In this section, you will find information on the processing of personal data when we provide Services to our customers. It provides details on how we are processing your data if you are: 

An “account user” is an individual authorized by the customer to log into their account and utilize Infobip Services, a “business contact” is a customer’s representative or any other individual acting as a contact point between the customer and Infobip, and an “end-user” is an individual that receives communications from or sends it to our customers

What personal data do we collect?

Infobip collects “account data” which refers to all data essential for successfully maintaining a business relationship with customers, such as information needed to create accounts, enable access to our Services, and billing. Account data includes: 

• Registration details of a customer and account users (e.g. name and surname, business address, phone number, email address, company’s name and industry, business role, as well as login details) 
• Billing and financial details of a customer (e.g. billing address, prepaid or postpaid customer, bank account details, VAT number, information about creditworthiness and payment behavior, and other additional information as required under applicable laws)  
• Business contacts’ details (e.g. name and surname, (business) address, phone number and email address, company’s name and industry, and business role) 

Infobip also collects “customer support data” which refers to customer support communication including the content of customer support tickets. 

How do we collect it?

• From you, your organization, our partners that help us to market our services, or our due diligence providers

Why do we collect it, under which legal basis, and how do we use it?

We collect and use account data to:

• Carry out the necessary due diligence process, such as identity verification and crosschecking with applicable sanction lists, prior to entering into an agreement with you or your company 
• Sign and administer agreements with our customers  
• Create and manage accounts of customers and users’ accounts on our platform 
• Invoice for the Services we provide  
• Keep customers’ accounts secure 
• Enable AI powered chatbot on Infobip Portal for customer care purposes  
• Provide customer support 
• Share relevant information about our products and services, maintain and improve our business relationships with customers, and exercise our rights and fulfill our obligations arising from these business relationships

Performing due diligence before entering into an agreement with our customers is either a legal obligation or a legitimate interest, depending on the applicable laws. For example, checking sanction lists is a legal obligation, whereas processing personal data to assess credit scores is based on our legitimate interest. 

Administration of agreements, customers’ and users’ account management, ticketing for support purposes and invoicing for the services we provide is our legitimate interest. However, if you personally are our contractual counterpart, we may process your data because it is necessary for the performance of the agreement between us.  

We collect and use customer support data to resolve support requests from Infobip’s customers, which is our legitimate interest

How long do we keep it?

• Personal data in customers’ accounts are kept for seven (7) years after the end of our business relationship.  
• Personal data of account users and business contacts are retained for twelve (12) months after the end of our business relationship with the customer. 
• Personal data processed for invoicing are retained for seven (7) years after the end of the business relationship. 
• Customer support tickets are retained for seven (7) years from the date the ticket was raised. 

Account data will be generally kept as per the stated deadlines. However, we might be required to retain this data for a different period under certain circumstances, such as when prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights. 

What personal data do we collect?

Infobip collects “communications-related data” that includes:

• “Communications content”: message text, voice, video or audio media, documents, or images exchanged between the customer and their end-users via Infobip Services 
• Traffic data”: data that is processed for the transmission of a communication exchanged by using our Services or for billing related to that communication. It includes information on the communication itself (e.g. routing, type, duration and time of communication) and on the source and destination of the communication (including the customer’s end-users’ phone number or e-mail address depending on the Services provided).

We also collect “activity (audit) logs” related to the way account users use the Services (e.g. IP addresses, timestamps, edit or delete actions).

How do we collect it?

• Communications content is received from our customers or their end-users. 
• Customers’ end-users’ phone numbers or email addresses are received from our customers or the end-users. Other traffic data is automatically generated or unveiled during the process of transmission of a communication. 
• Activity (audit) logs are automatically generated when you as an account user use our Services.

Why do we collect it, under which legal basis, and how do we use it?

Communications content is collected and processed on behalf of a given customer. We act as a processor and in line with the customer’s instructions. 

Traffic data is generally kept in the form of communication detail records, and we collect it and use it to:  

• Manage traffic with the purpose of transmitting customer’s communications toward or from telecom operators and other communications providers, handle customer’s enquiries, and troubleshoot thereof. 

We rely on our legitimate interest in providing Services to our customers. If you are using our Services as an individual, we process your personal data to fulfill our contract with you. 

• Ensure compliance with Infobip’s Service Use Policy, prevent fraudulent activities such as misuse of accounts, sending spam and artificially inflated traffic, as well as to keep our Services secure. To enhance prevention, we implemented a system of automated alerts for suspicious behaviors, such as bot-like behaviors, that includes the intervention of security experts. Besides prevention, the gathered data is also used to investigate and mitigate prohibited activities as it allows us to construct the timeframe of suspicious actions. For these purposes, we might also pull account data and activity (audit) logs. 

The security of our Services is crucial for us, so for these activities we rely on our legitimate interest in preventing fraudulent activities and maintain and improve the security of our network and Services. 

• Calculate charges to customers and settle interconnection payments with telecommunication operators and other communications providers or resolve billing disputes thereof. In some cases, we might also utilize account data as part of this activity. 

The carrying out of these activities is our legitimate interest in the sense of handling payments and resolving financial disputes. 

Please note that to comply with our legal obligations, we may be obliged to retain records containing communications-related data as stipulated in the relevant national data retention provisions regulating law enforcement matters, and to share them upon government request.

How long do we keep it?

• Communications content is retained on behalf of the customer and according to the customer’s instructions. 
• Traffic data containing end-users’ personal data (such as phone number or email address) is deleted from communication detail records twelve (12) months after the end of the month in which the communication took place. 
• Other traffic data (such as time, type, duration of communication, routing details) which do not contain end-users’ personal information and from which the end-user cannot be identified is retained in communication detail records for at least ten (10) years following the year of communication. 
• Activity (audit) logs are retained for fifteen (15) months for security purposes, while for customers these logs are available for a five (5) year period.  

Communications-related data and activity (audit) logs will be generally kept as per the stated deadlines. However, we might be required to retain this data for a different period in certain circumstances if prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights.

What personal data do we collect?

Infobip collects “user analytics data”, which is data you generate as our customer’s account user during your activity on our website and our platform (e.g. your behavior records inside our web interface, such as time spent, pages visited, history of your visits and features used as well as your IP address and information about your browser).

How do we collect it?

• We collect “user analytics data” using cookies, from Infobip Portal account users and from visitors to our website who accept cookies. 
  If you use both the Portal and the website and have accepted cookies, we combine the data to better understand how you interact with our services. 
• If you have accepted cookies on our website, you can find more details about how we use your data in section 5.7 of our Privacy Notice. 

For more information on how we collect your data through cookies on our website, please visit our Cookie Policy. 

Why do we collect it, under which legal basis, and how do we use it?

We collect and use user analytics data to:

• Gain insight into the way our current customers are using our platform and Services. Specifically, we take partially automated measurements that include human intervention to analyze the way you use the features and tools available on our platform to give you recommendations to improve your performance (e.g. how to better access some features) and to better satisfy the business needs of our customers 
• Create statistics on the use of our tools to understand which tools have a user-friendly design and which should be enhanced.  
• Display personalized pop-up notices about new products, features and tips on Infobip Portal  

To achieve these purposes, we rely on our legitimate interest.

How long do we keep it?

User analytics data is retained for twenty-five (25) months after it was generated. 

What personal data do we collect?

When we work with suppliers (also called vendors), we collect their company’s billing details—like address, tax number, and bank account. If you’re listed as their representative or business contact, we also collect your personal data.  

• Your name and surname, (business) address, phone number, email address, company’s name and industry, business role.

Besides companies, in some cases individuals also supply us with their services. If you as an individual are our supplier, we collect the same personal data as the mentioned above. 

How do we collect it?

• We collect the personal data from our suppliers or directly from their representatives and business contacts.  
• Also, we collect personal data directly from you, if you as an individual are our supplier.

Why do we collect it, under which legal basis, and how do we use it?

We collect and will use this data to:

• Carry out the necessary due diligence process, such as identity verification and crosschecking with applicable sanction lists, prior to entering into an agreement with you or your organization 
• Sign and administer an agreement with you or your organization  
• Get relevant information about your product or services or share relevant information about our business and services with you
• Maintain and improve our business relationship with you or your organization as well as exercise our rights and fulfill our obligations arising from the business relationship. 

Conducting these activities is our legitimate interest in purchasing products or services from or collaborating with a supplier that is a legal person. However, if you personally are our contractual counterpart, we process your personal data because it is necessary for the performance of an agreement or for entering into an agreement. 

How long do we keep it?

• Personal data about business contacts will be deleted twelve (12) months after the end of our business relationship with the supplier.  
• Financial information, including personal data of individuals who are our suppliers, will be deleted seven (7) years after the end of our business relationship. 

If prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights, we might be required to retain this data for a different period than listed above.

What personal data do we collect?

We may collect your name, contact details (like email, phone number, and country), and business information (such as your company name, industry, and role). 
If you use our AI-powered chatbot on the website, we also collect a chat ID to identify each conversation. 

Depending on how we communicate, we may also collect other information you choose to share with us, including meeting recordings.

How do we collect it?

• Directly from you when you submit web forms, such as sales forms and Start-Up Tribe forms, when you communicate with our AI-powered bots, or book demo calls. 
• When you agree with us to record our demo calls and other meetings.
• From recordings, we may create transcripts and summaries of our meetings, which may involve the use of AI-powered solutions. 
• From our partners with whom we collaborate in exploring new business opportunities 
• Indirectly through business and professional networks and databases (such as LinkedIn) or third parties we might employ that supply us with information collected from publicly available sources and data enrichment providers. We only retain the information that will help us reach potential customers or suppliers that could benefit from our services and products, or if we are interested in their products and services.

Why do we collect it, under which legal basis, and how do we use it?

We collect and use this data to:

• Communicate with you, answer your questions, and find out if you or your organization are interested in exploring business opportunities with us, either by using our products and services or by offering your own 
• Ensure adequate support within the presales and purchasing process if there is a mutual interest in entering into an agreement.  

If you contact us, we will process your personal data based on your consent. When we reach out to you, we rely on our legitimate interest in growing our business and exploring new opportunities.  Recordings of meetings are always performed based on your consent.  

How long do we keep it?

What personal data do we collect?

We collect your name and surname and contact details (e.g. email address or phone number). We also gather simple statistics on how our marketing communications are opened and clicked.

How do we collect it?

• Directly from you when you subscribe to receive our marketing communication and ask for gated or similar content.
• Directly from you when you provide your business details to explore new business opportunities with us.
• Directly from you or via your organization if we have an existing business relationship with your organization or you
• From our business partners from whom we may receive your business contact details to explore new business opportunities and market our products and services 
• Basic statistics on how our marketing communications are opened and clicked are automatically generated using industry-standard technologies, such as clear gifs when you engage with our emails.

Why do we collect it, under which legal basis, and how do we use it?

Our purpose for collecting this data is to:

• Inform you about our Services, company news, webinars and upcoming events  
• Improve our direct marketing initiatives by gathering statistics (e.g., email opening and clicks). 

If you subscribe to our marketing communications, we rely on your consent.  Additionally, if you contact us via our web forms, we may rely on our legitimate interest in sending you marketing communications. This allows us to keep you informed about the latest news, trends, events, and offers from Infobip, as well as from our affiliates and partners. 

Please note that unsubscribing will only stop communications from the specific sender you opted out from. Since Infobip operates multiple marketing channels across different teams, you may still receive messages from other Infobip senders. If you want to unsubscribe from all marketing communication, please contact us via this form or via the email address data-protection-officer(at)infobip.com.  

However, we maintain a so-called “suppression list” that contains only your email address or phone number just to be sure that we do not contact you if you unsubscribe from receiving marketing communication. We retain this information relying on our legitimate interest in respecting the choices of our marketing content recipients. 

How long do we keep it?

• Your personal data (name and surname, contact details) are kept for our marketing activities during your or your organization’s business relationship with us unless you object. 
• If you have subscribed directly, then your personal data will be kept for our marketing activities until you unsubscribe.  
• If you unsubscribe or object, we will only keep a suppression list that includes your contact details (e.g. email address or phone number) to ensure you do not receive further marketing communication.

What personal data do we collect?

When you register to attend or when you check-in at our in-person or online events (“event”), we normally collect your name and surname, contact details (e.g. email, phone number, country), as well as your business details (e.g. company’s name and industry and your business role). If you are participating as a speaker, you might also be asked to provide your brief CV and an official photo of you. 

For live events, we may also ask you for information about the time and place of your arrival as well as accommodation details and dietary requirements you may have. If you require us to provide you with an invitation letter, or you need to get a letter of guarantee to be able to get a visa, we will collect the necessary information required by applicable law (such as your name and surname, address, date of birth, or passport details). If the event involves a fee, we’ll collect the necessary information to issue an invoice. We may collect photos, audio, and video material from our events.  

When we promote our business by sharing interviews, blog posts, articles, or other content, we may process personal data such as your name, your role in the organization you represent, and other business-related information. This may be in written, audio, photo, or video format. When registering for and attending Infobip Shift Conference, details about the processing of your personal data are provided in Infobip Shift Privacy Notice

How do we collect it?

• Directly from you when you register to attend or check in at our event or when we take interviews, photos and videos from our events.  
• Sometimes your organization will send us your contact details to attend our event on their behalf.

Why do we collect it, under which legal basis, and how do we use it?

We collect and use this data:

The legal basis we rely on is your consent, provided when you submit your details through our registration forms. When we collect any information about dietary requirements, we also rely on your consent.

• If you register for an in-person or online event, to provide event details in advance, send reminders, and share the event recording afterward. The legal basis we rely on is your consent, provided when you submit your details through our registration forms. When we collect any information about dietary requirements, we also rely on your consent.
• If you register to attend or speak at our live event, to ensure your place at the event, and to provide you with all details and comply with your dietary preferences. 

When we collect any information about dietary requirements, we also rely on your consent. 

• If the event requires a participation fee, we collect invoicing details to manage and track the relevant payments.

If you personally pay the event fees, we process your invoicing details as part of fulfilling our contract and meeting legal requirements. 

• To support you with getting a visa for an event that you wish to attend, including sending an invitation, support letter or letter of guarantee. 

We collect this information only to respond to your request, and we rely on the consent you provided when submitting your personal data for this purpose.   However, we may be obligated to share such documentation with governmental authorities or to retain it for a certain period. We do this to comply with our legal obligation.

• To invite you to future events. For that purpose, we maintain former events’ participants lists containing only your name and surname, contact and business details. 

We rely on our legitimate interest in conducting and developing our business. You may object to these communications at any time. 

• To explore business opportunities with you and send you marketing communications about our Services 

We rely on your consent or our legitimate interest in conducting and developing our business. You may opt out of these communications at any time. 

• To promote our business by publishing photos, videos, audio, and texts in online and offline media. 

These activities represent our legitimate interest in promoting our business activities. 

How long do we keep it?

• Personal data collected when registering for a webinar or a live event (e.g. name and surname, contact details, business details) and used to invite you to new events, will be deleted two (2) years after the event.
• All other personal data collected for the organization of an event (accommodation, and other logistic data) will be erased within sixty (60) days after the event day.  
• Any invitation, support letter or letter of guarantee will be kept for a period determined by the applicable legislation. 

What personal data do we collect?

We collect your name and surname and email address. However, as this type of research is meant to be anonymous, our intention is to collect only your personal data necessary to send you a questionnaire but not to link the anonymous answers with you in any way.

How do we collect it?

• We collect your name and surname and contact details (email address) from business and professional networks (for example LinkedIn), or from our databases if you or your organization are our customer or supplier.

Why do we collect it, under which legal basis, and how do we use it?

We collect and use this data to:

• Invite you to take a survey by sending you a generic untraceable URL to a survey questionnaire. If you decide to participate and answer our questions, we will not ask you to reveal any personal data as our intention is to keep the answers anonymous. We do this as part of our anonymous market research activities to further improve our products, services and our targeting potential.  

When searching for your email address, we rely on our legitimate interest. Our intention is to collect only anonymous information through the surveys. However, if you disclose any information about you in your answers, we will rely on your consent. We will not link or attempt to link the answers provided with you nor do we inform other organizations (e.g. your employer) of the answers you provided in any way. 

How long do we keep it?

We will process the answers you provided to have general feedback on our products and services. However, we will never ask you to reveal any personal data in your answers, and if you reveal any personal data in your answers, it will be promptly deleted.

What personal data do we collect?

We collect your personal data such as name and surname, email, business role, and name of the organization you work for. We will also collect any additional information you choose to share during the interview.  Please note that the interviews will be recorded and transcribed using AI-powered technology. 

How do we collect it?

• We collect your name and surname and contact details directly from you or from a third-party provider that we engage to conduct these interviews and find the appropriate participants
• Any further information (e.g. your opinions on the overall market for certain services) will be collected directly from you by us or by a third-party provider depending on who is conducting the interview.

Why do we collect it, under which legal basis, and how do we use it?

We collect and use this data to:

• We use your data to conduct in-depth market research interviews to understand the broader market situation for the products and services that we offer and for our company overall. Any comments and opinions that you provide will be used only for internal purposes to improve our products, services, and business practices. 
• When inviting you to be part of our research, we send you an email with a link to apply, for this we rely on our legitimate interest.
• When you apply to a third-party provider to participate in research activities, we will rely on your consent or the contract between you and the third-party provider, depending on the circumstances.
• When conducting and recording the interviews with you, we rely on your consent.

How long do we keep it?

Recordings of interviews and associated personal data (e.g. contact details and personal data within the interview transcripts) will be deleted two (2) years after the interview date.

What personal data do we collect?

We collect your personal data such as name and surname, email, company name, and business role, as well as all information you provide during the interviews. We might record and transcribe interviews that we conduct.

How do we collect it?

• If you apply to be part of our research hub and participate in our research, we will collect your contact details directly from you. Also, if you have registered to participate in research activities at a third-party provider, they may share your contact details with us. 
• During the research interviews, we collect the information directly from you, by taking notes, video recording and creating AI featured transcripts of the interviews

Why do we collect it, under which legal basis, and how do we use it?

We collect and use the data to:

• Invite you to be part of our research hub.

When inviting you to be part of our research hub, we send you an email with a link to apply, for this we rely on our legitimate interest. However, your participation in the research hub is voluntary.  When you apply to a third-party provider to participate in research activities, we may contact you to participate in our user experience research. We will rely on your consent or the contract between you and the third-party provider, depending on the circumstances. 

• Conduct user experience research activities and obtain your feedback to improve our products and Services.

Your participation is completely voluntary; we will rely on your consent to collect and record your input during the research.  

The research may be recorded, and we will take notes, including AI-powered transcripts and summaries, on your comments and actions. The research results, recordings, and notes are used only for improving our products and Services and will be shared internally with our product design and development teams.

How long do we keep it?

Recordings of interviews and associated personal data (e.g. contact details and personal data within the interview transcripts) will be deleted two (2) years after the interview date.

What personal data do we collect?

When visiting our website, by placing cookies, we may collect your IP address, your browser type and associated information, the pages you have visited and the order you visited them, as well as whether you are a new or returning visitor.  

How do we collect it?

Directly from you when you browse our website by placing cookies on your browser. The cookies are either placed automatically (necessary cookies) or only once you have consented to them (functional, analytical, and advertising cookies). Please review our Cookie Policy for more information. 

Why do we collect it, under which legal basis, and how do we use it?

We collect and use this data to:

• Basic performance purposes (necessary cookies): these cookies are strictly necessary to ensure the performance of core functionalities such as security, network management, and accessibility. 
• Functional purposes (functional cookies): allow us to remember your preferences and settings. For example, functional cookies will remember your language choice and display the website in your preferred language.  
• Analytical purposes (analytical cookies): allow us to understand how the website is being used and include analyzing how effective our campaigns are. If you are an Infobip Portal user and when visiting our public website you consent to these cookies, we will merge your activities on our website and on Infobip Portal. 
• Advertising purposes (advertising cookies): facilitate personalization and other advertising. Such ads are generally more valuable for both you and the advertisers. 

When doing so, we rely either on our legitimate interest in ensuring the functioning of the website (for necessary cookies) or on your consent (for functional, analytical, and advertising cookies).  Please review our Cookie Policy for more information on how you can manage (including to withdraw) your cookie consent. 

How long do we keep it?

This depends on the specific types of cookies that were either placed automatically (necessary cookies) or that you have consented to be placed (other categories). Please review our Cookie Policy for more details on the retention periods for specific types of cookies.

What personal data do we collect?

We, including Infobip Foundation, collect personal data such as your name and surname, contact details, job title, and name of the organization you work for or represent or in whose activities you participate.

How do we collect it?

• Directly from you when you email us or fill out a contact form on our or Infobip Foundation’s website or reach out to us from an organization that you work for.  

Why do we collect it, under which legal basis, and how do we use it?

We collect and use your personal data to:

• Answer your queries and analyze your requests for donations or volunteering
• Collaborate on various projects and initiatives, donate and get information on how our grants and donations were utilized, maintain and improve our relationship with your organization, and evaluate our social impact initiatives.  

When you reach out to us with queries and requests, we process your personal data based on your consent. When we receive your personal data from an organization that you work for or in whose projects you participate in, we rely on our legitimate interest in conducting social impact initiatives. 

How long do we keep it?

What personal data do we collect?

We collect your personal data, including your name and surname, the name of the organization you work for or represent, and the name of the Infobip representative you are meeting with. We might also collect your phone number. If you visit one of our offices, we may also collect CCTV recordings as some of the entrances and common areas might be under CCTV surveillance.  

How do we collect it?

Directly from you when you visit one of our offices or our other company’s premises.

Why do we collect it, under which legal basis, and how do we use it?

We collect and use your personal data to:

• Manage access control to our offices and premises and provide you with additional services while you are visiting us  
• Ensure the safety and security of our employees, visitors, and property (CCTV surveillance at the entrances and common areas of some of our offices and premises) 
• As a visitor to one of our campuses, you can also chat with our chatbots to find out more about the locations and to get recommendations on things to do and see. If you decide to communicate with one of the chatbots, we will process your phone number and the content of the communication. 

The processing of CCTV surveillance data as well as the processing regarding access control to premises are done based on our legitimate interest in protecting our premises and staff.  If you chat with our bot, for the processing of your personal data, we rely on your consent.

How long do we keep it?

• Personal data collected for the purpose of managing access to our premises is erased as soon as it is no longer needed for that purpose.
• CCTV surveillance recordings are generally deleted ninety (90) days after the recording date, unless prescribed otherwise by the local laws. 
• The chatbot communication is stored for six (6) months from the moment the chat was initiated

However, we might be required to retain this data for a different period in certain circumstances if prescribed by specific local laws, when requested by authorities, or if needed to defend our legal rights. Please see Section 11 for more details. 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Argentina: For the purposes of Argentinian data protection laws, including The Personal Data Protection Act (“PDPA”) Act No. 25.326 and the Decree No. 1558/2001, personal data will be processed by Infobip Latam S.A., domiciled at Av. Dorrego 1789, Piso 2, Oficina 201/202, Buenos Aires (C1414CKM) Argentina, as the controller of the personal data. 

Your consent is granted for the collection, processing, use and transfer of personal data as described in the Privacy Notice, in the Annex hereto. In the event you wish to exercise any of the rights, you should contact Infobip using the details provided in Section 11 of the Privacy Notice.

If you consider that you have not been duly attended to in the exercise of your rights, you may file a claim with the Agencia de Acceso a la Información Pública.

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Brazil: For the purposes of Brazilian data protection laws, including the General Data Protection Law No 13,709/2018 (“LGPD”), Infobip Brasil Serviços de Valor Adicionado Ltda, domiciled at  Avenida Candido de Abreu, 70, sala 81 Curitiba/PR, 80530-000 Brasil, has appointed its Data Protection Officer (“DPO”) as our Representative.

Our DPO is contactable via the email address data-protection-officer(at)infobip.com. If you are located in Brazil, you have all the following rights as set forth in the LGPD: 

• Be informed if there is any personal data processing and request information and a copy of the personal data. 
• Request the correction of your personal data that is inaccurate and/or completion of such data which is incomplete. 
• Ask us to anonymize, block or erase your personal data in certain circumstances.  
• Request to transmit your personal data to another service or product provider, limited to commercial or industrial secrets.
• Provide an informed consent for specific purpose and within determined period of retention and withdraw your consent at any time for the future where processing is based on your consent. 
• To oppose the processing carried out based on one of the legal basis other than your consent. 
• If we process your personal data solely by automated means, you have the right to request the review such decisions. 
• Ask us about public and private entities with which we have shared your data. 
• Withdraw consent at any time. 
• Be informed about the possibility of denying consent, and the consequences of such denial. 

You have the right to lodge a complaint regarding your personal data before the Brazilian Data Protection National Authority (“ANPD”) as well as consumer-defense entities. 

If you have any questions on how we use your personal data or if you wish to exercise a certain right or resolve a complaint regarding the processing of your personal data, you can contact our addressed Data Protection Officer by sending an email to the following email address: [email protected].

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Canada:  

The term “applicable privacy law” includes all Canadian laws and regulations applicable to the processing of personal data, including the Personal Information Protection and Electronic Documents Act (Canada) or any equivalent provincial legislation, including, the Personal Information ‎Protection Act (British Columbia), the Personal Information ‎Protection Act (Alberta), or the Act respecting the protection ‎of personal information in the private sector (Quebec). 

We will not collect personal data indiscriminately, but will limit collection of ‎personal data to ‎that ‎which is reasonable and necessary.  We will also collect ‎personal data as authorized or required by law.‎ We will only use or disclose your personal ‎information for the purposes set out above and as required or authorized by law. We will ‎retain your personal information as long as is reasonable to serve the original purpose ‎for which we collected the ‎‎information, and for so long as retention is necessary for a ‎legal or business purpose‎.‎ 

LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA – CONSENT  

We will process your personal data only with your knowledge and consent, except ‎where ‎exempted, required or permitted by applicable laws. The form of consent may vary ‎depending on the ‎circumstances and the type of information being requested. Your consent ‎may be express or ‎implied. Taking into account the ‎sensitivity of your personal information, purposes ‎of collection, and your reasonable ‎expectations, we will obtain the form of consent that is appropriate ‎to the personal information ‎being processed. By using our Services or otherwise ‎by choosing to provide us with your ‎personal data, you acknowledge and consent to the ‎processing of your personal ‎data in accordance with this Privacy Notice and as may be further identified ‎when the ‎personal data is collected. When we process your personal data for a new ‎‎purpose, we will document that new purpose and ask for your consent again, unless applicable law authorizes or requires us to do so without consent.‎ 

If you are a resident of the province of Quebec, we will always seek your express consent to ‎the collection, use, and communication of your personal data, except when specifically ‎allowed by applicable law. For example, we may, in certain cases, use or communicate your ‎personal data, without your consent for purposes of fraud prevention or to provide a ‎service requested by you. ‎You may, in certain circumstances, be asked to confirm your ‎consent in a separate document. When we process your personal data for a new ‎‎purpose, we will, when required by applicable law, document that new purpose and ask for ‎your consent again.‎ 

If you do not consent to the processing of your personal data in accordance with this ‎Privacy Notice, ‎please do not access or continue to use the Services or otherwise provide ‎any ‎personal data to us.

TRANSFERS OF YOUR PERSONAL DATA ACROSS BORDERS 

As noted in section 7 of this Privacy Notice, your personal data may be processed, used or ‎stored in ‎jurisdictions other than your jurisdiction of residence. As a ‎result, ‎when your personal data is processed, used or stored in a jurisdiction ‎other than where ‎you are residing, it may be subject to the law of that foreign ‎jurisdiction, including any law ‎permitting or requiring disclosure of the ‎information to the government, government agencies, ‎courts and law enforcement ‎in that jurisdiction.‎ 

When we transfer your personal data outside your jurisdiction of residence, we ‎will use ‎ reasonable safeguards, including contractual requirements with the third parties receiving and processing the personal data, to ‎ensure the adequate protection of your personal information. ‎ 

YOUR RIGHTS REGARDING YOUR PERSONAL DATA 

If you are a Canadian resident, you may have the following rights under applicable ‎Canadian privacy laws:‎ 

• Right to access: You have the right to request that we confirm the existence of the ‎‎personal information concerning you that we hold and that we allow you to access ‎that personal information. In some situations, we may not be able to provide ‎access to ‎certain personal information (for example, if ‎‎disclosure would reveal ‎personal information about another individual, or the personal information is ‎‎‎protected by ‎solicitor/client privilege).  We may also be prevented by law from ‎providing access to ‎certain personal information.‎ If we refuse an access request, ‎we will notify you in writing, ‎document the reasons for refusal, and ‎outline ‎further ‎steps which are available to you.‎ 
• Right to correct: If your personal information that we hold is inaccurate, incomplete ‎or ‎equivocal, or if its processing is not authorized by law, you have the right to ‎request that ‎the information be rectified. If a challenge regarding the accuracy of ‎your personal information is not resolved to your satisfaction, we ‎will ‎annotate the ‎personal information ‎with a note that the correction was requested ‎but not ‎made‎. 
• Right to revoke consent: You have the right to revoke your consent to the use or ‎‎communication of your personal information. This will not affect the lawfulness of ‎any ‎use or communication of your personal information that happened before you ‎revoked ‎your consent. If you revoke your consent, we ‎will inform you of the likely ‎consequences ‎of that revocation, which may include our ‎inability to ‎provide ‎certain services for which ‎that information is necessary‎.‎ 
• Right to portability: If you are a resident of the province of Quebec, you have the ‎right ‎to request that your personal information that we hold be communicated to ‎you, or to ‎any person you may designate, in a structured, commonly used ‎technological format.‎ 
• Right to de-indexation: If you are a resident of the province of Quebec, you may, in ‎‎certain situations and if the legal ‎requirements are met, require that we cease ‎‎disseminating your personal information, or that ‎we de-index any hyperlink ‎attached to ‎your name that provides access to your personal information.‎ 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Colombia:  

For the purposes of Colombian data protection laws, including Law 1581, 2012 and its regulatory decrees, personal data will be processed by Infobip Colombia S.A.S., domiciled at Carrera 11 B No. 97-56 Edificio Ápice Oficina 601, Bogotá, Colombia, as the controller of the personal data. 

Your rights: In addition to the rights that are outlined in Section 9 of this privacy notice, you are also entitled to: 

• Request from us a copy of the information that was given to you in the moment you consented to the processing of your personal data. 
• Request rectification or correction of their personal data. 
• Request evidence of the consent, except when consent is not required for the processing. 
• Be informed about the use that has been effectively given to your personal data. 
• Withdraw consent in certain circumstances including where it is no longer necessary for Infobip to process the personal data. 
• File claims before the Superintendency of Industry and Trade.

In addition to the information set out in Section 7 above, when this Privacy Notice refers to the possibility of sharing your personal information or performing international transfers of such information, these operations shall comprise, under Colombian laws, both transfers and transmissions of your personal data. Both transfers and transmissions shall be fully compliant with applicable Colombian laws 

If you consider that you have not been duly attended to in the exercise of your rights, you may file a claim with the la Superintendencia de Industria y Comercio, Delegatura de Protección de Datos Personales. 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Egypt: 

DATA SUBJECT RIGHTS 

In addition to the data subject’s rights stated under Section 9 of the Privacy Notice, you as the data subject enjoy the following additional rights: 

1. To object to the processing of personal data or its results whenever the same contradicts your fundamental rights and freedom.
2. To get notified of any infringement to your personal data; and 
3. To submit a compliant before the Personal Data Protection Center (the “PDPC”) in any of the following cases: 

• Infringement or breach of the right of personal data protection 
• Failure to exercise your rights 
• In relation to the decisions issued by the data protection officer for the personal data held by the processor or the controller in relation to the requests submitted to the data protection officer. 

NOTIFICATION OF BREACH 

Infobip shall notify the PDPC of any personal data infringement within seventy-two (72) hours of such infringement. In the event that such infringement relates to national security protection concerns, then the notification shall be immediate. 

 In all cases, Infobip shall notify the data subject with the infringement of the personal data of the data subject and the measures taken within 3 (three) days from the date of notifying the PDPC.   

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in or subject to the laws of India:  

WHAT PERSONAL DATA DO WE COLLECT, WHY AND ON WHICH LEGAL BASIS, HOW DO WE USE IT AND FOR HOW LONG DO WE KEEP IT? 

In addition to the data collected under the Privacy Notice, we also collect the following sensitive personal data or information (as this term is defined under the Information Technology [Reasonable Security Practices and Procedures and Sensitive Personal Data or Information] Rules, 2011) from you, namely financial data including but not limited to, billing and financial details of a customer (e.g. billing address, prepaid or postpaid customer, bank account details, information about creditworthiness and payment behaviour, and other additional information as required under applicable laws). This data will be used for the purposes listed under Section 5 of this Privacy Notice, for which we rely on your consent.  

INFORMATION FROM CHILDREN 

To the extent you are residing in or subject to the laws of India, children above the age of 16 and under the age of 18 cannot use our products or services as our customers without the express consent and supervision of a parent or guardian. If you are above the age of 16 but under the age of 18, your parent or guardian is required to consent on your behalf prior to using our products or services as our customer. If we learn or are notified that you are below the age of 18 and using our services without express consent of a parent or guardian, we will immediately take reasonable steps to delete that information from our records as quickly as possible. If you think a child under 18 is using our products or services as a customer without express consent of a parent or guardian, please contact us at  [email protected]. 

GRIEVANCE OFFICER 

In case of any queries or grievances with respect to your data or this Privacy Notice, you may contact our Grievance Officer at [email protected].   

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Indonesia or outside the territory of Indonesia when that has legal impact towards: (i) the territory of Indonesia or (ii) data subjects being Indonesian citizens outside of the territory of Indonesia. With reference to the applicable Indonesian laws and regulations, this Privacy Notice is also prepared in Indonesian language version in addition to the English language version for the purpose of delivering this Privacy Notice to you (as the data subjects). 

If there is any inconsistency or difference in the interpretation between the Indonesian language version and the English language version of this Privacy Notice, the English language version shall prevail. 

With respect Personal Data Protection, the primary law source is Law No. 27 of 2022 on Personal Data Protection (“Law No. 27”) and along with other related regulations being: (i) Law No. 11 of 2008 regarding Electronic Information and Transactions as amended by Law No. 19 of 2016 (“EIT Law“); (ii) Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions (“Reg. 71“); (iii) Minister of Communications and Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (“MOCI 20/2016“). For your ease of reference, we shall refer Law No. 27, EIT Law, Reg.71 and MOCI 20/2016 jointly or separately as the “Indonesian Data Protection Laws” or “IDPL”. 

In addition to or in derogation of this Privacy Notice, the following applies to the processing of personal data by Infobip within the scope of the IDPL.

DEFINITIONS

For Indonesia, the definitions in Section 1 of the Privacy Notice shall be amended and added to become as follows:  

• “personal data” means data regarding a person either being identified and/or can be identified either individually or combined with other information either directly or indirectly through an electronic system and/or non-electronic system. 
• “controller” means each person, public agency, and international organization acting individually or jointly in determining the purpose and exercising control over the processing of Personal Data. 
• “processor” means each person, public agency and international organization acting individually or jointly in processing the Personal Data on behalf of the Personal Data Controller. 
• “personal data subject” is an individual to whom the personal data applies

ADDITIONAL INFORMATION ON RIGHTS OVER PERSONAL DATA 

In addition to the information set out in Section 9 above, and pursuant to Law No. 27 you have the right to: 

• Obtain information regarding identity clarity, basis of legal interest, purpose of requesting and using personal data, and accountability of parties that request personal data; 
• Object a decision-making action that is based solely on automated processing, including profiling, which has legal consequences or has a significant impact on personal data subjects; 
• Sue and receive compensation for violations of the processing of personal data regarding yourself in accordance with provisions of laws and regulations; 
  Obtain or use personal data regarding yourself from us in a form that is in accordance with the structure or formats commonly used or readable by an electronic system; and 
• Use and send personal data regarding yourself to other controllers, as long as the system used can communicate with each other securely in accordance with the personal data protection principles based on Law No. 27. 

INFORMATION FROM CHILDREN 

For Indonesia, the minimum age requirement to use our products and services is 21 years.

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Japan:  

We will comply with the Act on the Protection of Personal Information (the “APPI”), other relevant laws and regulations concerning the protection of personal data, and the guidelines issued by the Personal Information Protection Commission, competent ministers, or relevant industry groups. 

JOINT USE NOTICE 

Your personal data may be jointly used with Infobip Group in accordance with Article 27.5.3 of the Act on the Protection of Personal Information (“APPI”) within the scope necessary for achieving the purposes described in Section 5 of this Privacy Notice.

 Infobip G.K. (address: Dai-3 Meiwa Bldg. 4F, 4-31-3 Shinbashi, Minato-ku, Tokyo 105-0004), representative director: https://www.infobip.com/offices/japan-tokyo, will be responsible for management of the jointly used personal data.  

YOUR DATA SUBJECT RIGHTS 

In Japan, you may also have additional unique rights under the APPI such as:

1. To request deletion of or cessation of processing of your personal data if your personal data has been used beyond the scope necessary to achieve the purpose for which they were collected, processed or obtained by deceit or in violation of the APPI, if our use of your personal data triggers illegal acts, or if your data are no longer necessary in relation to the purposes for which they were collected, are compromised or are otherwise processed in a manner which could harm your rights or legitimate interest.  
2. To request cessation of transferring of your personal data if your personal data is transferred to a third party in violation of the APPI or the transfer could harm your rights or legitimate interest.  
3. To request to disclose the following information (we may refuse your request to the extent we are permitted to do so in accordance with APPI): 

• Data security measures we have been implemented; and  
• In case where your personal data has been shared with foreign companies including Infobip Group by way of joint use and external foreign service providers, (i) measures to ensure the data recipients take sufficient data security measures (the “Measures”) and the details of the Measures, (ii) measures and frequency that we audit the data recipients’ implementation of the Measures, (iii) name of the recipient country and rules of the country that could hinder the implementation of the Measures and (iv) other obstacles that could hinder the implementation of the Measures and measures that we have conducted to solve such obstacles. 

INTERNATIONAL PROCESSING 

If you are a resident of Japan, your personal data may be shared with the entities described in Section 6 of this Privacy Notice. If those recipient entities are outside of Japan, we will use reasonable endeavours to require recipients located outside Japan protect it in a way that provides comparable safeguards to those under the APPI, such as via contractual data protection obligations or because the recipient is subject to laws of another country with comparable protections. Specifically, we take “Equivalent Action” specified under Article 28.1 of the APPI to protect your personal data transferred outside of Japan.  

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Malaysia:  

DEFINITIONS 

The term “applicable privacy law” includes the Personal Data Protection Act 2010 (“PDPA”) of Malaysia, its amendment, related subsidiary legislation, orders and standards issued under the PDPA.  

Terms such as “processor”, “controller”, “personal data”, shall have the same meaning ascribed to them and include any term or person meeting any similar concept in the applicable privacy law.  

PROVISION OF PERSONAL DATA 

The provision of your personal data is mandatory. If you do not provide us the personal data, we will not be able to provide you with our Services. 

WHAT PERSONAL DATA DO WE COLLECT, WHY AND ON WHICH LEGAL BASIS, HOW DO WE USE IT AND FOR HOW LONG DO WE KEEP IT?

5.1.1. To enter into an agreement, create the customer’s account, and provide the necessary support to enable the customer to use our Services 

Infobip will refrain from using the following personal data: 

• Billing and financial details of a customer (e.g. billing address, prepaid or postpaid customer, bank account details, VAT number, information about creditworthiness and payment behaviour, and other additional information as required under applicable laws) 

Banking account-related data is subject to bank secrecy laws under the Financial Services Act 2013 (“FSA”).  

INFORMATION FROM CHILDREN 

Our Services are not intended for children or minors (individuals under 18 years of age). In the event information of minors is provided to us, you, as their parent or legal guardian hereby consent to the processing of the minor’s information and personally accept and agree to be bound by this Privacy Notice and take responsibility for their actions. 

CONTACT INFORMATION 

If you have any questions on how we use your personal data or if you wish to exercise a certain right or to limit the processing of your personal data or resolve a complaint regarding the processing of your personal data, you can contact our Data Protection Officer by sending an email to the following email address: [email protected] or via this telephone number: 603-8601 0105. 

LANGUAGE OF THIS PRIVACY NOTICE 

In the event of any discrepancy or inconsistency between the English version and Malay version of this Privacy Notice, the English version shall prevail.   

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Mexico: 

For the purposes of the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), and its regulatory provisions, personal data will be processed by Mobile Cloud Services Mexico SA DE CV, as the data controller, with an address at Paseo de la Reforma 180, 18th Floor, Office 1805, Col. Juárez, Del. Cuauhtémoc, CP 06600, Mexico City, Mexico, in its capacity as responsible for processing personal data. 

Your rights:

To exercise any of these rights, or if you believe that you have not received an adequate response to your request, you may contact our Privacy Department at data-protection-officer(at)infobip.com or go directly to the National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI). 

Additionally, when this notice refers to the transfer of your personal information, including national and international transfers, such actions will be carried out in accordance with the provisions of the Federal Law on Protection of Personal Data Held by Private Parties and other applicable regulations. 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Nigeria: 

HOW DO WE SECURE YOUR PERSONAL DATA 

Please note that in relation to any personal data you submit to us online, we cannot guarantee the security of information transmitted over the internet or that unauthorised persons will not obtain access to personal data. Infobip is not responsible and has no control over websites outside its domain. We do not monitor or review the content of other party’s websites which are linked from our website or media platforms.

Please be aware that we are not responsible for the privacy practices, or content of these sites. Infobip will not accept any responsibility for any loss or damage in any manner, howsoever caused, resulting from your disclosure to third parties of personal information.  

Where we collect any special category personal information about your ethnic background, sexual orientation, political opinions, religion, trade union membership, or criminal record, we will apply additional security controls to protect that data. 

INTERNATIONAL TRANSFER OF PERSONAL DATA 

We will seek your consent when we need to send your data to a country without an adequate data protection law. We will protect your information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to our data centres, and information access authorization controls.  

PERSONAL DATA BREACH  

We have procedures to deal with any suspected personal data breach and will notify you where we are legally required to do so. In the event of a breach, we will notify the Nigeria Data Protection Comission within 72 hours of becoming aware of the breach. 

CONSENT 

You accept this privacy policy when you give consent upon access to our platforms, or use our services, content, features, technologies or functions offered on our website, digital platforms or visit any of our offices for official or non-official purposes. This privacy policy governs the use of our platforms and services by users, unless otherwise agreed through a written contract. We may amend this privacy policy at any time by posting a revised version on our website, or placing such notice at conspicuous data collection points. 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Pakistan: 

5.1.2 To enable customers to exchange their communications through our Services, ensure the security of our network and Services, and handle billing and payments

Why do we collect it, under which legal basis, and how do we use it?

Traffic data is generally kept in the form of communication detail records (in original).  

The requirements to assess original form shall be: 

It will be ensured that data retained shall:  

INFORMATION FROM CHILDREN  

Children under 18 cannot use our products and services as our customers. If we learn or are notified that it is the case, we will immediately take reasonable steps to delete that information from our records as quickly as possible. If you think a child under 18 is using our products or services as a customer, please contact us at data-protection-officer(at)infobip.com.

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Peru: 

For the purposes of Law No. 29733, the Personal Data Protection Law, its regulations, and other applicable provisions, personal data will be processed by INFOBIP PERU S.A.C., acting as the Data Controller, with its registered office at Avenida Dionisio Derteano 184, office no. 302, San Isidro, Lima, Peru. 

Your rights: 
In addition to the rights described in section 9 of this privacy notice, you have the right to: 

To exercise any of these rights, as well as to make any inquiry or complaint related to the protection of your personal data, you may contact our Data Protection Officer at data-protection-officer(at)infobip.com or file a complaint with the National Authority for Personal Data Protection – Ministry of Justice and Human Rights (https://www.gob.pe/anpd ). 

National and international transfers of your personal information will be carried out only in accordance with Law No. 29733 and its regulations. 

To prevent the loss, misuse, alteration, unauthorized access, and theft of personal data or confidential information provided by users, INFOBIP PERU S.A.C. has adopted the legally required levels of security and personal data protection, as well as all technical measures within its reach to adequately protect your information. 

Any change to this privacy notice will be communicated in a timely manner. 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in the Philippines:  

CONSENT ON COLLECTION AND PROCESSING OF PERSONAL DATA 

To the extent that you disclose to us any personal information (whether or not coming within the definition of personal data above) of another individual, such as your spouse, children or other relatives or family members, we shall assume, without independent verification, that you have obtained such individual’s consent and that you have been specifically authorized by such individual to disclose his or her information for our processing in accordance with the terms of this Privacy Notice. 

Consistent with how the term is defined in the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) (“DPA”), the personal data referred to above excludes any de-identified or anonymized data that does not enable or allow Infobip Limited to identify or ascertain your and your relatives’ or family members’ identity. 

By giving us your personal data, it is understood that you consent to the transfer of such information for the purpose of data sharing, as above discussed, where applicable, to any entity that forms a direct or indirect part of Infobip Limited, its subsidiaries or affiliates, as well as third parties, either local or foreign, as enumerated in Section 6 above. In all instances, the personal information processor shall only process personal information pursuant to our specific instructions as laid out in the respective outsourcing agreements. Rest assured that we will only disclose the minimum amount of information which we deem necessary and will take all reasonable steps to ensure that such information is kept confidential.  

Notwithstanding this, we may collect, use or disclose your personal information without your knowledge or consent whenever we are permitted or required by the DPA and other applicable laws or regulatory requirements. 

ADDITIONAL RIGHTS OVER PERSONAL DATA 

Right to be informed: Right to be informed, whether personal data pertaining to you shall be, are being, or have been processed, including the existence of automated decision-making and profiling. You shall be notified and furnished with information before the entry of your personal data into the processing system of the personal information controller, or at the next practical opportunity: (a) Description of the personal data to be entered into the system; (b) Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose; (c) Basis of processing, when processing is not based on your consent; (d) Scope and method of the personal data processing; (e) The recipients or classes of recipients to whom the personal data are or may be disclosed; (f) Methods utilized for automated access, if you have allowed the same, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you; (g) The identity and contact details of the personal data controller or its representative; (h) The period for which the information will be stored; and (i) The existence of your rights as a data subject, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Philippine National Privacy Commission. 

Right to access: Upon request in writing, you should be given access to information on the processing of your personal information, including information on the following: 

• Contents of personal data and categories of data that were processed; 
• Sources from which your personal data were obtained, if the data was not collected from you; 
• Purposes of processing; 
• Identities and addresses of recipients of personal data; 
• Manner by which your personal data were processed; 
• Reasons for the disclosure and purposes for granting access to the recipients of your personal data; 
• Information on automated processing, in case the data was used as the sole basis for any decision that significantly affects or will significantly affect you as a data subject; 
• Date when your personal data was last accessed or modified; 
• The designation, identity, and address of the controller or processor other than Infobip Limited, if any; 
• Period for which particular categories of information will be stored or if not possible, the criteria used to determine the retention period; and 
• The designation, name or identity, and address of the personal information controller’s data protection officer. 

Right to rectification: You have the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof. Recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon your reasonable request. 

SOURCES OF INFORMATION 

Your personal data will be obtained from the sources as discussed in Section 4. 

By giving your consent and agreeing to this Privacy Notice, you authorize us and such third parties as we may engage to collect and obtain personal data pertaining to you from the sources mentioned above. 

As the accuracy of your personal data depends largely on the information you provide to us, kindly inform us as soon as practicable if there are any errors in your personal data or if there have been changes to your personal data. 

ACCESS TO PERSONAL DATA AND LIMITING PROCESSING

You have rights to request access or to correct your personal data or to lodge a complaint with the Philippine National Privacy Commission or to limit the processing thereof at any time hereafter in line with applicable law. We must point out that there are consequences in limiting the processing as requested. If this is the case, we will inform you of the consequences in further detail depending on the specific personal data. You are also requested to correct or amend your personal data to the extent you realize it is incorrect, inaccurate, or outdated. 

If you consider, after contacting us (as provided in Section 9 above), that your rights are not respected you can file a claim directly to the competent supervisory authority, which for the Philippines is the National Privacy Commission (https://www.privacy.gov.ph). 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Saudi Arabia:  

Whilst we will continue to rely on legitimate interests as our lawful basis for processing for the purposes of complying with the GDPR, for the purposes of complying with the laws and regulations of Saudi Arabia, we will seek your express consent to process your personal data where: 

• We rely on legitimate interests within the Privacy Notice; and  
• Where an alternative lawful basis for processing is not available.  

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Singapore:  

WHAT PERSONAL DATA DO WE COLLECT, WHY AND ON WHICH LEGAL BASIS, HOW DO WE USE IT AND FOR HOW LONG DO WE KEEP IT? 

Where required under applicable law, we will obtain your notified consent for the collection, use or disclosure of your personal data for the purposes set out in this Privacy Notice.  

The provision of your personal data to us is voluntary. However, if you do not provide us with certain personal data, we may not be able to provide you with the Services or respond to your requests.  

WHAT ARE YOUR RIGHTS IN RESPECT OF YOUR PERSONAL DATA? 

Where granted by the applicable privacy law, you have the right to: 

• Request from us to access your personal data, which means requesting a copy of the personal data we hold about you. You also have the right to request for information regarding the way in which your personal data has been used and disclosed by us in the 12 months prior to your request. 

If applicable to you, you can lodge a complaint with the Personal Data Protection Commission (PDPC) at https://www.pdpc.gov.sg/.  

INFORMATION FROM CHILDREN 

Minors under the age of 21 cannot use our products and services as our customers. If we learn or are notified that it is the case, we will immediately take reasonable steps to delete that information from our records as quickly as possible. If you think a minor is using our products or services as a customer, please contact us at [email protected].  

CONTACT INFORMATION 

If you have any questions on how we use your personal data or if you wish to exercise a certain right or to limit the processing of your personal data or resolve a complaint regarding the processing of your personal data, you can contact our Data Protection Officer either by post at: 

Data Protection Officer  

Infobip Mobile Services Pte Ltd  

50 Raffles Place, #34-01, Singapore Land Tower, Singapore 048623 

Or by email at [email protected]. 

HOW OFTEN DO WE UPDATE THIS PRIVACY NOTICE? 

The most current version of this Privacy Notice will govern our practices for collecting, processing, and disclosing personal data. We will provide notice of any modifications on this page and where required by law, we will obtain your consent to those changes. You can always check the date of the last update at the beginning of this Privacy Notice.

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals or existing juristic persons where the responsible party (i.e. controller) is domiciled in South Africa; or the responsible party (controller) is not domiciled in South Africa but makes use of automated or non-automated means in South Africa, unless the means is only to forward personal data through South Africa and whenever the processing of personal data falls within the ambit of South Africa’s Protection of Personal Information Act, 2013 (POPIA): 

DEFINITIONS

When this Privacy Notice is used for South Africa: 

The term “you” shall include a natural person and a juristic person (company). 

The term “controller” shall refer to a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Reference to “Data Controller” in the Privacy Notice shall be to “Responsible Party” when the processing of personal information falls under the ambit of POPIA. 

The term “Personal Data” shall refer to information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: 

• Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; 
• Information relating to the education or the medical, financial, criminal or employment history of the person; 
• Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; 
• The biometric information of the person; 
• The personal opinions, views or preferences of the person; 
• Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; 
• The views or opinions of another individual about the person; and 
• The name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person. 

• The term “processor” shall refer to a person who processes personal information for a responsible party (i.e. controller) in terms of a contract or mandate, without coming under the direct authority of that party. Reference to “Data Processor” in the Privacy Notice shall be to “Operator” when the processing of personal data falls under the ambit of POPIA. 
• The term “applicable privacy law” shall include all laws and regulations applicable to the processing of personal data in South Africa, including the Protection of Personal Information Act, 2013 as amended or replaced from time to time, and the Regulations thereunder. 

WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA? 

When the processing of personal data falls within the ambit of POPIA, the main entity responsible for processing of personal data as described in this Privacy Notice – the controller (“Responsible Party”) – is Infobip Africa (Pty) Ltd. 

For the purposes of South African data protection laws, Infobip Limited has appointed Imraan Kharwa as our Information Officer. Our Information Officer is contactable via the email address [email protected]

HOW DO WE OBTAIN YOUR PERSONAL DATA? 

In addition to what is stated above, please note that the provision of personal data by you is voluntary. However, should you not provide the personal data Infobip may not be able to effectively manage the relationship that we have with you. 

WHAT PERSONAL DATA DO WE COLLECT, WHY AND ON WHICH LEGAL BASIS, HOW DO WE USE IT AND FOR HOW LONG DO WE KEEP IT? 

In addition to what is stated above, in the case where we process personal data, sometimes that personal data is defined by POPIA as special personal information, in which case we use one of the following legal bases for processing:  

• The processing is necessary for the establishment, exercise or defence of a right or obligation in law; or 
• The data subject has freely given his, her, or their informed, specific consent to the processing. 

HOW DO WE CARRY OUT INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA? 

Where the processing of personal data falls under the ambit of POPIA, we will only transfer your personal data outside of South Africa to countries which provide an adequate level of data protection similar to that of POPIA or where we are satisfied that there is an appropriate justification under POPIA for the transfer such as a binding transfer agreement.  

To the extent that prior authorisation from the Information Regulator is required for the transfer of special personal information or personal data relating to children to third parties in foreign countries that do not provide an adequate level of data protection, we will ensure that such prior authorisation requirements are complied with, in circumstances where required. 

WHAT ARE YOUR RIGHTS IN RESPECT OF YOUR PERSONAL DATA? 

In South Africa, if you have any questions on how we use your personal data or if you wish to exercise a certain right or resolve a complaint regarding the processing of your personal data, you can contact our Information Officer by sending an email to [email protected]. 

If applicable to you, you can lodge a complaint with the Information Regulator. If you want to file a complaint or contact the Information Regulator for any other reason, the Information Regulator’s contact details are: 

Information Regulator  

Information Regulator  Woodmead North Office Park  54 Maxwell Drive, Woodmead, Johannesburg 2191 Email: [email protected]

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Republic of Korea:  

PROCESS AND METHOD OF DESTRUCTION OF PERSONAL DATA  

Except as otherwise required by law, personal data is securely disposed of without delay when (i) the data subject revokes his or her consent for our use of the data, (ii) the purpose of our collection and use of the personal data has been accomplished or (iii) the legal retention period has expired.  If applicable law requires the preservation of personal data that otherwise would be disposed of, the personal data is transferred to a separate database and then disposed of after the period determined by the applicable law.  Personal data is disposed of using a method that is reasonably likely to prevent the personal data from being restored or reused. We will permanently destroy any personal data recorded or saved in electronic format by using a means that can ensure that it cannot be restored and recovered.  Personal data printed on paper will be destroyed by shredding or incineration thereof. 

PROVISION OF PERSONAL DATA TO THIRD PARTIES 

We will not provide your personal data to third parties in violation of law (such as without your consent, where consent is required).  For the purposes stated in the Privacy Notice, we currently do not share your personal data with any third parties in Korea. Should this change in the future, we will update the details of such third parties in the table below: 

DELEGATION OF PROCESSING OF PERSONAL DATA  

We delegate the processing of your personal data as described below, and the delegatees may process your personal data according to the purpose of the delegation: 

We delegate processing of personal data as follows:  

OVERSEAS TRANSFER OF PERSONAL DATA 

Specifically, we transfer personal data overseas as follows: 

MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA 

1) Managerial Measures

• We appointed a Chief Privacy Officer (“CPO”) to ensure that data subjects’ Personal information is processed in conformity with Korean privacy laws.  We have established and implemented an internal management plan to this end.  
• We have established and implemented Personal information protection education plans for our employees, delegates and others who are directly in charge of processing Personal information.

2) Technical Measures

• We control access to Personal information, and restrict and manage the access right. 
• We record the details of the management of access right to Personal information, and retain such records for a certain period of time. 
• We have installed and operated an intrusion blocking/prevention system to prevent any unauthorized access to Personal information. In addition, a safe access measures, including a virtual private network, has been implemented to control the access from the outside. 
• At the time of transmitting, receiving and storing Personal information, including sensitive information and unique identification information, we take encryption measures required under applicable Korean privacy laws and regulations. 
• We install and periodically update programs to fix security defects in software, including operating systems. 
• We keep the records of access to the Personal information processing system in a safe manner for a certain period of time.] 

3) Physical Measures

• We take physical access prevention measures, including restrictions on access and placing locks, storing Personal information in hard copies in a safe manner. 

RIGHTS OF DATA SUBJECTS  

Irrespective of the legal basis mentioned in the Privacy Notice, we will obtain consent from you when necessary.  

You may exercise your rights as a data subject through your legal representative or agent who is delegated by you. In such case, the legal representative and agent must submit a documentation evidencing that he or she is duly authorized by you such as a power of attorney.  

DISABLING COOKIES 

You can prevent the use of cookies at any time with effect for the future by setting your browser so that no cookies or only certain cookies are permitted or so that you are notified as soon as cookies are sent. An example of the installation method (in the case of Internet Explorer): The tool button on the upper part of the web browser > Internet Option > Personal data. 

CONTACT  

If you have any questions or comments about the Privacy Policy, if you need to report a problem, or if you would like us to update, amend, or request deletion of the information we have about you, please contact our Chief Privacy Officer (or department in charge of personal data protection) at:  

[Department in Charge of Protection of Personal information] 

Name of Department: Corporate Privacy 

E-mail: [email protected]  

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in Thailand pursuant to the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”): 

• Personal data described under this Privacy Notice is generally required for our business operation, for compliance with the contractual obligations we have with you, or for compliance with our legal obligations. In certain cases, failure to provide your personal data may result in us not being able to provide you with our Services, or to comply with our legal obligations.  
• In addition to the rights in respect of your personal data as described in Section 9 of this Privacy Notice, where you believe that our processing of your personal data is in violation or not in compliance with the law you are also entitled to lodge a complaint to a competent authority in Thailand.  
• Contact information: Where we are a data controller processing personal data of a Thai data subject, the following are the contact details: 

Data Controller: 
Infobip (Thailand) Limited 
Address: 1788 Singha Complex Building, Room 1902, 19^th floor, New Petchaburi Road, Bang Kapi, Huai Khwang, Bangkok 10310 
Phone number: +66 2 651 9384 / +668 3597 8588 
Email: [email protected] 

INFORMATION FROM CHILDREN

Children under 20 except in cases where one becomes sui juris upon marriage, provided that the marriage is made in accordance with the provisions of Section 1448 of the Thailand Civil and Commercial Code (part III) cannot use our products and services as our customers. If we learn or are notified that it is the case, we will immediately take reasonable steps to delete that information from our records as quickly as possible. If you think a child under 20 is using our products or services as a customer, please contact us at data-protection-officer(at)infobip.com.  

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals residing in the UAE: Where applicable, the controller is Infobip Gulf FZ LLC (20714), EIB Building No.1, Office 302, Dubai Internet City, P.B 500284, Dubai, United Arab Emirates.  

Whilst we will continue to rely on legitimate interests as our lawful basis for processing for the purposes of complying with the GDPR, for the purposes of complying with UAE Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (“PDPL”), we will seek your express consent to process your personal data in each case where:  

Subject to certain limited exceptions, where we rely on your consent, you will have the right to withdraw that consent at any time.  

This section provides residents of U.S. states with enacted comprehensive privacy laws—including, but not limited to, California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, and others (collectively, “Applicable State Privacy Laws”)—with additional information regarding our collection, use, and disclosure of their personal information, as well as their privacy rights under those laws. 

This supplement applies to Infobip’s processing of personal information subject to Applicable State Privacy Laws. If you are a resident of a state with more expansive privacy rights, additional disclosures or rights may apply to you. 

CATEGORIES OF PERSONAL INFORMATION COLLECTED AND DISCLOSED

While our processing of personal information may vary based on your relationship and interactions with Infobip, the table below identifies, in general, the categories of personal information that we collect and the categories of third parties to whom we may disclose such information for business or commercial purposes: 

5.1.1. To enter into an agreement, create the customer’s account, and provide the necessary support to enable the customer to use our Services 

DISCLOSURE TO PROTECT US OR OTHERS 

In addition to what is disclosed in the table above, we may access, preserve, and disclose each of the categories listed in the table above to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.  

For purposes of the CCPA, Infobip does not “sell” or “share” personal information or sensitive personal information, including that of minors under 16 years of age. 

DISCLOSURE TO PROTECT US OR OTHERS 

Infobip is committed to protecting your privacy and providing transparency and control over how your personal data is used, shared, and disclosed. 

SOURCES OF PERSONAL INFORMATION 

Generally, we may collect personal information from the following categories of sources: 

• Directly from you (e.g. through our website forms, registration, events or Contact Sales) 
• Recruitment agencies 
• Data analytics providers 
• Social and professional/business networks (e.g., LinkedIn) 
• Internet service providers 
• Automatically through cookies and pixels 
• Operating systems and platforms 
• Business customer/client/contacts

PURPOSES OF COLLECTION, USE, DISCLOSURE AND PROCESSING   

As described in more detail in Section 5 of our Privacy Notice, we collect, use and otherwise process the above personal information in order to provide our Services to you, respond to and fulfil your orders and requests, as otherwise directed or consented to by you, and for the following business or commercial purposes:  

• Services and customer support (including technical support) 
• Marketing and advertising 
• Operating the platform services (including to manage traffic with the purpose of transmitting customer’s communications toward or from telecom operators and other communication networks, in order to handle customer’s enquiries and to calculate charges) 
• Improve our products and Services and analytics 
• Customization and personalization 
• Loyalty/rewards program 
• Planning and managing events 
• Research and surveys 
• Security and protection of rights 
• Legal proceedings and obligations 
• General business and operational support 

SENSITIVE PERSONAL INFORMATION  

We do not use or disclose sensitive personal information except as reasonably necessary to: 

We do not use sensitive personal information for purposes inconsistent with applicable state law (such as inferring personal characteristics beyond legal requirements or without your explicit consent). 

OUR APPROACH TO SELLING, SHARING, AND DISCLOSING PERSONAL DATA 

Infobip does not sell your personal information in exchange for monetary consideration. However, under certain U.S. state privacy laws—including the California Consumer Privacy Act (CCPA)—some activities, such as sharing data with analytics or online advertising vendors, may be considered a “sale,” “sharing,” or “targeted advertising.” These activities help us understand website usage and deliver relevant ads.

The categories of personal information involved may include Identifiers, Internet or Network Usage Information, and Geolocation. By “our business purposes,” we mean that we only disclose personal data as described in Privacy Notice Section 5.

We also process personal data, as explained in Section 5.7, to deliver advertising targeted to your interests on other companies’ websites and mobile apps. Some of these activities may be considered “sharing” or “targeted advertising” under applicable law. Infobip does not “sell” or “share” personal or sensitive personal information of minors under 16 years old as defined by state or federal law. 

YOUR RIGHTS & HOW TO OPT OUT 

You have the right to opt out of the processing of your personal data for targeted advertising. To manage your preferences, you may: 

SENSITIVE PERSONAL INFORMATION 

You also have the right to request restrictions on the processing of your sensitive personal information. Where applicable, we will mark such information accordingly and limit processing to certain permitted purposes. At this time, however, Infobip does not use or disclose sensitive personal information for purposes other than those described in this Privacy Notice or otherwise permitted by applicable law. These uses cannot currently be limited under California law. 

NOTICE CONCERNING DO NOT TRACK 

Do Not Track (“DNT”) is a browser setting you can activate for enhanced privacy. While the opt-out tools provided above help us stop tracking you, we do not currently recognize or respond to DNT signals. 

In addition to or in derogation of the Privacy Notice, the following applies to processing of personal data for individuals who are Vietnamese citizens or residing in Vietnam:   

DEFINITIONS

 When this Privacy Notice is used for Vietnam, the definitions in Section 1 of the Privacy Notice shall be amended and added to become as follows:   

PERSONAL DATA BREACH 

In order to protect your personal data, we have implemented security measures as described in Section 8 of the Privacy Notice, but it does not guarantee the complete safety of the personal data. There is always a risk of unauthorized access, disclosure, or accidental loss of personal data, which could potentially lead to increased vulnerability to financial fraud, identity theft or emotional distress. In the unlikely event of a data breach, we will respond in a timely and appropriate manner in accordance with applicable laws and regulations. 

HOW YOU CAN CONTACT US 

If you have any questions on how we use your personal data, you can contact our Data Protection Officer: By sending an email to the following email address: data-protection-officer(at)infobip.com.  

Or contact us directly at the office: 

Floor 3A, Itaxa building, 124 – 126 Nguyen Thi Minh Khai, Ward 6, District 3, Ho Chi Minh.