Privacy & Cookie Notice

23 Telecom LTD

Last updated: 3 July 2026 — Version 2.0

1. Introduction

This Privacy & Cookie Notice (the “Notice”) explains how 23 Telecom LTD (“23 Telecom”, “we”, “us” or “our”) collects, uses, shares and protects personal data when you visit our website at 23telecom.co.uk (the “Site”), register for or use our products and services, including our A2P SMS, email and mobile app messaging services (the “Services”), access any 23 Telecom client or support portal (the “Client Portal”), or otherwise interact with us.

We provide this Notice to comply with our transparency obligations under the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (as amended, including by the Data (Use and Access) Act 2025), the Privacy and Electronic Communications Regulations 2003 (as amended) (“PECR”) and, where applicable, the EU General Data Protection Regulation (“EU GDPR”). This Notice is an information notice, not a contract.

2. Who we are and how to contact us

23 Telecom LTD is a company registered in England and Wales (company number 12627541) with its registered office at 55 Riding House Street, London, England, W1W 7EE. We are registered with the Information Commissioner’s Office (“ICO”) under registration number [●].

For the purposes of the UK GDPR, 23 Telecom is the controller of the personal data described in this Notice, except where we act as a processor on behalf of our customers (see Section 3).

You can contact us about anything in this Notice, including to exercise your rights or make a complaint, at GDPR@23telecom.co.uk or by post to the registered office address above.

3. Our roles: controller and processor

Where we act as a controller. We are the controller of personal data relating to our business contacts, prospective and existing customers and their personnel, users of the Site and the Client Portal, job applicants, and individuals who correspond with us. We are also an independent controller of traffic, billing and security data that we must process to convey communications over electronic communications networks, to bill for our Services and to protect our network and platform.

Where we act as a processor. When customers use our platform and APIs to send messages, the message content and recipient data they submit is processed by us as a processor, only on the documented instructions of the relevant customer and under a data processing agreement. If you are a message recipient and wish to exercise your data protection rights in respect of such data, please contact the organisation that sent you the message; we will refer any request we receive to the relevant customer and provide reasonable assistance.

4. Personal data we collect

4.1. Data you provide to us

  • Identity and contact data — such as your name, job title, employer or company, postal address, email address and telephone number, provided when you contact us, register on the Site or the Client Portal, or enter into a contract with us;
  • Account and registration data — such as usernames, hashed credentials, account settings, preferences and communications history;
  • Support data — information you provide when you contact customer support through the Client Portal or otherwise, such as your name, contact details and the content of your enquiry;
  • Billing and payment data — such as billing contacts, VAT and company details, bank account details and transaction records (payment card data is handled by our payment service providers);
  • Correspondence — emails, letters and other communications you send us, which we may keep on file;
  • Marketing preferences — such as newsletter subscriptions and opt-in / opt-out records;
  • Recruitment data — information you submit with a job application, such as your CV, work history and survey responses.

4.2. Data we collect automatically (Site and Client Portal)

When you visit the Site or access the Client Portal, we and our service providers automatically collect certain technical and usage information from your device, including:

  • Network data — your IP address, and the approximate location (such as country or city) derived from it;
  • Device and browser data — browser type and version, operating system, device type and model, screen resolution, language and time-zone settings, and other hardware and software configuration attributes which, in combination, may form a unique or probabilistically unique “device fingerprint”;
  • Log and usage data — login and logout timestamps, session identifiers, successful and failed authentication attempts, pages viewed, features and API endpoints used, referring URLs and clickstream data;
  • Cookie data — data collected through cookies and similar technologies, as described in Section 6.

Client Portal users. When you log in to or use the Client Portal, we automatically record your IP address, your authentication and session events, and the device and browser characteristics described above, and we may derive and store a device fingerprint for your device. We use this information to secure your account, verify that access to it is legitimate, detect and prevent fraud, account takeover and other misuse of the Services, maintain audit logs, and comply with our legal and regulatory obligations. This processing is necessary for our legitimate interests in protecting our platform, our customers and message recipients, and for compliance with security obligations that apply to us as a communications provider. Where such technologies store or access information on your device solely for security or fraud-prevention purposes, or because it is strictly necessary to provide the Client Portal at your request, PECR does not require your prior consent.

4.3. Data we receive from third parties

  • Mobile network operators and carriers — such as mobile numbers (MSISDN), number-portability and routing data and delivery receipts, received in order to provision and deliver the messaging services requested through our platform;
  • Screening and fraud-prevention providers — such as identity-verification, credit-reference, sanctions and anti-fraud screening results obtained before or during our business relationship;
  • Publicly available and business sources — such as Companies House, business directories, professional networking sites and our partners and resellers.

4.4. Traffic and message data

As a provider of messaging services, we process traffic data and message metadata, such as originating and destination numbers or addresses, timestamps, message status and delivery information, routing data and encoding details, together with the message content submitted by our customers for transmission. We process message content as a processor on behalf of the relevant customer (see Section 3); we process traffic, routing and billing metadata as a controller to the extent necessary to convey communications, bill for them, comply with telecoms regulation and protect our network against fraud, spam and misuse.

4.5. Special category data

We do not intentionally collect special category data (such as data revealing health, religion or political opinions) or criminal offence data about our business contacts or users. Customers must not submit such data through the Services unless they have a lawful basis and an applicable condition for doing so.

5. How we use personal data and our lawful bases

We use personal data for the purposes, and on the lawful bases, set out below. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms; you can request information about this balancing at any time. In limited cases provided for by the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), such as disclosures necessary for the detection, investigation or prevention of crime or for safeguarding, we may rely on “recognised legitimate interests”.

Purpose Personal data used Lawful basis (UK GDPR Art. 6)
Providing, operating and supporting the Services, the Site and the Client Portal; managing your account Identity and contact data; account data; Portal usage data; support enquiries; traffic data Performance of a contract; legitimate interests (running our business)
Securing our network, platform and the Client Portal; authenticating users; preventing and detecting fraud, spam, smishing, artificially inflated traffic and other misuse; maintaining audit logs IP addresses; device and browser data (including device fingerprints); authentication and security logs; traffic data Legitimate interests (protecting our services, customers and message recipients); legal obligation (telecoms security and fraud-prevention duties)
Billing, invoicing, payment collection, credit checks and debt recovery Identity and contact data; billing and payment data; traffic data Performance of a contract; legitimate interests; legal obligation
Verifying customers and counterparties (know-your-customer, sanctions and anti-fraud screening) before and during the provision of Services Identity and contact data; company data; data from third-party screening providers Legal obligation; legitimate interests
Sending service-related announcements (e.g. maintenance, security or billing notices) Identity and contact data; account data Performance of a contract; legitimate interests
Marketing our services to business contacts, including newsletters, with the option to opt out at any time Identity and contact data; marketing preferences Legitimate interests (B2B marketing); consent where required
Improving and developing the Site and the Services, including aggregate statistical analysis Usage data; cookie data; anonymised or aggregated data Legitimate interests (improving our services)
Responding to enquiries, complaints and data subject rights requests Identity and contact data; correspondence; records of requests Legal obligation; legitimate interests
Processing job applications Recruitment data (CVs, application details) Steps prior to entering a contract; legitimate interests
Establishing, exercising or defending legal claims; complying with law, regulation and lawful requests from authorities Any of the categories described in this Notice, as relevant Legal obligation; legitimate interests

Automated decision-making. We do not make decisions based solely on automated processing which produce legal effects concerning you or similarly significantly affect you. Our platform uses automated filters to detect and block fraudulent, abusive or non-compliant traffic in real time; if such a filter affects you or your account, you may contact us to request human review.

Aggregated and anonymised data. We may aggregate or anonymise data so that it no longer identifies any individual, and use or disclose such data (for example, for statistics, benchmarking and service improvement) without restriction, as it is no longer personal data.

6. Cookies and similar technologies

Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies — including tracking pixels, scripts, local storage and device fingerprinting techniques — on the Site and in the Client Portal (together, “cookies”). PECR, as amended with effect from 5 February 2026 by the Data (Use and Access) Act 2025, governs our use of these technologies. We use the following categories:

  • Strictly necessary cookies. Required to provide the Site or the Client Portal at your request — for example session cookies that keep you logged in, load balancing and consent-management cookies. These do not require consent.
  • Security and fraud-prevention cookies. Used solely to protect your account and our Services — for example to recognise trusted devices, detect suspicious log-ins and prevent fraud. Under PECR as amended, these do not require consent.
  • Functionality cookies. Used to remember your choices and enhance the appearance or functionality of the Site in line with your preferences. Where permitted by PECR, these may be set without consent; otherwise we ask for your consent.
  • Analytics cookies. Used solely to collect statistical information about how visitors use the Site so that we can improve it. Under PECR as amended, we may use such cookies without prior consent, provided we give you clear information and a simple, free means to opt out — which we provide through our cookie preferences tool. Where this exemption does not apply, we ask for your consent.
  • Advertising and marketing cookies. Third-party cookies used for advertising, retargeting or cross-site tracking are set only with your prior consent.

You can review and change your choices at any time through the Cookie Preferences tool on the Site, and you can withdraw consent, or object to analytics cookies, as easily as you gave consent. You can also control cookies through your browser settings, although blocking strictly necessary cookies may prevent parts of the Site or the Client Portal from working.

7. How we share personal data

We do not sell personal data. We share personal data only as described below:

  • Service providers (processors) — hosting, cloud infrastructure, communications, payment, analytics, CRM, security and other providers who process personal data on our documented instructions under contracts containing appropriate data protection obligations;
  • Mobile network operators, carriers and interconnect partners — to the extent necessary to route and deliver messages; these parties act as independent controllers of the data they process on their own networks;
  • Our affiliates and group companies — for the purposes described in this Notice, with access limited to personnel who need it to perform their duties;
  • Professional advisers — lawyers, auditors, accountants, insurers and bankers, where reasonably necessary;
  • Fraud-prevention, screening and credit-reference agencies — to verify counterparties and protect our business and the wider messaging ecosystem;
  • Regulators, law enforcement and other authorities — including Ofcom, the ICO, HMRC and courts, where disclosure is required by law or regulation, or where we reasonably believe disclosure is necessary to comply with a legal process, protect our rights or property, or protect the safety of any person;
  • Corporate transactions — if 23 Telecom or its assets are acquired, merged or reorganised, personal data may be transferred to the acquirer or successor, which will assume the rights and obligations described in this Notice;
  • At your direction — where you ask us to share data or otherwise consent to sharing.

8. International transfers

We may transfer personal data to countries outside the United Kingdom, including to our affiliates, carriers and service providers. Where we do so, we ensure an adequate level of protection through one or more of the following safeguards:

  • transfers to countries covered by UK adequacy regulations;
  • the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses, together with any measures identified in a transfer risk assessment;
  • for personal data subject to the EU GDPR, the European Commission’s Standard Contractual Clauses (2021) or an applicable EU adequacy decision. Transfers between the EEA and the UK are covered by the European Commission’s adequacy decisions for the United Kingdom, renewed on 19 December 2025 and valid until 27 December 2031.

You may request a copy of the relevant safeguards by contacting GDPR@23telecom.co.uk.

9. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described in this Notice, and then delete or anonymise it. In determining retention periods, we apply the following criteria: the duration of our relationship with you or your organisation; statutory retention obligations (for example under tax, accounting and telecoms legislation); limitation periods for legal claims (generally up to six years in England and Wales); regulatory expectations for security and audit logs; and whether you have objected to or opted out of a given use. Typically, account and contractual data is retained for the duration of the business relationship plus applicable limitation periods; traffic and billing data is retained for the periods required or permitted by telecoms and tax law; security and access logs are retained for a limited period appropriate to threat detection and audit; and marketing data is retained until you opt out or become inactive.

10. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, including encryption of data in transit, firewalls, access controls based on the need-to-know principle, logging and monitoring, and staff confidentiality obligations. No system can be guaranteed to be completely secure; where we are required to do so by law, we will notify you and/or the ICO of a personal data breach.

11. Your rights

Subject to the conditions and exemptions in data protection law, you have the following rights in relation to personal data we hold about you as a controller:

  • Access — to obtain confirmation of whether we process your personal data, and a copy of it together with prescribed information;
  • Rectification — to have inaccurate personal data corrected and incomplete data completed;
  • Erasure — to have your personal data deleted in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected;
  • Restriction — to restrict processing in certain circumstances, for example while a dispute about accuracy is resolved;
  • Objection — to object to processing based on legitimate interests, on grounds relating to your particular situation, and to object at any time to processing for direct marketing purposes, which we will always honour;
  • Portability — to receive personal data you provided to us, processed by automated means on the basis of consent or contract, in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible;
  • Withdrawal of consent — where processing is based on consent, to withdraw it at any time, without affecting the lawfulness of processing before withdrawal;
  • Automated decision-making — rights and safeguards in respect of decisions based solely on automated processing, as described in Section 5.

To exercise any of these rights, contact GDPR@23telecom.co.uk. We may need to verify your identity before acting on a request. We will respond without undue delay and in any event within one month, which may be extended by up to two further months for complex or numerous requests. We will not charge a fee unless a request is manifestly unfounded or excessive. If we act as a processor for the data concerned, we will refer your request to the relevant customer (see Section 3).

12. Complaints

If you have a concern about how we handle personal data, please contact us first at GDPR@23telecom.co.uk or through the contact form on the Site. In accordance with the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), we will acknowledge your data protection complaint within 30 days and respond to it without undue delay.

You also have the right to lodge a complaint at any time with the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113, ico.org.uk/make-a-complaint, or with the supervisory authority of the EEA country where you live or work, if the EU GDPR applies to you.

13. Children

The Site, the Client Portal and the Services are intended for businesses and their personnel and are not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

14. Third-party websites and services

The Site may contain links to third-party websites and services that we do not own or control, and messages delivered over our network may originate from organisations with their own privacy practices. This Notice does not apply to those third parties, and we encourage you to read their privacy notices.

15. Customers in regulated sectors

Where we provide messaging services to healthcare providers subject to the US Health Insurance Portability and Accountability Act (HIPAA) and act as a “Business Associate”, we handle protected health information in accordance with the applicable Business Associate Agreement.

16. Changes to this Notice

We may update this Notice from time to time. We will post the updated version on the Site with a revised “Last updated” date, and where a change materially affects you, we will take reasonable steps to bring it to your attention, for example by notice on the Site, in the Client Portal or by email. Please review this Notice regularly.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Learn more