Icetrak Limited’s Privacy Notice

1 Definitions

We use the following definitions in this notice:

The term “Icetrak” or “us” or “we” or “our” refers to the company Icetrak.
The term “you” refers to a natural person (an individual) whose personal data Icetrak collects and processes.
The term “Services” means Icetrak’s cloud-based communication (CPaaS – Communications Platform-as-a-Service and SaaS – Software-as-a-Service) and other products and services.
The term “personal data” means any information about you from which you can be identified, directly or indirectly.
The term “controller” means the organisation which determines the purposes and means of the data processing and is responsible for processing such data in a manner consistent with the applicable privacy law.
The term “processor” means an organisation who processes personal data on behalf of the controller.
The term “end-user” means recipient of communications.

2 Responsibilities

Icetrak Limited is responsible for processing your personal data.

The Controller is Icetrak Ltd, 2 Nimrod House, Malvern, Worcestershire with a Company Registration Number of 04415020

If you have any questions regarding this Privacy Notice or our privacy practices, you may contact our Privacy team and Data Protection Officer via the email address dpo@icetrak.net.

3 About icetrak Services

Icetrak is a Communications Platform-as-a-Service (CPaaS) provider. While providing Services to our customers, we act either as the controller or the processor, depending on the situation.

When we act as a processor

Our customers are mainly companies that integrate our Services into their business operations through their own software. By using our Services, our customers are able to send or exchange communications with their end-users using different communication channels (SMS, fax etc.). We do not have a direct relationship with our customers’ end-users. Therefore we simply distribute our Customers communications requests through telecom operators and other communications providers. When we do this, we act as the processor on behalf of our customers, and process the relevant data for the sole purpose of providing our Services to them. We do that within limits and according to customers’ instructions and in line with our Terms of Services.

In this scenario i.e. when you as an end-user of a communication from one of our customers it means that the customer is the controller, and Icetrak is the processor. Any request we may receive from customers’ communication recipients regarding their rights related to our activities taken on behalf of our customers will be forwarded to customers, or the end-user will be asked to contact them directly.

When we act as a controller

This Privacy Notice describes the activities which Icetrak undertakes as a controller. Icetrak is a controller when we process personal data for our own purposes and do not act on behalf of someone else.

4 How we obtain personal data

The personal data we process is mostly provided to us directly by you when you register to use and subsequently send communication requests to end-users via our Services

We also collect data when you visit our website, or otherwise communicate with us.

We can also receive personal information from other sources, such as in the following situations:

If you are employed by one of our customers they may provide us with certain information so that you can use our Services
If you are an end-user of one of our customers they may provide us with certain information in order to use our Services
If you visit our website or use our Services, we automatically collect certain information, such as your Internet protocol (IP) address, user settings, and other unique identifiers.

5 What Personal data do we collect, why do we collect it and how do we use it.

We typically collect and use personal data for 2 different reasons.

5.1 To provide communication services to our customers

We collect personal data to provide communication services for our customers.

In this instance we are acting as a Data Controller.

5.1.1 Why

Icetrak collects customer data in order to maintain a business relationship with that customer, create a customer account so the customer can use our Services and bill the customer accordingly. Collecting this data is in our legitimate interest in the sense of providing our Services to your organisation.

In order to create an account for a customer and provide services to our customers Icetrak will collect the following data directly from the customer typically during the customer registration process.

Registration details of a customer and account users (e.g. name and surname, (business) address, phone number, email address, company’s name and industry, business role, business registration number)
Billing and financial details of a customer (e.g. billing address, prepaid or postpaid customer, bank account details, VAT number, information about creditworthiness and payment behaviour, and other additional information as required under applicable laws)
Business contacts’ details (e.g. name and surname, (business) address, phone number and email address, company’s name and industry, and business role)

5.1.2 Retention

The customer account data will be kept for 7 years after the account is closed.

5.2 To allow customer to communicate and send messages to their end users and produce billing data.

We collect personal data to allow our customers to send messages to their end users and produce billing reports for those transactions.

In this instance we are acting as a Data Processor only.

5.2.1 What we collect

Icetrak collects communications data sent directly to us by the customer that includes:

“Communications content”: message text, documents, or images exchanged between the customer and their end-users via Icetrak Services
“Traffic data”: data that is processed and required for the transmission of a communication exchanged by using our Services or for billing related to that communication. It includes information on the communication itself (e.g. routing, type, duration and time of communication) and on the source and destination of the communication (including the customer’s end-users’ phone number and the business users email address).

We also collect “usage data”, which is information created during your use of our Services. This includes information communicated by the customers application to Icetrak (e.g. IP addresses, information on your usage, routing information), as well as logs of your activities.

5.2.2 How we collect it

Communications content is received from our customers or their end-users.
Customers’ end-users’ phone numbers are received from our customers.

5.2.3 Why we collect it

Communications content is collected and processed solely on behalf of a given customer. We act as a processor and in line with the customer’s instructions.

Traffic data is generally kept in the form of communication detail records, and we collect it and use it to:

Manage traffic with the purpose of transmitting customer’s communications toward or from telecom operators and other communications providers and handling customer’s enquiries.

Troubleshoot and detect problems with the network, prevent fraud and other illicit activities, and keep our Services secure.

Calculate charges and settle interconnection payments with telecom operators and other communications providers or resolve a billing dispute with our customer or our communications provider. In some cases we might also utilize account data as part of this activity.

The carrying out of these activities is in our legitimate interest in the sense of handling payments and resolving financial disputes.

Please note that in order to comply with our legal obligations, we may be obliged to share communications related data upon government request.

5.2.4 Retention

Communications content is retained for 7 days.
Traffic data containing end-users’ personal data (such as phone number) is deleted from communication detail records after 7 days.
Other traffic data (such as time, type, duration of communication, routing details, destination phone number, customers sending email address) is retained in billing records for up to ten (10) years following the year of communication.

6 How do we share personal data

We may engage suppliers (also known as vendors or service providers) to help us in the processing of your personal data for the activities that we conduct as a controller and that we describe in this Privacy Notice.

For example we use a 3rd party accounts system to manage our accounts and invoices. Details of this can be found at www.kashflow.com.

We do not share personal data with third parties except when strictly necessary and on a need-to-know basis, such as with:

Telecom operators and other communications service providers when necessary for the set-up of proper routing and connectivity.
Service and technology providers to the extent strictly necessary for them to perform specific actions on our behalf. These might be related both to our Services (e.g. as part of the functionality of our Services) and to our other processes (e.g. Accounts and Invoicing).
Third parties when required to comply with our legal obligations. We may share your personal data with authorised legal authorities due to relevant legislation, such as a judicial proceeding, court order, or legal process served on us (e.g. for criminal procedures) or because of threats to public security, regulatory requirement, or in the context of investigations or bankruptcy. As a communications provider, we are required to retain certain communications-related data for law enforcement purposes and will be required to share that data with authorized law enforcement authorities upon their request. Also, if we are under an obligation to demonstrate compliance with relevant accounting, financial and tax legislation, your data can be shared with auditors and tax authorities for those purposes.
Merger and acquisition stakeholders as part of disclosure in the event of a merger, sale, or other asset transfer. Your information may be transferred as part of such a transaction, as permitted by law or contract.

8 Data Security

For Accounting and Invoicing purposes Icetrak uses a 3^rd party product www.kashflow.com. We upload customers billing contact details and Invoice details to this platform.

Other than our Invoicing system all personal data where we act as a controller is stored on our secure servers in the UK.

Only Icetrak staff have any access to these servers.

9 Your Data Protection Rights

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at dpo@icetrak.net if you wish to make a request.

10 Personal Data Retention Periods

Retention periods are listed under the activities in section 5 of this Privacy Notice. The retention periods listed are the standard default periods. In some cases, exceptions apply due to local laws related to law enforcement, tax, or other purposes. Additionally, if legal matters such as litigation, law enforcement requests, or government investigations require us to preserve records, including those containing personal information, for longer periods than listed in section 5, then we will delete the records in question when we are no longer legally obligated to retain them.