We are Sinch. We’re not just experts in messaging…we’re #1. Our cloud communications platform reaches every mobile phone on the planet - in seconds or less. Customers (and their end-users) need to be able to trust us. Customers trust us to have privacy as a top priority. They trust us to implement the security measures to protect their data. And trust us to not provide information to just anyone that asks.
The following Privacy Statement is applicable on the use of our websites, products, services, or otherwise by interacting with Us. It applies to the processing of personal data carried out by Sinch AB (publ) or any of its subsidiaries (“We”, “Our”, “Us” or “Sinch”). The websites and Portals of Sinch are operated by Sinch Sweden AB unless we state otherwise. Please do not engage in any of these activities if you do not agree with the terms of this Privacy Statement.
This statement is divided into two parts: our Privacy Statement and our Cookie Statement. Our Cookie Statement that you find here is connected to a tool on our website that contains more information and allows you to arrange which cookies you may want to accept and which ones you do not want to accept.
In general, Sinch will collect personal data from you based upon our (business) relationship, your use of the Site, Our services and Our products, as set out in the Privacy Statement below. We encourage you to read the entire statement (even if it might be a bit long) but by clicking on the various sections, you can also skip to the sections of the statement that you find most interesting.
If you plan to click&skip or just accept or ignore, please do note a quick overview:
• That Sinch does not sell your personal data to third parties.
• That Sinch may share your personal data within the group if necessary, to provide the service that you requested or to answer your question in the best way possible.
• That Sinch may transfer your personal data to countries outside of the EU/EEA. If we do this, we take sufficient technical, organisational and contractual measures to ensure that an adequate level of data protection is provided.
• That Sinch has a Group Data Protection Officer, based in Stockholm, Sweden. She can be reached via DPO@sinch.com whenever you want to use the rights to access, rectification, erasure, object, revoke consent or block data or have any questions.
Let’s start at the beginning: who is “we”?
The Privacy Statement applies to the processing of personal data carried out by Sinch AB (publ) or any of its subsidiaries (“We”, “Our”, “Us” or “Sinch”). The websites and Portals of Sinch are operated by Sinch Sweden AB unless we state otherwise. We belong to the Sinch Group of which the head office is Sinch AB (publ.) located at the Lindhagensgatan 74 (postal code: 112 18) in Stockholm, Sweden (hereafter: “Sinch Group”). Sinch Group is a global leader in cloud communications for mobile customer engagement. We ensure that Sinch is compliant with local data protection laws of the countries where we are established and other applicable data protection laws that may be applicable on your personal data because of where you live.
So why are we informing you?
To enable us to fulfil our legal and contractual obligations, to conduct business securely and efficiently and for other specific purposes that are described in this notice, we need to process certain personal information about you (referred to as “personal data”).
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, when collected together or combined with other information, can lead to the identification of a particular person are also personal data.
Sinch as a Controller
Sinch is what is known as the “controller”. That means that we are responsible for the processing of your personal data and if you want to use your rights, have any questions or complaints concerning what we do, you can contact us.
This Privacy Statement outlines the kind of personal data that is processed by Sinch in relation to you, and how and why we need this personal data. It is intended to ensure equal and secure treatment of personal data, to inform you about your and Sinch’s rights, and to ensure that Sinch is in compliance with data protection law, including the General Data Protection Regulation (the “GDPR”).
For more information on which personal data we are processing, please read “Next questions: Who provides us with personal data, which information will we have and what will we use the data for?”
Sinch as a Processor
Sinch also acts as a “processor” for most of our services. In that case we process personal data on behalf of our customers (which are mainly companies and institutions). As Processor, Sinch will only process Personal Data pursuant to the instructions of our customer.
If you have a data subject rights request that is connected to data for which We are the processor, we will ask you to contact the company or institution that is the controller of your personal data.
Next questions: Who provides us with personal data, which information will we have and what will we use the data for?
Who provides us with your personal data?
There are three sources that provide us with personal data: you yourself, Sinch and third parties.
We might ask you to provide us with personal data in preparation for concluding your new customer agreement, when you are in contact with a company within the Sinch Group, or when you want to stay up to date and ask for newsletters.
Third parties may also have provided information about you.
For example: if we are working with a third party that helps us collect feedback from our campaign, you might be approached by them to provide information (if you agreed to this). You will be told clearly whether this information is collected anonymously or that your feedback is provided to us with information that allows us to identify you (most of the time, we will leave the choice to you!). You are then informed about this by this third party (or they inform you together with us). They are responsible for ensuring that the data they provide to us is provided in compliance with applicable data protection law.
And thirdly, Sinch may also produce new personal data in the coming months.
For example: when you are included in our CRM system because you have shown interest in receiving a newsletter or want to be contacted by our salesperson, we may also add information on what kind of information we have provided you with, why you are interested in our services etc.
We do not process personal data of children
Protecting the privacy of children is important to Sinch. For that reason, the Site is structured specifically to not attract anyone under 13, nor do We collect or maintain Personal Data on the Site from those who Sinch actually knows are under 13. If Sinch learns or is notified that it has collected information from users under the age of 13, Sinch will immediately delete such Personal Data. If you think that we have collected information from your children or children that are in your care, please contact DPO@sinch.com.
We don’t sell personal data
As a matter of policy, We do not sell or rent any of your information to third parties for any advertising or marketing purposes. We may disclose your information in the normal course of providing Our services or sending of Information (so towards subprocessors that act on behalf of Sinch).
Which information will we have and what will we use the data for?
We will only process this personal data to fulfil the purposes stated in this notice and the Data Processing Matrix below, and to comply with the law and what is necessary according to law in each jurisdiction. Please note that this privacy statement does not cover our career website as this website has a separate statement.
Disclosures for the purposes of defending our legal position or authority requests under “legitimate interest”.
One topic that we need to explain according to the GDPR, is why we consider that we have a legitimate interest for processing part of this personal data.
Sinch is very much a global organisation and plans all work globally or for specific regions (e.g. EU) or departments (e.g. Engineering) or even products (e.g. our Sinch SMS products). In order to be able to do this and to fulfil the obligations that we and Sinch Group have, the personnel responsible for this need to be able to plan and execute, and need data for this. Personal data will also be stored based on Sinch’s legal interest to defend itself against alleged legal claims for as long as a claim can be invoked against Sinch. This may for example be when a customer has terminated his agreement or has gone bankrupt and we need to make sure that all communication surrounding this termination/bankruptcy is documented and kept as long as necessary.
That does not mean that we just provide the information to anyone without limitations. We do look at the nature of the data and whether it is necessary for our purpose. If not, then we do not use it. We will, of course, only use data in ways that you would reasonably expect and that have a minimal privacy impact (we put appropriate safeguards in place, such as limiting access to the information and anonymise/pseudonymise the personal data where possible). Based on the reasons we want to process the personal data and our efforts to minimize the privacy impact, we do not expect that it is likely that you will object to it. If you might want to object to it or just would like to receive more information, please read “Right to object” below, and contact us on firstname.lastname@example.org.
In the context of the purposes that we addressed above, such as the transmission of personal data within the Sinch Group for internal administrative purposes as described within the matrix, we are aware that legitimate interest is the basis for the transfer, but the requirements on transferring personal data to a company in a third country still apply and we still need to fulfil them. More about this below.
How long will you process my personal data?
We only keep your personal data as long as necessary for the purposes that are described above in the Data Processing Matrix: as long as we have a legitimate interest, to comply with the relevant law in your country or fulfil a legal request by a supervisory authority. Most of the time, how long we need to keep the data is decided by law on a local/national level. It can however be that there are deviations due to legal obligations on Sinch Group.
Accordingly, when the purpose has been fulfilled in relation to a specific type of personal data, we will stop using the personal data for that purpose and, if the same data is not relevant for any other purpose, delete the relevant personal data as soon as reasonably possible. Deletion is done in accordance with best business practices or as is required in accordance with any ISO or other relevant certifications that the Sinch Group may hold.
If you want us to delete or block your personal data, please go to “how can I make use of my rights?”
Who has access to my personal data?
Personal data will only be available to authorized employees holding a position that requires them to process personal data to perform their work. These employees will only be granted access in accordance with the principle of “least privilege”, meaning that our personnel will only have access to personal data that is strictly necessary for the purpose of the processing to perform their work.
Due to the fact that Sinch carries out business activities in a number of different countries, personal data may need to be transferred to Sinch affiliates and/or subsidiaries outside of your own home country that need to receive the personal data for the Sinch group’s internal administrative purposes or the purposes in this statement. This transfer is based on a legitimate interest (see above) as it is necessary within the Sinch Group for internal administrative purposes as described within the matrix.
Below you will find a schedule of Sinch Group Companies where Sinch Group employees sit that may have access to your personal data. In case of questions, please contact the DPO via email@example.com.
Sinch may need to provide personal data to relevant authorities (e.g. social insurance agencies and the tax authority) in accordance with mandatory law, in order to fulfil legal obligations in the jurisdiction where we (in the future) employ our employees and/or when we get a request from an authority. We will only do this when we have a legal ground to do so and will ensure that we take appropriate security measures to protect the personal data.
Companies engaged by Sinch
In addition to the Sinch Group internal companies, your personal data may also be transferred to and processed by third party providers and suppliers which perform services for Sinch (also known as “data processors”), to enable these companies to perform the services requested by us.
Services which may be requested include the provision of infrastructure and IT devices, insurance, administration, and IT services. Only personal data that is necessary to fulfil the purposes for which we engage these third parties will be provided. Currently, the list of companies can be found here.
All third-party providers and suppliers must follow our instructions and have entered into a written agreement, as required by law. Our third-party providers must implement appropriate technical and organizational measures for the protection of the personal data and we regularly check whether they fulfill the requirements that we have given to these companies.
To which kind of countries will my personal data be transferred?
Even within the Sinch Group, your personal data may be transferred to countries outside of the European Union. To ensure that Sinch is compliant with legislation and Sinch Group’s current policies regarding transfer of personal data, and that we take the appropriate measures to keep your personal data secure, Sinch uses a data processing agreement that fulfils the requirements set by the GDPR, in combination with appropriate technical and organizational measures for the protection of the personal data. If personal data needs to be transferred to a country that offers a lower level of protection for personal data than is required by applicable law (for example: USA or India), we will conclude the European Standard Contractual Clauses (that were decided upon by the European Commission) and do regular follow-ups to see whether our requirements are fulfilled.
Legal and Authority requests
Our customers and Authorities require us to have processes and procedures in place to ensure that we only provide information when we are required to do so. Sinch however also knows that it is our responsibility to fulfil requests of authorities whenever the law obliges us to do so. Sinch acknowledges that there is a fine line here that requires internal documentation and thorough assessment and has set up a process to implement these practices within the entire group. All requests for data and information, preservation requests and preservation extension requests should be submitted to firstname.lastname@example.org or, if the request needs to be served in person or via mail, to the registered address of the company from which you request the information. Requests concerning support with legal matters can be sent to email@example.com.
What are my rights with regards to my personal data?
Right to access and rectification
You have the right to request access to the personal data relating to you. This includes the right to be informed whether personal data about you is being processed, what personal data is being processed, and for which purposes we use the personal data. You also have the right to request rectification or add personal data if you feel that the personal data that we are processing is inaccurate or incomplete.
Right to erasure
You may also request that your personal data be erased if e.g. the personal data is no longer necessary for the purposes for which it was collected, the processing is unlawful, or the personal data has to be erased to enable us to comply with a legal requirement. There are other circumstances where your personal data can be erased; please contact us if you would like to find out whether your personal data can be erased (see below for contact details). Please note that we may need to reject your request if the processing is permitted or even required according to law or any other relevant legal ground. We will of course block any information for purposes that are not covered by this. If so, we will of course inform you of this (and if possible, include the date that we can delete the information).
Please note that if you object to receiving service announcements, the following applies: Generally, you cannot opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account or object to receiving these messages within the applicable portal. This may cause you not to know about any disruptions or changes within our services. We do not take any responsibility for this as this is by your own choice.
Right to revoke
If you have provided us with consent to process or transfer certain data, you have the right to withdraw your consent under the GDPR at any time. The withdrawal of consent shall not affect the legality of the processing carried out based on the consent until such withdrawal. You can contact our Data Protection Officer (DPO) via firstname.lastname@example.org if you want to revoke your consent.
Right to data portability
If you request access to personal data about you that you yourself have provided and if the personal data is being processed automatically with your consent or in accordance with a contract between you and Sinch, you may request that the data is provided in a structured, commonly used and machine readable format and you may also request that the personal data is transmitted to another controller, if this is technically feasible.
How do I make use of my rights?
If you want to use any of the rights that are listed above, you can contact our Data Protection Officer (DPO) via email@example.com. You can use the same contact details if you should have any questions in relation to the processing of your personal data. If you want to send our DPO something by normal mail, you can use the same address as where Sinch AB is established. This is valid for all companies within the Sinch Group. If necessary, we ensure that it will reach the correct person.
Sinch AB – Data Protection Officer, Lindhagensgatan 74, 112 18 Stockholm, Sweden
Please note that we may contact you and ask you to confirm your identity to ensure that we do not disclose your personal data to any unauthorized person, and that we may ask you to specify your request before we perform any actions. Once we have confirmed your identity and understood exactly what you would like, we will handle your request in accordance with applicable law.
What should I do if I have any questions or complaints?
If you have any questions, the Data Protection Officer of Sinch Group can be reached via firstname.lastname@example.org. You can, of course, also write to our Data Protection Officer if you have a complaint, and you have the right to file a complaint with the relevant authority in the country where you live, work or where an alleged infringement of the GDPR has occurred.
For Sinch AB (publ.), the relevant authority in Sweden is IMY, formerly known as Datainspektionen (The Swedish Data Protection Authority, www.IMY.se). If you are not located within the EU: you should reach out to the relevant authority in Europe where the infringement has occurred. If you are unsure of which competent authority to turn to, you can of course always contact the DPO via email@example.com.
Changes to this Privacy Statement and Cookie Statement
We will post the revised statement on the website and other places We deem it to be appropriate. If we change the material content of the statements, We will summarize these within the next statement. All such changes shall be binding from the moment of publication.
If we change the cookies, this will be visible in our tool.
Last change June 2nd, 2021
Change: we have updated our privacy statement to improve on readability, add more information on how we are processing personal data, our subprocessors and our processes for authority requests and legal requests.