Privacy Policy
Last updated: 24 June 2026
On this page
- 1. Introduction and Scope
- 2. Key Definitions
- 3. Personal Data We Collect
- 4. Recipient Data on Behalf of Customers
- 5. How and Why We Use Personal Data
- 6. Marketing and Communications
- 7. Cookies and Similar Technologies
- 8. How We Share Personal Data
- 9. International Data Transfers
- 10. Data Retention
- 11. Information Security
- 12. Your Data-Protection Rights
- 13. Region-Specific Disclosures
- 14. Third-Party Sites and Services
- 15. Changes to this Policy
- 16. How to Contact Us
1. Introduction and Scope
1.1 Who we are. BULKASMS ("we", "us", or "our") operates a carrier-grade Communications-Platform-as-a-Service ("CPaaS") and a multi-tenant, white-label SMS panel that enables business customers to send transactional, OTP, bulk, and marketing SMS through direct operator connectivity. Our registered office is in Istanbul, Republic of Türkiye.
1.2 Purpose of this Policy. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data, and the rights individuals have in relation to that personal data. It applies to: (a) visitors to our websites and marketing properties; (b) users and administrators of accounts on the platform; (c) billing, procurement, and other business contacts of our customers and partners; and (d) individuals whose personal data we process in operating and securing the Services.
1.3 Our dual role. Our privacy responsibilities depend on the context:
- Controller. For our website, account registration, authentication, billing, support, security, and our own marketing, we determine the purposes and means of processing and therefore act as a controller.
- Processor. When our business customers use the platform to send messages, they decide which recipients to contact and what to send. In that context, the customer is the controller and we act as a processor on the customer's documented instructions under our Data Processing Addendum ("DPA"). If you are a message recipient, please contact the business that messaged you to exercise your rights; we will support that business as required.
1.4 Other notices. This Policy is supplemented by our Cookie Notice, our DPA (for customers), and any product- or region-specific notices we provide.
2. Key Definitions
- Personal data — Any information relating to an identified or identifiable natural person.
- Processing — Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
- Controller — The party that determines the purposes and means of processing personal data.
- Processor — A party that processes personal data on behalf of, and on the instructions of, a controller.
- Data subject — The individual to whom personal data relates.
- GDPR — Regulation (EU) 2016/679, the General Data Protection Regulation, and equivalent UK provisions.
- Sub-processor — A third party engaged by us to process personal data on our behalf.
- SCCs — The European Commission's Standard Contractual Clauses for international data transfers.
- Recipient data — Personal data of message recipients (e.g., phone numbers, message content) processed when delivering customer messages.
3. Personal Data We Collect
We collect personal data directly from you, automatically through your use of our properties, and from third parties. The categories below describe data we process as a controller; recipient data processed on behalf of customers is addressed in Section 4.
3.1 Data you provide
| Category | Examples | Typical source |
|---|---|---|
| Identity & contact | Name, business email, phone, job title, employer | Registration, sales enquiries |
| Account & profile | Username, password (hashed), roles, preferences, MFA settings | Account setup |
| Verification / KYC | Business registration, identity documents, beneficial ownership, Sender ID documents | Onboarding |
| Billing & financial | Billing address, tax ID, payment-method tokens, invoices | Checkout, billing |
| Support & comms | Messages to support, survey responses, call notes | Support channels |
3.2 Data collected automatically
| Category | Examples |
|---|---|
| Device & technical | IP address, browser type, device identifiers, operating system |
| Usage & log | Pages viewed, features used, API calls, timestamps, referring URLs |
| Security & audit | Login events, access logs, IP allow-list activity, anomaly signals |
| Platform operational | Traffic volumes, route and delivery statistics, error and performance metrics |
| Cookies & similar | Identifiers set via cookies, pixels, and local storage (see Cookie Notice) |
3.3 Data from third parties
- Payment processors (confirmation of payment, fraud signals — we do not store full card numbers).
- Identity-verification and anti-fraud providers (verification outcomes).
- Mobile operators, carriers, and aggregators (delivery receipts and traffic status).
- Marketing, enrichment, and analytics partners, and publicly available business sources.
3.4 Special categories
We do not seek to collect special-category data (such as health, religion, or biometric data) about account users in the ordinary course. Customers must not use the Services to transmit special-category or sensitive recipient data without an appropriate lawful basis and required safeguards.
3.5 Children
The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from individuals under 16. If we learn we have done so, we will delete it.
4. Recipient Data Processed on Behalf of Customers
4.1 Processor role. When a customer uses the platform to send messages, the customer uploads or transmits recipient phone numbers, message content, contact-group data, and related metadata. We process this recipient data only to provide the messaging Services on the customer's instructions, to route and deliver messages, to return delivery receipts, to generate the customer's reports, to maintain security, and as required by law.
4.2 Customer responsibilities. The customer is the controller of recipient data and is responsible for establishing a lawful basis (such as consent), providing privacy notices to recipients, honouring opt-outs, and responding to recipient rights requests. We assist customers with these obligations as set out in the DPA.
4.3 Recipients' requests. If you received a message and wish to opt out or exercise your rights, please follow the opt-out instruction in the message or contact the business that sent it. If you contact us directly, we will, where we can identify the relevant customer, forward your request and support the customer in responding.
4.4 Onward transmission. To deliver messages, recipient numbers and content are necessarily transmitted to mobile operators, carriers, and aggregators in the destination country, which may be outside the EEA.
5. How and Why We Use Personal Data (Purposes and Lawful Bases)
As a controller, we process personal data for the purposes and on the legal bases set out below (GDPR Article 6). Where we rely on legitimate interests, we have balanced those interests against individuals' rights.
| Purpose | Examples | Lawful basis |
|---|---|---|
| Provide the Services | Create and operate accounts, authenticate users, deliver platform features | Contract |
| Billing & payments | Invoice, collect fees, prevent payment fraud | Contract; legal obligation |
| Verification / KYC | Verify identity and eligibility, meet operator/regulatory rules | Legal obligation; legitimate interests |
| Security & fraud | Detect, prevent, and investigate abuse, intrusion, and AIT | Legitimate interests; legal obligation |
| Support | Respond to requests, troubleshoot, manage tickets | Contract; legitimate interests |
| Improve & analyse | Understand usage, improve features, ensure reliability | Legitimate interests |
| Marketing | Send service and product communications to business contacts | Consent or legitimate interests |
| Legal & compliance | Comply with law, enforce terms, establish/defend claims | Legal obligation; legitimate interests |
5.1 Aggregated and de-identified data. We may create aggregated or de-identified statistics (for example, route performance and delivery benchmarks) that do not identify any individual, and use them for analytics, security, and improving the Services.
5.2 Automated decisions. We may use automated tools for fraud and abuse detection (for example, anomaly scoring of traffic). These do not produce legal or similarly significant effects on individuals without human review where required by law.
6. Marketing and Communications
6.1 Service communications. We send administrative and transactional messages (for example, security alerts, billing notices, and service updates) that are necessary to provide the Services; these are not promotional and you cannot opt out of them while you hold an account.
6.2 Promotional communications. We send marketing communications to business contacts where permitted, relying on consent or legitimate interests depending on jurisdiction. You can opt out at any time using the unsubscribe link or by contacting privacy@bulkasms.com.
6.3 Preferences. We honour opt-outs promptly and maintain suppression records to respect your choices.
7. Cookies and Similar Technologies
7.1 Use of cookies. We and our partners use cookies, pixels, software development kits, and local storage to operate our websites, remember preferences, measure performance, and support marketing. Strictly necessary cookies are always active; other categories are used in accordance with your choices where consent is required.
7.2 Managing cookies. You can manage non-essential cookies through our cookie banner or preference centre and through your browser settings. Disabling some cookies may affect functionality. Further detail is provided in our Cookie Notice.
8. How We Share Personal Data
We do not sell personal data. We share personal data only as described below.
- Service providers / sub-processors. Hosting and infrastructure, payment processing, analytics, communications, customer-support tooling, and security providers that process data on our behalf under contract.
- Mobile operators, carriers, and aggregators. To route and deliver messages and obtain delivery receipts.
- Our customers. Where you are a user within a customer's account, the customer (and its administrators) can access account and usage data within that tenant.
- Professional advisers. Legal, accounting, audit, and insurance advisers, under confidentiality.
- Authorities. Regulators, courts, law-enforcement, and operators where required by law, legal process, or to protect rights, safety, and network integrity.
- Corporate transactions. Acquirers or successors in a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
8.1 Sub-processors. We maintain a list of sub-processors and impose data-protection obligations on them consistent with this Policy and the DPA. Customers may request the current sub-processor list and information about material changes as provided in the DPA.
9. International Data Transfers
9.1 Cross-border processing. We operate internationally, and personal data may be processed in, and transferred to, countries other than your own, including outside the European Economic Area (EEA) and the United Kingdom. Delivering messages also necessarily transfers recipient data to destination-country operators.
9.2 Safeguards. Where we transfer personal data from the EEA, UK, or other regulated regions to a country without an adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (and the UK Addendum), supplemented by technical and organisational measures and transfer-impact assessments where appropriate.
9.3 Copies. You may request information about the safeguards we use by contacting privacy@bulkasms.com.
10. Data Retention
10.1 Retention principles. We retain personal data only as long as necessary for the purposes for which it was collected, including to provide the Services, to comply with legal, tax, accounting, and regulatory obligations, to resolve disputes, and to enforce agreements. Retention periods vary by data type and context.
| Data type | Typical retention | Rationale |
|---|---|---|
| Account & profile | For the life of the account + a limited period after closure | Service provision; disputes |
| Billing & tax records | As required by tax/accounting law (often several years) | Legal obligation |
| KYC / verification | Duration of relationship + retention period required by law | Compliance |
| Message metadata / reports | Per plan and customer instruction; then deleted or aggregated | Service; processor instructions |
| Message content | Limited operational period unless customer requires otherwise | Delivery; troubleshooting |
| Security & audit logs | A defined security-retention window | Security; incident response |
| Marketing data | Until opt-out or inactivity threshold | Consent / legitimate interests |
10.2 Deletion and anonymisation. When personal data is no longer required, we delete or irreversibly anonymise it. Where deletion is not immediately possible (for example, in backups), we isolate the data and protect it from further use until deletion occurs.
11. Information Security
11.1 Measures. We maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, or damage, consistent with recognised standards (including controls aligned with ISO/IEC 27001 and SOC 2 Type II). Measures include:
- Role-based access control, least-privilege access, and multi-factor authentication for authorised users.
- Encryption of sensitive data at rest and encryption of data in transit.
- Logical multi-tenant isolation segregating each tenant's data, balances, Sender IDs, and reports.
- Network controls, including IP restrictions and controlled, monitored access.
- Continuous logging, monitoring, vulnerability management, and periodic risk assessment.
- Personnel confidentiality obligations, security training, and vendor due diligence.
11.2 No absolute guarantee. No method of transmission or storage is completely secure. While we work to protect personal data, we cannot guarantee absolute security, and you are responsible for safeguarding your credentials and access.
11.3 Breach notification. We maintain an incident-response process and will notify affected controllers, regulators, and, where required, individuals of personal-data breaches in accordance with applicable law and the DPA.
12. Your Data-Protection Rights
Subject to applicable law and verification of your identity, you have the following rights in relation to personal data we hold about you as a controller:
- Access. Obtain confirmation of whether we process your personal data and a copy of it.
- Rectification. Correct inaccurate or incomplete personal data.
- Erasure. Request deletion in certain circumstances (the "right to be forgotten").
- Restriction. Request that we limit processing in certain circumstances.
- Portability. Receive certain data in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller.
- Objection. Object to processing based on legitimate interests, and to direct marketing at any time.
- Automated decisions. Not be subject to solely automated decisions with legal or similarly significant effects, except as permitted by law.
- Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting prior processing.
- Complain. Lodge a complaint with your supervisory authority (in Türkiye, the Personal Data Protection Authority (KVKK); in the EEA, your local data-protection authority).
12.1 How to exercise. Submit requests to privacy@bulkasms.com. We will respond within the time required by applicable law (generally one month under the GDPR, extendable for complex requests). We may need to verify your identity and may decline requests that are manifestly unfounded or excessive, as permitted by law.
12.2 Recipients. If your request concerns messages you received, please contact the business that sent them, as that business is the controller of recipient data (see Section 4).
13. Region-Specific Disclosures
13.1 European Economic Area and United Kingdom (GDPR / UK GDPR). Where the GDPR or UK GDPR applies, the lawful bases in Section 5 govern our processing, the rights in Section 12 are available, and international transfers are protected as described in Section 9. Our representative and Data Protection contact can be reached at privacy@bulkasms.com.
13.2 Türkiye (KVKK). Where Law No. 6698 on the Protection of Personal Data (KVKK) applies, we process personal data in line with its principles, provide the rights set out in Article 11 of the KVKK (which broadly correspond to the rights in Section 12), and rely on the lawful processing conditions and transfer mechanisms permitted under the KVKK.
13.3 Other jurisdictions. Where other data-protection laws apply to you, we honour the rights and obligations those laws require. Mandatory local rights are not limited by this Policy.
14. Third-Party Sites and Services
Our websites and the platform may link to or integrate with third-party sites and services (such as payment, CRM, and analytics tools). We are not responsible for their privacy practices. Please review the privacy notices of any third party before providing personal data.
15. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, technology, or law. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (for example, by email or in-product notice). Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
16. How to Contact Us
If you have questions about this Policy or our privacy practices, or wish to exercise your rights, please contact us:
| Channel | Detail |
|---|---|
| Privacy / Data Protection | privacy@bulkasms.com |
| General contact | hello@bulkasms.com |
| Security incidents | security@bulkasms.com |
| Postal | BULKASMS, Istanbul, Republic of Türkiye |
