In this Privacy Policy, “we”, “us”, “our” or “PaaSoo” will refer collectively to PAASOO TECHNOLOGY LIMITED, a company incorporated under the laws of Hong Kong with Business Registration number 65995993 and having its registered office at Flat G, 17/F, King Palace Plaza, No. 55 King Yip Street, Kwun Tong, Kowloon, Hong Kong SAR and any and all its Affiliates. As used herein, the term “Affiliate” shall mean any entity controlling, controlled by or under common control with a Party, where "control" means an entity’s (a) ownership, directly or indirectly, of equity securities entitling it to exercise in the aggregate at least 50% of the voting power of the entity in question; or (b) possession directly or indirectly, of the power to direct or cause the direction of the management and policies of or with respect to the entity in question, whether through ownership of voting securities, by contract or otherwise. The terms “you,” “your” and “Customer” will refer to any client, visitor, or user of PaaSoo Services.

PaaSoo is a cloud communications platform providing reliable and high-quality text, voice and omnichannel APIs and applications, enabling enterprise and aggregator customers to reach their global users.

Here at PaaSoo we treat the protection of your personal data and your customers’ personal data (hereinafter referred to as “End-User(s)” or “End-User(s) Data) very seriously. This privacy policy will explain you your rights regarding your personal identifying information that you share with us, how we will process this information in connection with your use of our services, including our website, and how to contact us. We want to make sure that you make informed decisions about your personal information when using PaaSoo applications or building your own software applications on PaaSoo’s platform. We also want to provide you with relevant information to help your End Users make informed decisions about their personal information when they use your software applications built on PaaSoo’s platform.

What is personal data?

According to the Personal Data (Privacy) Ordinance (the “PDPO”), personal data means information which relates to a living individual and can be used to identify that individual. It must also exist in a form which access to or processing of is practicable. If it is possible to identify an individual directly from the information processed, then that information may be personal data. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

Which categories of personal information are being collected and processed by PaaSoo?

PaaSoo processes the following categories of personal information when you use our services:

• Your personal information as a customer (or potential customer) of PaaSoo’s services — hereinafter referred to as "Customer Account Data".The Customer Account data is all the personal data we collect from you to manage your PaaSoo account including providing you support and charging you for our services. If you have a multi-user account, the personal information of your invited users will also be considered as Customer Account Data. Please note that personal data does not include generic business names, business addresses, generic email addresses (e.g., billing@ or info@) or any other general business information, as long as this information has not been linked to an individual.
• The personal data you share with PaaSoo when you send or receive communications through your use of our services — hereinafter referred to as “Customer Usage data”. For example, when you visit our websites, we use cookies to collect the log information such as your Internet Protocol address, browser type, bowser language and the date and time of your query. For more information on what cookies are and how we use them, please read our Cookies Policy.
• The personal information of your End Users who use or interact with your application that you’ve built on PaaSoo’s platform, like the people you communicate by way of that application — hereinafter referred to as “Traffic Data”. Traffic Data is processed by PaaSoo to handle the communication exchanged during the use of PaaSoo’s services. The Traffic Data include the data on the routing, type, duration, and time of the communication and the data used to trace and identify the source and destination of a communication (e.g., communications metadata, contents of communications, SMS terminated to or originated from your End-Users and their phone numbers). Customers shall comply with all applicable laws and regulations when they collect, record and process End-Users Data using PaaSoo APIs, services or applications.

Multi-User Account. In case of multi-user account, the account administrator (referred in this clause as the “Customer”) is responsible for the collection and processing of personal data of all users of the PaaSoo account. The Customer shall comply with all applicable legal and regulatory provisions, and in particular the regulations applicable to the protection of personal data and obtain any prior authorizations required.

How does PaaSoo use and process the personal information?

The PDPO differentiates between "data users" and "data processors" of personal data. The data user is the person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data. The data processor is a person who processes personal data on behalf of another person (a data user), instead of for his/her own purpose(s). Data processors are not directly regulated under the PDPO. Instead, data users are required to, by contractual or other means, ensure that their data processors meet the applicable requirements of the PDPO.

PaaSoo is both a data user and a data processor:

- As a data user, PaaSoo collects and processes personal data from visitors to PaaSoo’s website and from customers that sign up for our services, including personal data from users to whom customers have granted permission to access and use the Services. In this context, PaaSoo determines how this personal data is collected, processed, and shared.

- As a data processor, PaaSoo collects and processes personal data from End Users of PaaSoo’s registered customers and only does so as per customer’s requirements.

What personal information does PaaSoo collect?

According to the PDPO, personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should also be necessary and adequate but not excessive for such purpose. The means of collection should be lawful and fair.

The following table explains what personal data we collect from you, how we process it, how we classify your personal data and, according to personal data protection regulations, what is the lawful purpose for the processing of your personal data.

Personal data collected	Personal data processing	Type of personal data	Lawful purpose for processing
Contact data (name, phone number, email address, company name). In case of a multi-user account, the contact data includes the contact data of the account administrator and all invited users. PaaSoo may require additional information such as your passport or ID to verify your identity while processing to payment. You will be specifically informed in such event.	This data is used throughout your relationship with PaaSoo including opening an account, managing your account, configure your settings, send emails/alerts, giving you support and communicating with you through our sales team or customer support team. We also use this data to carry out core business operations such as accounting, filing taxes, and fulfilling regulatory obligations. We may also use this data to help us detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of our services.	Customer Account Data	Performance of a contract: we process this information to fulfill our contractual obligations to you as part of your engagement with PaaSoo.
Commercial information, history of our customers and information about your organization and contacts, such as colleagues or people within your organization	We collect commercial information when we keep track of the services that you purchase from us and our communications history about those services.	Customer Account Data	Performance of a contract: we process this information to fulfill our contractual obligations to you as part of your engagement with PaaSoo.
Sending and receiving phone numbers and message content	We use this data to be able to provide you with SMS services.	Customer Usage Data Traffic Data	Performance of a contract: we process this information to fulfill our contractual obligations to you as part of your engagement with PaaSoo.
Payment management	In order to pay for our services, we need information about your payment method. We also keep history of your usage and payments for you to be able to verify our charges and if necessary, dispute any billing. PaaSoo does not collect your credit card information since the whole payment process is hosted and handled by PayPal. For more information, we recommend you read PayPal terms of use.	Customer Account Data Customer Usage Data	Performance of a contract: we process this information to fulfill our contractual obligations to you as part of your engagement with PaaSoo.
Voice recording	As part of our services, we store voice recordings for you, and we provide you with other services such as IVR.	Customer Usage data Traffic Data	Performance of a contract: we process this information to fulfill our contractual obligations to you as part of your engagement with PaaSoo.
Internet and other electronic activity information	We collect Internet and other electronic activity information, such as communications metadata, as you browse our website or use our services. This metadata may be information about how you browse our websites and what features you use on our service.	Customer Usage Data	Consent: by clicking you have given us consent to the processing of your personal data for one or more specific purposes.
Cookies tracking including IP address, browser type and language, location, date and time of your query	When you visit our websites, we may collect the log information such as your IP address, and browser type and language. We can also collect geolocation information. Depending on the product or service, this could be location based on your IP address, or such as if you are using our IoT products and services, based on the cell tower to which a mobile device is connected, or Wi-Fi triangulation. We use this information to understand who is using our services and how, and to detect, prevent and investigate fraud, abuse, or security incidents.	Customer Usage Data	Consent: we only collect and process your data for the purposes set out in our Privacy Policy and Cookies Policy or for specific purposes that we share with you and/or that you have consented to. You have the right to withdraw your consent at any time.
Professional or employment information	We may collect professional or employment information, such as the company you work for or your position in this company.	Customer Account Data	Performance of a contract: we process this information to fulfill our contractual obligations to you as part of your engagement with PaaSoo.
Your feedback about our service	If you attend an event or fill out a form or survey with us, we might collect your age, your gender, or other information that counts as characteristics of protected classifications; however, we will only collect those with your knowledge and opt-in consent.	Customer Usage Data	Consent: we only collect and process your data for specific purposes that we share with you and/or that you have consented to. You have the right to withdraw your consent at any time.

How long does PaaSoo store the personal information?

According to the PDPO, once collected, the personal data should only be kept for as long as necessary for the fulfillment of the purposes of using the data.

Customer Account Data

PaaSoo will retain these records for as long you instruct and:

• If no specific instruction is given to delete these records, then PaaSoo will store the Customer Account Data for as long as it is necessary to maintain your customer account and provide you with our services and in no event later than seven (7) years after deletion of your Customer account unless there are outstanding claims or complaints that will reasonably require personal information to be retained.
• In the event you have requested PaaSoo to delete your Customer Account Data, PaaSoo shall keep the corresponding records including the transaction details up to seven (7) years to respond to legal requirements. Please note that in such case, your customer account will be automatically deleted, and no further services will be provided to you.

What happens if you request the deletion of your Customer Account Data?

Customer Account Data is necessary to maintain your account and to provide you with the services. Please be aware that should you request PaaSoo to delete your Customer Account Data, no further services will be provided to you and your customer account will be deleted. In such event you will not be relieved of your payment obligation. In the event your Customer account is deleted, or our partnership is terminated, your Customer Account Data will be automatically deleted and subject to the policy described in this section in terms of retention period.

Traffic Data

In terms of retention period, PaaSoo will treat differently your End Users’ message content and phone numbers as explained below.

Please note that in no event shall PaaSoo treat directly the requests from your End Users. PaaSoo is only responsible to respond to your requests.

1. Message Content

PaaSoo will retain these records for as long you instruct and:

• If no specific instruction is given to delete these records, then PaaSoo will retain the Message content (sender ID and content) for as long as needed to provide SMS services to you and for the purposes of providing customer support (in particular in the event of problems with encoding, concatenation of long SMS, blacklisted keywords, etc.) and respond to any request from law enforcement authorities, but in no event later than one (1) year after the collection of such data.
• At the end of the retention period mentioned above, such data will be automatically deleted from PaaSoo records. For this purpose, please read the section “About Deletion”.

2. End-users Phone Numbers

PaaSoo will retain these records for as long you instruct and:

• If no specific instruction is given to delete these records, then PaaSoo will store your End Users phone numbers for as long as it is necessary to maintain your customer account, provide you with our services and resolve any billing dispute and in no event later than three (3) years after the collection of this data. If there is any billing dispute, we may need to verify the phone numbers to investigate the reason for the discrepancies. This retention will take place in a restricted access secure system and will not be used for commercial purposes.
• In the event you have requested PaaSoo to delete your end-users’ phone numbers, such data will be automatically deleted from PaaSoo records unless a copy of those records shall be kept to respond to some specific legal matters. For this purpose, please read the section “About Deletion”.
• If we need to keep this data after the retention period mentioned above, we will anonymize it so that it can no longer be associated with identified or identifiable natural person.

3. Common rules of Traffic Data

What happens if you request the deletion of the Traffic Data?

The Traffic Data is necessary to provide you with the services and support. Please be aware that should you request PaaSoo to delete such data, no further services nor support will be provided to you and your customer account will be automatically deleted. In such event, you will not be relieved of your payment obligation.

PaaSoo may keep the analytics provided that they do not allow PaaSoo to identify you or any other individual. For this purpose, the data will be anonymized. An example of analytic that PaaSoo may record is the delivery rate per country.

What are your rights on personal information and how to exercise them?

At any time, you have the right to access to your personal information, request modification or oppose the processing of your personal information.

Depending on the circumstances, you may:

• Have the right to access and to be informed about the collection and the use of your personal data by PaaSoo, including the categories of data and how PaaSoo collects, processes and shares your personal data.
• Withdraw your consent at any time when processing is based on the latter;
• Object to the use of your personal data for direct marketing purposes or for transferring the data to a third party for direct marketing;
• Request the restriction of the processing of your personal data in specific cases;
• Ask us to make the necessary correction to your personal data, when a copy of personal data has been supplied by the data user in compliance with a data access request;
• Ask us to delete your personal data when it is no longer necessary in relation to the purposes for which it was collected or otherwise processed, when you have withdrawn your consent on which the processing is based, or you are opposed to use. Withdrawing your consent will not affect the lawfulness of any processing PaaSoo conducted prior to your withdrawal.

You may exercise any of these rights by sending an email and specifying your request at privacy@paasoo.com.

In case of multi-user account, it is up to the invited user to contact the account administrator (referred in this clause as the “Customer”) regarding the processing of the corresponding personal data. The Customer shall inform and guarantee its users of all their rights under the applicable data protection laws and PaaSoo shall assist the Customer in exercising these rights.

About Deletion

You have the right to instruct us to delete your personal information. Please note that it may take a few days for the data to be completely removed from all systems. In some cases, a copy of those records, including the personal information contained in them, may nonetheless be retained to carry out necessary functions like billing, invoice reconciliation, troubleshooting, and detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse. Sometimes legal matters arise that also require us to preserve records, including those containing personal information. These matters include litigation, law enforcement requests, or government investigations. If we have to do this, we will delete the impacted records when no longer legally obligated to retain them. We may, however, retain or use records after they have been anonymized, if the law requires to do so.

Transfer of personal information between countries

We always make sure that we share your personal data when it is absolutely necessary to give you the best products and services and we ensure that we do so in a safe and controlled way. PaaSoo does not sell or share your personal data for any monetary or business reason that will directly benefit PaaSoo’s business interests. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt in data and consent; this information will not be shared with any third parties.

As a global organization, we may need to transfer your personal information to PaaSoo affiliates, contractors, service providers, and to third parties in various countries and jurisdictions around the world. We have servers in Singapore, Hong Kong, China mainland, Taiwan, India, and Ireland. If the customers send API requests with paasoo.com endpoint, user data will be stored in Singapore. If they send requests with local endpoints (paasoo.hk, paasoo.cn, paasoo.com.tw, paasoo.in and paasoo.eu), then the data would be stored in the corresponding local servers. In each case, we take care to use appropriate safeguards to ensure your personal information remains protected.

PaaSoo complies with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be.

Transfer due to storage

PaaSoo is using third-party service providers (notably AWS) in order to back-up the data.

According to the PDPO, if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

Please note that we have data protection addendums in place with our third- party service providers that transfer your personal identifying information outside of Hong Kong. These data protection addendums ensure that sufficient measures are taken by our service providers to protect your personal identifying information in accordance with the applicable data protection laws.

Transfer due to provision of the service

When PaaSoo acts as a data processor, we act based on our clients’ instructions, so the content of communication is transferred from one country to another depending on our clients’ request. In such event we do not have control on the location of the data which may be transferred in or outside Hong Kong.

However, PaaSoo is implemented data protection addendum with its partners and make its best efforts to ensure your personal data is protected in accordance with the applicable data protection laws.

Sub-processing

A sub-processor is a third-party data processor engaged by PaaSoo and who process personal data (i) on behalf of PaaSoo customers; (ii) in accordance with the customer's written instructions as communicated by PaaSoo; and (iii) in accordance with the terms of a written contract between PaaSoo and the sub-processor that specifies the sub-processor's processing activities and imposes on the sub-processor equivalent terms as those imposed on PaaSoo.

PaaSoo only engages sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures ensuring that the sub-processing of personal data meet the requirements of the applicable data protection laws and ensure the protection of the rights of the data subject.

PaaSoo uses the sub-processors below to process personal data. For each sub-processor, processing of personal data will be for the duration that the customer uses and continues to use the applicable service(s), and for the retention periods as set out above or in customer’s service agreement with PaaSoo.

Sub-Processor	Subject matter	Nature and purpose of processing	Regional endpoint
AWS	Personal data in communications	Infrastructure Provider providing hosting services and storage	Singapore, Ireland, India, China mainland
Azure	Personal data contained in voice communications.	Text to speech functionality for customers using Azure TTS.	Singapore, Ireland
China Mobile International	Personal data in communications	Network provider	China mainland
China Telecom Global	Personal data in communications	Infrastructure provider	China mainland, Hong Kong
Google Cloud	Personal data in communications	Infrastructure Provider providing hosting services and storage	Taiwan
Huawei Cloud	Personal data in communications	Infrastructure Provider providing hosting services and storage	Hong Kong only
Leyun	Personal data in communications	Network infrastructure management	Taiwan
Scalegrid	Personal data in communications	Database infrastructure management	Singapore, Ireland, India, Taiwan

How does PaaSoo secure personal information?

PaaSoo takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. All detailed measures are listed below. Encryption method are part of these measures. PaaSoo makes sure that the Traffic Data and your passwords are being encrypted when stored. Also, PaaSoo restricts access to your personal identifying information to employees who need this information in order to operate, develop or improve our services.

Security measures:

• Encrypted communications: to prevent any misuse of your data, we have implemented various robust security mechanisms. HTTPS uses X.509 signed certificates allowing your browser to authenticate our server. HTTPS also uses cryptographic algorithms to encrypt any data in transit between your browser and our servers. This protects your data against eavesdropping / man-in-the-Middle attacks. Our traffic is protected if using the following protocols: HTTPS, SMPP over TLS, SMPP over VPN.
• IP addresses whitelisting: upon requests, PaaSoo is able to restrict the customer dashboard and API requests access to whitelisted IP addresses only.
• Encrypted data: Traffic Data and Customer Usage Data are stored in databases (in Ireland, France, Singapore, Hong Kong, Taiwan) using advanced encryption technologies.
• Traffic Data and Customer Usage Data on customer dashboard: upon requests, PaaSoo is able to hide End User data (phone numbers and message contents) on customer dashboard.

Confidentiality. PaaSoo restricts its personnel from processing personal data without authorization and shall ensure that any person who is authorized by PaaSoo to process personal data is under an appropriate contractual obligation of confidentiality.

PaaSoo’s contact information

If you have any question about how PaaSoo collects, uses, or protects your personal data or if you have any questions about this Privacy Policy, including any requests to exercise your personal data rights, you may contact us at privacy@paasoo.com.

Changes to this Policy

We may, from time to time, make updates or changes to this Privacy Policy because of changes in applicable laws or regulations or because of changes in our personal data practices. The latest version of the Privacy Policy will always be posted on this site, and we will give you notice of any material changes that impact your personal data. Where consent is necessary to make a change apply to our practices with respect to your personal data, we will not apply the changes to your personal data until we have that consent.