Skip to content
Legal

Privacy Policy

BULKASMS — Enterprise SMS & CPaaS Platform · Version 1.0 · Effective date: 24 June 2026 · Data controller: BULKASMS, Istanbul, Republic of Türkiye · Privacy / DPO contact: privacy@bulkasms.com

Last updated: 24 June 2026

On this page
  1. 1. Introduction and Scope
  2. 2. Key Definitions
  3. 3. Personal Data We Collect
  4. 4. Recipient Data on Behalf of Customers
  5. 5. How and Why We Use Personal Data
  6. 6. Marketing and Communications
  7. 7. Cookies and Similar Technologies
  8. 8. How We Share Personal Data
  9. 9. International Data Transfers
  10. 10. Data Retention
  11. 11. Information Security
  12. 12. Your Data-Protection Rights
  13. 13. Region-Specific Disclosures
  14. 14. Third-Party Sites and Services
  15. 15. Changes to this Policy
  16. 16. How to Contact Us
At a glance. This Policy explains our practices as a controller for our website, accounts, and business operations. When we send messages on behalf of business customers, we act as a processor under our customers' instructions — those customers are the controller of recipient data and their own privacy notices apply. We support GDPR data-subject rights, maintain security controls aligned with ISO/IEC 27001 and SOC 2, and use Standard Contractual Clauses for international transfers where required.

1. Introduction and Scope

1.1 Who we are. BULKASMS ("we", "us", or "our") operates a carrier-grade Communications-Platform-as-a-Service ("CPaaS") and a multi-tenant, white-label SMS panel that enables business customers to send transactional, OTP, bulk, and marketing SMS through direct operator connectivity. Our registered office is in Istanbul, Republic of Türkiye.

1.2 Purpose of this Policy. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data, and the rights individuals have in relation to that personal data. It applies to: (a) visitors to our websites and marketing properties; (b) users and administrators of accounts on the platform; (c) billing, procurement, and other business contacts of our customers and partners; and (d) individuals whose personal data we process in operating and securing the Services.

1.3 Our dual role. Our privacy responsibilities depend on the context:

  • Controller. For our website, account registration, authentication, billing, support, security, and our own marketing, we determine the purposes and means of processing and therefore act as a controller.
  • Processor. When our business customers use the platform to send messages, they decide which recipients to contact and what to send. In that context, the customer is the controller and we act as a processor on the customer's documented instructions under our Data Processing Addendum ("DPA"). If you are a message recipient, please contact the business that messaged you to exercise your rights; we will support that business as required.

1.4 Other notices. This Policy is supplemented by our Cookie Notice, our DPA (for customers), and any product- or region-specific notices we provide.

2. Key Definitions

  • Personal data — Any information relating to an identified or identifiable natural person.
  • Processing — Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
  • Controller — The party that determines the purposes and means of processing personal data.
  • Processor — A party that processes personal data on behalf of, and on the instructions of, a controller.
  • Data subject — The individual to whom personal data relates.
  • GDPR — Regulation (EU) 2016/679, the General Data Protection Regulation, and equivalent UK provisions.
  • Sub-processor — A third party engaged by us to process personal data on our behalf.
  • SCCs — The European Commission's Standard Contractual Clauses for international data transfers.
  • Recipient data — Personal data of message recipients (e.g., phone numbers, message content) processed when delivering customer messages.

3. Personal Data We Collect

We collect personal data directly from you, automatically through your use of our properties, and from third parties. The categories below describe data we process as a controller; recipient data processed on behalf of customers is addressed in Section 4.

3.1 Data you provide

CategoryExamplesTypical source
Identity & contactName, business email, phone, job title, employerRegistration, sales enquiries
Account & profileUsername, password (hashed), roles, preferences, MFA settingsAccount setup
Verification / KYCBusiness registration, identity documents, beneficial ownership, Sender ID documentsOnboarding
Billing & financialBilling address, tax ID, payment-method tokens, invoicesCheckout, billing
Support & commsMessages to support, survey responses, call notesSupport channels

3.2 Data collected automatically

CategoryExamples
Device & technicalIP address, browser type, device identifiers, operating system
Usage & logPages viewed, features used, API calls, timestamps, referring URLs
Security & auditLogin events, access logs, IP allow-list activity, anomaly signals
Platform operationalTraffic volumes, route and delivery statistics, error and performance metrics
Cookies & similarIdentifiers set via cookies, pixels, and local storage (see Cookie Notice)

3.3 Data from third parties

  • Payment processors (confirmation of payment, fraud signals — we do not store full card numbers).
  • Identity-verification and anti-fraud providers (verification outcomes).
  • Mobile operators, carriers, and aggregators (delivery receipts and traffic status).
  • Marketing, enrichment, and analytics partners, and publicly available business sources.

3.4 Special categories

We do not seek to collect special-category data (such as health, religion, or biometric data) about account users in the ordinary course. Customers must not use the Services to transmit special-category or sensitive recipient data without an appropriate lawful basis and required safeguards.

3.5 Children

The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from individuals under 16. If we learn we have done so, we will delete it.

4. Recipient Data Processed on Behalf of Customers

4.1 Processor role. When a customer uses the platform to send messages, the customer uploads or transmits recipient phone numbers, message content, contact-group data, and related metadata. We process this recipient data only to provide the messaging Services on the customer's instructions, to route and deliver messages, to return delivery receipts, to generate the customer's reports, to maintain security, and as required by law.

4.2 Customer responsibilities. The customer is the controller of recipient data and is responsible for establishing a lawful basis (such as consent), providing privacy notices to recipients, honouring opt-outs, and responding to recipient rights requests. We assist customers with these obligations as set out in the DPA.

4.3 Recipients' requests. If you received a message and wish to opt out or exercise your rights, please follow the opt-out instruction in the message or contact the business that sent it. If you contact us directly, we will, where we can identify the relevant customer, forward your request and support the customer in responding.

4.4 Onward transmission. To deliver messages, recipient numbers and content are necessarily transmitted to mobile operators, carriers, and aggregators in the destination country, which may be outside the EEA.

5. How and Why We Use Personal Data (Purposes and Lawful Bases)

As a controller, we process personal data for the purposes and on the legal bases set out below (GDPR Article 6). Where we rely on legitimate interests, we have balanced those interests against individuals' rights.

PurposeExamplesLawful basis
Provide the ServicesCreate and operate accounts, authenticate users, deliver platform featuresContract
Billing & paymentsInvoice, collect fees, prevent payment fraudContract; legal obligation
Verification / KYCVerify identity and eligibility, meet operator/regulatory rulesLegal obligation; legitimate interests
Security & fraudDetect, prevent, and investigate abuse, intrusion, and AITLegitimate interests; legal obligation
SupportRespond to requests, troubleshoot, manage ticketsContract; legitimate interests
Improve & analyseUnderstand usage, improve features, ensure reliabilityLegitimate interests
MarketingSend service and product communications to business contactsConsent or legitimate interests
Legal & complianceComply with law, enforce terms, establish/defend claimsLegal obligation; legitimate interests

5.1 Aggregated and de-identified data. We may create aggregated or de-identified statistics (for example, route performance and delivery benchmarks) that do not identify any individual, and use them for analytics, security, and improving the Services.

5.2 Automated decisions. We may use automated tools for fraud and abuse detection (for example, anomaly scoring of traffic). These do not produce legal or similarly significant effects on individuals without human review where required by law.

6. Marketing and Communications

6.1 Service communications. We send administrative and transactional messages (for example, security alerts, billing notices, and service updates) that are necessary to provide the Services; these are not promotional and you cannot opt out of them while you hold an account.

6.2 Promotional communications. We send marketing communications to business contacts where permitted, relying on consent or legitimate interests depending on jurisdiction. You can opt out at any time using the unsubscribe link or by contacting privacy@bulkasms.com.

6.3 Preferences. We honour opt-outs promptly and maintain suppression records to respect your choices.

7. Cookies and Similar Technologies

7.1 Use of cookies. We and our partners use cookies, pixels, software development kits, and local storage to operate our websites, remember preferences, measure performance, and support marketing. Strictly necessary cookies are always active; other categories are used in accordance with your choices where consent is required.

7.2 Managing cookies. You can manage non-essential cookies through our cookie banner or preference centre and through your browser settings. Disabling some cookies may affect functionality. Further detail is provided in our Cookie Notice.

8. How We Share Personal Data

We do not sell personal data. We share personal data only as described below.

  • Service providers / sub-processors. Hosting and infrastructure, payment processing, analytics, communications, customer-support tooling, and security providers that process data on our behalf under contract.
  • Mobile operators, carriers, and aggregators. To route and deliver messages and obtain delivery receipts.
  • Our customers. Where you are a user within a customer's account, the customer (and its administrators) can access account and usage data within that tenant.
  • Professional advisers. Legal, accounting, audit, and insurance advisers, under confidentiality.
  • Authorities. Regulators, courts, law-enforcement, and operators where required by law, legal process, or to protect rights, safety, and network integrity.
  • Corporate transactions. Acquirers or successors in a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.

8.1 Sub-processors. We maintain a list of sub-processors and impose data-protection obligations on them consistent with this Policy and the DPA. Customers may request the current sub-processor list and information about material changes as provided in the DPA.

9. International Data Transfers

9.1 Cross-border processing. We operate internationally, and personal data may be processed in, and transferred to, countries other than your own, including outside the European Economic Area (EEA) and the United Kingdom. Delivering messages also necessarily transfers recipient data to destination-country operators.

9.2 Safeguards. Where we transfer personal data from the EEA, UK, or other regulated regions to a country without an adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (and the UK Addendum), supplemented by technical and organisational measures and transfer-impact assessments where appropriate.

9.3 Copies. You may request information about the safeguards we use by contacting privacy@bulkasms.com.

10. Data Retention

10.1 Retention principles. We retain personal data only as long as necessary for the purposes for which it was collected, including to provide the Services, to comply with legal, tax, accounting, and regulatory obligations, to resolve disputes, and to enforce agreements. Retention periods vary by data type and context.

Data typeTypical retentionRationale
Account & profileFor the life of the account + a limited period after closureService provision; disputes
Billing & tax recordsAs required by tax/accounting law (often several years)Legal obligation
KYC / verificationDuration of relationship + retention period required by lawCompliance
Message metadata / reportsPer plan and customer instruction; then deleted or aggregatedService; processor instructions
Message contentLimited operational period unless customer requires otherwiseDelivery; troubleshooting
Security & audit logsA defined security-retention windowSecurity; incident response
Marketing dataUntil opt-out or inactivity thresholdConsent / legitimate interests

10.2 Deletion and anonymisation. When personal data is no longer required, we delete or irreversibly anonymise it. Where deletion is not immediately possible (for example, in backups), we isolate the data and protect it from further use until deletion occurs.

11. Information Security

11.1 Measures. We maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, or damage, consistent with recognised standards (including controls aligned with ISO/IEC 27001 and SOC 2 Type II). Measures include:

  • Role-based access control, least-privilege access, and multi-factor authentication for authorised users.
  • Encryption of sensitive data at rest and encryption of data in transit.
  • Logical multi-tenant isolation segregating each tenant's data, balances, Sender IDs, and reports.
  • Network controls, including IP restrictions and controlled, monitored access.
  • Continuous logging, monitoring, vulnerability management, and periodic risk assessment.
  • Personnel confidentiality obligations, security training, and vendor due diligence.

11.2 No absolute guarantee. No method of transmission or storage is completely secure. While we work to protect personal data, we cannot guarantee absolute security, and you are responsible for safeguarding your credentials and access.

11.3 Breach notification. We maintain an incident-response process and will notify affected controllers, regulators, and, where required, individuals of personal-data breaches in accordance with applicable law and the DPA.

12. Your Data-Protection Rights

Subject to applicable law and verification of your identity, you have the following rights in relation to personal data we hold about you as a controller:

  • Access. Obtain confirmation of whether we process your personal data and a copy of it.
  • Rectification. Correct inaccurate or incomplete personal data.
  • Erasure. Request deletion in certain circumstances (the "right to be forgotten").
  • Restriction. Request that we limit processing in certain circumstances.
  • Portability. Receive certain data in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller.
  • Objection. Object to processing based on legitimate interests, and to direct marketing at any time.
  • Automated decisions. Not be subject to solely automated decisions with legal or similarly significant effects, except as permitted by law.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Complain. Lodge a complaint with your supervisory authority (in Türkiye, the Personal Data Protection Authority (KVKK); in the EEA, your local data-protection authority).

12.1 How to exercise. Submit requests to privacy@bulkasms.com. We will respond within the time required by applicable law (generally one month under the GDPR, extendable for complex requests). We may need to verify your identity and may decline requests that are manifestly unfounded or excessive, as permitted by law.

12.2 Recipients. If your request concerns messages you received, please contact the business that sent them, as that business is the controller of recipient data (see Section 4).

13. Region-Specific Disclosures

13.1 European Economic Area and United Kingdom (GDPR / UK GDPR). Where the GDPR or UK GDPR applies, the lawful bases in Section 5 govern our processing, the rights in Section 12 are available, and international transfers are protected as described in Section 9. Our representative and Data Protection contact can be reached at privacy@bulkasms.com.

13.2 Türkiye (KVKK). Where Law No. 6698 on the Protection of Personal Data (KVKK) applies, we process personal data in line with its principles, provide the rights set out in Article 11 of the KVKK (which broadly correspond to the rights in Section 12), and rely on the lawful processing conditions and transfer mechanisms permitted under the KVKK.

13.3 Other jurisdictions. Where other data-protection laws apply to you, we honour the rights and obligations those laws require. Mandatory local rights are not limited by this Policy.

14. Third-Party Sites and Services

Our websites and the platform may link to or integrate with third-party sites and services (such as payment, CRM, and analytics tools). We are not responsible for their privacy practices. Please review the privacy notices of any third party before providing personal data.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or law. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (for example, by email or in-product notice). Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

16. How to Contact Us

If you have questions about this Policy or our privacy practices, or wish to exercise your rights, please contact us:

ChannelDetail
Privacy / Data Protectionprivacy@bulkasms.com
General contacthello@bulkasms.com
Security incidentssecurity@bulkasms.com
PostalBULKASMS, Istanbul, Republic of Türkiye