Privacy notice
Last updated: Wednesday, 22th Feb ’23
This is the Privacy Notice of Infobip Limited and its subsidiaries and affiliates. At Infobip we aim to do privacy the right way – wherever we operate. We believe that the responsible use of personal data supports business growth and builds strong relationships between partners, consumers, and brands. As a business, we are committed to respecting and protecting the privacy of all individuals with whom we interact.
It is very important to us to be transparent about the personal data we collect about you, how we use such data, and with whom we share it. That is exactly what this Privacy Notice – including Appendix 1 – contains. It is divided into several sections for easier navigation. In addition to this Privacy Notice, we will also sometimes provide you with additional just-in-time privacy information where appropriate.
If you want to review first our simplified plain language overview of some of our key privacy practices, please see right below.
Unless you are a lawyer or enjoy long and detailed texts, you should read through this simplified overview of some of our key privacy practices first.
This overview is not a substitute for our Privacy Notice but an endeavour to make the privacy information you need regarding Infobip Ltd and our subsidiaries and affiliates more accessible and easier to understand.
The text is short, the language is easy, and it features examples to help save you time and mental energy. Feel free to let us know whether this helped you.
Your privacy is essential to us. We know that everyone always says that! However, our primary business revolves around communications, so we’ve had to consider privacy issues from the beginning. We have a dedicated team of passionate people located all around the world who work on privacy 100% of their time. As we like to say at Infobip – being local, globally.
Let’s talk privacy basics
Some context first – as a company, we are in the business of communications. The fancy way to say this is that we provide CPaaS and SaaS services. In layperson’s words – we help companies communicate and connect with their customers securely and efficiently over a wide range of channels. That SMS notification you received from your bank about a recent transaction or the chatbot response to your customer query at your favourite online clothing retailer? These were likely sent via our platform. We are present all around the world and handle a lot of traffic. We can connect with over 7 billion people and things, with almost 24 billion transactions annually!
Hence, we’re expected to handle personal data as part of our day-to-day business. Personal data means any information that can identify you, such as your name, phone number, the fact that you have attended one of our webinars, or the CV you might have submitted along with your job application.
Most privacy laws look at companies like ours and say that we operate as either a controller or a processor when handling personal data. This distinction is crucial because it determines what a company should do and how you might be able to exercise your privacy rights. The simplest explanation is that a controller decides what will happen to the personal data and is ultimately responsible for handling it, while a processor follows the orders of a controller on how to handle it. For example, if you receive a text message with a promotion from your favourite retailer, the message is delivered by us as the processor, but the retailer is the controller who tells us to send it and to what number, what to include in the message, and when to send it.
The key to understanding more about the personal data that we handle lies in your relationship with us. Most likely, you fall into one of these five categories as our:
- Customer (we provide services to you)
- Customer’s end-user (you have received a message from our customer via our services)
- Marketing subscriber (you are receiving news about our company and services)
- Job applicant (you have or want to apply to work with us)
- Supplier (you provide some services to us)
For most of these, we act as the controller. The one exception? Our customers’ end-users. In that scenario, we primarily serve as the processor, and our customer acts as the controller (primarily means that exceptions related to our status as a communications provider exist – please see Section 5 of our Privacy Notice). The bottom line is that if you are our customer’s end-user and we process your personal data, then it is best to talk first to our customer about that (e.g. your bank or your favourite online clothing retailer from the examples above). If you are our customer, marketing subscriber, job applicant, supplier, or if you fit into any other category we list in Section 5 of our Privacy Notice, then talk to us about the personal data we process about you! The easiest and fastest way to contact us is by emailing data-protection-officer@infobip.com.
Before you start getting your keyboard ready to write to us, let’s see if we can provide you with enough information about the processing of your personal data to spare you from sending an email!
What about your personal data then?
Let’s take a step-by-step approach, as the processing of your personal data depends on your relationship with us. Three quick notes that apply to all categories before we start. First, when handling your personal data, we secure it appropriately. As a company, we have certificates of compliance with leading security standards such as ISO 27001. Check out this page if you want more details about our current certificates! Second, we might share your data with third parties – most commonly with suppliers who provide some services to us (for other rare situations, please see Section 6 of our Privacy Notice). When we do that, we conduct due diligence before we onboard the supplier, and ensure that the appropriate legal contract (e.g. a data processing agreement) is in place to protect the data. The supplier cannot use that data for their own purposes. Third, if we transfer your data across jurisdictions, we will comply with any applicable legal obligations. Now let’s get into more detail about the personal data we process!
If you are our customer, you might be most likely interested in two types of personal data we process about you.
- The first type is the personal data related to your end-users that you might send through our services (e.g. mentioning someone’s name and phone number in a text message). As we mentioned above, you are in control here, and we follow your instructions. These instructions are captured in the agreements we have signed, such as the Master Services Agreement, online Terms and Conditions, or a Data Protection Agreement.
- The second type is the personal data related to you as an employee of our customer. For example, your name, email address, phone, and job title. We get this directly from you, our customer who is your employer, or our services if you use them on behalf of your employer. We use it primarily to deliver services to your employer (e.g. to communicate with you about the agreement, your account, support requests etc.). When possible, we delete it one year after your employer terminates the contract with us. Do not forget – you have rights, and you can always contact us. See more below!
If you are our marketing subscriber, we likely have your basic identification and contact data (think name, email address, phone number, and job title). Most often, we get this directly from you when you sign up to receive newsletters or attend our events or if you are communicating with us on behalf of your employer, our customer. We use it to provide you with information on our services, company news, and any cool events we are organizing. We delete most of your data when you unsubscribe. However, we keep your email address or phone number on our suppression list to ensure that you do not receive any more messages in the future. Do not forget – you can unsubscribe at any time and have other rights, and you can always contact us. See more below!
If you are our job applicant (we are excited to hear that), we likely have your basic identification and contact data (think name, email address, phone number, and mailing address) as well as information on your educational background and previous work experience that you shared in the application form or resume. We get this data directly from you. As you advance in our selection process, we might get more data from your previous employers or a background check provider (we will let you know separately before that happens). We use the data as part of our new employee selection process to ensure we hire the right talent and grow successfully. When you give us the data, we tell you when we will delete it – we only keep it during the period you consent to. Do not forget – you have rights and can always contact us. See more below!
If you are our supplier, then we likely have some personal data related to you as an employee of that supplier, for example your name, email address, phone, and job title. We get this directly from you or our supplier, your employer. We use it primarily to purchase and receive services from your employer (e.g. to communicate with you about the agreement, support requests, or our services if relevant). When possible, we delete it one year after our business relationship with your employer ends. Do not forget – you have rights, and you can always contact us. See more below!
Rights, rights!
Did anybody say you have rights concerning your personal data? Because you do – even when you think you might not! In some countries, no law gives you such rights, but we try our best to act as if you indeed had those rights. The most commonly used rights allow you to request a copy of your personal data from us, to have your data corrected, or to have your data deleted. You might also withdraw your consent to our processing of your personal data and can object to the processing done based on our legitimate interest. These are technical terms, so do not hesitate to review Section 9 of our Privacy Notice in detail or look them up on your local data protection authority’s website to understand how they apply. That authority is often a great source of information. If you want to file a complaint, you can do it with us or your local data protection authority.
Do not hesitate to reach out to us at data-protection-officer@infobip.com if you want to exercise any of your rights (e.g. have your personal data deleted) or if you need more information about the personal data that we process or your rights! We always aim for the best and appreciate inputs and suggestions for improvement.
That’s it! We hope this was useful for you and more enjoyable than going through a lengthy legal text. If you still need to review the Privacy Notice, you can read it right below.
We use the following definitions in this notice:
- The term “Infobip” or “us” or “we” or “our” refers to the company Infobip Limited as well as to its subsidiaries and affiliates. Occasionally, we might also use the term “Infobip Group” to refer to Infobip Limited and its subsidiaries and affiliates.
- The term “you” refers to a natural person (an individual) whose personal data Infobip collects and processes.
- The term “Services” means Infobip’s cloud-based communication (CPaaS – Communications Platform-as-a-Service and SaaS – Software-as-a-Service) and other products and services.
- The term “personal data” means any information about you from which you can be identified, directly or indirectly.
- The term “controller” means the organisation which determines the purposes and means of the data processing and is responsible for processing such data in a manner consistent with the applicable privacy law.
- The term “processor” means an organisation who processes personal data on behalf of the controller.
- The term “applicable privacy law” means all laws and regulations applicable to the processing of given personal data (e.g. the General Data Protection Regulation (EU) 2016/679, the UK GDPR, or the UK Data Protection Act 2018). Please see the country-specific addenda for more information.
Infobip is a Communications Platform-as-a-Service (CPaaS) and Software-as-a-Service (SaaS) provider. While providing Services to our customers, we act either as the controller or the processor, depending on the situation.
Our activities as processor
Our customers are mainly companies that integrate our Services into their business operations through their own software applications (via API) or by using Infobip Portal, our web interface. By using our cloud communications platform, our customers are able to send or exchange their communications with their end-users using different communication channels (SMS, email, voice etc.). We are not in a direct relationship with our customers’ end-users, so we distribute these communications through telecom operators and other communications providers. When we do this, we act as the processor on behalf of our customers, and process the relevant data for the sole purpose of providing our Services to them. We do that within limits and according to customers’ instructions and in line with the Services terms and conditions, agreement for Services, or data processing or similar agreement concluded with the customer.
For example, when you, as an end-user of our customer are the recipient of communication that our customer sent you by using our platform (such as an SMS message), we send that customer’s communications acting on behalf of our customer. That means that the customer is the controller, and Infobip is the processor. Any request we may receive from customers’ end-users regarding their rights related to our activities taken on behalf of our customers will be forwarded to customers, or the end-users will be asked to contact them directly.
Our activities as controller
This Privacy Notice describes the activities which Infobip undertakes as controller. Infobip is a controller when we process personal data for our own purposes and do not act on behalf of someone else. We are committed to processing that data as described in this Privacy Notice and respecting all obligations arising from the applicable privacy law.
The main entity responsible for processing of personal data as described in this Privacy Notice – the controller – is Infobip Limited, 35-38 New Bridge Street, Fifth Floor, London EC4V 6BW, United Kingdom with a registration number 7085757.
For the purposes of EU data protection laws, Infobip Limited has appointed its EU-based Data Protection Officer (‘DPO’) as our EU Representative. Our DPO is contactable via the email address data-protection-officer@infobip.com.
Please note that depending on the specific contractual agreement applicable to you and the given processing activity, another Infobip subsidiary or affiliate may be a controller for your personal data. Contact details of all Infobip subsidiaries and affiliates are available at https://www.infobip.com/offices.
If you have any questions regarding this Privacy Notice or our privacy practices, you may contact our Privacy team and Data Protection Officer via the email address data-protection-officer@infobip.com.
Most of the personal data we process is provided to us directly by you when you for example use our Services, visit our website, register for an event, participate in our research initiatives, submit an application form, or otherwise communicate with us.
We also receive personal information from other sources, such as in the following situations:
- If you are employed by or represent one of our customers or suppliers they may provide us with certain information so that you can use our Services
- If you are an end-user of one of our customers they may provide us with certain information in order to use our Services
- If you participate in our market research, we may receive information from our third-party provider related to that research
- If you visit our website or use our Services, we automatically collect certain information, such as your Internet protocol (IP) address, user settings, cookie identifiers, and other unique identifiers, browser or device information, and location information (including approximate location derived from IP address). For more information about how we collect data through cookies please visit our Cookie Policy
- If you apply for a job, we may receive information from providers of background check services, or collect information from LinkedIn or other publicly available sources or from data enrichment providers (where permitted by local law)
- If you are named as a referee by our job applicant, we may receive certain information so that we can connect with you as part of our recruitment process.
In this section, you will find information on the processing of personal data when we provide Services to our customers.
It provides details on how we are processing your data if you:
- As an individual are our customer
- Are working for or on behalf of our customer, in which case you are either:
- An “account user” (an individual authorized by the customer to log into their account and utilize Infobip Services)
- A “business contact” (a customer’s representative or any other individual acting as a contact point between the customer and Infobip)
- Are our customer’s “end-user” (an individual that receives communications from or sends it to our customer).
What personal data do we collect?
Infobip collects “account data”, which is all data essential for successfully maintaining a business relationship with a customer such as information needed to create customer’s account, to allow customer to use Infobip Services, or to bill the customer accordingly. Specific data types include:
- Registration details of a customer and account users (e.g. name and surname, (business) address, phone number, email address, company’s name and industry, business role, as well as login details)
- Billing and financial details of a customer (e.g. billing address, prepaid or postpaid customer, bank account details, VAT number, information about creditworthiness and payment behaviour, and other additional information as required under applicable laws)
- Business contacts’ details (e.g. name and surname, (business) address, phone number and email address, company’s name and industry, and business role)
- “Customer support data” (i.e. customer support communication including the content of customer support tickets).
How do we collect it?
- Directly from you or from our due diligence provider, if you are an individual.
- Directly from you or via your organisation, if your organisation is our customer.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use account data to:
- Sign and administer agreements with our customers
- Create customers’ accounts and enable their account users to use our Services
- Keep customers’ accounts secure and provide customer care and support
- Share relevant information about our products and services, maintain and improve our business relationships with customers, and exercise our rights and fulfill our obligations arising from these business relationships
- Assess, by conducting a due diligence process, whether we can enter into a contractual agreement with a prospective customer. We might use your identification data as part of the process. Whenever due diligence is conducted, we will separately inform you of precise details about the processing.
Conducting these activities is our legitimate interest in the sense of providing our Services to your organisation. However, if you personally are our contractual counterpart, we process your data because it is necessary for the performance of an agreement for Services or to provide assistance at your request prior to entering into the agreement.
How long do we keep it?
- Personal data of account users and business contacts are retained for twelve (12) months after the end of our business relationship with the customer.
- Personal data of individuals who are our customers are retained for seven (7) years after the end of our business relationship.
- Customer support data is retained for seven (7) years after the resolving of the support request.
Account data will be generally kept as per the stated deadlines. However, we might be required to retain this data for a different time period in certain circumstances if prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights. Please see Section 11 for more details.
What personal data do we collect?
Infobip collects “communications-related data” that includes:
- “Communications content”: message text, voice, video or audio media, documents, or images exchanged between the customer and their end-users via Infobip Services
- “Traffic data”: data that is processed for the transmission of a communication exchanged by using our Services or for billing related to that communication. It includes information on the communication itself (e.g. routing, type, duration and time of communication) and on the source and destination of the communication (including the customer’s end-users’ phone number or e-mail address depending on the Services provided).
We also collect “usage data”, which is information created during your use of our Services. This includes information communicated by the application to Infobip (e.g. IP addresses, information on your usage, routing information), as well as logs of your activities on our platform.
How do we collect it?
- Communications content is received from our customers or their end-users.
- Customers’ end-users’ phone numbers or email addresses are received from our customers. Other traffic data is automatically generated or unveiled during the process of transmission of a communication.
- Usage data is received directly from you or generated automatically when you use our Services
Why do we collect it, under which legal basis, and how do we use it?
Communications content is collected and processed solely on behalf of a given customer. We act as a processor and in line with the customer’s instructions.
Traffic data is generally kept in the form of communication detail records, and we collect it and use it to:
- Manage traffic with the purpose of transmitting customer’s communications toward or from telecom operators and other communications providers and handling customer’s enquiries.
If you, as our customer, are an individual, the processing of your personal data is necessary for the performance of our agreement for Services. If our customer is a legal person, we rely on our legitimate interest to provide Services to our customers.
- Troubleshoot and detect problems with the network, prevent fraud and other illicit activities, and keep our Services secure. When conducting these activities, we might also leverage account and usage data. The latter is especially relevant for investigating fraudulent activities as it allows us to construct the timeframe of account user’s activities in the case of security-related incidents and be able to take adequate steps for mitigation.
The security of our Services is crucial for us, so for these activities we rely on our legitimate interest to maintain and improve the security of our network and Services.
- Calculate charges and settle interconnection payments with telecom operators and other communications providers or resolve a billing dispute with our customer or our communications provider. In some cases we might also utilize account data as part of this activity.
The carrying out of these activities is our legitimate interest in the sense of handling payments and resolving financial disputes.
Please note that in order to comply with our legal obligations, we may be obliged to retain records containing communications-related data as stipulated in the relevant national data retention provisions regulating law enforcement matters, and to share them upon government request.
How long do we keep it?
- Communications content is retained on behalf of the customer and according to the customer’s instructions.
- Traffic data containing end-users’ personal data (such as phone number or email address) is deleted from communication detail records twelve (12) months after the end of the month in which the communication took place.
- Other traffic data (such as time, type, duration of communication, routing details) which do not contain end-users’ personal information is retained in communication detail records for up to ten (10) years following the year of communication.
- Usage data may be retained for up to three (3) years.
Communications-related and usage data will be generally kept as per the stated deadlines. However, we might be required to retain this data for a different time period in certain circumstances if prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights. Please see Section 11 for more details.
What personal data do we collect?
Infobip collects “behaviour analytics data”, which is data you generate as ourcustomer’s account user during your activity on our website and our platform (e.g. your behaviour records inside our web interface, such as time spent, pages visited, history of your visits and features used as well as your IP address and information about your browser).
How do we collect it?
- Behaviour analytics data is received directly from you or generated automatically when you use our Services by placing cookies and trusted tracking technologies on your browser. For more information on how we collect your data through cookies on our website, please visit our Cookie Policy.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use behaviour analytics data to:
- Gain insight into the way our current customers are using our platform and Services. Specifically, we take partially automated measurements that include human intervention in order to analyse the way you use the features and tools available on our platform to give you recommendations to improve your performance (e.g. how to better access some feature) and to better satisfy the business needs of our customers
- Create statistics on the use of our tools to understand which tools have a user-friendly design and which should be enhanced.
The general goal of such activities is to enhance your and your organisation’s messaging execution when communicating with your end-users, and we rely on our legitimate interest when conducting them.
How long do we keep it?
Behaviour analytics data is retained for up to twenty-five (25) months after it was generated.
What personal data do we collect?
If you as our supplier (also known as vendor or service provider) are an individual, we may collect:
- Your name and surname, (business) address, phone number, email address, company’s name and industry, business role, as well as your billing information (e.g. billing address, your VAT number, bank account details, and further information if we are legally required to and in accordance with applicable national legislation).
When doing business with our suppliers, we may also collect:
- Personal data related to “business contacts” (supplier’s representatives and other individuals acting as a contact point between the supplier and Infobip) such as name and surname, (business) address, phone number, email, company name and industry, and business role.
How do we collect it?
- Directly from you, if you as an individual are our supplier.
- Directly from you or via your organisation, if your organisation is our supplier.
Why do we collect it, under which legal basis, and how do we use it?
We collect and will use this data to:
- Sign and administer an agreement with you or your organisation
- Get relevant information about your product or services or share relevant information about our business and services with you
- Maintain and improve our business relationship with you or your organisation as well as exercise our rights and fulfill our obligations arising from the business relationship.
Conducting these activities is our legitimate interest in the sense of purchasing products or services from or collaborating with a supplier that is a legal person. However, if you personally are our contractual counterpart, we process your personal data because it is necessary for the performance of an agreement or for entering into an agreement.
How long do we keep it?
- Personal data about business contacts will be deleted twelve (12) months after the end of our business relationship with the supplier.
- Personal data of individuals who are our suppliers will be deleted seven (7) years after the end of our business relationship.
If prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights, we might be required to retain this data for a different time period than listed above. Please see Section 11 for more details.
What personal data do we collect?
We may collect your name and surname, contact details (e.g. email address, phone number, country), and business details (e.g. company’s name and industry and your business role). We will also collect any other information you choose to provide to us, depending on the nature of our communication.
How do we collect it?
- Directly from you when you register on our website to learn more about our business and services (e.g. through “Contact Sales” form), start chatting with us via our chat channel, take steps to enter into a business relationship with us, submit Startup Tribe application form and when you provide to us your contact details when requesting further information.
- Indirectly through business and professional networks and databases (such as LinkedIn) or third parties we might employ that supply us with information collected from publicly available sources and data enrichment providers. We only retain the information that will help us reach potential customers or suppliers that could benefit from our services and products, or if we are interested in their products and services.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use this data to:
- Communicate with you, answer your questions, and find out if you or your organisation are interested in further cooperation with us, either by using our products and services or by providing your products or services to us
- Ensure adequate support within the presales and purchasing process if there is a mutual interest in entering into an agreement.
Such activities represent our legitimate interest to conduct our business. If you personally are our contractual counterpart, we process your data because it is necessary for the performance of a contract or for entering into a contract.
How long do we keep it?
Personal data collected for this purpose will be deleted six (6) months after our last communication unless we enter into a business agreement with you or your organisation.
What personal data do we collect?
We collect your name and surname, and contact details (e.g. email address or phone number). We also gather simple statistics around email openings and clicks.
How do we collect it?
- Directly from you if you subscribe to receive our newsletters, blogs or our other marketing communications through the webforms available on our website
- Directly from you or via your organisation as part of business-to-business (B2B) marketing if we have an existing business relationship with your organisation
- Simple statistics around email openings and clicks are generated automatically via industry standard technologies such as clear gifs when you engage with our emails.
Why do we collect it, under which legal basis, and how do we use it?
Our purpose for collecting this data is to:
- Inform you about our Services, company news, webinars and upcoming events
- Gather statistics (email opening and clicks) to help us improve our direct marketing initiatives.
If you subscribe to our email marketing communications, we rely on your consent provided to us when submitting such webforms. For B2B (business-to-business) marketing, we rely on our legitimate interest to maintain and improve our business relationships by informing our existing business partners (e.g. customers and suppliers) about our Services, company news, webinars, and upcoming events via email or other forms of communications.
In any case, you may proactively manage your preferences or opt-out of communications (unsubscribe) with Infobip at any time using the unsubscribe link provided in all Infobip’s marketing communications. When you unsubscribe from our marketing communications (i.e. withdraw your consent or object to the processing), we will stop sending you any marketing materials. However, we maintain a so-called “suppression list” that contains only your email address or phone number just to be sure that we do not contact you with unwanted content in the future. We retain this information relying on our legitimate interest to respect the choices of our newsletter recipients.
How long do we keep it?
- Your personal data (name and surname, contact details) are kept for our marketing activities during your or your organisation’s business relationship with us unless you object (B2B).
- If you have subscribed directly, then your personal data will be kept for our marketing activities until you unsubscribe.
- If you unsubscribe or object, we will only keep a suppression list that includes your contact details (e.g. email address or phone number) to ensure you do not receive any further marketing communication.
What personal data do we collect?
When you register to attend or when you check in at our business breakfast, webinar, developer meetup, or any other event (“event”), we normally collect your name and surname, contact details (e.g. email, phone number, country), as well as your business details (e.g. company’s name and industry and your business role). If you are participating as a speaker, you might also be asked to provide your brief CV and an official photo of you.
For live events, we may also ask you information about the time and place of your arrival as well as accommodation details and dietary requirements you may have. If you require us to provide you with an invitation letter, or you need to get a letter of guarantee to be able to get a visa, we will collect the necessary information required by applicable law (such as your name and surname, address, date of birth, or passport details).
We may collect photos, audio, and video material from our events. When registering for and attending Infobip Shift Conference, separate rules may apply. For more information please review the Infobip Shift Privacy Notice.
How do we collect it?
- Directly from you when you register to attend or check in at our event.
- Sometimes your organisation will send us your contact details to attend our event on their behalf, and we will send you an invitation with the link for registration.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use this data:
- If you register for a webinar, to provide you with the webinar details in advance, to remind you of the webinar and email you the recording of the webinar subsequently.
- If you register to attend or speak at our live event, to ensure your place at the event, to communicate to you all the relevant information before your arrival and during the event, and to facilitate the event (e.g. help you with information about the location of our event, accommodation, travel or other logistic details related to the event).
The legal basis we rely on is your consent, provided when you submit your details through our registration forms. When we collect any information about dietary requirements, we also rely on your consent.
- To support you with getting a visa for an event that you wish to attend, including to send an invitation, support letter or letter of guarantee.
We collect this information only to respond to your request and we rely on your consent provided when you submit your personal data for this purpose. However, we may be obligated to share such document with government authorities and to retain it for a certain period of time. We do this to comply with our legal obligation.
- To invite you to future events and inform you about our products and services that we think you might be interested in. For that purpose, we maintain former events’ participants lists containing only your name and surname, contact details, and business details.
We rely on our legitimate interest to conduct our business for this purpose. You may object to these communications at any time by using the unsubscribe link provided in all Infobip’s communications and we will stop sending you event invitations.
- To conduct promotion activities of the events we held, which include the publishing of photos, videos, audio, and texts in online and offline media.
These activities represent our legitimate interest to conduct our business
How long do we keep it?
- Personal data collected when registering for a webinar or a live event (e.g. name and surname, contact details, business details) will be deleted two (2) years after the event.
- All other personal data collected for the organisation of an event (accommodation, and other logistic data) will be erased within sixty (60) days after the event day.
- Any invitation, support letter or letter of guarantee will be kept for a period of time determined by the applicable legislation.
What personal data do we collect?
We collect your name and surname and email address. However, as this type of research is meant to be anonymous, our intention is to collect only your personal data necessary to send you a questionnaire but not to link the anonymous answers with you in any way.
How do we collect it?
- We collect your name and surname and contact details (email address) from business and professional networks (for example LinkedIn), or from our databases if you or your organisation are our customer or supplier.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use this data to:
- Invite you to take a survey by sending you a generic untraceable URL to a survey questionnaire. If you decide to participate and answer our questions, we will not ask you to reveal any personal data as our intention is to keep the answers anonymous. This is done as part of our conducting anonymous market research activities to further improve our products and services and our targeting potential.
When searching for your email address, we rely on our legitimate interest. Our intention is to collect only anonymous information through the surveys. However, if you disclose any information about you in your answers, we will rely on your consent. We will not link or attempt to link the provided answers with you nor do we inform other organisations (e.g. your employer) of the answers you provided in any way.
How long do we keep it?
We will process the answers you provided in order to have general feedback on our products and services. However, we will never ask you to reveal any personal data in your answers, and if you reveal any personal data in your answers, it will be promptly deleted.
What personal data do we collect?
We collect your personal data such as name and surname, email, business role, and name of the organisation you work for. We will also collect any other information you choose to provide during the interview, and the interviews will be recorded and transcribed.
How do we collect it?
- We collect your name and surname and contact details directly from you or from a third-party provider that we engage to conduct these interviews and find the appropriate participants
- Any further information (e.g. your opinions on the overall market for certain services) will be collected directly from you by us or by a third-party provider depending on who is conducting the interview.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use this data to:
- Conduct in-depth market research interviews to understand the broader market situation for the products and services that we offer and for our company overall. Any comments and opinions that you provide will be used only for internal purposes to improve our products, services, and business practices.
When conducting these interviews, we rely on your consent.
How long do we keep it?
Recordings of interviews and associated personal data (e.g. contact details and personal data within the interview transcripts) will be deleted one (1) year after the interview date.
What personal data do we collect?
We collect your personal data such as name and surname, email, company name, and business role. We might record and transcribe interviews that we conduct.
How do we collect it?
- We collect your name and surname and contact details (email address) from our databases if you or your organisation are our customer to invite you to be part of our research hub. If you have registered to participate in research activities at a third-party provider, we may collect the same types of data from them to invite you
- If you apply to be part of our research hub and participate in our research, we will collect the personal data directly from you through a third-party provider who will process it on our behalf
- We collect any further information (e.g. your feedback on our products) directly from you as part of the research.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use the data to:
- Invite you to be part of our research hub.
When inviting you (our customers or business contacts) to be part of our research hub, we send you an email with a link to apply. For this activity we rely on our legitimate interest to improve our products and Services. We will contact you only about research related to the product or Services you already use or have used. When you apply to a third-party provider to participate in research activities, we may contact you to be part of our research hub and participate in our user experience research via a third-party provider’s platform. We will rely on your consent or the contract for personal data collected and processed, depending on the circumstances.
- Conduct user experience research activities and obtain your feedback to improve our products and Services.
Your participation is completely voluntary. If you decide to be a part of our research hub or to participate in our research, we will rely on your consent or the contract for personal data collected and processed, depending on the circumstances.
The research may be recorded, and we will take notes on your comments and actions. The research results, recordings, and notes are used only for improving our products and Services and will be shared internally with our product design and development teams
How long do we keep it?
Recordings of interviews and associated personal data (e.g. contact details and personal data within the interview transcripts) will be deleted one (1) year after the interview date.
What personal data do we collect?
When visiting our website, by placing cookies, we may collect your IP address, your browser type and associated information, the pages you have visited and the order you visited them, as well as whether you are a new or returning visitor.
How do we collect it?
Directly from you when you browse our website by placing cookies on your browser. The cookies are either placed automatically (necessary cookies) or only once you have consented to them (functional, analytical, and advertising cookies). Please review our Cookie Policy for more information.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use this data to:
- Maintain and improve our website and overall business.
When doing so, we rely either on our legitimate interest to ensure the functioning of the website (for necessary cookies) or on your consent (for functional, analytical, and advertising cookies). Please review our Cookie Policy for more information on how you can manage (including to withdraw) your cookie consent.
How long do we keep it?
This depends on the specific types of cookies that were either placed automatically (necessary cookies) or that you have consented to be placed (other categories). Please review our Cookie Policy for more details on the retention periods for specific types of cookies.
What personal data do we collect?
When you apply for a job or internship with us we collect:
- Your name and surname, contact details (email address and phone number) and place of residence as well as information about your education, previous work experience, and any other information you choose to share with us in your resume (CV) or application when expressing interest in joining our team
- When permitted by applicable law, we may also collect professional information about you from the business networking sites you use (such as LinkedIn) and we may search their content in order to find out more professional information about you or from other sources (e.g. web pages) if your resume or application contains links to such sources
- If we arrange an interview and you go through our selection process, we may collect further information gathered from you during the interviews, results of conducted evaluation tests, and interview notes and reviews of our colleagues who interviewed you. We may also collect information about your professional experience from your referees, if you indicated them
- If you are a successful candidate, we might also conduct a background check if permitted by the legislation. We will provide a separate privacy notice to you prior to conducting it.
When you sign up to receive job posting updates, we collect your name and surname as well as your email address.
How do we collect it?
- Directly from you when you submit your resume or application into our recruitment software or when you create an account there to receive job posting updates.
- From recruitment agencies we have engaged to help us find potential candidates for open positions or from business networking sites you use such as LinkedIn.
- We may collect further information about you during the selection process. This information will be generated by you and by us. For example, you might complete an evaluation test or we might take interview notes or contact your referees.
- If you are a successful candidate, we might also collect your personal data from a background check agency if permitted by the legislation.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use your personal data to:
- Find talented individuals who will become part of our global team by enabling you to apply for a job or internship with us in order to assess whether you are a good fit for a position at Infobip
- Enable you to sign up to receive job posting updates.
For most activities under these two purposes, we rely on your consent to collect and process your personal data. You can create a profile in our recruitment software accessible on our Careers web page to submit your resume and apply for an available position or to receive job posting updates. When submitting it, you will be asked to provide us with your consent to process your personal data for recruitment purposes for a period specified in the consent form.
If you do not submit your resume directly into our recruitment software (e.g. when we receive it from a recruitment agency or when we find your professional details on business networking sites you use), we will send you an email with a link to our recruitment software and you will be asked to provide us your consent to keep your personal data for recruitment purposes. In such cases, we collect your personal data and contact you with an email based on our legitimate interest to find potential job candidates. However, we need your consent for any further processing of your personal data. If you do not provide us with the consent within thirty days following the receipt of the email, we will erase your personal data from our database.
During the selection process we collect further information in order to review your professional qualifications and interests and be able to choose the best candidate. We also conduct the relevant background checks, to the extent permitted by applicable laws, which include identity verification, right of work verification, education, professional license and previous employment checks, verification of recommendations, checks of company registers and criminal checks. Moreover, for executive roles we will also carry out a reputational check from publicly available sources. For the processing of this information, we rely on our legitimate interest, your consent, or legal obligation depending on the circumstances.
If you have been selected as the most suitable candidate for a job position or internship, you will be presented with an offer. If you accept it, we will collect further information to be able to conclude and execute an agreement with you. The further collection and processing of your personal data will be carried out to conclude an employment or internship agreement with you or to take certain steps, at your request, prior to entering into that agreement. You will be presented with an Infobip privacy notice that applies to our staff where you can find relevant privacy information.
We collect and process your personal data through the recruitment platform of our processor, Workday Ltd. Your personal data are collected and stored on servers maintained by Workday in data centers located in the European Union. It will be processed by authorized members of the Infobip recruitment team. However, if there is a problem with the platform, the Workday support team may also have access to your personal data in order to help us resolve the problem. If you want to know more details about Workday’s privacy practices, you can refer to the Workday’s Privacy Policy. We may share your personal data within Infobip Group companies (subsidiaries and affiliates). Since we are a global company, we may engage our subsidiaries and affiliates in which we have employed members of our recruitment team in order to complete the recruitment process.
How long do we keep it?
Your recruitment-related personal data will be deleted after the expiration of the period for which you have provided us with your consent (or earlier if you withdraw it). These periods might differ across countries due to local legislation.
If requested by local authorities or if needed to defend our legal rights, we might be required to retain this data for a different time period than stated above. Please see Section 11 for more details.
Please note that you have the right to withdraw your consent at any time. If you want to withdraw your consent or to edit your profile, you can do so yourself directly by accessing your profile in our recruitment software. Otherwise, you can always withdraw your consent as well as exercise your other rights by contacting our Data Protection Officer. More information regarding your rights is listed in Section 9 below.
What personal data do we collect?
We collect personal data such as your name and surname, contact details, job title, and name of the organisation you work for or represent or in whose activities you participate.
How do we collect it?
Directly from you when you fill out a contact form on our website or reach out to us directly or from an organisation that you work for or that organises activities that you participate in
Why do we collect it, under which legal basis, and how do we use it?
We collect and use your personal data to:
- Answer your queries and analyse and respond to your requests for donations or volunteers
- Collaborate on various projects and initiatives, get information on how our grants and donations were utilized, maintain and improve our relationship with your organisation, and evaluate our social impact initiatives.
When you reach out to us with queries and requests, we process your personal data based on your consent. When we receive your personal data from an organisation that you work for or in whose projects you partake, we rely on our legitimate interest to conduct social impact initiatives.
How long do we keep it?
- We retain your personal data for as long as needed to fulfill your specific request.
- All the personal data of individuals who contact us in their individual capacity will be deleted at the latest one (1) year after the initial communication date.
- Personal data related to queries and donation or volunteer requests submitted on behalf of an organisation will be deleted three (3) years after the end of the year when we last communicated.
- For supported projects and initiatives, any personal data contained within the legally required documentation will be kept for a period determined by local legislation in order to comply with audit, tax and financial requirements.
If requested by local authorities or if needed to defend our legal rights, we might be required to retain this data for a different time period than stated above. Please see Section 11 for more details.
What personal data do we collect?
We collect your personal data such as name and surname, email, signature, business role, and name of the organisation you work for or represent. We might also collect your phone number. If you visit one of our offices, we may also collect CCTV recordings as some of the entrances and common areas might be under CCTV surveillance.
How do we collect it?
Directly from you when you visit one of our offices or our other company’s premises.
Why do we collect it, under which legal basis, and how do we use it?
We collect and use your personal data to:
- Manage access control to our offices and premises (e.g. signing of a non-disclosure agreement during your first visit) and provide you with additional services while you are visiting us (e.g. bike rental)
- Ensure the safety and security of our employees, visitors, and property (CCTV surveillance at the entrances and common areas of some of our offices and premises)
- As a visitor to one of our campuses, you can also utilize an Infobip chatbot to find out more about the locations and to get recommendations on things to do and see. If you decide to communicate with one of the chatbots, we will process your phone number.
Most of these activities are conducted based on your consent. The processing of CCTV surveillance data as well as the processing regarding access control are done based on our legitimate interest to protect our premises and staff.
How long do we keep it?
- Personal data collected for the purpose of managing the access to our premises is erased as soon as it is no longer needed for that purpose.
- When we provide you with additional services during your visit, we will retain your personal data for as long as needed to fulfill your specific request or until you withdraw your consent.
- CCTV surveillance recordings are generally deleted ninety (90) days after the recording date, unless prescribed otherwise by the local laws.
However, we might be required to retain this data for a different time period in certain circumstances if prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights. Please see Section 11 for more details.
We may engage suppliers (also known as vendors or service providers) to help us in the processing of your personal data for the activities that we conduct as a controller and that we describe in this Privacy Notice. Since we are a global company, we may also share your personal data with our subsidiaries and affiliates as part of our daily operations. Any such sharing within the Infobip Group is regulated by intercompany agreements on personal data processing and transfer.
Before engaging any new supplier, we perform a security and privacy assessment. Where such supplier acts as our processor we ensure that the processing of personal data is governed by a written data processing agreement.
Notwithstanding the foregoing, as a rule, we do not share personal data with third parties except when strictly necessary and on a need-to-know basis, such as with:
- Telecom operators and other communications service providers when necessary for the set-up of proper routing and connectivity. We are able to deliver messages that our customers send to their end-users, independent of where they are located, through our connections with telecoms and other communications providers (such as Whatsapp, Viber, Facebook, Kakaotalk, Line, or Telegram).
- Service and technology providers to the extent strictly necessary for them to perform specific actions on our behalf. These might be related both to our Services (e.g. as part of the functionality of our Services) and to our other processes (e.g. utilizing a software provider to manage our job application process).
- Third parties when required to comply with our legal obligations. We may share your personal data with authorised legal authorities due to relevant legislation, such as a judicial proceeding, court order, or legal process served on us (e.g. for criminal procedures) or because of threats to public security, regulatory requirement, or in the context of investigations or bankruptcy. As a communications provider, we are required to retain certain communications-related data for law enforcement purposes and will be required to share that data with authorized law enforcement authorities upon their request. Also, if we are under an obligation to demonstrate compliance with relevant accounting, financial and tax legislation, your data can be shared with auditors and tax authorities for those purposes.
- Advertising partners that we might use as part of our marketing activities. More information is listed in our Cookie Policy along with an explanation of how to adjust your cookie settings when visiting our website.
- Merger and acquisition stakeholders as part of disclosure in the event of a merger, sale, or other asset transfer. Your information may be transferred as part of such a transaction, as permitted by law or contract.
We conduct our business operations globally, and sometimes we need to carry out international transfers of your personal data by providing your personal data to the parties specified in the section above. All international transfers are carried out while ensuring the confidentiality and security of your personal data and in line with the applicable privacy law. This might include specific technical, organisational, and contractual measures. For example, in relation to transfers of personal data outside the European Economic Area, we will complete and execute standard contractual clauses for data transfers where required.
At Infobip, we believe that security and privacy go hand in hand. In order to protect personal data collected and processed by us, we have therefore invested in the development, implementation, and constant improvement of a wide range of technical and organisational security measures. These measures have been implemented in accordance with ISO 27001:2013 standard requirements, and you can read more about them here. The list of our current and up-to-date certificates can be found here.
We take care to train all our staff in the field of privacy and security, starting from their first day in Infobip through the onboarding process and continuously throughout their stay at Infobip.
Before we engage a supplier, we check their security practices and alignment with the applicable privacy law. Once engaged, we continue to assess them on a regular basis.
Depending on the applicable privacy law, you may have certain rights with respect to your personal data.
Where granted by the applicable privacy law, you have the right to:
- Withdraw your consent to our processing of your personal data (to the extent such processing is based on your consent and consent is the only permissible basis for processing), without affecting the lawfulness of processing based on consent before its withdrawal
- Request from us to access your personal data, which means requesting a copy of the personal data we hold about you
- Ask us to rectify (correct) your personal data that you think is inaccurate and to complete your personal data that you think is incomplete
- Ask us to erase your personal data in certain circumstances
- Ask us to restrict the processing of your personal data in certain circumstances
- If we process your personal data by automated means based on your consent or upon a contractual relation with you, you can exercise the right of data portability
- If we process your personal data upon our legitimate interest, you have the right to object to the processing
- If you want to object to the processing of your data for marketing purposes, you can do it at any time by using the unsubscribe link provided in our marketing communications
- You may also have specific rights in exceptional cases when we may carry out automated decision-making operations, including profiling.
If you have any questions on how we use your personal data or if you wish to exercise a certain right or resolve a complaint regarding the processing of your personal data, you can contact our Data Protection Officer by sending an email to the following email address: data-protection-officer@infobip.com.
If applicable to you, you can lodge a complaint with the supervisory authority of the EU member state of your habitual residence, place of work, or place of the alleged infringement. If you want to file a complaint or contact the relevant data protection authority for any other reason, you may find contact details of EEA data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en.
We take partially automated measurements that include human intervention in order to analyze the way users of our platform use the features and tools available (e.g. by tracking usage behavior inside our web interface) in order to give you recommendations to improve your performance (e.g. how to better access certain features).
Your personal data that has been collected based on your consent will be kept for a period specified in the consent. If you wish to withdraw your consent for the processing of your personal data for any purpose and to delete your data, you can do that at any time by sending an email to data-protection-officer@infobip.com. Regarding your personal data that is not subject to your consent, we will only keep it for as long as necessary to fulfill the purposes for which it was collected before making it non-identifiable (anonymous) or deleting it, as required by law.
Specific retention periods are listed under the respective activities in section 5 of this Privacy Notice. The retention periods listed are the standard default periods. In some cases, exceptions apply due to local laws related to law enforcement, tax, or other purposes. Additionally, if legal matters such as litigation, law enforcement requests, or government investigations require us to preserve records, including those containing personal information, for longer periods than listed in section 5, then we will delete the records in question when we are no longer legally obligated to retain them.
Children under 16 cannot use our products and services as our customers. If we learn or are notified that it is the case, we will immediately take reasonable steps to delete that information from our records as quickly as possible. If you think a child under 16 is using our products or services as a customer, please contact us at data-protection-officer@infobip.com.
The most current version of this Privacy Notice will govern our practices for collecting, processing, and disclosing personal data. We will provide notice of any modifications on this page. You can always check the date of the last update at the beginning of this Privacy Notice.
In the document below, you may find Appendix 1 to this Privacy Notice, which covers specific requirements for the following countries: Argentina, Brazil, Canada, Colombia, Egypt, India, Indonesia, Japan, Malaysia, Nigeria, Pakistan, Philippines, Saudi Arabia, Singapore, South Africa, Republic of Korea, Thailand, United Arab Emirates, United States (California).