Privacy Statement

 

We are Sinch. We’re not just experts in messaging…we’re #1. Our cloud communications platform reaches every mobile phone on the planet - in seconds or less.  Customers (and their end-users) need to be able to trust us. Customers trust us to have privacy as a top priority. They trust us to implement the security measures to protect their data. And trust us to not provide information to just anyone that asks.

The following Privacy Statement is applicable on the use of our websites, products, services, or otherwise by interacting with Us. It applies to the processing of personal data carried out by Sinch AB (publ) or any of its subsidiaries (“We”, “Our”, “Us” or “Sinch”). The websites and Portals of Sinch are operated by Sinch Sweden AB unless we state otherwise.  Please do not engage in any of these activities if you do not agree with the terms of this Privacy Statement.

This statement is divided into two parts. Our Privacy Statement and our Cookie Statement. Our Cookie Statement that you find here is connected to a tool on our website that contains more information and allows you to arrange which cookies you may want to accept and which ones you do not want to accept.

In general, Sinch will collect personal data from you based upon our (business) relationship, your use of the Site, Our services and Our products, as set out in the Privacy Statement below. We encourage you to read the entire statement (even if it might be a bit long) but by clicking on the various sections, you can also skip to the sections of the statement that you find most interesting. If you plan to click&skip or just accept or ignore, please do note a quick overview:

  • That Sinch does not sell your personal data to third parties.
  • That Sinch may share your personal data within the group if necessary, to provide the service that you requested or to answer your question in the best way possible.
  • That Sinch website is structured specifically to not attract anyone under 13, nor do We collect or maintain Personal Data on the Site from those who Sinch actually knows are under 13.
  • That Sinch may transfer your personal data to countries outside of the EU/EEA. If we do this, we take sufficient technical, organisational and contractual measures to ensure that an adequate level of data protection is provided.
  • That our recruitment website is covered by a different privacy statement that you can find on the website itself.
  • That Sinch has a Group Data Protection Officer, based in Stockholm, Sweden. She can be reached via DPO@sinch.com whenever you want to use the rights to access, rectification, erasure, object, revoke consent or block data or have any questions.

 

Table of Contents

  • Let’s start at the beginning: who is “we”?
  • So why are we informing you?
    • Sinch as a Controller
    • Sinch as a Processor
  • Next questions: Who provides us with personal data, which information will we have and what will we use the data for?
    • Who provides us with your personal data?
    • We do not process personal data of children
    • We don’t sell personal data.
    • Which information will we have and what will we use the data for?
  • How long will you process my personal data?
  • Who has access to my personal data?
    • Sinch Internal
    • Authorities
    • Companies engaged by Sinch
  • To which kind of countries will my personal data be transferred?
  • Legal and Authority requests
  • What are my rights with regards to my personal data?.
    • Right to access and rectification
    • Right to erasure
    • Right to object and blocking of data
    • Right to revoke
    • Right to data portability
  • How do I make use of my rights?
  • What should I do if I have any questions or complaints?
  • Changes to this Privacy Statement and Cookie Statement

 

Let’s start at the beginning: who is “we”?

The Privacy Statement applies to the processing of personal data carried out by Sinch AB (publ) or any of its subsidiaries (“We”, “Our”, “Us” or “Sinch”). The websites and Portals of Sinch are operated by Sinch Sweden AB unless we state otherwise.  We belong to the Sinch Group of which the head office is Sinch AB (publ.) located at the Lindhagensgatan 74 (postal code: 112 18) in Stockholm, Sweden (hereafter: “Sinch Group”).  Sinch Group is a global leader in cloud communications for mobile customer engagement. We ensure that Sinch is compliant with local data protection laws of the countries where we are established and other applicable data protection laws that may be applicable on your personal data because of where you live.

 

So why are we informing you?

To enable us to fulfil our legal and contractual obligations, to conduct business securely and efficiently and for other specific purposes that are described in this notice, we need to process certain personal information about you (referred to as “personal data”).

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which when collected together or combined with other information can lead to the identification of a particular person, is also personal data.

 

Sinch as a Controller

Sinch is what is known as the “controller”. That means that we are responsible for the processing of your personal data and if you want to use your rights, have any questions or complaints concerning what we do, you can contact us.

This Privacy Statement outlines the kind of personal data that is processed by Sinch in relation to you, how and why we need this personal data, ensure equal and secure treatment of personal data, inform you about your and Sinch’s rights, and ensure that Sinch is in compliance with data protection law, including the general data protection regulation (the “GDPR”).

For more information on which personal data we are processing, please read “Next questions: Who provides us with personal data, which information will we have and what will we use the data for?”

 

Sinch as a Processor

Sinch also acts as a “processor” for most of our services. In that case we process personal data on behalf of our customers (which are mainly companies and institutions). As Processor, Sinch will only process Personal Data pursuant to the instructions of our customer.

We encourage you to also read the privacy statements and policies of your providers. Sinch does not review, comment upon, or monitor its Customers’ compliance with their respective privacy statements and policies, nor does Sinch review Customer instructions to determine whether they are in compliance or conflict with the terms of a Customer’s published privacy policy or statements.

If you have a data subject rights request that is connected to data for which We are the processor, we will ask you to contact the company or institution that is the controller of your personal data.

 

Next questions: Who provides us with personal data, which information will we have and what will we use the data for?

Who provides us with your personal data?

There are three sources that provide us with personal data: you yourself, Sinch and third parties.

We might ask you to provide us with personal data in preparation of the concluding of your new customer agreement or when you are in contact with company within the Sinch Group or want to stay up to date and ask for newsletters.

Third parties may also have provided information about you.

For example: if we are working with a third party that helps us collect feedback from our campaign, you might be approached by them to provide information (if you agreed to this). You will be told clearly whether this information is collected anonymously or that your feedback is provided to us with information that allows us to identify you (most of the time, we will leave the choice to you!). You are then informed about this by this third party (or they inform you together with us). They are responsible for ensuring that the data they provide to us is provided in compliance with applicable data protection law.

And thirdly, Sinch may also produce new personal data in the coming months.

For example: When you are included in our CRM system as you have showed interest in receiving a newsletter or want to be contacted by our salesperson, we may also add information on what kind of information we have provided you with, why you are interested in our services etc.

 

We do not process personal data of children

Protecting the privacy of children is important to Sinch. For that reason, the Site is structured specifically to not attract anyone under 13, nor do We collect or maintain Personal Data on the Site from those who Sinch actually knows are under 13. If Sinch learns or is notified that it has collected information from users under the age of 13, Sinch will immediately delete such Personal Data. If you think that we have collected information from your children or children that are in your care, please contact DPO@sinch.com.

 

We don’t sell personal data

As a matter of policy, We do not sell or rent any of your information to third parties for any advertising or marketing purposes. We may disclose your information in the normal course of providing Our services or sending of Information (so towards subprocessors that act on behalf of Sinch).

 

Which information will we have and what will we use the data for?

We will only process this personal data to fulfil the purposes stated in this notice and the Data Processing Matrix below, and to comply with the law and what is necessary according to law in each jurisdiction. Please note that this privacy statement does not cover our career website as this website has a separate statement.

 

 

Purpose  Personal data type and source  Legal ground  Retention time or criteria 
To enable Sinch to provide you the service that you have requested, for example send you an answer to a question that you have filled into a form or send you a white paper  Contact data; such as phone number, email address, address,  name, company, position, contact preference and any other information that you may provide to Sinch.

Source: Directly from you and/or via third party and/or created by Sinch 

Consent and /or Legitimate interest and/or required by law  As long as required in accordance with applicable law or 2 years after contact without business relationship or 5 years after end of the business relationship or when requested to be deleted and request can be honoured. 
To enable Sinch to administer any consent/opt-out/opt-in that you may have given to us and/or send you emails such as newsletters, invites for seminars/webinars  Contact data; such as phone number, email address, address,  name, company, position, contact preference and any other information that you may provide to Sinch 

Source: Directly from you and/or via third party and/or created by Sinch 

Consent and/or required by law  As long as required by law, required by business process (you are informed at the time when you give us the information) or until you request that we remove you from the opt-out/opt-in list or you have revoked your consent 
To enable Sinch to fulfil its obligations in accordance with the contract between Sinch and its customers, this may include sending you service announcements on elements included within the contract, customer service enquiries  Contact data; such as phone number, email address, address,  name, company, position, contact preference and any other information that you may provide to Sinch

Source: Directly from you and/or via third party and/or created by Sinch 

Consent and /or Legitimate interest and/or required by law and/or to administer contracts that you have with Sinch.  As long as required in accordance with applicable law or 2 years after contact without business relationship or 5 years after end of the business relationship or when requested to be deleted and request can be honoured. 
To enable Sinch to administer, foster and develop your relationship (with the use of a customer relationship management system), perform credit checks and, verification of personal or business data and payment details and other checks before offering our services to customers.  Contact data and financial data; such as phone number, email address, address,  name, company, position, (in very limited cases) personal financial information, contact preference and any other information that you may provide to Sinch

Source: Directly from you and/or via third party and/or created by Sinch 

Consent and /or Legitimate interest and/or required by law and/or to administer contracts that you have with Sinch.  As long as required in accordance with applicable law or 2 years after contact without business relationship or 5 years after end of the business relationship or when requested to be deleted and request can be honoured. 
To enable Sinch to operate, administer access and use of the forums, websites, portals it provides to customers, resellers, developers and other user groups. This may include sending you services announcement (for instance, if Our service is temporarily suspended for maintenance).  Contact data; such as phone number, email address, name, company, position, contact preference and any other information that you may provide to Sinch

Technical data: such as but not limited to, http headers, computer settings when stored, log information on use of portal/forum

Source: Directly from you and/or via third party and/or created by Sinch 

Consent and /or Legitimate interest and/or required by law and/or to administer contracts that you have with Sinch.  As long as required in accordance with applicable law or 2 years after contact or 5 years after end of the business relationship or when requested to be deleted and request can be honoured. 
To enable Sinch to protect its forums, websites, portals and the customer data within these portals against threats and fraud and find vulnerabilities.  Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch

Technical data: such as but not limited to, http headers, computer settings when stored, log information on use of portal/forum,

Source: Directly from you and/or via third party and/or created by Sinch 

Legitimate interest and/or required by law  As long as required in accordance with applicable law or 2 years after contact or 5 years after end of the business relationship or when requested to be deleted and request can be honoured. 
To enable Sinch to (prepare to) administer and fulfil our obligations under mandatory law including providing correct information to relevant authorities)  Contact data; such as phone number, email address, address,  name, company, position, contact preference and any other information that you may provide to Sinch or is created during our communication with you.

Technical data:such as but not limited to, http headers, computer settings when stored, log information on use of portal/forum

Source: Directly from you and/or via third party and/or created by Sinch 

Legitimate interest and/or required by law  As long as required in accordance with applicable law 
To defend the legal position of Sinch.  Contact data; such as phone number, email address, address, name, company, position, contact preference and any other information that you may provide to Sinch or is created during our communication with you.

Technical data: such as but not limited to, http headers, computer settings when stored, log information on use of portal/forum

Source: Directly from you and/or via third party and/or created by Sinch 

Legitimate interest and/or required by law and/or operator agreements  During the as long as required in accordance with applicable law or after the obligatory retention time after 

 

Disclosures for the purposes of defending our legal position or authority requests under “legitimate interest”.

We reserve the right to disclose information as required by law or regulation and when We believe that disclosure is necessary to protect Our rights and/or to comply with a judicial proceeding, court order, or legal process. Notwithstanding any provisions herein, We may disclose Personal Data to governmental authorities when required or reasonably requested to do so by such governmental authorities. This Privacy Policy does not apply to the extent that it is in conflict with any law that may be applicable to the Personal Data of a Data Subject.

One topic that we need to explain according to the GDPR, is why we consider that we have a legitimate interest for processing part of this personal data.

Sinch is very much a global organisation and plans all work globally or for specific regions (e.g. EU) or departments (e.g. Engineering) or even products (e.g. our Sinch SMS products). In order to be able to do this and to fulfil the obligations that we and Sinch Group has, the personnel that is responsible for this, needs to be able to plan and execute, and need data for this. Personal data will also be stored based on Sinch’s legal interest to defend itself against alleged legal claims for as long a claim can be invoked against Sinch. This may for example be when a customer has terminated his agreement or has gone bankrupt and we need to make sure that all communication surrounding this termination/bankruptcy is documented and kept as long as necessary.

That does not mean that we just provide the information to anyone without limitations. We do look at the nature of the data and whether it is necessary for our purpose. If not, then we do not use it.  We will, of course, only use data in ways that you would reasonably expect and that have a minimal privacy impact (we put appropriate safeguards in place, such as limiting access to the information and anonymise/pseudonymise the personal data where possible). Based on the reasons we want to process the personal data and our efforts to minimize the privacy impact, we do not expect that it is likely that you will object to it. If you might want to object to it or just would like to receive more information, please read “Right to object” below, and contact us on dpo@sinch.com.

In the context of the purposes that we addressed above, such as for example the transmission of personal data within the Sinch Group for internal administrative purposes as described within the matrix we are aware legitimate interest is the basis for the transfer but we also still need to fulfil the requirements on transferring personal data to a company in a third country still apply. More about this below.

 

How long will you process my personal data?

We only keep your personal data as long as necessary for the purposes that are described above in the Data Processing Matrix: as long as we have a legitimate interest, to comply with the relevant law in your country or fulfil a legal request by a supervisor authority.  Most of the time, how long we need to keep the data is decided by law on a local/national level. It can however be that there are deviations due to legal obligations on Sinch Group.

Accordingly, when the purpose has been fulfilled in relation to a specific type of personal data, we will stop using the personal data for that purpose and, if the same data is not relevant for any other purpose, delete the relevant personal data as soon as reasonably possible. Deletion is done in accordance with best business practices or as is required in accordance with any ISO or other relevant certifications that the Sinch Group may hold.

If you want us to delete or block your personal data, please go to “how can I make use of my rights?”

 

Who has access to my personal data?

Sinch Internal

Personal data will only be available to authorized employees holding a position that requires them to process personal data to perform their work. These employees will only be granted access in accordance with the principle of “least privilege”, meaning that our personnel will only have access to personal data that is strictly necessary for the purpose of the processing to perform their work.

Due to the fact that Sinch carries out business activities in a number of different countries, personal data may need to be transferred to Sinch affiliates and/or subsidiaries outside of your own home country that need to receive the personal data for the Sinch group’s internal administrative purposes or the purposes in this statement. This transfer is based on a legitimate interest (see above) as it is necessary within the Sinch Group for internal administrative purposes as described within the matrix.

Below you will find a schedule of Sinch Group Companies where Sinch Group employees sit that may have access to your personal data. In case of questions, please contact the DPO via dpo@sinch.com.

Name company  Address 
Sinch AB (publ) 

 

Lindhagensgatan 74, 112 18 Stockholm (Sweden)

Org. number 556882-8908 – Stockholm 

Sinch Sweden AB 

 

Lindhagensgatan 74, 112 18 Stockholm (Sweden)

Org. number 556747-5495 – Stockholm 

Sinch Holding AB  Lindhagensgatan 74, 112 18 Stockholm (Sweden)

Org. number 559061-2791 – Stockholm 

Sinch UK Ltd.  Cap House, 9-12 Long Lane,  London, EC1A 9HA (UK)

Org.-number 03049312 – London 

Sinch America Inc. (only for specific purposes and specific companies) 

 

 7000 Central Parkway Suite 1480. Atlanta, GA 30328 (USA)

Org. number 77220277010 – USA

 MyElefant SAS   43, rue de Dunkerque, 75010, Paris (France)

Org. number  524 353 299 – France

Chatlayer B.V.  Oudeleeuwenrui 39 1st floor, 2000 Antwerp (Belgium)

Org. number 0691.917.430 – Belgium

   

 

 

If Sinch acquires a company or its assets, Sinch will inform the customers and ensure that they can envoke the same rights as they If another company acquires Sinch or its assets, that company will (a) process that Personal Data held by Sinch, and (b) assume the rights and obligations regarding such Personal Data described in this Privacy Policy.

 

Authorities

Sinch may need to provide personal data to relevant authorities (e.g. social insurance agencies and the tax authority) in accordance with mandatory law, in order to fulfil legal obligations in the jurisdiction where we (in the future) employ our employees and/or when we get a request of an authority. We will only do this when we have a legal ground to do this and will ensure to take appropriate security measure to protect the personal data.

 

Companies engaged by Sinch

In addition to the Sinch Group internal companies, your personal data may also be transferred to and processed by third party providers and suppliers which perform services for Sinch (also known as “data processors”), to enable these companies to perform the services requested by us.

Services which may be requested include the provision of infrastructure and IT devices, insurance, administration, and IT services. Only personal data that is necessary to fulfil the purposes for which we engage these third parties will be provided. Currently, the list of companies can be found here.

All third-party providers and suppliers must follow our instructions and have entered into a, by law required, written agreement. Our third-party providers must implement appropriate technical and organizational measures for the protection of the personal data and we regularly check whether they fulfill the requirements that we have given to these companies.

 

To which kind of countries will my personal data be transferred?

Even within the Sinch Group, your personal data may be transferred to countries outside of the European Union. To ensure that Sinch compliant with legislation and Sinch Group’s current policies regarding transfer of personal data, and that we take the appropriate measures to keep your personal data secure, Sinch uses a data processing agreement that fulfils the requirements set by the GDPR, in combination with appropriate technical and organizational measures for the protection of the personal data. If personal data needs to be transferred to a country that offers a lower level of protection for personal data than is required by applicable law (for example: USA or India), we will conclude the European Standard Contractual Clauses (that were decided upon by the European Commission) and do regular follow-ups to see whether our requirements are fulfilled.

 

Legal and Authority requests

Our customers and Authorities require us to have processes and procedures in place to ensure that we only provide information when we are required to do so. Sinch however also knows that it is our responsibility to fulfil requests of authorities whenever the law obliges us to do so. Sinch acknowledges that there is a fine line here that requires internal documentation and thorough assessment and has set up a process to implement these practices within the entire group.

All requests for data and information, preservation requests, preservation extension requests should be submitted to authorityrequests@sinch.com or, if the request needs to be served in person or via mail to the registered address of the company of which you request the information.

Requests concerning support with legal matter can be send to legal@sinch.com.

 

What are my rights with regards to my personal data?

Right to access and rectification

You have the right to request access to the personal data relating to you. This includes the right to be informed whether personal data about you is being processed, what personal data is being processed, and for which purposes we use the personal data. You also have the right to request rectification or add personal data if you feel that the personal data that we are processing, is inaccurate or incomplete.

 

Right to erasure

You may also request that your personal data be erased if e.g. the personal data is no longer necessary for the purposes for which it was collected, the processing is unlawful, or the personal data has to be erased to enable us to comply with a legal requirement. There are other circumstances where your personal data can be erased; please contact us if you would like to find out whether your personal data can be erased (see below for contact details).

Please note that we may need to reject your request if the processing is permitted or even required according to law or any other relevant legal ground. We will of course block any information for purposes that are not covered by this. If so, we will of course inform you of this (and if possible, include the date that we can delete the information).

 

Right to object and blocking of data

You are also entitled to object to certain processing or request that the processing of the personal data be restricted or blocked if you believe the personal data may not be correct, if you believe the processing is unlawful, or if you believe that Sinch no longer needs the personal data for the purposes stated in this policy.

We would like to inform you in advance that there are however two situations that even if you object, we might need to continue processing:

  • This when we may need continue this processing when we are permitted or even required to do so by law. This could for example be to enable us to fulfil legal requirements, administer the employment, fulfil legal obligations, or fulfil obligations under a contract with you.
  • This is when we process of your information is based on a legitimate interest and we can demonstrate compelling and legitimate reasons for such processing that overrides your privacy interest or for the establishment, exercise, or defence of legal claims.

We will of course block any information for purposes that are not covered by this. If so, we will of course inform you of this.

Please note that if you object to receiving service announcements, the following applies: Generally, you cannot opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account or object to receiving these messages within the applicable portal. This may cause you not to know about any disruptions or changes within our services. We do not take any responsibility for this as this is by your own choice.

 

Right to revoke

If you have provided us with consent to process or transfer certain data, you have the right to withdraw your consent under the GDPR at any time. The withdrawal of consent shall not affect the legality of the processing carried out based on the consent until such withdrawal. You can contact our Data Protection Officer (DPO) via dpo@sinch.com if you want to revoke your consent.

 

Right to data portability

If you request access to personal data about you that you yourself have provided and if the personal data is being processed automatically with your consent or in accordance with a contract between you and Sinch, you may request that the data is provided in a structured, commonly used and machine readable format and you may also request that the personal data is transmitted to another controller, if this is technically feasible.

 

How do I make use of my rights?

If you want to use any of the rights that are listed above, you can contact our Data Protection Officer (DPO) via dpo@sinch.com. You can use the same contact details if you should have any questions in relation to the processing of your personal data. If you want to send our DPO something by normal mail, you can use the same address as where Sinch AB is established. This is valid for all companies within the Sinch Group. If necessary, we ensure that it will reach the correct person.

Please note that we may contact you and ask you to confirm your identity to ensure that we do not disclose your personal data to any unauthorized person, and that we may ask you to specify your request before we perform any actions. Once we have confirmed your identity and understood exactly what you would like, we will handle your request in accordance with applicable law.What should I do if I have any questions or complaints?If you have any questions, the Data Protection Officer of Sinch Group can be reached via dpo@sinch.com. You, of course, also write to our Data Protection Officer if you have a complaint and you have the right to file a complaint with the relevant authority in the country where you live, work or where an alleged infringement of the GDPR has occurred.For Sinch AB (publ.), the relevant authority in Sweden is IMY, formerly known as Datainspektionen (The Swedish Data Protection Authority, www.IMY.se).If you are not located within the EU: you should reach out to the relevant authority in Europe where the infringement has occurred. If you are unsure of which competent authority to turn to, you can of course always contact the DPO via dpo@sinch.com.Changes to this Privacy Statement and Cookie StatementWe reserve the right to modify this Privacy Statement and the Cookie Statement at any time, so please review it regularly. If We make changes to this Privacy Policy or the Cookie Statement,We will post the revised statement on the website and other places We deem it to be appropriate. If we change the material content of the statements, We will summarize these within the next statement. All such changes shall be binding on moment of publication.If we change the cookies, this will be visible in our tool.Last change June 2nd, 2021Change: we have updated our privacy statement to improve on readability, add more information on how we are processing personal data, our subprocessors and our processes for authority requests and legal requests.

 

Sinch AB – Data Protection Officer
Lindhagensgatan 74
112 18
Stockholm, Sweden

Please note that we may contact you and ask you to confirm your identity to ensure that we do not disclose your personal data to any unauthorized person, and that we may ask you to specify your request before we perform any actions. Once we have confirmed your identity and understood exactly what you would like, we will handle your request in accordance with applicable law.

 

What should I do if I have any questions or complaints?

If you have any questions, the Data Protection Officer of Sinch Group can be reached via dpo@sinch.com. You, of course, also write to our Data Protection Officer if you have a complaint and you have the right to file a complaint with the relevant authority in the country where you live, work or where an alleged infringement of the GDPR has occurred.

For Sinch AB (publ.), the relevant authority in Sweden is IMY, formerly known as Datainspektionen (The Swedish Data Protection Authority, www.IMY.se).

If you are not located within the EU: you should reach out to the relevant authority in Europe where the infringement has occurred. If you are unsure of which competent authority to turn to, you can of course always contact the DPO via dpo@sinch.com.

 

Changes to this Privacy Statement and Cookie Statement

We reserve the right to modify this Privacy Statement and the Cookie Statement at any time, so please review it regularly. If We make changes to this Privacy Policy or the Cookie Statement,

We will post the revised statement on the website and other places We deem it to be appropriate. If we change the material content of the statements, We will summarize these within the next statement. All such changes shall be binding on moment of publication.

If we change the cookies, this will be visible in our tool.

 

Last change June 2nd, 2021

Change: we have updated our privacy statement to improve on readability, add more information on how we are processing personal data, our subprocessors and our processes for authority requests and legal requests.