1. Who we are
VOIP2 Ltd ("VOIP2", "we", "us") is the data controller responsible for the personal data described in this policy. We are registered in England and Wales and our registered address is 60 Copthorne Avenue, Ilford, Greater London, IG6 2SQ, United Kingdom.
Where we process personal data on behalf of a Customer (for example, the personal data of a Customer's end-users transmitted through our platform), we act as a data processor. Our Data Processing Agreement ("DPA") is available on request and forms part of the customer relationship.
2. Information we collect
2.1 Information you provide
- Account data — name, business name, email, phone number, billing address, role.
- KYC data — identity documents, address proofs, company registration numbers, where required to allocate phone numbers.
- Payment data — cardholder name, last 4 digits, billing address. Full card details are processed by our PCI-DSS compliant payment provider.
- Communications — messages you send to support, sales or via web forms.
2.2 Information generated through your use of the Services
- Call detail records (CDRs) — caller and called numbers, timestamps, duration, route, codecs.
- SMS metadata — sender, recipient, timestamps, delivery status.
- API and portal logs — IP address, user-agent, request URL, response status.
- Voice recordings — only when explicitly enabled by the Customer for their own service.
2.3 Information from third parties
- Identity-verification providers (for KYC compliance).
- Anti-fraud and credit-reference agencies.
- Underlying carriers (for porting confirmations, regulator audits).
3. How we use information
| Purpose | Categories of data |
|---|
| Provide and operate the Services | Account, CDRs, SMS metadata, API logs |
| Bill and collect payment | Account, payment, CDRs |
| Comply with telecoms regulations & KYC | KYC, account, identity documents |
| Detect and prevent fraud / abuse | API logs, CDRs, IP address, device data |
| Provide customer support | Account, communications, support tickets |
| Improve products and analytics (aggregated) | Usage statistics, anonymised CDRs |
| Marketing (opt-in) | Email, name, company |
4. Lawful bases (UK GDPR)
We rely on the following lawful bases for processing personal data:
- Contract — to provide the Services you have purchased.
- Legal obligation — to comply with telecommunications regulations, tax law and law-enforcement requests.
- Legitimate interests — fraud prevention, network security, business administration, direct marketing to existing customers (you can opt out at any time).
- Consent — for non-essential cookies and certain marketing communications. You may withdraw consent at any time.
5. Sharing & disclosure
We share personal data only where necessary and only with parties bound by appropriate confidentiality and data-protection obligations. Categories of recipients include:
- Underlying carriers and PSTN operators required to deliver calls and SMS.
- Regulators and competent authorities (e.g., Ofcom, ICO, equivalents abroad), where required by law.
- Cloud-infrastructure and hosting providers under data-processing terms.
- Payment processors and credit-reference agencies.
- Professional advisers (lawyers, accountants, auditors).
- Successors in interest in the event of a corporate restructuring, merger or acquisition.
We do not sell personal data.
6. International transfers
VOIP2 operates globally. Where personal data is transferred outside the United Kingdom or European Economic Area, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or recognised adequacy decisions.
7. Data retention
Personal data is retained only as long as necessary for the purposes for which it was collected:
- Account data: for the duration of the contract plus 7 years (statutory accounting and tax retention).
- CDRs & SMS metadata: typically 12 months for billing and dispute purposes; longer where required by local regulation.
- KYC documents: 5 years after the end of the customer relationship (anti-money-laundering rules).
- Marketing data: until you opt out or after 24 months of inactivity.
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase data ("right to be forgotten") where lawful grounds for processing no longer apply;
- Restrict or object to certain types of processing;
- Port your data to another provider in a structured, machine-readable format;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with your supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk).
To exercise these rights, email [email protected]. We will respond within 30 days.
9. Cookies
Our website uses cookies and similar technologies. See our Cookie Policy for full details and to manage your preferences.
10. Security
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Strict role-based access control with multi-factor authentication;
- Regular vulnerability scanning and penetration testing;
- Background checks for personnel with access to production data;
- Documented incident-response and breach-notification procedures.
11. Children's privacy
The Services are intended for businesses and adult users. We do not knowingly collect personal data from individuals under 18. If you believe we have done so, please contact us so we can delete the data.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email or via a notice in the customer portal.
13. Complaints & contact
For any privacy-related question or to exercise your rights, please contact our Data Protection Officer:
You may also lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.