PRIVACY POLICY
TEMPTERA LIMITED
Romanou 2, Tlais Tower, Office 601, 1070 Nicosia, Cyprus
VAT: CY60154949E
Version: 1.0
Effective Date: 01.05.2025
Last Updated: 01.05.2025
1. About this Policy
This Privacy Policy explains how TEMPTERA LIMITED ("Tempera", "we", "us", "our"), a private limited liability company duly incorporated and existing under the laws of the Republic of Cyprus, processes personal data in connection with the supply of Direct Inward Dialling ("DID") numbers, voice services, SMS / MMS / RCS messaging services, sender ID provisioning, two-factor authentication delivery, SIP trunking, number lookup, number porting, and related electronic communications services (collectively, the "Services").
This Policy is issued in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, "GDPR");
- The Cyprus Law on the Protection of Natural Persons against the Processing of Personal Data and the Free Movement of such Data 125(I)/2018 (the "Cyprus DP Law"), implementing the GDPR;
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (the "ePrivacy Directive"), as amended;
- The Cyprus Law on the Regulation of Electronic Communications and Postal Services 112(I)/2004, as amended (the "ECS Law");
- The Cyprus Law on the Retention of Telecommunications Data for the Investigation of Serious Criminal Offences 183(I)/2007, as amended;
- The Cyprus Law on the Privilege of Private Communications 92(I)/1996;
- Directive (EU) 2018/1972 establishing the European Electronic Communications Code (the "EECC");
- the numbering-plan rules and identification regimes of each country whose Numbering Resources are issued through the Services (which may include, where applicable, prepaid-identification regimes equivalent to the Cyprus Law on the Identification of Holders and/or Users of SIM or eSIM Cards for Prepaid Mobile Telephony Services 63(I)/2024); and
- All other applicable laws and regulations of the Republic of Cyprus, the European Union, and the European Economic Area.
This Policy applies to natural persons whose personal data we process in any of the following capacities:
(a) representatives, beneficial owners, employees, or contact persons of our business customers;
(b) end users (called parties, recipients of messages, persons whose CLI is presented) of communications routed through the Services, where we process their personal data as part of our role as an electronic communications provider;
(c) website visitors to our Platform;
(d) prospects, marketing contacts, and event attendees;
(e) applicants, suppliers, and counterparties.
A separate Cookie Policy applies to cookies and equivalent technologies on our Platform.
2. Identity of the Controller and Contact Details
Controller: TEMPTERA LIMITED
Address: Romanou 2, Tlais Tower, Office 601, 1070 Nicosia, Cyprus
VAT: CY60154949E
Email (privacy): privacy@temptera.com
Email (general): privacy@temptera.com
Data Protection Officer: We have not at present appointed a Data Protection Officer under Article 37 of the GDPR. We are reviewing whether the appointment of a DPO is required, in the light of the nature, scope, and scale of our processing activities and the guidance issued by the European Data Protection Board (in particular WP243 rev.01, endorsed by the EDPB). In the meantime, all data-protection enquiries, requests by data subjects to exercise their rights, and complaints should be sent to privacy@temptera.com or to the postal address above, marked "Data Protection."
3. Roles: When We Are a Controller, Joint Controller, or Processor
3.1 Controller. We act as the controller for the processing of personal data described in Sections 4 and 5 of this Policy, including in particular:
(a) customer-relationship and account data of our customers and their representatives;
(b) identity verification (KYC) data required under anti-money-laundering rules and the Cyprus Law 63(I)/2024;
(c) billing data (Article 6 of the ePrivacy Directive permits processing for billing and interconnection purposes);
(d) traffic data and location data that we are required, as an electronic communications service provider, to generate, retain, secure, or disclose under the EECC, the ePrivacy Directive, the ECS Law, and the Law 183(I)/2007;
(e) fraud-prevention and network-security data (recital 49 GDPR);
(f) website-visitor data, including any data collected via cookies under the ePrivacy Directive.
3.2 Processor. We act as processor in respect of personal data that our customers, acting as controllers, upload, transmit, or otherwise process via the Services for their own purposes (for example, the contents of A2P messages drafted by the customer, contact lists uploaded by the customer to a campaign tool). Such processing is governed by the Article 28(3) GDPR processor terms set out in clause 10 of our Terms of Service, which form a written contract for the purposes of Article 28(3) GDPR. Where the customer is itself a processor for an upstream controller, the customer must ensure that we are validly engaged as a sub-processor under Article 28(2) and (4) GDPR.
3.3 Confidentiality of communications. Save where Article 5 of the ePrivacy Directive and Article 17 of the Cyprus ECS Law permit (in particular, technical storage and processing strictly necessary for the conveyance of the communication, billing, fraud detection, and network security), we do not access the content of communications. The metadata (traffic data, location data, signalling data) that we necessarily generate is processed under the lawful bases set out below.
3.4 Joint controllership. Where we engage in any joint determination of the means and purposes of processing with a third party, an Article 26 GDPR arrangement will apply, the essence of which will be made available to data subjects.
4. Categories of Personal Data We Process
We process the categories of personal data listed below. Not every category will apply to every data subject.
4.1 Identification and KYC data
Full legal name; date of birth; nationality; identification document type, number, and image (passport, ID card, driver's licence); proof of address; tax identification number; VAT number; corporate registration documents; beneficial-ownership information; politically-exposed-person screening results; sanctions-screening results; signature; photograph (selfie verification); video-call recordings (liveness verification, where used).
4.2 Account and contact data
Username; password (hashed); email address; postal address; telephone number; job title; company name; preferred language; preferred currency; account preferences; communication history with our support and sales teams.
4.3 Billing and financial data
Invoicing data; payment-method tokens (we do not store full card numbers; cards are processed by our PCI-DSS-compliant payment provider); bank-account details (where applicable for SEPA / wire transfers); transaction history; credit limit; credit-history information obtained from credit-reference agencies; tax data.
4.4 Traffic and location data (electronic communications metadata)
For each call, message, or signalling event routed via the Services we generate or receive Call Detail Records (CDRs) and Message Detail Records (MDRs) containing, depending on the technology and service: A-number (calling line identification, "CLI"); B-number (called party); originating and terminating IP addresses, ports, and SBC identifiers; SIP signalling fields; sender ID; message identifier (UDH, SMPP message ID); routing identifiers; HLR / MNP lookup results (mobile number portability database results); Carrier identifiers; cell-ID and cell-area information where conveyed; date, time, and duration of the communication; volume of data exchanged; delivery receipts (DLRs); status codes; failure codes; cost calculation data; mediation records.
4.5 Content of communications
We do not access the content of voice calls. We do not access the content of SMS / MMS / RCS messages except to the strictly necessary extent for routing, fraud detection, anti-spam filtering, malware filtering, sender ID validation, regulatory compliance, content category classification (for example, A2P-vs-P2P classification), and Carrier-required filtering. Where temporary storage of content occurs as a technical step in transmission, it is purged in accordance with Section 8 below.
4.6 Technical and device data
IP address; user-agent string; device identifier; operating-system version; browser; referring URL; pages visited; session identifiers; API access logs; rate-limiting data.
4.7 Cookie and analytics data
As described in our Cookie Policy.
4.8 Communications with us
Records of telephone calls (where calls to support are recorded, with notice), email correspondence, support tickets, chat transcripts, and meeting recordings (where notice is given).
4.9 Marketing data
Marketing-preference flags; campaign-engagement data; webinar and event-registration data; lead-source data.
4.10 Compliance and security data
Records of consent; records of opt-outs; abuse reports; fraud markers; spam scores; STIR/SHAKEN attestation data (where applicable); SIM-swap markers; security-incident logs.
4.11 Special-category data
We do not intentionally collect any special-category personal data within the meaning of Article 9 GDPR. To the extent that any such data may incidentally be present in communications content, traffic data, or KYC documents (for example, biometric facial geometry derived from an ID-document image), we process it strictly under the lawful bases set out in Section 5.
4.12 Children's data
The Services are not directed to persons under 18. We do not knowingly collect personal data from children. Where a child's data has been provided to us, contact us and we will erase it promptly, save where retention is required by law.
5. Lawful Bases and Purposes of Processing
We rely on the following lawful bases under Article 6 GDPR (and, where applicable, Article 9 GDPR) for the processing described above:
| Purpose | Lawful basis |
|---|---|
| Performing the contract with you, providing the Services, and managing your Account | Article 6(1)(b) — contract |
| Processing CDRs and MDRs strictly necessary for the conveyance of the communication and for billing | Article 6(1)(b) — contract; Article 6 ePrivacy Directive |
| Identity verification required by the country-of-issue rules of each Numbering Resource (national numbering authority, prepaid-identification regimes including, where applicable, Cyprus Law 63(I)/2024, local-presence and end-user-residency requirements) | Article 6(1)(c) — legal obligation; Article 6(1)(b) — performance of contract |
| Identity verification required by upstream Carriers, numbering authorities, or to satisfy sanctions-screening obligations applicable to us as an EU person under Council Regulations adopted pursuant to Article 215 TFEU | Article 6(1)(b) — performance of contract; Article 6(1)(c) — legal obligation (sanctions); Article 6(1)(f) — legitimate interest in fraud prevention and security |
| Customer due diligence under the Cyprus Law on the Prevention and Suppression of Money Laundering and Terrorist Financing 188(I)/2007 (as amended), Directive (EU) 2015/849, and related instruments — only where and to the extent that we are, or become, an "obliged entity" thereunder | Article 6(1)(c) — legal obligation |
| Retention of communications data for the investigation of serious criminal offences under Law 183(I)/2007, where lawfully required | Article 6(1)(c) — legal obligation, subject to the case-law of the Court of Justice of the European Union (Tele2 Sverige C-203/15, La Quadrature du Net C-511/18, and subsequent jurisprudence) |
| Fraud prevention, anti-spam, anti-fraud, network security, and protection of our infrastructure | Article 6(1)(f) — legitimate interest (recital 49 GDPR); Article 6 ePrivacy Directive |
| Direct marketing of similar services to existing customers | Article 6(1)(f) — legitimate interest, subject to Article 13(2) of the ePrivacy Directive (right to object at any time) |
| Direct marketing to prospects | Article 6(1)(a) — consent, where required by law |
| Cookies and similar technologies on our Platform | Article 6(1)(a) — consent (Article 5(3) ePrivacy Directive) |
| Tax, accounting, and statutory record-keeping | Article 6(1)(c) — legal obligation |
| Establishment, exercise, or defence of legal claims | Article 6(1)(f) — legitimate interest; Article 9(2)(f) GDPR for any special-category data |
| Compliance with sanctions screening | Article 6(1)(c) — legal obligation; Article 6(1)(f) — legitimate interest |
| Compliance with lawful interception orders, court orders, requests from competent authorities | Article 6(1)(c) — legal obligation |
| Quality assurance, training, and improvement of the Services (using anonymised or pseudonymised data wherever practicable) | Article 6(1)(f) — legitimate interest |
Balancing test for legitimate interests. Where we rely on legitimate interests, we have carried out a balancing test that weighs our interests, and the interests of third parties, against the rights and freedoms of data subjects. You may request a copy of the relevant balancing test in summary form by contacting us.
6. Recipients and Categories of Recipients
We disclose personal data only to those who have a legitimate need to receive it, under appropriate contractual safeguards. Recipients include:
(a) Carriers and upstream suppliers — including providers comparable to Twilio, Infobip, Sinch, Vonage, DIDXL, DIDLogic, Bandwidth, Plivo, Telnyx, DIDWW, Voxbone, Commio, VoIP Innovations, Bird (formerly MessageBird), Clickatell, Messente, ClickSend, SignalWire, Flowroute, and BulkVS — to the extent strictly necessary to originate, route, terminate, or deliver the relevant Traffic, including the disclosure of CLI and other signalling fields as required by SS7, SIP, SMPP, and equivalent protocols;
(b) Numbering authorities and telecommunications regulators, including the Office of the Commissioner for Electronic Communications and Postal Regulation of the Republic of Cyprus ("OCECPR") and equivalent regulators in jurisdictions where Numbering Resources are issued;
(c) Mobile number portability databases (HLR lookup, MNP databases) and STIR/SHAKEN attestation infrastructure;
(d) Payment service providers, banks, credit-reference agencies, and tax authorities;
(e) Cloud and hosting providers, security providers, fraud-detection providers, customer-relationship-management providers, analytics providers, ticketing providers, and email-delivery providers, in each case under data-processing agreements that comply with Article 28 GDPR;
(f) Professional advisors (lawyers, accountants, auditors, insurers);
(g) Public authorities where disclosure is required by law or court order, including law-enforcement, tax, AML/CFT, and data-protection authorities;
(h) Successors in interest in the event of a merger, acquisition, restructuring, or sale of business, in which case the recipient will be bound by terms no less protective than this Policy.
A current list of our material sub-processors is available on request to privacy@temptera.com. Material sub-processors include the Carriers and upstream suppliers identified by reference in clause 3.2 of our Terms of Service.
7. International Transfers
7.1 Geographical scope. Our primary processing infrastructure is located in the European Economic Area. However, the very nature of international voice and messaging services means that signalling and content must transit, terminate, or originate outside the EEA — otherwise, the Service would not function (a call to a number in the United States, for example, must be terminated in the United States). By using the Services, you acknowledge and consent to the international nature of telecommunications.
7.2 Adequacy decisions. Where personal data is transferred to a country in respect of which the European Commission has issued an adequacy decision under Article 45 GDPR, we rely on that decision.
7.3 Standard contractual clauses. Where transfers are made to a country without an adequacy decision, we rely on the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, supplemented, where necessary, by additional technical, organisational, and contractual measures following the Schrems II judgment of the Court of Justice of the European Union (Case C-311/18). A copy of the Standard Contractual Clauses we use, with redaction of commercial terms, is available on request.
7.4 Derogations. Where neither an adequacy decision nor appropriate safeguards apply, we rely on the derogations in Article 49 GDPR, in particular Article 49(1)(b) (transfer necessary for the performance of a contract between the data subject and the controller) and Article 49(1)(c) (transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject).
7.5 Onward transfers. Our sub-processors are required to apply equivalent safeguards to any onward transfer.
8. Retention
8.1 Service-related data. We retain personal data for as long as is necessary to fulfil the purposes for which it was collected and to comply with legal, regulatory, accounting, and contractual obligations. Indicative retention periods:
| Category | Retention |
|---|---|
| Account and contact data | Duration of the customer relationship + 6 years (limitation period under Cyprus contract law) |
| Identity verification records collected to satisfy country-of-issue numbering rules (including, where applicable, Cyprus Law 63(I)/2024) | For the period required by the law of the country of issue and any implementing measure, and not less than the duration of the customer's holding of the Numbering Resource |
| Identity verification records collected under upstream Carrier requirements, sanctions screening, or fraud prevention | Duration of the customer relationship + 6 years (limitation period under Cyprus contract law); shorter where a shorter period is required by law |
| Records collected under the Cyprus AML Law 188(I)/2007 — only where and to the extent we are, or become, an obliged entity | 5 years after the end of the business relationship; extendable up to 10 years where required by law |
| Billing data | 6 years (Cyprus Companies Law and tax law); CDRs / MDRs as far as necessary for billing dispute resolution |
| Traffic data and location data not required for billing | Erased or anonymised at the earliest opportunity, in accordance with Article 6 of the ePrivacy Directive, save where retention is mandated under Law 183(I)/2007 (subject to the CJEU jurisprudence above) |
| Content of communications (where temporarily stored as a technical step) | The shortest period strictly necessary for delivery, normally not exceeding 72 hours, save where law requires longer or where the customer has instructed longer retention as part of a campaign-archive feature |
| Marketing data | Until objection / withdrawal of consent + 24 months for evidential purposes |
| Cookie data | As specified in the Cookie Policy |
| Records of consent, opt-out, abuse reports | 5 years after the end of the relevant communication |
| Litigation hold | Duration of the dispute + applicable limitation period |
| Security incident logs | 24 months minimum |
8.2 Anonymisation. Where we no longer need data for the original purpose but it remains useful for statistical or analytical purposes, we anonymise it irreversibly so that it falls outside the scope of the GDPR.
9. Your Rights
9.1 Subject to the conditions and exceptions in the GDPR and the Cyprus DP Law, you have the right to:
(a) access your personal data and obtain a copy (Article 15 GDPR);
(b) rectify inaccurate or incomplete data (Article 16 GDPR);
(c) erasure ("right to be forgotten") (Article 17 GDPR);
(d) restriction of processing (Article 18 GDPR);
(e) data portability in respect of data processed under contract or consent and by automated means (Article 20 GDPR);
(f) object to processing based on legitimate interests (Article 21(1) GDPR), and at any time and free of charge to processing for direct marketing (Article 21(2) GDPR; Article 13 ePrivacy Directive);
(g) not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Article 22 GDPR);
(h) withdraw consent at any time (Article 7(3) GDPR), without affecting the lawfulness of processing carried out before withdrawal;
(i) lodge a complaint with a supervisory authority (Article 77 GDPR), in particular the Cyprus Office of the Commissioner for Personal Data Protection, Iasonos 1, 1082 Nicosia, Cyprus; tel +357 22 818 456; email commissioner@dataprotection.gov.cy; web https://www.dataprotection.gov.cy, or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement;
(j) judicial remedy under Articles 78 and 79 GDPR; and
(k) compensation under Article 82 GDPR.
9.2 How to exercise your rights. Send a written request to the contact details in Section 2. We will respond within one month under Article 12(3) GDPR, extendable by a further two months for complex requests with prior notice. We may need to verify your identity, including by requesting copies of identification documents. We do not charge a fee unless requests are manifestly unfounded or excessive.
9.3 Limitations. Some rights are subject to legal exceptions, in particular where processing is necessary for compliance with a legal obligation imposed on us as an electronic communications service provider, for the establishment, exercise, or defence of legal claims, or where another person's rights and freedoms would be affected.
10. Automated Decision-Making and Profiling
10.1 We use automated systems to detect fraud, spam, abuse, route abuse, and unusual patterns of usage. These systems may temporarily flag, throttle, or suspend accounts, sender IDs, or DIDs. Where such a measure produces legal effects concerning you or similarly significantly affects you, we will provide meaningful information about the logic involved and the consequences, and you may request human review under Article 22(3) GDPR.
10.2 We do not engage in profiling for direct-marketing purposes that goes beyond ordinary business analytics.
11. Security
11.1 We implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and Article 40 of the EECC.
11.2 Our TOMs include, without limitation: access control on a strict need-to-know basis; multi-factor authentication; encryption of data in transit (TLS 1.2+) and at rest; network segmentation; regular vulnerability scanning and penetration testing; staff training; vendor due-diligence; logging and monitoring; backup and disaster-recovery; incident-response procedures.
11.3 No system is impenetrable. We cannot and do not warrant absolute security. You are responsible for keeping your credentials secure.
12. Personal Data Breaches
12.1 In the event of a personal data breach within the meaning of Article 4(12) GDPR, we will notify the competent supervisory authority within 72 hours of becoming aware where required by Article 33 GDPR, and we will notify affected data subjects without undue delay where required by Article 34 GDPR.
12.2 We will additionally notify the OCECPR and affected end users in accordance with Article 40 EECC and any equivalent national rule applicable to electronic communications service providers.
13. Lawful Interception, Data Retention Orders, and Disclosures to Authorities
13.1 As an electronic communications service provider, we are required, where lawfully ordered, to assist competent authorities in the lawful interception of communications, to retain certain categories of communications data, and to disclose data pursuant to court orders, production orders, or equivalent legal instruments.
13.2 Such cooperation is governed by, among others, the Cyprus Law on the Privilege of Private Communications 92(I)/1996, the Cyprus Law on the Retention of Telecommunications Data 183(I)/2007, the Cyprus Code of Criminal Procedure, the Cyprus Law on the European Investigation Order 181(I)/2017, the Mutual Legal Assistance frameworks of the European Union, the case-law of the Court of Justice of the European Union (in particular Tele2 Sverige C-203/15, La Quadrature du Net C-511/18, H.K. v Prokuratuur C-746/18, SpaceNet C-793/19, VD and SR C-339/20, and Commissioner of An Garda Síochána C-140/20), and the equivalent legal instruments of any country whose Numbering Resources are issued through the Services and that may, through our Carriers, be the subject of lawful demands.
13.3 Where lawfully permitted, we will inform affected data subjects of any disclosure. Where prohibited from doing so, we will publish aggregated transparency information.
14. Cookies
14.1 Our use of cookies and equivalent technologies on our Platform is described in the Cookie Policy, which is published on our Platform and available on request to privacy@temptera.com. The Cookie Policy implements Article 5(3) of the ePrivacy Directive and the corresponding provision of the Cyprus ECS Law. Non-essential cookies are set only with your prior consent.
15. Changes to This Policy
15.1 We may update this Policy from time to time. The current version is identified by the version number and effective date at the top. Material changes will be notified via the Platform or by email to registered customers, at least fifteen (15) days before they take effect.
16. Information for End Users
16.1 If you are a person whose CLI, telephone number, or other identifier is processed by us because you have called or messaged a number that is provisioned through us, or because a customer of ours has used the Services to send you a communication, please note:
(a) we process your traffic and metadata strictly to enable the conveyance of the communication and to comply with our obligations as an electronic communications service provider;
(b) the content of any commercial communication, the basis on which you have been contacted, and the validity of any consent you may have given are determined by our customer, who acts as the controller of that processing;
(c) you should direct any access, rectification, erasure, restriction, portability, objection, or consent-withdrawal request relating to the substance of the communication to the customer who initiated it; the sender details should be present in the message;
(d) we will assist any such customer in handling your request, in accordance with Article 28 GDPR;
(e) you may always contact us directly for any matter concerning the processing for which we are controller, or to lodge a complaint;
(f) you have the right to opt out of direct marketing at any time and free of charge under Article 13(2) of the ePrivacy Directive. Reply STOP, write to the customer who sent you the communication, or contact us, and we will route your request as appropriate;
(g) if you receive a communication that you believe is unlawful, fraudulent, deceptive, or otherwise abusive, please notify us at privacy@temptera.com.
17. Special Notes
17.1 No emergency services. As described in our Terms of Service, the Services do not, in general, support reliable connection to emergency services. Personal data processed in connection with an attempt to use the Services to reach emergency services will be processed under the lawful bases above and may be disclosed to public-safety authorities.
17.2 Number lookup and CNAM. Where you initiate a number-lookup request via the Services, the numbers queried are processed for the purpose of returning the lookup result and for fraud-prevention.
17.3 Recording. Where the Services are used to enable call-recording functionality by our customers, the customer is the controller of the recordings. The customer must comply with all consent and notice requirements applicable in the jurisdictions of all participants. We are processor in respect of such recordings.
18. Governing Law
18.1 This Policy is governed by the laws of the Republic of Cyprus, without prejudice to the application of mandatory provisions of the GDPR and the law of the data subject's habitual residence.
TEMPTERA LIMITED
Romanou 2, Tlais Tower, Office 601, 1070 Nicosia, Cyprus
VAT: CY60154949E
© 2025 TEMPTERA LIMITED. All rights reserved.