Sinch will provide a copy of the data and information about the processing, to an extent that does not infringe upon the rights of other data subjects or reveal confidential or proprietary information. 

2. Right to Data Portability: If you request access to personal data about you that you yourself have provided, you can request that the data is provided in a structured, commonly used and machine readable format and you can also request that the personal data is transmitted to another controller, if this is technically feasible. 

3. Right to Rectification: You have the right to correct inaccurate or incomplete personal data. If data has been shared with third parties, Sinch will inform them of the rectification. 

4. Right to Erasure (Right to Be Forgotten): You can request that Sinch delete your personal data under certain circumstances, such as when the data is no longer necessary for the purposes it was collected or if you’ve withdrawn your consent. 

5. Right to Restriction of Processing: You can request the temporary suspension of processing of your data, for instance while you contest the accuracy of the data or in connection to a request of deletion or objection to its processing. 

6. Right to Object: You can object to the processing of your personal data for specific purposes – those listed in the table of processing activities above where the lawful basis is listed as ‘Legitimate interests’. Sinch will then either stop processing the data or demonstrate compelling legitimate grounds for the processing. Please note that for most Sinch services, Sinch acts as a processor. You should turn to the sender of the messages to object to further communications, or use unsubscribe functions in each message. 

7. Right to Withdraw Consent: If processing is based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on that consent before you withdrew it. 

You have the right to lodge a complaint with a supervisory authority if you believe your data rights have been violated. The responsible data protection supervisory authority for Sinch in the EU/EEA is Integritetsskyddsmyndigheten (”IMY”) in Sweden.  

The service Sinch Email has also committed to cooperate and comply, in compliance with the EU-US DPF and the UK Extension to the EU-US DPF, with the advice of the panel established by the EU data protection authorities (DPA) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning personal data received in reliance on the EU-US DPF and the UK Extension to the EU-US DPF.  

If you live outside the EU/EEA, you may have the right to lodge a complaint with a data protection supervisory authority or other government body in your country, state or region, but such government bodies are not available everywhere in the world. Regardless of where you live and work, you can always reach out to the Sinch Group Data Protection Officer at dpo@sinch.com if you have questions or to direct your concerns.