GDPR Compliance

Our commitment to protecting your data and privacy rights under EU law

EU Data Protection Regulation

Last updated: June 29th, 2025

GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, across the European Union. SMS-iT is committed to full compliance with GDPR requirements and protecting the privacy rights of all EU data subjects.

This document outlines how SMS-iT processes personal data in accordance with GDPR principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.

SMS-iT serves as both a data controller and data processor, depending on the specific use case and customer configuration. We are committed to ensuring that all personal data processing activities comply with GDPR requirements.

Data Controller Information

When SMS-iT acts as a data controller, we determine the purposes and means of processing personal data. Our data controller details are:

Company: SMS-iT (SE-Mi Sentient iT)

Address: 1390 Market Street, STE 200, San Francisco, CA 94102, USA

Email: [email protected]

Phone: +1-650-333-8337

When our customers use SMS-iT services to process personal data of their own customers or contacts, our customers act as data controllers, and SMS-iT acts as a data processor on their behalf.

Lawful Basis for Processing

SMS-iT processes personal data only when we have a lawful basis under Article 6 of the GDPR. Our lawful bases include:

Consent (Article 6(1)(a))

  • Marketing communications when explicitly consented to
  • Optional features that require additional data processing
  • Cookies and tracking technologies (where required)

Contract Performance (Article 6(1)(b))

  • Account creation and management
  • Service delivery and platform functionality
  • Payment processing and billing
  • Customer support and technical assistance

Legal Obligation (Article 6(1)(c))

  • Tax and accounting requirements
  • Regulatory compliance (TCPA, CAN-SPAM, etc.)
  • Law enforcement requests

Legitimate Interests (Article 6(1)(f))

  • Security monitoring and fraud prevention
  • Service improvement and analytics
  • Business operations and administration

Data Collection and Use

SMS-iT collects and processes the following categories of personal data:

Account and Profile Data

  • Name, email address, phone number
  • Company information and job title
  • Account preferences and settings
  • Profile photos and avatars

Communication Data

  • SMS, email, and voice message content
  • Contact lists and recipient information
  • Message delivery and engagement metrics
  • Communication preferences and opt-out requests

Usage and Analytics Data

  • Platform usage statistics and feature utilization
  • Login times and session duration
  • Device and browser information
  • IP addresses and geolocation data

Payment and Billing Data

  • Billing address and payment method information
  • Transaction history and invoices
  • Tax identification numbers (where required)

Data Subject Rights

Under the GDPR, EU data subjects have the following rights regarding their personal data:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data along with specific information about the processing.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed.

Right to Erasure (Article 17)

You have the right to have your personal data erased in certain circumstances, including when the data is no longer necessary for the original purpose.

Right to Restrict Processing (Article 18)

You have the right to restrict the processing of your personal data in specific situations, such as when you contest the accuracy of the data.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you.

Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, though this may be extended by two additional months for complex requests.

Data Retention

SMS-iT retains personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law. Our retention periods include:

Account Data

  • Active accounts: Retained while account is active
  • Closed accounts: Deleted within 90 days unless legal obligations require longer retention

Communication Data

  • Message content: Retained according to customer settings (typically 30-365 days)
  • Delivery logs: Retained for 2 years for compliance purposes
  • Opt-out records: Retained indefinitely to honor preferences

Analytics and Usage Data

  • Aggregated analytics: Retained for 3 years
  • Individual usage logs: Retained for 1 year

Financial Data

  • Billing records: Retained for 7 years for tax and accounting purposes
  • Payment information: Deleted immediately after processing (not stored)

Data Security Measures

SMS-iT implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Safeguards

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication for account access
  • Regular security assessments and penetration testing
  • Automated backup and disaster recovery systems
  • Network security monitoring and intrusion detection

Organizational Measures

  • Employee training on data protection and security
  • Access controls and need-to-know principles
  • Regular security policy reviews and updates
  • Vendor security assessments and contracts
  • Incident response and breach notification procedures

Compliance Certifications

  • SOC 2 Type II compliance
  • ISO 27001 information security management
  • Regular third-party security audits

International Data Transfers

SMS-iT may transfer personal data outside the European Economic Area (EEA) to provide our services. When we do so, we ensure adequate protection through:

Adequacy Decisions

We transfer data to countries that have received an adequacy decision from the European Commission, confirming they provide adequate data protection.

Standard Contractual Clauses

For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission to ensure appropriate safeguards.

Additional Safeguards

  • Technical measures such as encryption
  • Organizational measures including access controls
  • Regular monitoring of data protection laws in destination countries
  • Suspension of transfers if adequate protection cannot be ensured

Cookies and Tracking Technologies

SMS-iT uses cookies and similar tracking technologies in compliance with GDPR requirements:

Essential Cookies

These cookies are necessary for the website to function and cannot be switched off. They are usually set in response to actions you take, such as logging in or filling in forms.

Analytics Cookies

These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. We only use these with your consent.

Marketing Cookies

These cookies track your online activity to help advertisers deliver more relevant advertising. We only use these with your explicit consent.

Cookie Consent

We obtain your consent before placing non-essential cookies on your device. You can withdraw your consent at any time through our cookie preference center.

Data Breach Procedures

SMS-iT has established procedures to detect, report, and investigate personal data breaches:

Detection and Assessment

  • Continuous monitoring systems to detect potential breaches
  • Immediate assessment of breach scope and risk
  • Documentation of all breach incidents

Notification Requirements

  • Supervisory authority notification within 72 hours (when required)
  • Data subject notification without undue delay (when high risk)
  • Customer notification for breaches affecting their data

Remediation Actions

  • Immediate containment of the breach
  • Assessment and mitigation of potential harm
  • Implementation of measures to prevent recurrence
  • Regular review and improvement of security measures

Data Protection Officer

SMS-iT has appointed a Data Protection Officer (DPO) to oversee our data protection strategy and GDPR compliance:

Data Protection Officer

Email: [email protected]

Address: SMS-iT Data Protection Officer
1390 Market Street, STE 200
San Francisco, CA 94102, USA

You can contact our DPO with any questions about our data processing activities, to exercise your data subject rights, or to raise concerns about our data protection practices.

Complaints and Supervisory Authority

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority.

Internal Complaints

We encourage you to contact us first at [email protected] so we can try to resolve your concern directly.

Supervisory Authority

You can lodge a complaint with the supervisory authority in the EU member state where you live, work, or where the alleged infringement occurred. You can find contact information for EU supervisory authorities at: https://edpb.europa.eu/about-edpb/board/members_en

Lead Supervisory Authority

For cross-border processing activities, our lead supervisory authority is the Irish Data Protection Commission, as our EU representative is located in Ireland.

Contact Information

If you have any questions about our GDPR compliance or data protection practices, please contact us:

Privacy Team: [email protected]

Data Protection Officer: [email protected]

General Inquiries: [email protected]

Address: 1390 Market Street, STE 200, San Francisco, CA 94102, USA

Phone: +1-650-333-8337