Effective Date: December 18, 2019
Last Reviewed on: December 18, 2019
Hello there! We are Bandwidth, a cloud-based communications provider for enterprises. Our solutions include a broad range of software APIs for voice and text functionality, as well as our own IP voice network. A reference to "Bandwidth," "we," "us," or "our" is a reference to Bandwidth and the relevant affiliate involved in the processing activity.
Please read this Privacy Notice carefully to understand how we collect and process personal information.
This Privacy Notice applies to information we collect on this website, in email, chat, text, or other electronic messages, through Bandwidth portals, through customer support, through other Bandwidth websites, when you use Bandwidth products and services, and offline activities and communications. We may collect data, including personal information, about you as you use our websites, products, services, and interact with us.
This Privacy Notice does not cover handling of your personal information as an employee, intern or applicant of Bandwidth and does not cover any information collected by third-party sites or content or applications that may link to or be accessible from or on Bandwidth websites. If you do not agree with our policies and practices, your choice is not to use the Bandwidth websites, products, and services. By accessing or using the Bandwidth websites and/or using Bandwidth products and services, you agree to this Privacy Notice.
This Privacy Notice is provided in a layered format so you can click through to the specific areas set out below. Alternatively, you can download a pdf version of the policy here: https://www.bandwidth.com/wp-content/uploads/privacy-notice.pdf
"Bandwidth" and "Bandwidth group" includes Bandwidth Inc. and all its subsidiaries including: Bandwidth.com CLEC, LLC; UK Bandwidth Limited; NL Bandwidth B.V; Bandwidth Iberia SL; DE Bandwidth GmbH.
"Bandwidth portals" include: https://dashboard.bandwidth.com; http://app.bandwidth.com; https://dashboard.dashcs.com; https://support.bandwidth.com; https://my.bandwidth.com; https://cdrs.evs.bandwidth.com/; https://finance.bandwidth.com; https://dev.bandwidth.com/; https://status.bandwidth.com/; https://investors.bandwidth.com; https://new.dev.bandwidth.com; https://old.dev.bandwidth.com; https://simulator.bandwidth.com
"Personal information" is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular end user or device. This does not include anonymous or de-identified data, which cannot be linked to an individual.
"Personal data" is any information that can be used to identify an individual, directly or indirectly, and may include name, address, email address, phone number, an identification number, location data, online identifier, login information (account and password), marketing preferences, social media account information, or payment card information. For the purposes of this Notice, Personal data is included within the definition of personal information.
Bandwidth processes personal information of its customers (or potential customers) in the context of creating or maintaining a business relationship. We call this information "Customer Information." Sometimes you provide Customer Information to us directly, such as when you fill out a form on our website or request products or services information. Sometimes we collect it from you automatically, such as when you visit a Bandwidth website or click on a Bandwidth online advertisement.
Identifiers. Full name, postal address, registered address, email address, company name, company website, telephone number, unique personal identifier, online identifier, Internet Protocol ("IP") address.
Account Payment Information. Credit card number, debit card number, signature, telephone number, employer name, bank wire transfer information.
Commercial Information. Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or Similar Network Activity. Browsing history, search history, information on your interaction with our websites and advertisements.
Geolocation Data. Source and destination information about the communications delivered via the Bandwidth products or services.
Sensory Data. Your audio phone call to Bandwidth may be recorded for quality assurance and training purposes (e.g. customer support call).
We also process personal information of end users in the course of providing voice and messaging communications services. We call this information "Communications Information." This includes both the content of calls and messages sent or received via out platform ("Communications Content") and information about the communications delivered via our platform such as source and destination information, IP address, completion status, time and duration of use, registered address and/or real-time location information for emergency services, and caller ID information (known as "Metadata").
Identifiers. Full name, postal address, registered address and/or real-time location information for emergency service, unique personal identifier, caller ID information, telephone number, account name, company name.
Internet or Similar Network Activity. Media contained in voice calls and text messages sent or received via our platform, information about the communications delivered via our platform (e.g. completion status, time and duration of use, source and destination identifiers).
Sensory Data. Media contained in your voice calls and text messages, text-to-speech transcriptions, and DTMF tones.
We use different methods to collect personal information from and about you including through:
We may use the personal information we collect for one or more of the following purposes:
Bandwidth will not use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice. We may use non-personal information for any business purpose. To improve our products and services, we commonly will de-identify or aggregate your personal information (so that it can no longer be associated with you), in which case we may use this information indefinitely without further notice to you.
We may disclose your personal information to a third party for a business purpose. Bandwidth may share your personal information in the following ways:
Bandwidth group is made up of different legal entities, details of which can be found in the Definitions section of this Notice. This Privacy Notice is issued on behalf of the Bandwidth group, so when we mention Bandwidth, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in the Bandwidth group responsible for processing your personal data.
Your personal data may be collected, transferred to, and stored by us in the United States and by our subsidiaries that are based in other countries. Therefore, your personal data may be processed outside your jurisdiction and in countries that may not provide for the same level of data protection as your jurisdiction, such as the European Economic Area ("EEA"). Where applicable law requires us to utilize a data transfer mechanism, we use one or more of the following: EU Standard Contractual Clauses, verification that the recipient has implemented Binding Corporate Rules, or verification that the recipient adheres to the EU-US Privacy Shield Framework. You may obtain a redacted copy (from which commercial information and information that is not relevant has been removed) of such EU Standard Contractual Clauses by sending a request to email@example.com.
Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the specific context in which we collect it. We will collect personal data from you when the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms; to perform a contract with you; where we have your consent to do so. In some cases, we may also have a legal obligation to protect your vital interests or those of another person or to comply with a legal requirement.
EEA data protection laws require that businesses processing personal data provide the lawful basis for which they collect and process that personal information. Bandwidth processes personal information for the following purposes:
There may be more than one ground that form the basis of our use of your personal information. We will only use your personal data for the purposes outlined in this Privacy Notice or such purposes as may be reasonably compatible with the original purpose for which it was collected or there is an alternative legal basis for the further processing.
In the EEA, data privacy laws require us to enter into agreements with third parties who are acting as “sub-processors” of certain data. For a list of third parties who Bandwidth has engaged as sub-processors, please use the DATA SUBJECT RIGHT REQUEST FORM to request.
Under certain circumstances, you have the below rights under data protection laws in relation to your personal data.
Data controller of the Bandwidth websites: Bandwidth Inc., 900 Main Campus Drive, Suite #100, Raleigh, North Carolina, 27606, USA. Data controller for Bandwidth products and services is the entity that you contracted with.
To exercise any of the above rights or if you have any questions about this Privacy Notice, please enter them in the DATA SUBJECT RIGHT REQUEST FORM. You may also make a complaint to a relevant data protection supervisory authority in the EU and UK. We would, however, appreciate the opportunity to address your concerns before you do so.
Fees. You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Information we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to assist with our response.
Timing. We try to respond to all legitimate requests within one month of receipt of the request. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Bandwidth may transfer your personal data to Bandwidth in the United States, to other Bandwidth entities worldwide, or to third parties and service providers as described above that are located in various countries around the world who perform services on our behalf. The United States and other countries may not have the same data protection laws as the country from which you initially provided the information. By using our website and/or our products and services, you consent to any such transfer of information outside of your country of residence or the country where the data was collected.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Bandwidth is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. Bandwidth may use third-party service providers to assist us in providing services to our customers. We are liable for ensuring that the third-parties we engage support our Privacy Shield commitments. In certain situations, Bandwidth may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, we commit to resolving complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at firstname.lastname@example.org. If we are unable to resolve any complaint related to the Privacy Shield or if we fail to acknowledge your complaint in a timely manner, you may refer a complaint to your local data authority. Bandwidth has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.
Under certain conditions, described more fully on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may invoke binding arbitration when other dispute resolution procedures have been exhausted. Some international users, including those whose information we collect under the Privacy Shield, have rights to access certain information we hold about them and to obtain its deletion. To exercise those rights, please contact us at email@example.com.
We also use web beacons on the Bandwidth websites and in email communications. For example, we may place web beacons in marketing emails that notify us when you click on a link in the email that directs you to one of the Bandwidth websites. To unsubscribe from our marketing emails, click the link at the bottom of the email marked “Unsubscribe” or manage your email subscriptions at https://go.bandwidth.com/UnsubscribePage.html. Please note that you cannot opt out of receiving transactional emails related to our products and services.
The following describes how we use different categories of cookies and your options:
Strictly Necessary Cookies. Strictly necessary cookies are necessary for the Bandwidth websites to function and cannot be switched off in our systems. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies. If you have chosen to identify yourself to us, we may place a cookie on your device that allows us to uniquely identify you when you are logged into the Bandwidth websites and to process your online transactions and requests. If you are in the EEA (based on IP address), the Bandwidth websites will only serve you strictly necessary cookies.
Functional Cookies. Functional cookies enhance function, performance, and services on the Bandwidth websites. If you do not allow these cookies then some or all services may not function properly.
Targeting Cookies. Targeting cookies may be set through the Bandwidth websites by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. Some examples include: cookies used for remarketing or interest-based marketing. Our website uses Google Analytics, a web analysis service provided by Google Inc., which utilizes cookies to find out how visitors use our website. You can opt out of Google Analytics by downloading, installing, and enabling the Google Analytics’ Opt-out Browser Add-on, which can be found at https://tools.google.com/dlpage/gaoptout/.
Performance Cookies. These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Bandwidth websites. They help us to know which pages are the most and least popular.
This section is effective as of January 1, 2020. The California Consumer Privacy Act (“CCPA”) provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
To exercise the rights described above, please submit a verifiable consumer request to us by either:
Only you, or someone legally authorized to act on your behalf (this includes an authorized agent), may make a verifiable consumer request ("request") related to your personal information. You may only make a request for access or data portability twice within a 12-month period. An authorized agent making a request on your behalf must provide us with written authorization providing the agent with the ability to make a CCPA request signed by you. Additionally, you will need to verify your identity directly with us. Please note that this authorized agent requirement is not applicable when the authorized agent has a power of attorney. The request must: (1) provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and (2) describes your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Any disclosures we provide will cover the 12-month period preceding receipt of the request. We will provide a response to a request within forty-five (45) days of its receipt. If we reasonably require an extension of time, we will notify you within the first forty-five (45) day period and such extension will not exceed an additional forty-five (45) days. We will not discriminate against you for exercising any of your CCPA rights. Any personal information provided to us for verification and fraud-prevention purposes will only be used for that purpose and such information will be deleted as soon as practical after processing of your request. In the preceding 12-months to the effective date of this section, we disclosed the following categories of personal information for a business purpose: Cookie Information, which included Identifiers and Internet or Similar Network Activity. This information was provided to advertising companies and networks to select and serve relevant advertisements and content to you and to data analytic providers. We will not sell (as defined under the CCPA) California resident personal information we collect.
Do not track is a privacy preference that you can set in your web browser. When you turn on the do not track signal, the browser sends a message to websites requesting them not to track you. For information about do not track, visit http://www.allaboutdnt.org. At this time, we do not respond to do not track browser settings or signals.
We will only retain your personal information for as long as reasonably necessary to fulfill the purposes we collected it for, including the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements. After expiration of the applicable retention periods, your personal information will be deleted. If there is any personal information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such personal information. To improve our products and services, we commonly will de-identify or aggregate your personal information (so that it can no longer be associated with you), in which case we may use this information indefinitely without further notice to you.
Bandwidth takes precautions including administrative, technical, and physical measures to help safeguard against the accidental or unlawful destruction, loss, alteration and unauthorized disclosure of, or access to, the personal information we process or use. Bandwidth is ISO 27001:20013 certified and SOC II compliant. Bandwidth is a PCI Level 3 Merchant and has met Payment Card Industry Data Security Standard’s SAQ-A. To learn more about our security controls, please see https://www.bandwidth.com/wp-content/uploads/security-controls-overview.pdf.
Please note, though, that no provider can guarantee security, especially when providing services that rely on the public internet or during transmission through the interconnected landscape of telecommunications. You are solely responsible for protecting your account password(s), limiting access to your devices, and signing out of websites after your sessions. You are responsible for any activity conducted using your credentials or passwords. We ask you not to share your password with anyone and to take care when using public Wi-Fi. If you believe your password to any Bandwidth portal or system has been compromised, please notify us immediately at firstname.lastname@example.org.
For your convenience, hyperlinks may be posted on our Bandwidth websites that links to other websites ("third-party sites"). We are not responsible for the privacy practices of any third-party sites or of any companies that we do not own or control. This Privacy Notice does not apply to third-party sites. Third-party sites may collect information in addition to that which we collect on the Bandwidth websites. We do not endorse any of these third-party sites, the services or products described or offered on such third-party sites, or any of the content contained on the third-party sites. We encourage you to read the privacy notice of each third-party site that you visit to understand how the information that is collected about you is used and protected.
The Bandwidth websites, products, and services are not directed to children (under the age of 13 in the United States or under the age of 16 in the EEA) and Bandwidth does not knowingly collect online personal information directly from children. If you are a parent or guardian of a minor child and believe that the child has disclosed online personal information to us, please contact us at email@example.com.
This Privacy Notice does not form part of any contract and we may update it at our discretion from time to time. When we do so, we will post the updated Privacy Notice on our website and update the Privacy Notice’s Effective Date at the beginning of the notice. We will notify our customers of material changes to this Privacy Notice, either by sending a notice to the customer email address you have provided us, or by placing a prominent notice on the Bandwidth website. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws. We encourage you to periodically review this Privacy Notice. Historic versions are archived here: http://www.phonebooth.com/privacy/archive.
If you have questions about this Privacy Notice, concerns, or questions, please contact firstname.lastname@example.org.
If you have questions that specifically relate to Bandwidth's compliance with the GDPR, please email email@example.com. You may also make a complaint to a relevant data protection supervisory authority in the EU and UK. We would, however, appreciate the opportunity to address your concerns before you do so.
If you no longer wish to receive marketing or informational materials from us, you can opt-out at any time by using the link to unsubscribe contained in each communication. You can also manage your email subscriptions at https://go.bandwidth.com/UnsubscribePage.html.
To contact us in writing, please use:
Attn: Legal - Privacy
900 Main Campus Drive, Suite 100
Raleigh, North Carolina 27606