PAASOO (IRELAND) PRIVACY POLICY
Effective date: February 19, 2024
In this Privacy Policy, “we”, “us”, “our” or “PaaSoo” will refer collectively to PAASOO TECHNOLOGY (IRELAND) LIMITED, a private company limited by shares incorporated under the Irish Companies Act 2014 with company registration number 675998, VAT number IE3724088JH and having its registered office at Landscape House, Baldonnell Business Park, Baldonnell, Dublin 22, D22 P3K7, Ireland and any and all its Affiliates. As used herein, the term “Affiliate” shall mean any entity controlling, controlled by or under common control with PaaSoo, where "control" means an entity’s (a) ownership, directly or indirectly, of equity securities entitling it to exercise in the aggregate at least 50% of the voting power of the entity in question; or (b) possession directly or indirectly, of the power to direct or cause the direction of the management and policies of or with respect to the entity in question, whether through ownership of securities, by contract or otherwise. The terms “you,” “your” and “Customer” will refer to any client, visitor, or user of PaaSoo Services.
PaaSoo is a cloud communications platform providing reliable and high-quality text, voice and omnichannel APIs and applications, enabling enterprise and aggregator customers to reach their global users.
Here at PaaSoo we treat the protection of your personal data and your end customers’ personal data (hereinafter referred to as “End-User(s)” or “End-User(s) Data) very seriously. This privacy policy will explain you your rights regarding the personal identifying information that you share with us, how we will process this information in connection with your use of our services, including our website and how to contact us. We want to make sure that you make informed decisions about personal information when using PaaSoo applications or building your own software applications on PaaSoo’s platform. We also want to provide you with relevant information to help your End Users make informed decisions about their personal information when they use your software applications built on PaaSoo’s platform.
What is personal data?
“Personal data” means any information about a living person (the “data subject”), where that person either is identified or could be identified. Personal data can cover various types of information, such as name, date of birth, email address, phone number, address, physical characteristics, or location data – once it is clear to whom that information relates, or it is reasonably possible to find out. Even where personal information is partially anonymised, or pseudonymised, but this could be reversed and the data subject could possibly be identified using additional information, it should still be considered personal data. However, if information is truly anonymised, irreversibly, and could not be traced back to an identified person, it is not considered personal data
Which categories of personal information are being collected and processed by PaaSoo?
PaaSoo processes the following categories of personal information when you use our services:
- Your personal information as a customer (or potential customer) of PaaSoo’s services — hereinafter referred to as "Customer Account Data". The Customer Account data is all the personal data we collect from you to manage your PaaSoo account including providing you support and charging you for our services. If you have a multi-user account, the personal information of your invited users will also be considered as Customer Account Data. Please note that personal data does not include generic business names, business addresses, generic email addresses (e.g., billing@ or info@) or any other general business information, as long as this information has not been linked to an individual.
- The personal data you share with PaaSoo when you send or receive communications through your use of our services — hereinafter referred to as “Customer Usage data”. For example, when you visit our websites, we use cookies to collect the log information such as your Internet Protocol address, browser type, bowser language and the date and time of your query. For more information on what cookies are and how we use them, please read our Cookies Policy.
- The personal information of your End Users who use or interact with your application that you’ve built on PaaSoo’s platform, like the people you communicate by way of that application — hereinafter referred to as “Traffic Data”. Traffic Data is processed by PaaSoo to handle the communication exchanged during the use of PaaSoo’s services. The Traffic Data include the data on the routing, type, duration, and time of the communication and the data used to trace and identify the source and destination of a communication (e.g., communications metadata, contents of communications, SMS terminated to or originated from your End-Users and their phone numbers). PaaSoo processes these categories of personal information differently because the direct relationship we have with you, our Customer, is different than the indirect relationship we have with your End Users. Customers shall comply with all applicable laws and regulations when they collect, record and process End-Users Data using PaaSoo APIs, services or applications.
Multi-User Account. In case of multi-user account, the account administrator (referred in this clause as the “Customer”) is responsible for the collection and processing of personal data of all users of the PaaSoo account. The Customer shall comply with all applicable legal and regulatory provisions, and in particular the regulations applicable to the protection of personal data and obtain any prior authorizations required.
How does PaaSoo use and process the personal information?
The collection and process of personal information from individuals based in the European Economic Area (EEA) are governed by the General Data Protection Regulation n 2016/679 well known as GDPR. Such regulation has implemented a high-level standard of personal data protection. Although the GDPR is directly applicable as a law in all Member States of the European Union, it allows for certain issues to be given further effect in national law. In Ireland, the national law, which, amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018 which was signed into law on 24 May 2018.
According to these regulations, any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
As a global communication service provider, PaaSoo aims to comply with the GDPR and any other applicable data privacy law to ensure the best security for your personal data and your End Users personal information.
The GDPR differentiates between "controllers" and "processors" of personal information. A controller refers to a person, company, or other body that decides how and why a data subject’s personal data are processed. A processor refers to a person, company, or other body which processes personal data on behalf of a controller. A processor does not decide how or why processing takes place, but instead carry out processing on the orders of a controller.
PaaSoo is both a data controller and a data processor:
- As a data controller, PaaSoo collects and processes personal data from visitors to PaaSoo’s website and from customers that sign up for our services, including personal data from users to whom customers have granted permission to access and use the Services. In this context, PaaSoo determines how this personal data is collected, processed and shared.
- As a data processor, PaaSoo collects and processes personal data from End Users of PaaSoo’s registered customers and only does so as per customer’s requirements.
When PaaSoo processes Traffic Data, we generally act as a processor. When we process Customer Account Data, we act as a processor in many respects, but we may act as a controller in others. For example, we may need to use certain Customer Account Data for the legitimate interests of billing and in the context of troubleshooting and detecting problems with the network.
The following table explains what personal data we collect from you, how we process it, how we classify personal data and, according to personal data protection regulations, what is the legal basis for the processing of this personal data.
In data protection terms a “legal basis” (also referred to as a “lawful basis” or “lawful reason”) means the legal justification for the processing of personal data. A valid legal basis is required in all cases if a data subject’s personal data are to be lawfully processed in line with data protection law. Under the GDPR, there are six possible legal bases for processing personal data, found in Article 6, namely: consent; contractual necessity; compliance with a legal obligation; protecting vital interests; performance of an official or public task; and legitimate interests (where the interest is not outweighed by the data subject’s).
| Personal data collected | Personal data processing | Type of personal data | Legal basis for processing |
|---|---|---|---|
| Contact data (name, phone number, email address). In case of a multi-user account, the contact data includes the contact data of the account administrator and all invited users. PaaSoo may require additional information such as your passport or ID to verify your identity while processing to payment. You will be specifically informed in such event. | This data is used throughout your relationship with PaaSoo including opening an account, managing your account, configure your settings, send emails/alerts, giving you support and communicating with you through our sales team or customer support team. We also use this data to carry out core business operations such as accounting, filing taxes, and fulfilling regulatory obligations. We may also use this data to help us detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of our services. | Customer Account Data | Performance of a contract: we process this information to fulfil our contractual obligations to you as part of your engagement with PaaSoo. |
| Commercial information, history of our customers and information about your organization and contacts, such as colleagues or people within your organization. | We collect commercial information when we keep track of the services that you purchase from us and our communications history about those services. | Customer Account Data | Performance of a contract: we process this information to fulfil our contractual obligations to you as part of your engagement with PaaSoo. |
| Sending and receiving phone numbers and message content | We use this data to be able to provide you with SMS services. | Customer Usage Data Traffic Data | Performance of a contract: we process this information to fulfil our contractual obligations to you as part of your engagement with PaaSoo. |
| Payment management | In order to pay for our services, we need information about your payment method. We also keep history of your usage and payments for you to be able to verify our charges and if necessary, dispute any billing. PaaSoo does not collect your credit card information since the whole payment process is hosted and handled by PayPal. For more information, we recommend you to read PayPal terms of use. | Customer Account Data Customer Usage Data | Performance of a contract: we process this information to fulfil our contractual obligations to you as part of your engagement with PaaSoo. |
| Voice recording | As part of our services, we store voice recordings for you, and we provide you with other services such as IVR. | Customer Usage data Traffic Data | Performance of a contract: we process this information to fulfil our contractual obligations to you as part of your engagement with PaaSoo. |
| Internet and other electronic activity information | We collect Internet and other electronic activity information, such as communications metadata, as you browse our website or use our services. This metadata may be information about how you browse our websites and what features you use on our service. | Customer Usage Data | Consent: by clicking you have given us consent to the processing of your personal data for one or more specific purposes. |
| Cookies tracking including IP address, browser type and language, location, date and time of your query | When you visit our websites, we may collect the log information such as your IP address, and browser type and language. We can also collect geolocation information. Depending on the product or service, this could be location based on your IP address, or such as if you are using our IoT products and services, based on the cell tower to which a mobile device is connected, or Wi-Fi triangulation. We use this information to understand who is using our services and how, and to detect, prevent and investigate fraud, abuse, or security incidents. | Customer Usage Data | Consent: we only collect and process your data for the purposes set out in our Privacy Policy and Cookies Policy or for specific purposes that we share with you and/or that you have consented to. You have the right to withdraw your consent at any time. |
| Professional or employment information | We may collect professional or employment information, such as the company you work for or your position in this company. For more information, please see our Employment Privacy Notice. | Customer Account Data | Performance of a contract: we process this information to fulfil our contractual obligations to you as part of your engagement with PaaSoo. |
| Your feedback about our service | If you attend an event or fill out a form or survey with us, we might collect your age, your gender, or other information that counts as characteristics of protected classifications; however, we will only collect those with your knowledge and opt-in consent. | Customer Usage Data | Consent: we only collect and process your data for specific purposes that we share with you and/or that you have consented to. You have the right to withdraw your consent at any time. |
How long does PaaSoo store the personal information?
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Details regarding how long personal information may be stored on PaaSoo systems and how to delete, access, or exercise other rights about this personal data will depend on which PaaSoo products and services you are using and how you are using them. For example, device information and information obtained using cookie technologies will be used and retained for a maximum period of two years after the collection whereas accounting records detailing company transactions, including supporting documents, should be retained for a period of seven years.
Customer Account Data
PaaSoo will retain these records for as long you instruct and:
- If no specific instruction is given to delete these records, then PaaSoo will store the Customer Account Data for as long as it is necessary to maintain your customer account and provide you with our services and in no event later than seven (7) years after deletion of your Customer account unless there are outstanding claims or complaints that will reasonably require personal information to be retained.
- In the event you have requested PaaSoo to delete your Customer Account Data, PaaSoo shall keep the corresponding records including the transaction details up to seven (7) years to respond to legal requirements. Please note that in such case, your customer account will be automatically deleted, and no further services will be provided to you.
What happens if you request the deletion of your Customer Account Data?
Customer Account Data is necessary to maintain your account and to provide you with the services. Please be aware that should you request PaaSoo to delete your Customer Account Data, no further services will be provided to you and your customer account will be deleted. In such event you will not be relieved of your payment obligation.
In the event your Customer account is deleted, or our partnership is terminated, your Customer Account Data will be automatically deleted and subject to the policy described in this section in terms of retention period.
Traffic Data
In terms of retention period, PaaSoo will treat differently your End Users’ message content and phone numbers as explained below.
Please note that in no event shall PaaSoo treat directly the requests from your End Users. PaaSoo is only responsible to respond to your requests.
1. Message Content
PaaSoo will retain these records for as long you instruct and:
- If no specific instruction is given to delete these records, then PaaSoo will retain the Message content (sender ID and content) for as long as needed to provide SMS services to you and for the purposes of providing customer support (in particular in the event of problems with encoding, concatenation of long SMS, blacklisted keywords, etc.) and respond to any request from law enforcement authorities, but in no event later than one (1) year after the collection of such data.
At the end of the retention period mentioned above, such data will be automatically deleted from PaaSoo records. For this purpose, please read the section “About Deletion”.
2. End-users Phone Numbers
PaaSoo will retain these records for as long you instruct and:
- If no specific instruction is given to delete these records, then PaaSoo will store your End Users phone numbers for as long as it is necessary to maintain your customer account, provide you with our services and resolve any billing dispute and in no event later than three (3) years after the collection of this data. If there is any billing dispute, we may need to verify the phone numbers to investigate the reason for the discrepancies. This retention will take place in a restricted access secure system and will not be used for commercial purposes.
- In the event you have requested PaaSoo to delete your end-users’ phone numbers, such data will be automatically deleted from PaaSoo records unless a copy of those records shall be kept to respond to some specific legal, accounting or reporting requirements. For this purpose, please read the section “About Deletion”.
- If we need to keep this data after the retention period mentioned above, we will anonymise it so that it can no longer be associated with identified or identifiable natural person.
3. Common rules of Traffic Data
What happens if you request the deletion of the Traffic Data?
The Traffic Data is necessary to provide you with the services and support. Please be aware that should you request PaaSoo to delete such data, no further services nor support will be provided to you and your customer account will be automatically deleted. In such event, you will not be relieved of your payment obligation.
PaaSoo may keep the analytics provided that they do not allow PaaSoo to identify you or any other individual. For this purpose, the data will be anonymized. An example of analytic that PaaSoo may record is the delivery rate per country.
What are your rights on personal information and how to exercise them?
Individuals have a number of specific rights under data protection law to keep them informed and in control of the processing of their personal data. The most commonly exercised of those rights are those found under the GDPR (in Articles 12-22 and 34).
Depending on the circumstances, individuals may:
- Have the right to access and to be informed about the collection and the use of their personal data by PaaSoo, including the categories of data and how PaaSoo collects, processes and shares their personal data.
- Withdraw their consent at any time when processing is based on the latter;
- Object to the processing for marketing purposes or on grounds relating to your particular situation;
- Request the restriction of the processing of their personal data in specific cases;
- Receive their personal data in a machine-readable format and request that their data be shared to another controller when we hold it on the basis of a contract or your consent (right to data portability);
- Ask us to rectify or modify their personal data (right to rectification);
- Ask us to delete their personal data when it is no longer necessary in relation to the purposes for which it was collected or otherwise processed, when they have withdrawn their consent on which the processing is based or they are opposed to use, (right to be forgotten). Withdrawing consent will not affect the lawfulness of any processing PaaSoo conducted prior to your withdrawal.
- Have the right to be notified about a data breach that may impact the integrity, availability or confidentiality of their personal data.
You may exercise any of these rights by sending an email and specifying your request at privacy@paasoo.com.
In case of multi-user account, it is up to the invited user to contact the account administrator (referred in this clause as the “Customer”) regarding the processing of the corresponding personal data. The Customer shall inform and guarantee its users of all their rights under the applicable data protection laws and PaaSoo shall assist the Customer in exercising these rights.
About Deletion
You have the right to instruct us to delete your personal information. Please note that it may take a few days for the data to be completely removed from all systems. In some cases, a copy of those records, including the personal information contained in them, may nonetheless be retained to carry out necessary functions like billing, invoice reconciliation, troubleshooting, and detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse. Sometimes legal matters arise that also require us to preserve records, including those containing personal information. These matters include litigation, law enforcement requests, or government investigations. If we have to do this, we will delete the impacted records when no longer legally obligated to retain them. We may, however, retain or use records after they have been anonymized, if the law requires to do so.
Transfer of personal information outside EEA
The first thing to consider when transferring personal data to a third country is if there is an “adequacy decision”. An adequacy decision means that the European Commission has decided that a third country or an international organisation ensures an adequate level of data protection. In the absence of an adequacy decision, the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include, for example, Standard data protection clauses. They are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on the Data Exporter and the Data Importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the Data Importer and the Data Exporter. These are known as the “Standard Contractual Clauses”.
Derogations under Article 49 of GDPR are exemptions from the general principle that personal data may only be transferred to a third country if an adequate level of protection is provided for in that third country. These derogations or exceptions allow transfers in specific situations, such as based on consent, for the performance or conclusion of a contract, for the exercise of legal claims, to protect the vital interests of the data subject where they cannot give consent or for important reasons of public interest.
As a global organization, we may need to transfer your personal information to PaaSoo affiliates, contractors, service providers, and to third parties in various countries and jurisdictions around the world. We have servers in Singapore, Hong Kong, China mainland, Taiwan, India, and Ireland. If the customers send API requests with paasoo.com endpoint, user data will be stored in Singapore. If they send requests with local endpoints (paasoo.hk, paasoo.cn, paasoo.com.tw, paasoo.in and paasoo.eu), then the data would be stored in the corresponding local servers. In each case, we take care to use appropriate safeguards to ensure your personal information remains protected.
We always make sure that we share personal data when it is absolutely necessary to give you the best products and services and we ensure that we do so in a safe and controlled way. PaaSoo does not sell or share personal data for any monetary or business reason that will directly benefit PaaSoo’s business interests.No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt in data and consent; this information will not be shared with any third parties.
Paasoo complies with laws on the transfer of personal data between countries to help ensure personal data is protected, wherever it may be.
Transfer due to storage
PaaSoo is using third-party service providers (notably AWS) in order to back-up the data.
For transfer of personal data from individuals based in the EEA, we ensure that we have the appropriate international transfer mechanism in place such as Standard Contractual Clauses. Please note that we also have data protection addendums in place with our third-party service providers that transfer your personal identifying information outside of the European Union. These data protection addendums ensure that sufficient measures are taken by our service providers to protect your personal identifying information in accordance with the European regulation on data protection (GDPR).
Transfer due to provision of the service
When PaaSoo acts as a processor, we act based on your instruction so the content of communication is transferred from one country to another depending on your request. In such event we do not have control on the location of the data which may be transferred in or outside the EEA.
However, PaaSoo is implemented data protection addendum with its partners so that they are warrantying the same level of protection as the one stated in the GDPR.
Sub-processing
A sub-processor is a third-party data processor engaged by PaaSoo and who process personal data (i) on behalf of PaaSoo customers; (ii) in accordance with the customer's written instructions as communicated by PaaSoo; and (iii) in accordance with the terms of a written contract between PaaSoo and the sub-processor that specifies the sub-processor's processing activities and imposes on the sub-processor equivalent terms as those imposed on PaaSoo.
PaaSoo only engages sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures ensuring that the sub-processing of personal data meet the requirements of the applicable data protection laws and ensure the protection of the rights of the data subject.
PaaSoo uses the sub-processors below to process personal data. For each sub-processor, processing of personal data will be for the duration that the customer uses and continues to use the applicable service(s), and for the retention periods as set out above or in customer’s service agreement with PaaSoo.
| Sub-Processor | Subject matter | Nature and purpose of processing | Regional endpoint |
|---|---|---|---|
| AWS | Personal data in communications | Infrastructure Provider providing hosting services and storage | Singapore, Ireland, India, China mainland |
| Azure | Personal data contained in voice communications. | Text to speech functionality for customers using Azure TTS. | Singapore, Ireland |
| China Mobile International | Personal data in communications | Network provider | China mainland |
| China Telecom Global | Personal data in communications | Infrastructure provider | China mainland, Hong Kong |
| Google Cloud | Personal data in communications | Infrastructure Provider providing hosting services and storage | Taiwan |
| Huawei Cloud | Personal data in communications | Infrastructure Provider providing hosting services and storage | Hong Kong only |
| Leyun | Personal data in communications | Network infrastructure management | Taiwan |
| Scalegrid | Personal data in communications | Database infrastructure management | Singapore, Ireland, India, Taiwan |
How does PaaSoo secure personal information?
The Data Protection Act 2018 and the GDPR do not detail specific security measures that a data controller or data processor must have in place. The GDPR, in articles 25 and 32, does however place an obligation on controllers and processors to implement data protection by design and default and 'appropriate technical and organisational measures' to ensure a level of security appropriate to the risk, taking into account:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of processing; and
- the likelihood and severity of the risk to the rights and freedoms of individuals.
PaaSoo takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. All detailed measures are listed below. Encryption method are part of these measures. PaaSoo makes sure that the Traffic Data and your passwords are being encrypted when stored. Also, PaaSoo restricts access to personal identifying information to employees who need this information in order to operate, develop or improve our services.
Security measures:
- Encrypted communications: to prevent any misuse of your data, we have implemented various robust security mechanisms. HTTPS uses X.509 signed certificates allowing your browser to authenticate our server. HTTPS also uses cryptographic algorithms to encrypt any data in transit between your browser and our servers. This protects your data against eavesdropping / man-in-the-Middle attacks. Our traffic is protected if using the following protocols: HTTPS, SMPP over TLS, SMPP over VPN.
- IP addresses whitelisting: upon requests, PaaSoo is able to restrict the customer dashboard and API requests access to whitelisted IP addresses only.
- Encrypted data: Traffic Data and Customer Usage Data are stored in databases (in Ireland, France, Singapore, Hong Kong, Taiwan) using advanced encryption technologies.
- Traffic Data and Customer Usage Data on customer dashboard: upon requests, PaaSoo is able to hide End User data (phone numbers and message contents) on customer dashboard.
Incident Notification. Upon becoming aware of a personal data breach, PaaSoo shall promptly notify you and shall provide information relating to the personal data breach as reasonably requested by you.
Confidentiality. PaaSoo restricts its personnel from processing personal data without authorization and shall ensure that any person who is authorized by PaaSoo to process personal data is under an appropriate contractual obligation of confidentiality.
PaaSoo’s contact information
If you have any question about how PaaSoo collects, uses or protects personal data or if you have any questions about this Privacy Policy, including any requests to exercise your personal data rights, you may contact us at privacy@paasoo.com.
Changes to this Policy
We may, from time to time, make updates or changes to this Privacy Policy because of changes in applicable laws or regulations or because of changes in our personal data practices. The latest version of the Privacy Policy will always be posted on this site, and we will give you notice of any material changes that impact your personal data. Where consent is necessary to make a change apply to our practices with respect to your personal data, we will not apply the changes to your personal data until we have that consent.
