All documents

Privacy policy for Mediaburst (Textburst, Clockwork and SurveyMill)

Version 2.0.0

Published 23 May 2018

See what changed since the previous version

We take our responsibility for looking after your personal information seriously.

The General Data Protection Regulation (GDPR) applies (from 25 May 2018) in Europe and the United Kingdom (where we are based) and requires us to give you much more information about and control over the data we hold about you. This policy covers the key things you need to know. For more information about your rights as a UK citizen contact the Information Commissioner’s Office. If you are elsewhere, contact your equivalent national government organisation.

Textburst.com, clockworksms.com, surveymill.co.uk and mediaburst.co.uk (our ‘products’ or ‘apps’) are sites operated by Mediaburst, a trading name of SRCL Limited (‘us’, ‘we’) which is registered in England and Wales under company number 03226910 and with a registered office at Indigo House, Sussex Avenue, Leeds LS10 2LF.

1. Information we collect about you as an account owner

We don’t need to know a lot about you in order to provide you with our text messaging products. The majority of what we do collect is necessary in order to provide you with the services. The only thing we might do with your data that isn’t essential – so we ask you to opt-in if you want it – is to send you useful updates, news or offers from us or our group partners.

Here’s a list of the data we collect about you, and what we do with it:

Your first and last name

When you sign up (and if you change your profile settings) we ask you for your name, because when you agree to be bound by our terms and conditions you make a contract with us, so we need to know who you are. (And it’s nice to address you by name if we need to get in touch.) We store the data on our own servers until you change your settings or close your account. We may keep some data in our logs for a period of time in line with our data retention policy which takes into account, amongst other things, our legal obligations. Technical support and customer support have access, plus additional parties who may need to know your name for legal reasons.

When you first sign up we may send you a series of onboarding emails to help you discover features and benefits of the product and we sometimes like to address you using your name. We store your data on our own servers and our third party email provider’s servers until the series of emails is complete and for up to six months thereafter so we can view aggregate statistics about how well the emails performed so we can make them better. Technical support and customer support have access. Our third party email provider has access only as a data processor.

If you consent for us to send you certain emails (see below) we sometimes like to address you using your name. We store your name on our own servers and on our third party email provider’s servers for as long as we have your consent to send you these types of email, or until your account is closed. Technical support and customer support have access. Our third party email provider has access only as a data processor.

Your email address

When you sign up and if you modify your profile settings, you give us your email address so it can be used as your login name, to confirm your account creation and to send you important information about your account or the service. Without it, you simply can’t create an account.

When you first sign up we may send you a series of onboarding emails to help you discover features and benefits of the product. We believe you’d expect us to help you get started so we enrol you on this limited number of emails automatically. We’ll need to use your email address for this purpose until the series of emails is complete, and we keep it there for up to six months thereafter so we can view aggregate statistics about how well they performed so we can make them better.

As an account owner, we also use your email address to send you important notices such as security notifications, service updates and terms and conditions changes. We believe you would expect us to send you this kind of information, so we enrol you on the corresponding product’s list automatically when you sign up.

If you consent (or ‘opt in’) for us to send you certain emails (see below) we’ll use your email address to do so, for as long as we have your permission to send you these types of email, or until your account is closed.

If an account administrator invites you from one of the apps to create a new linked account, we’ll send you an invitation email and store a record of your invitation on our servers ready for you to accept. In this context, the account administrator is acting as a Data Controller, us as a Data Processor. We’ll keep this record of your email address and the invitation until your invitation expires, or you accept it and create a new account where you’ll have the opportunity to enter your details yourself.

We store your address our own servers and on our third party email provider’s servers, until you change your settings or your account is closed. We may keep some data in our logs for a period of time in line with our data retention policy which takes into account, amongst other things, our legal obligations. Technical support and customer support have access, and any additional parties who may need to know your email address for legal reasons, such as in the event of a breach of agreed terms and conditions.

A password

You set a password when you sign up (and if you change or reset it) so you can log in securely. The data is saved on our own servers, one way encrypted using salts, cyclic key encryption and a strong HMAC (which means nobody can read it from our database), until you close your account or change the password. Technical support have access to your encrypted password, but can never know your actual password.

Your company name

When you first sign up (and if you modify your company profile) we ask for your company name to help us verify that you are representing a proper business in line with our terms and conditions. We store this information on our own servers until you change your settings or your account is closed. We may keep some data in our logs for a period of time in line with our data retention policy which takes into account, amongst other things, our legal obligations. Technical support and customer support have access, plus any additional parties we may provide the information to who may need to know your company name for legal reasons.

Your country

When you first sign up (and if you modify your company profile settings) we ask for your country to help us confirm that you are in a nation that we are legally able to do business with, to help us verify that you are representing a proper business in line with our terms and conditions, and to help us ensure we provide a service that is legally appropriate for the country in which you operate.

We store this information on our own servers until you change your settings or your account is closed. We may keep some data in our logs for a period of time in line with our data retention policy which takes into account, amongst other things, our legal obligations. Technical support and customer support have access plus any additional parties who we may share it with if they need to know your country for legal reasons.

Your preferred currency

When you modify your company details settings we ask for it so we can continually bill you in the currency you prefer. We store this information on our own servers and on our third party payment gateway provider’s servers until you change your settings or your account is closed. We may keep some data in our logs for a period of time in line with our data retention policy which takes into account, amongst other things, our legal obligations. Our technical support and customer support have access. Our payment provider’s technical and customer support also have access.

Your company VAT number

When you modify your company details settings we ask for your VAT number so we can add it to invoices if you’d like us to. We store it on our own servers in our databases and any generated invoices, until you change your settings or your account is closed. We may keep some data in our logs for a period of time in line with our data retention policy which takes into account, amongst other things, our legal obligations. Our technical support and customer support have access.

Your payment card details

When you make a payment in one of our apps we’ll use the information you provide so we can process your payment in association with our payment service providers (see below). Your card details are passed directly from your browser to our third party payment provider’s servers. We do not otherwise process or store your card details on our own servers. A record of the transaction will be stored on their servers in line with their legal obligations and a ‘receipt’ of the transaction, not including your card details, is passed back to our server. We keep such a record of the transaction on our servers for a period in line with our data retention policy. Our technical support and customer support have access to the transaction details, as do our payment provider’s technical and customer support.

If you asked us to save your card details when making a payment so you don’t need to fill in the same details every time you try to make a payment, our payment provider will store your card details on their servers.

During the onboarding process when you first sign up to one of our products, we may ask if you would like to request a call back so, for example, we can help you set up your account or discover some of the features. When you request a call back we send your details to our third party support service (see below) which alerts our support team so they can contact you about the specific thing you agreed to in the app. Your details are stored for as long as is necessary to respond to your initial enquiry. We may however collect other information about you during these conversations if it’s necessary to answer your queries or administer your account. Our technical support and customer support teams have access to our support service.

Email opt in explicit consent

During the onboarding process when you first sign up to one of our products (and when you change your communication preferences) you can opt-in (and subsequently ‘unsubscribe’ or opt-out) of certain types of email that are not essential for you to receive in order to use our products, but which might still be useful or valuable. We’ll store a record of your explicit consent (or withdrawal of consent) for us to email you such content, including the text shown alongside the checkbox when you selected it, so we can be sure exactly what you agreed to and when. We’ll keep this record of your opt-ins and opt-outs on our own servers until your account is closed, unless we need to keep it for a longer period of time such as in the event of a legal dispute. Our technical support and customer support have access. Our third party email provider may also keep a record of your ‘unsubscribe’ in their own suppression lists.

Terms and conditions and privacy policy agreement confirmation

When you sign up, or when we ask you to agree to a change in order to continue using our products, we store a record of your acceptance along with the text next to the checkbox to show what you agreed to, and the version number of the terms and conditions and privacy policy we gave you a link to. We normally keep this record on our own servers until your account is deleted, or longer if there’s a legal reason to do so, such as a dispute. Our technical support have access and we may provide the information to additional parties who may need to confirm what you agreed to for legal reasons.

2. Information about other people you give us while using our products

When you are giving us information about other people in the course of using our products, either via a web interface or API, you are acting as the Data Controller and have the legal responsibilities that come with it in line with legislation in the regions in which you are based and operating, and the locations of the people whose data you are using.

In this context we are the Data Processor and we don’t have direct control over the information you pass us. We will, of course, look after our information security responsibilities and anything else required of us by law.

Other users you invite

Where our products allow you to invite other users to your account, you enter their email address and send an invite. Their email address is their own personal information (even if it’s a business email) and will be stored on our servers. You should only invite users when you have a proper reason to do so.

Contacts and manually-entered numbers

Our products allow you to input or upload contacts, enter mobile numbers manually on web interfaces, or use mobile numbers to send messages via our APIs. With contacts, you can also save other information, such as first name, last name and ‘custom’ fields. You are able to store any information you like in these fields, so long as you have the proper legal right to use the information.

Message content

Message content may contain personal information, especially if you are using merge fields or creating personalised messages with you own system to send using our APIs. A record of sent and received messages is stored on our servers, which shows the content of each text message, the number it was sent to, your account or customer ID and information relating to whether it was successfully delivered to the mobile phone. We keep this information for period in line with our data retention policy. Our technical team may review the content of specific messages or groups of messages if there is a suspicion of spam activity, unlawfulness or a breach of agreed terms and conditions. We may also pass message content onto other parties where we have a legal obligation to do so.

3. Information sent by text to one of our numbers

Our products are able to receive text messages and we store those messages on our servers.

Long numbers and short codes

Users of our products are able to ‘rent’ a long number from us (which looks like a normal UK mobile phone number), or a five digit shortcode. People can text these numbers and the text messages are stored on our servers, ready to be displayed on our customer’s product web interfaces or via API calls.

Our shared shortcode and keywords

Users of our products can reserve a keyword which, when texted to our shared shortcode (84433), associates the message with our customer’s account. The message content may show in our customer’s web interface or be downloaded using an API call. The number that was texted from will also be added to our customer’s list of contacts in a named subscription group linked to their reserved keyword.

Unsubscribing from our customers’ lists

If you text ‘STOP’ to one of our long numbers or short codes, we will match your request with the customer likely to have sent you the most recent message. On Textburst your number will be added to our customer’s account ‘blacklist’ which prevents your number from being sent to from their account. On SurveyMill you will be opted out of the current survey. If you’re sending your stop request to a long number associated with a Clockwork API customer, we’ll forward your request to them to deal with appropriately.

Responsibility

We act as the Data Processor, our customers act as the Data Controller. We do not have any direct control over the messages that are sent to us, or how the long numbers, short codes and keywords associated with our customers’ accounts are advertised. We also do not have direct control over how long those messages are stored on our customers’ accounts, other than our maximum period in line with our data retention policy. It is our customer’s responsibility as Data Controller to ensure they have proper lawful permission to retain and use any subscription lists and contact lists they create using our products. Where we cannot match a received message to a specific customer, we retain the message content for a short period in line with our data retention policy.

4. Where we store your data

We take great care to keep your personal information safe. All our live services and databases operate from computers that are housed in secure data centres with heavily restricted access. We operate numerous levels of security to prevent unauthorised access to data stored on those computers.

5. Third party services we use

To help us deliver our products we use various third party services:

Google Analytics (anonymous aggregated behaviour tracking)

Google Analytics collects statistical data about the use of our websites and applications. The information we see is aggregated and does not contain any personally identifiable data. We use the information to understand the way people use our products so we can make them better. Here’s the Google’s privacy policy.

Google Adwords (search advertising)

We use Google Adwords to give us paid-for search results in Goole Search. If you click on one of those ads to visit one of our product marketing sites, Google Adwords will track your activity on our site to help us see how effective our advertising was. Here’s the Google privacy policy.

Campaign Monitor (email provider)

We use Campaign Monitor as our emailing service for sending certain types of emails to you. In order to send you important information such as security updates, or opted-in information such as news and offers, we maintain lists on our emailing service which contain your name and email address. This list is synchronised with our database so when you unsubscribe, or your related data is deleted from our system, it is also automatically removed from our emailing service’s lists. Here’s the Campaign Monitor privacy policy.

Zendesk (customer support tool)

We use Zendesk as our customer support tool to help us efficiently manage our conversations with you . When you call us, or send us a message at hello@mediaburst.co.uk, hello@textburst.com, hello@clockworksms.com or hello@surveymill.co.uk, through the contact or support forms on our websites or apps or during the onboarding process if you request a call back, we create a new support ‘ticket’. This ticket contains details of our conversation, including your name and email address (if you contacted us online) and any other relevant information you provided during the conversation. We normally delete closed tickets after a period in line with our data retention policy or when your account is deleted, unless we have a legal obligation to retain them for longer or they contain information necessary to provide you with our service. Here’s the Zendesk privacy policy.

Olark (webchat)

We use Olark to provide a chat service on our marketing websites. If you have a chat conversation with us on our websites, a transcript of the conversation is stored on Olark’s servers, and is accessible by them and our customer support team. We routinely delete our Olark transcripts which are older than a period in line with our data retention policy. Here’s the Olark privacy policy.

Braintree (payment provider)

We use Braintree as a payment provider for secure online payments from you to us within our products. When you make a card payment in one of our products, the payment card details you enter on the product’s payment screen are passed directly from your browser to the payment provider who process the payment and send us a notification so we can update the balance in your product account and generate an invoice for you. For legal reasons, the payment provider keeps a record of the transaction in line with their own data retention policy. We keep a record of the transaction for a period of time in line with our own data retention policy. If you asked us to save your card details for next time, our payment provider will store them securely along with your customer ID. Here’s the Braintree privacy policy for the United Kingdom.

PayPal (payment provider)

We use PayPal as a payment provider for secure online payments from you to us within our products. When you choose to pay using PayPal in one of our products, you enter your payment details into PayPal’s service. They then process the payment and send us a notification so we can update the balance in your product account and generate an invoice for you. For legal reasons, the payment provider keeps a record of the transaction in line with their own data retention policy. We keep a record of the transaction for a period of time in line with our own data retention policy. Here’s the PayPal privacy policy.

Maxmind (payment fraud protection)

We use Maxmind to help us prevent fraudulent transactions. When you make a payment through one of our products, we share the details you have provided with Maxmind and they give us a score that allows us to automatically approve or reject a payment. We need to do this for every transaction so we can catch the bad looking ones, and we do it on a legal basis as part of our responsibility to help prevent fraud. Here’s the Maxmind privacy policy.

SMS network providers

We send and receive your text messages between our servers and your recipients through mobile networks either directly or via ‘network aggregators’. Your messages could be sent though any of these routes. We work with leading SMS Aggregators and networks to send and receive your text messages. We undertake all regulatory due diligence and checks. Further disclosure is available upon signature of an NDA (non-disclosure agreement). See our data processing agreement for specific detail on our legal position with subprocessors.

Other support teams within our group

Other teams in our group provide services to us, such as billing credit control, for which we need to disclose certain information. We only ever provide them with the information necessary to complete a certain task. They may keep a record of such information in line with their legal responsibilities.

Postcode Anywhere (address confirmation)

We use Postcode Anywhere to provide postal address prediction on our online payment forms. So, when you start to type in your address, the PostCode Anywhere plugin will try to help you fill in the rest of your address, saving you time. Postcode anywhere can see your address. We can only see what you submit with the form. Here’s the Postcode Anywhere privacy policy.

Avvanda (phone system provider)

We use Avvanda to provide IP-based telephony services to our office. Which means if we ever talk with you over the phone, our conversation and the basic details about it (including your phone number) will be processed by them. Here’s the Avvanda privacy policy.

Jam Media (call overflow handling)

On the occasions when we can’t take your call, Jam Media answer it for us and take a message from you. They can see your number, and will pass it on with any message directly into our customer support system. Here’s the Jam Media privacy policy.

Node4 Ltd (secure data centres)

Node4 provide us with our secure data centres for our servers. They have physical access to our servers and follow strict security protocols. Only approved members of our technical team have physical or remote access.

Microsoft (email provider)

Microsoft provide us with email services for our team members. If you have a direct conversation with them over email your message is likely to go through Microsoft’s servers. Here’s the Microsoft 365 privacy policy.

HighRise (Sales CRM)

We use HighRise to help us organise our sales leads so we can make sure we provide assistance to anyone who has expressed an interest in our products. Our sales team have access to the information on the account. Here’s the HighRise privacy policy.

Wordstream (Google Adwords monitoring)

We use Wordstream to help us monitor our Google Adwords performance so we can learn how to better target our ads to those people who might be interested in our products. We share our Google Analytics data with Wordstream, including information about your clicks. Here’s the Wordstream privacy policy.

Where we’ve included links to our third party service providers’ privacy policies, these were the links that were available at the time of writing. The links may since have changed. The content of the policies themselves may have changed. We regularly review our partners and their policies, but we do not have any direct control over the content of these policies or where they are held, so if you follow a link check you are looking at the latest version that applies.

6. Cookies

We don’t use many Cookies.

We set a cookie on your device when you log in so that we can check your account is logged in and secure as you move through the app. Disabling cookies may prevent you from logging in to the app. You can’t opt out of this because we need it in order to provide you with the service.

Google Analytics sets a cookie (_ga) on your device so it can effectively link the different things you do on our website or product during a browsing session. That helps us understand how users move through the apps so we can make things better. The data Google Analytics collects is anonymous. The data we see is aggregated and only used to look at overall performance by groups of users. Stopping Google Analytics from tracking you can be done in most modern browsers. Check with your browser manufacturer to see how to do it in the browser(s) you use.

7. Opting out of emails

If you opt out of a certain kind of email communication from us, you will be removed from that list on our email service provider’s system and a record of your opt out will be recorded on our system (in case we need to prove you opted out). We store this record of your opt out on our system until your account is deleted, unless we need to keep a record for longer, for legal reasons such as a dispute. Our email provider may store your email address in their own ‘suppression list’ so they can also be sure you don’t receive any more emails from that list unless you opt back in. We will remove you from that list when your account is deleted.

You can opt out of non-essential emails in any of our products’ communication settings pages, or by clicking the ‘unsubscribe’ link in one of the emails (which will opt you out of that particular list).

It is possible to stop receiving some of the essential notification messages you would reasonably expect us to send you by clicking the unsubscribe link at the bottom of one of the emails. These messages may include security notifications, terms update notifications and service update alerts and we automatically enrol you on the list when you sign up to one of our products. We do this because we believe it’s important you receive this information as part of your use of the products. If you do choose to ‘unsubscribe’ you can re-start the emails in your communication preferences.

8. Deleting your data

If you would like your data to be deleted, you can request that your account is closed. To do this contact our support team for assistance. We will respond to your request within 28 days unless we have good reason to extend that period.

We will delete your personally identifiable information with the exception of any data we are required by law to keep for longer, any data that is properly anonymised or held within aggregate statistics, or if there is an ongoing legal dispute for which it is necessary to retain evidence. In all circumstances, when the statutory period has ended, or a legal dispute resolved and we no longer need to keep your data, it will be deleted. Unless we think your request is excessive, we will not charge you a fee for deleting your data.

If your account becomes inactive for more than three years in line with our data retention policy we will assume you no longer need the account and we will automatically delete your data for you. You will lose all data including contacts, message history, long numbers and API keys associated with your account. You will be able to create a new account with the same email address should you wish to return.

9. Access, update and transfer the data we have about you

You can ask us to provide you with a structured, commonly used, machine-readable format copy of the personally identifiable data we hold about you, or to transfer it to a third party on your behalf.

To do this contact our support team for assistance. We will respond within 28 days for your request unless we have good reason to extend that period. Any data which is properly anonymised or held within aggregate statistics is not available for us to extract, so cannot be provided. Unless we think your request is excessive, we will not charge you a fee for accessing a copy of your data.

10. Objecting, restricting and withdrawing your consent

You can object to us processing your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

You can request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

You can withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

11. Privacy policy updates

We may, from time to time, update this privacy policy and, if necessary (such as if we change something that affects your or our legal position), we’ll ask you to re-confirm you’ve read and understood it the next time you log in to one of our products.

You can always refer to the version of the policy that currently applies to your account by following the link in the bottom of our products when you are logged in.

12. Law and jurisdiction

Use of our marketing websites and products is governed by English law. Any dispute arising from, or related to, such usage shall be subject to the exclusive jurisdiction of the courts of England and Wales.