Text Global Mobile Messaging for Businesses
Cheshire

GDPR Data Protection Policy

1. Introduction

This Data Protection Policy outlines how Text Global Limited ("the Company") collects, processes, stores, and protects personal data in compliance with the UK GDPR and the Data Protection Act 2018.

The Company provides Software-as-a-Service (SaaS) solutions specialising in SMS text and digital communications. In delivering these services, the Company processes personal data on behalf of its customers (Data Controllers) and, in some cases, as a Data Controller itself.

2. Scope

This policy applies to:

  • All employees, contractors, and third parties working on behalf of the Company
  • All personal data processed through the Company’s platform
  • All systems, applications, and services used in delivering digital communication solutions

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual
  • Processing: Any operation performed on personal data
  • Data Controller: Entity determining purposes and means of processing
  • Data Processor: Entity processing data on behalf of the controller
  • Data Subject: The individual whose data is processed

4. Roles and Responsibilities

  • The Company acts primarily as a Data Processor for customer data
  • Customers are responsible for ensuring the lawful collection of contact data and obtaining valid consent for digital communications
  • The Company may act as a Data Controller for:
    • Employee data
    • Account management and billing data

A Data Protection Officer (DPO) or responsible lead is appointed to oversee compliance.

5. Lawful Basis for Processing

Customers must ensure that recipients have:

  • Given explicit consent to receive marketing messages; or
  • Another lawful basis, such as legitimate interest (where applicable and compliant with PECR)

The Company processes data based on:

  • Contractual necessity
  • Legal obligations
  • Legitimate interests (e.g., service improvement, security)

6. Data Collected

The Company may process the following categories of personal data:

  • Phone numbers
  • Names (if provided by customers)
  • Message content
  • Delivery and engagement data (timestamps, status reports)
  • IP addresses and device information

7. Data Processing Principles

The Company adheres to GDPR principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

8. Consent and Opt-Out Management

The platform provides features to support compliance, including:

  • Opt-in tracking
  • Opt-out mechanisms (e.g., URL opt-out link and STOP replies)
  • Suppression lists

Customers are responsible for:

  • Maintaining proof of consent
  • Honouring opt-outs promptly

9. Data Retention

Personal data is retained only as long as necessary:

  • Customer data: retained per contractual agreement
  • Message logs: retained for 3 months for reporting and compliance
  • Backup data: securely deleted according to retention schedules

10. Data Security

The Company implements appropriate technical and organisational measures, including:

  • Encryption in transit (TLS) and at rest
  • Access controls and authentication
  • Role-based permissions
  • Regular security audits and penetration testing
  • Incident monitoring and logging

11. Subprocessors

The Company may engage subprocessors (e.g., SMS gateways, cloud hosting providers). The Company ensures:

  • Data Processing Agreements (DPAs) are in place
  • Subprocessors meet GDPR compliance standards
  • Customers are informed of subprocessors

12. International Transfers

Where data is transferred outside the UK/EEA, the Company ensures appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions

13. Data Subject Rights

The Company supports customers in fulfilling data subject rights, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Requests should be handled without undue delay and within one month.

14. Data Breach Management

In the event of a personal data breach:

  • The Company will assess and contain the breach promptly
  • Customers will be notified without undue delay
  • The ICO will be notified within 72 hours where required
  • Affected individuals will be informed where there is a high risk

15. Privacy by Design and Default

The Company incorporates data protection into system design, including:

  • Minimising data collection
  • Pseudonymisation where possible
  • Secure default settings

16. Training and Awareness

All staff receive regular data protection training and are required to adhere to this policy.

17. Audits and Compliance

The Company conducts periodic audits to ensure compliance and may support customer audits where contractually agreed.

18. Contact Information

For data protection queries, contact: [email protected]

19. Policy Review

This policy is reviewed annually or upon significant regulatory or operational changes.