Effective Date: 27 April 2026
Document Reference: CCS Privacy Policy (Global)
Introduction
This Privacy Policy explains how Call Center Studio, Inc. and its affiliated entities (“CCS”, “we”, “our”, “us”) process personal data in connection with:
- the use of our website (www.callcenterstudio.com);
- the provision of our cloud-based communication and contact center platform;
- our business operations, commercial relationships, and corporate activities.
Scope of Application
This Privacy policy applies to personal data processed in relation to:
- website visitors;
- business customers;
- business contacts and partners;
- individuals interacting with CCS services through our customers;
- other individuals whose personal data is processed in the course of CCS operations.
Important Role Clarification
CCS operates through multiple legal entities and provides services within a business-to-business (B2B) model. As a result:
- CCS may act as a data controller for certain processing activities (such as its own business operations, website, and corporate functions);
- CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers) in relation to personal data processed through its platform.
Where CCS acts as a data processor:
- the relevant customer acts as the data controller;
- this Privacy policy does not replace or override the privacy obligations of such customers.
1. Introduction & Transparency Commitment
This Privacy policy is designed to provide a clear and transparent explanation of how personal data is processed within the Call Center Studio group of companies. Call Center Studio operates a cloud-based communication and contact center platform that is used by business customers across multiple jurisdictions. Due to the nature of this service model, personal data may be processed in different contexts, involving multiple entities, systems, and roles. In particular:
- Call Center Studio provides its platform to business customers on a Software-as-a-Service (SaaS) basis;
- personal data processed through the platform typically relates to the end users of those customers;
- in most cases, Call Center Studio processes such data strictly on behalf of its customers and under their instructions;
- in certain limited scenarios, Call Center Studio may process personal data for its own purposes, such as for business operations, contractual relationships, or employment-related activities.
As a result, the role of Call Center Studio in relation to personal data processing may vary depending on the specific context. In particular:
- Call Center Studio acts primarily as a service provider processing personal data on behalf of its customers;
- Call Center Studio acts as an independent data controller only in relation to its own internal business activities.
This Privacy policy reflects this dual role structure and explains how personal data is handled in each context. We are committed to ensuring that personal data is processed in a lawful, fair, and transparent manner, and that individuals are provided with clear information regarding:
- how and why their personal data is processed;
- the roles and responsibilities involved in such processing;
- their rights in relation to their personal data.
This Privacy policy is intended to provide an accurate representation of how personal data is processed in practice, based on our operational model, system architecture, and contractual relationships with our customers.
2. Who We Are
2.1 Group Identity
This Privacy policy applies to Call Center Studio, Inc. and its affiliated entities (together referred to as “CCS”, “we”, “our”, “us”). CCS operates as a multi-entity group providing cloud-based communication and contact center services to business customers across multiple jurisdictions.
2.2 Relevant Legal Entities
Depending on the context of your interaction with our services, the relevant CCS entity acting as the data controller may be:
- Call Center Studio, Inc. (United States)
- Call Center Studio Ltd (United Kingdom)
- Call Center Studio S.R.L. (Romania)
The applicable entity is determined based on factors such as:
- the location of the customer relationship;
- the contractual entity providing services;
- the context in which personal data is processed.
2.3 Role Clarification
CCS processes personal data in different roles depending on the context:
- In most cases, CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its business customers);
- In certain cases, CCS acts as an independent data controller, for example in relation to:
- business contact data;
- customer relationship management;
- internal administrative and operational activities;
- employee-related processing.
Further details on these roles are provided in Section 4 of this Privacy policy.
2.4 EU Representative
Where required under applicable data protection laws, Call Center Studio S.R.L. (Romania) acts as the representative in the European Union for non-EU CCS entities in relation to personal data processing activities falling within the scope of EU data protection requirements.
2.5 UK Representative
Where required under applicable data protection laws, Call Center Studio Ltd (United Kingdom) acts as the representative in the United Kingdom for non-UK CCS entities in relation to personal data processing activities falling within the scope of UK data protection requirements.
3. Scope of This Policy
This Privacy policy applies to the processing of personal data in connection with the activities and services of CCS, as described in this document. This includes personal data processed in the following contexts:
- individuals visiting or interacting with our website;
- representatives of our business customers and partners;
- individuals whose personal data is processed by CCS in connection with its internal business operations, including administrative, contractual, and employment-related activities;
- individuals whose personal data is processed through the use of our platform by our business customers, where CCS acts as a data processor.
In relation to personal data processed through the CCS platform on behalf of our business customers:
- CCS processes such data strictly under the instructions of the relevant customer;
- the customer acts as the data controller and is responsible for determining the purposes and legal basis of processing;
- CCS does not independently determine how such personal data is used.
This Privacy policy is intended to provide general transparency regarding CCS’s processing activities. Where personal data is processed by CCS on behalf of a customer, individuals should refer to the privacy policy of the relevant customer for information on how and why their personal data is processed.
4. Roles & Data Protection Positioning
4.1 When CCS Acts as a Data Controller
CCS acts as an independent data controller where it determines the purposes and means of processing personal data for its own activities. This includes, in particular:
- management of business relationships with customers and partners;
- processing of business contact data;
- administration of contractual relationships;
- internal operational and administrative activities;
- processing of employee and recruitment-related data;
- compliance with legal and regulatory obligations.
In these cases, CCS is responsible for ensuring that personal data is processed in accordance with applicable data protection requirements.
4.2 When CCS Acts as a Data Processor
CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its business customers) in relation to personal data processed through its platform. In this context:
- personal data is processed on behalf of CCS’s business customers;
- the customer acts as the data controller and determines:
- the purposes of processing;
- the legal basis for processing;
- the categories of personal data processed;
- CCS processes personal data strictly in accordance with the documented instructions of the customer;
- CCS does not independently determine how such personal data is used.
This applies to personal data processed through communication and interaction channels supported by the CCS platform, including:
- voice communications and call recordings;
- chat and messaging interactions;
- communication metadata and system-generated data;
- customer-configured workflows and analytics.
4.3 What This Means in Practice
The distinction between controller and processor roles has important implications for individuals whose personal data is processed.
Where CCS acts as a data controller:
- CCS is responsible for determining how and why personal data is processed;
- CCS is responsible for responding to requests from individuals regarding their personal data;
- CCS is responsible for ensuring compliance with applicable data protection requirements.
Where CCS acts as a data processor:
- CCS processes personal data only on behalf of and under the instructions of its customers;
- CCS does not determine the purposes or legal basis of processing;
- responsibility for responding to data subject requests primarily lies with the relevant customer acting as controller;
- CCS supports its customers by providing the technical and operational means necessary to enable compliance with their obligations.
This role-based structure reflects the operational and contractual framework within which CCS provides its services and is fundamental to understanding how personal data is processed across the CCS platform environment.
5. Personal Data We Process
5.1 Overview
CCS processes different categories of personal data depending on the context in which processing takes place. In particular, the categories of personal data processed vary depending on whether CCS acts:
- as a data controller in relation to its own business operations; or
- as a data processor (i.e. a service provider processing personal data on behalf of its customers) in relation to the use of its platform.
The categories of personal data processed in each context are described below.
5.2 Personal Data Processed by CCS as Controller
Where CCS acts as a data controller, it processes personal data relating to:
- employees and job applicants;
- representatives of business customers and partners;
- representatives of third-party service providers and vendors.
In this context, CCS may process the following categories of personal data:
(a) Identity Data
- name and surname;
- date of birth (where applicable);
- identification-related information where required.
(b) Contact Data
- email address;
- telephone number;
- business address information.
(c) Professional and Business Data
- job title and role;
- company affiliation;
- business communication records.
(d) Financial and Contractual Data
- billing and payment-related information;
- contractual and transactional records.
(e) Employment and HR Data
- employment records;
- professional qualifications and background;
- performance-related information;
- internal administrative records.
This data is processed for CCS’s own business purposes, including relationship management, contractual administration, internal operations, and compliance with legal obligations.
5.3 Personal Data Processed by CCS as Processor
Where CCS acts as a data processor, it processes personal data on behalf of its business customers in connection with the use of its platform. In this context:
- CCS does not determine the categories of personal data processed;
- the scope of data processing is defined by the customer acting as data controller;
- personal data processed reflects the configuration and use of the platform by the customer.
Depending on the services used, this may include:
(a) Communication Data
- voice communications and call recordings;
- chat and messaging content;
- interaction content exchanged through communication channels.
(b) Communication Metadata
- timestamps and duration of interactions;
- routing and call-related data;
- session identifiers and interaction references.
(c) Technical and System Data
- IP addresses;
- device and system identifiers;
- log and access records related to platform usage.
Personal data processed in this context relates primarily to the end users of CCS’s business customers.
5.4 Processing Through Sub-Processors
In order to provide its services, CCS engages sub-processors that process personal data on its behalf and under its instructions. Such processing may include:
- processing of voice data for transcription and analysis;
- AI-supported processing of communication data, such as speech-to-text conversion and analytical outputs derived from customer interactions;
- temporary or structured processing of communication data within defined service scopes;
- infrastructure-level processing within cloud and hosting environments.
Sub-processors process personal data strictly within the scope of the services provided and:
- act only under the instructions of CCS;
- do not independently determine the purposes of processing;
- do not use personal data for their own purposes, including independent analytics or model training.
5.5 Data Variability and Customer Control
Due to the nature of the CCS platform:
- the categories and scope of personal data processed may vary depending on the customer’s use of the platform;
- customers determine what data is collected, processed, and stored within their configured environments;
- CCS processes such data only in accordance with customer instructions.
6. How We Collect Data
6.1 Overview
CCS collects and receives personal data through different mechanisms depending on the context in which processing takes place. In particular, personal data may be:
- collected directly by CCS in connection with its own business operations; or
- received and processed by CCS on behalf of its business customers through the use of its platform.
6.2 Data Collected Directly by CCS (Controller Context)
Where CCS acts as a data controller, personal data is collected directly from individuals or organizations, including:
- when individuals or business representatives contact CCS;
- during the establishment and management of business relationships;
- through contractual and commercial interactions;
- in connection with recruitment and employment processes;
- through the use of CCS websites and related communication channels.
This data is provided directly by the relevant individual or organization.
6.3 Data Collected Through Customers (Processor Context)
Where CCS acts as a data processor, personal data is not collected independently by CCS. Instead:
- personal data is collected by CCS’s business customers;
- such data is submitted to or made available through the CCS platform based on customer configuration;
- CCS processes this data strictly on behalf of and under the instructions of the customer.
This includes personal data relating to the end users of CCS’s customers.
6.4 Data Collected Through Communication Channels
Personal data may be generated and collected through the use of communication services supported by the CCS platform, including:
- voice communications facilitated through telecommunications service providers (telco layer);
- chat and messaging interactions;
- digital communication channels integrated into the platform.
In this context:
- communication data is received through the relevant communication channel and processed within the CCS platform environment;
- the specific communication channels and configurations are determined by the customer;
- CCS processes such data in accordance with customer-defined workflows and instructions.
6.5 Data Collected Through Third-Party Integrations
The CCS platform may be integrated with third-party services and communication platforms. In such cases:
- personal data may be received through integrations configured by the customer;
- data flows into the CCS platform from external systems and services;
- CCS processes such data in accordance with customer instructions and configured workflows.
6.6 System-Generated and Technical Data
In addition to data provided directly or through platform usage, certain data is generated automatically as part of system operation, including:
- technical and system identifiers;
- log and access data;
- communication metadata generated during platform usage.
This data is generated through the operation of the platform and supporting infrastructure.
6.7 Variability of Data Collection
Due to the configurable nature of the CCS platform:
- the methods and scope of data collection may vary depending on how customers use the platform;
- CCS does not standardize or control how customers collect personal data from their end users;
- data collection mechanisms are determined by the customer’s configuration and operational use of the platform.
7. How We Use Personal Data
7.1 Overview
CCS uses personal data differently depending on the context in which the data is processed. Where CCS acts as a data controller, CCS uses personal data for its own business, administrative, employment, contractual, commercial, security, and compliance purposes. Where CCS acts as a data processor, CCS processes personal data only on behalf of its business customers and in accordance with their instructions. In that context, the customer determines the purposes for which personal data is processed.
7.2 Use of Personal Data Where CCS Acts as Controller
Where CCS acts as a data controller, CCS may use personal data for the following purposes:
- managing business relationships with customers, partners, vendors, and service providers;
- communicating with customer representatives, partner contacts, and other business contacts;
- negotiating, entering into, and administering contracts;
- managing billing, invoicing, payment, and accounting-related activities;
- conducting internal administrative and operational activities;
- managing recruitment, employment, HR, personnel administration, and related internal processes;
- sending business communications and, where applicable, marketing communications;
- maintaining records required for legal, regulatory, tax, accounting, or compliance purposes;
- protecting CCS systems, business operations, and information security.
7.3 Use of Personal Data Where CCS Acts as Processor
Where CCS acts as a data processor, CCS uses personal data only to provide, operate, maintain, support, and secure the CCS platform on behalf of its business customers. This may include processing personal data for the following customer-directed purposes:
- enabling customers to manage voice, chat, messaging, video, and other communication interactions with their end users;
- routing and managing communication sessions;
- storing communication metadata and operational platform data;
- storing call, video, chat, or messaging content where enabled or configured by the customer;
- supporting contact centre operations;
- generating operational analytics, reporting, and service performance metrics;
- supporting AI-enabled or automated features where configured by the customer, such as transcription, interaction analysis, or customer interaction support;
- monitoring platform performance, reliability, and service availability;
- troubleshooting, maintenance, technical support, and incident response;
- maintaining system security and infrastructure integrity.
7.4 Customer Control Over Platform Use
In processor scenarios, CCS does not independently determine why personal data is processed through the platform. The relevant business customer determines:
- the purpose of using the platform;
- the categories of personal data processed;
- the data subjects involved;
- the communication channels used;
- whether recording, analytics, transcription, or AI-supported features are enabled;
- the retention period or configuration applied to customer-controlled data, where such configuration is available.
CCS processes such personal data only in accordance with the customer’s documented instructions and applicable contractual arrangements.
7.5 AI-Supported Processing
Certain CCS platform features may involve AI-supported processing, such as transcription, analytics, quality-related outputs, or interaction support. Where these features are used in connection with customer end-user data:
- CCS processes personal data as a data processor;
- the customer determines whether and how such features are used;
- CCS does not use customer data for its own independent purposes;
- CCS does not use customer data for independent model training unless expressly agreed and lawfully permitted;
- final decisions based on platform outputs remain with the customer.
7.6 No Independent Use of Customer End-User Data
CCS does not use personal data processed through the platform on behalf of customers for independent purposes. In particular, CCS does not use customer end-user data to:
- independently determine customer business purposes;
- independently decide the legal basis for processing;
- sell customer end-user data;
- use customer end-user data for unrelated marketing;
- independently make decisions about customer end users.
7.7 Security, Monitoring, and Operational Use
CCS may process technical, system, log, and metadata information for purposes necessary to:
- operate and maintain the platform;
- monitor service performance;
- detect and respond to security incidents;
- troubleshoot technical issues;
- protect the confidentiality, integrity, and availability of the platform;
- support compliance with contractual and legal obligations.
Such processing is limited to operational, technical, security, and support purposes.
8. Legal Basis
8.1 Overview
The legal basis for processing personal data depends on the context in which such data is processed. Where CCS acts as a data controller, CCS relies on specific legal grounds depending on the nature of the processing activity and the type of data involved. Where CCS acts as a data processor, the legal basis is determined by the relevant customer acting as data controller.
8.2 Legal Bases Where CCS Acts as Controller
(a) Contractual Necessity
CCS processes personal data where such processing is necessary for the performance of a contract or to take steps prior to entering into a contract. This typically applies to processing such as:
- use of identity and contact data of business representatives to establish and manage customer and partner relationships;
- processing of contact, contractual, and communication data for the negotiation, execution, and administration of agreements;
- use of financial and transactional data for billing, invoicing, and payment handling;
- maintenance of business communication records related to contractual interactions.
(b) Legitimate Interests
CCS processes personal data where it is necessary for its legitimate business interests, provided that such interests are not overridden by the rights and freedoms of individuals. This typically applies to processing such as:
- use of contact and professional data for ongoing business relationship management;
- processing of technical and system data (e.g. logs, access records) for security monitoring and system protection;
- use of communication and interaction data for service improvement and operational efficiency;
- internal administrative processing and organizational management activities.
Where required, CCS performs a balancing assessment to ensure that its interests do not override individual rights.
(c) Legal Obligations
CCS processes personal data where necessary to comply with legal and regulatory obligations. This typically applies to processing such as:
- retention of financial, contractual, and transaction-related data for accounting and tax purposes;
- maintenance of records required by law or regulatory authorities;
- disclosure of relevant data in response to lawful requests by authorities;
- compliance with regulatory, audit, and reporting requirements.
(d) Consent
CCS processes personal data based on consent where required by applicable law. This typically applies to processing such as:
- use of contact data for marketing communications where consent is required;
- use of certain optional technologies or features that require user consent;
- any processing activity where no other legal basis is applicable.
Where consent is relied upon:
- individuals may withdraw consent at any time;
- withdrawal does not affect prior lawful processing.
8.3 Processing Where CCS Acts as Data Processor
Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):
- CCS does not determine the legal basis for processing;
- the applicable legal basis is determined by the customer acting as data controller;
- CCS processes personal data strictly in accordance with customer instructions.
This includes processing of:
- communication data (voice, chat, messaging);
- communication metadata and interaction records;
- technical and system data generated through platform usage;
- analytics and AI-supported processing configured by the customer.
8.4 Customer Responsibility
In processor scenarios:
- the customer is responsible for selecting and applying the appropriate legal basis;
- the customer is responsible for providing required policies and obtaining any necessary consents;
- CCS supports customers by providing technical and operational capabilities to enable compliance.
9. Data Sharing & Disclosure
9.1 Overview
CCS may share personal data with third parties depending on the context in which processing takes place. The nature and purpose of such sharing differ depending on whether CCS acts as a data controller or as a data processor.
9.2 Sharing Within the CCS Group
Personal data may be shared between CCS group entities where necessary for:
- the provision of services;
- internal administrative and operational purposes;
- management of business relationships and contractual obligations;
- ensuring consistency of service delivery across jurisdictions.
Such sharing is carried out in accordance with applicable data protection requirements and internal governance structures.
9.3 Sharing in Processor Context (Customer-Controlled Disclosure)
Where CCS acts as a data processor:
- personal data may be shared or disclosed as part of the services provided to the customer;
- such sharing is determined and controlled by the customer;
- CCS does not independently decide to disclose personal data to third parties outside the scope of customer instructions.
This includes, for example:
- routing of communications through external networks;
- integrations configured by the customer;
- communication flows involving third-party platforms.
9.4 Sharing with Sub-Processors and Service Providers
In order to provide its services, CCS engages third parties that process personal data on its behalf. These may include:
- cloud infrastructure providers;
- telecommunications providers supporting communication services;
- service providers supporting platform functionality;
- specialized processing providers (e.g. transcription or analytics services).
Where such providers act as sub-processors:
- they process personal data solely on behalf of CCS and under its instructions;
- they are contractually bound to implement appropriate technical and organizational measures;
- they are not permitted to use personal data for their own independent purposes.
The use of sub-processors forms part of the structured processing chain: customer (controller) → CCS (processor) → sub-processor
9.5 Sharing for Legal and Regulatory Purposes
CCS may disclose personal data where required to do so by law or where necessary to:
- comply with legal obligations;
- respond to lawful requests from public authorities;
- enforce contractual rights;
- protect the rights, property, or safety of CCS, its customers, or others.
Such disclosures are carried out in accordance with applicable legal requirements.
9.6 No Independent Commercial Sharing
CCS does not sell personal data and does not disclose personal data to third parties for independent marketing or commercial purposes unrelated to the services provided.
9.7 Operational and Technical Sharing
Personal data may be shared within the CCS platform environment as part of:
- system operation and service delivery;
- infrastructure-level processing;
- communication routing and handling;
- platform analytics and reporting functions.
Such sharing is limited to what is necessary for the provision and maintenance of the services.
10. International Data Transfers
10.1 Overview
CCS operates a distributed platform architecture in which personal data is processed across multiple geographic regions as part of normal service delivery. This structure is defined within CCS’s internal governance framework and system architecture, including documented data flow models and infrastructure design. International data transfers arise from:
- platform system design;
- communication routing through telecommunications networks;
- distributed cloud infrastructure;
- integrations with third-party communication services.
The scope and nature of such transfers differ depending on whether data is processed in a controller or processor context.
10.2 Data Processed by CCS as Controller
Personal data processed by CCS as a data controller (including employee data and business contact data):
- is processed and stored within the jurisdiction in which it is collected;
- is not subject to the platform-based international transfer model described below.
10.3 Data Processed by CCS as Processor (Platform Data)
Where CCS acts as a data processor, personal data processed through the platform (relating to end users of CCS customers) follows a distributed processing model defined by system architecture. This model involves processing across multiple regions and is not limited to a single geographic location.
10.4 United States — Core Processing Layer
Certain categories of personal data are processed within systems hosted in the United States, including:
- primary platform databases;
- automatic call distribution (ACD) systems;
- interaction handling and routing logic.
This includes processing of:
- call detail records (CDR);
- caller and called numbers;
- session identifiers (e.g. SIP Call ID);
- tenant-related operational data;
- communication event data (such as call start and end events).
These systems support real-time platform functionality and communication handling.
10.5 European Union — Storage and Analytics Layer
Certain categories of personal data are processed and stored within the European Union, including:
- voice recordings of communications;
- video recordings;
- analytics data and derived datasets;
- reporting and performance-related outputs.
Such data may be stored across multiple EU regions and replicated for:
- resilience;
- availability;
- system continuity.
10.6 Communication and Integration Flows
Personal data may enter and flow through the CCS platform via:
- telecommunications networks (voice communications);
- customer-configured communication channels;
- third-party integrations (e.g. messaging platforms such as WhatsApp, Telegram, or similar services);
- end-user devices interacting with the platform.
These flows may involve cross-border transmission of data as part of normal communication routing.
10.7 Nature of Transfers
International data transfers within the CCS platform:
- occur as part of the technical operation of the system;
- are driven by infrastructure design and communication routing;
- may occur automatically without manual configuration at the user level.
Such transfers are inherent to the architecture of the platform and its global service delivery model.
10.8 Sub-Processor and Infrastructure Transfers
International transfers may also occur through CCS’s use of third-party providers, including:
- cloud infrastructure providers;
- telecommunications providers;
- specialized processing providers (e.g. transcription services);
- communication platform integrations.
These providers process personal data:
- within defined service scopes;
- as part of the structured processing chain;
- under contractual and operational controls.
10.9 Governance and Safeguards
International data transfers are governed through a combination of:
- contractual arrangements with customers and service providers;
- data processing agreements defining roles and responsibilities;
- technical and organizational measures implemented within the platform;
- applicable legal mechanisms where required under relevant data protection laws.
These measures are designed to ensure that personal data remains protected when processed across jurisdictions.
11. Data Retention
11.1 Overview
The retention of personal data within CCS depends on the context in which the data is processed and the role performed by CCS. Retention periods are not uniform across all data categories and may vary depending on:
- the purpose of processing;
- the type of personal data involved;
- the system or service through which the data is processed;
- applicable legal and contractual requirements.
11.2 Personal Data Processed by CCS as Controller
Where CCS acts as a data controller, it determines the retention period of personal data based on:
- the purpose for which the data was collected;
- applicable legal, regulatory, and contractual obligations;
- operational and business requirements.
In this context:
- personal data is retained for as long as necessary to fulfil the relevant purpose;
- retention may be required for compliance with legal obligations (e.g. accounting, tax, or regulatory requirements);
- once retention is no longer necessary, data is deleted or anonymised in accordance with internal processes.
11.3 Personal Data Processed by CCS as Processor
Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):
- CCS does not independently determine retention periods;
- retention is defined by the customer acting as data controller;
- CCS processes and retains personal data strictly in accordance with customer instructions and contractual arrangements.
This applies to personal data processed through the CCS platform, including:
- communication data (voice, chat, messaging);
- communication metadata and interaction records;
- technical and system-generated data;
- analytics and derived data outputs.
11.4 System-Based and Operational Retention
Retention within the CCS platform may be implemented through a combination of:
(a) System-Based Retention
Certain categories of data may be subject to system-level retention configurations, such as:
- communication recordings stored within platform storage environments;
- analytics data retained within defined system structures.
Such retention may be configurable depending on the service and customer setup.
(b) Operational Retention and Deletion
For other categories of personal data:
- retention may be managed through operational processes rather than automated system controls;
- deletion or anonymisation is performed based on customer instructions or internal procedures;
- retention practices may vary depending on system design and service configuration.
11.5 Variability of Retention
Due to the configurable nature of the CCS platform:
- retention periods may vary depending on how customers use the platform;
- different data categories may be subject to different retention approaches;
- CCS does not apply a single standardized retention period across all processing activities.
11.6 End of Processing
At the end of the processing relationship or upon instruction from the customer:
- personal data processed on behalf of customers is deleted or returned, as applicable;
- deletion or anonymisation is carried out in accordance with contractual arrangements and operational procedures.
12. Data Security
12.1 Overview
CCS applies technical and organizational measures to protect personal data processed within its business operations and platform environment. These measures are designed to protect personal data against:
- unauthorized access;
- unauthorized disclosure;
- accidental or unlawful loss;
- alteration;
- misuse;
- interruption of service;
- security incidents affecting confidentiality, integrity, or availability.
The security model is based on the actual CCS platform environment, including cloud infrastructure, telecommunications components, platform systems, monitoring tools, access controls, and contractual obligations with sub-processors.
12.2 Layered Security Model
CCS applies security measures across several layers of the processing environment:
- platform application layer;
- cloud infrastructure layer;
- database and storage layer;
- communication and routing layer;
- monitoring and logging layer;
- operational support layer;
- sub-processor and vendor layer.
This layered model reflects the distributed architecture of the CCS platform and the fact that personal data may be processed across multiple systems, services, and technical components.
12.3 Access Control and Authorization
Access to systems processing personal data is restricted to authorized personnel based on role, responsibility, and operational need. CCS applies access control measures including:
- role-based access control principles;
- restriction of access to authorized users;
- controlled administrative access;
- authentication mechanisms;
- access permissions aligned with operational responsibilities;
- logging of access to relevant systems where supported.
Access governance is implemented through structured access management processes and is subject to ongoing enhancement and standardization efforts across systems and applications.
12.4 Encryption and Secure Communication
CCS applies technical measures to protect personal data during transmission and within platform infrastructure. These measures include:
- secure communication protocols for data transmitted between system components;
- encryption of data in transit;
- protection of communication between platform services and infrastructure components;
- cryptographic safeguards within cloud-based processing environments where supported by the relevant infrastructure.
For platform communications, secure transport mechanisms are used to protect the confidentiality and integrity of personal data transmitted across networks. The DPA framework also refers to modern transport security mechanisms and secure communication between platform components. Where encryption or cryptographic measures are implemented by infrastructure or platform providers, CCS relies on contractual, technical, and operational controls to ensure that such measures support the security of processing.
12.5 Cloud and Infrastructure Security
CCS implements monitoring and logging mechanisms to support:
- detection of security events;
- operational visibility;
- troubleshooting;
- investigation of anomalies;
- incident response;
- platform performance and availability.
Monitoring and logging capabilities are continuously enhanced to support improved visibility, consistency, and centralized oversight across platform systems and infrastructure components.
12.6 Monitoring, Logging, and Detection
CCS applies data protection and data loss prevention measures designed to reduce the risk of unauthorized disclosure or leakage of personal data. These measures include:
- endpoint security controls;
- corporate communication safeguards;
- data loss prevention mechanisms;
- monitoring of information flows;
- controls over data transfer and export where supported.
These controls are implemented across the CCS environment as part of the organization’s data protection framework.
12.7 Data Loss Prevention and Information Flow Controls
CCS uses data protection controls to reduce the risk of unauthorized disclosure or leakage of personal data. These controls may include:
- endpoint security measures;
- corporate email controls;
- data loss prevention mechanisms;
- monitoring of information flows;
- restrictions or controls over certain transfers or exports where supported.
The audit confirms that DLP and related tooling exist centrally, but also identifies that coverage is not yet fully end-to-end across all SaaS platforms, mobile workflows, collaboration tools, and export/download scenarios. Therefore, this section describes DLP as a control layer, not as a complete guarantee.
12.8 Credential and Secret Management
CCS recognizes that technical credentials, API keys, tokens, usernames, passwords, and integration secrets may create security risks where they provide access to systems that process personal data. Security measures in this area may include:
- restricted access to credentials;
- operational controls over credentials used in integrations;
- credential rotation or revocation where required;
- internal procedures for handling technical access information;
- incident response where credential exposure is identified.
This point is important because the audit specifically identified credential handling and third-party tool governance as an organization-wide control area requiring strong governance attention.
12.9 Incident Response and Breach Management
CCS maintains processes for identifying, assessing, managing, and responding to security incidents. These processes may include:
- incident detection;
- incident classification;
- containment;
- investigation;
- root cause analysis;
- corrective actions;
- coordination with customers, sub-processors, infrastructure providers, and internal teams where required.
Where CCS acts as a processor, CCS supports the relevant customer in assessing and responding to incidents affecting personal data processed on behalf of that customer. Where CCS acts as a controller, CCS assesses notification requirements and takes action in accordance with applicable data protection laws.
12.10 Sub-Processor Security
CCS’s security model is implemented across a distributed platform and organizational environment. Security controls are maintained and continuously improved through:
- structured governance processes;
- ongoing system and process enhancements;
- regular review of security practices;
- alignment with evolving operational, technical, and regulatory requirements.
CCS applies a risk-based approach to ensure that appropriate measures are implemented to protect personal data within its platform and business operations.
12.11 Security Limitations and Continuous Improvement
CCS’s data security model is based on:
- layered technical and organizational measures;
- role-based access and authorization principles;
- secure communication and infrastructure controls;
- monitoring, logging, and incident response;
- sub-processor security obligations;
- continuous improvement of security capabilities.
This approach is designed to ensure an appropriate level of protection for personal data, taking into account the nature of CCS’s platform and services.
12.12 Governance Position
CCS’s data security model is based on:
- layered technical and organizational measures;
- role-based access and authorization principles;
- secure communication and infrastructure controls;
- monitoring, logging, and incident response;
- sub-processor security obligations;
- continuous improvement based on audit and operational findings.
This approach is intended to protect personal data processed within CCS’s platform and business operations while reflecting the actual distributed and evolving nature of the CCS technical environment.
13. Data Subject Rights
13.1 Overview
Individuals whose personal data is processed may have certain rights under applicable data protection laws. The scope and applicability of these rights depend on:
- the context in which personal data is processed;
- the role performed by CCS (data controller or data processor);
- the applicable legal framework.
13.2 When CCS Acts as Data Controller
Where CCS acts as a data controller, individuals may have the following rights, subject to applicable legal conditions:
- the right to access personal data;
- the right to request correction of inaccurate or incomplete data;
- the right to request deletion of personal data;
- the right to request restriction of processing;
- the right to object to certain types of processing;
- the right to data portability, where applicable;
- the right to withdraw consent, where processing is based on consent.
CCS will assess and respond to such requests in accordance with applicable legal requirements.
13.3 When CCS Acts as Data Processor
Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):
- CCS does not determine the purposes or legal basis of processing;
- the relevant customer acts as the data controller;
- requests relating to personal data should generally be directed to the relevant customer.
In this context:
- CCS does not independently respond to data subject requests regarding customer data;
- CCS supports its customers by providing the technical and operational means necessary to enable them to respond to such requests;
- where required, CCS may assist the customer in handling requests in accordance with contractual and legal obligations.
13.4 How to Exercise Your Rights
Where CCS acts as a data controller, individuals may submit requests relating to their personal data using the contact details provided in this Privacy policy. Where CCS acts as a data processor:
- individuals should contact the relevant organization with which they have a direct relationship;
- CCS may, where appropriate, redirect requests to the relevant customer.
13.5 Limitations and Conditions
The exercise of rights may be subject to certain limitations, including:
- legal obligations requiring continued processing or retention;
- the need to verify the identity of the requester;
- technical or operational constraints depending on the nature of the request;
- the role of CCS as a processor where rights must be exercised through the controller.
13.6 Complaints
Individuals may have the right to lodge a complaint with a competent supervisory authority if they believe that their personal data has been processed in violation of applicable data protection laws.
14. How to Exercise Your Rights
14.1 Overview
Individuals may exercise their data protection rights by submitting a request using the contact details provided in this Privacy policy. The handling of such requests depends on whether CCS acts as a data controller or a data processor in relation to the relevant personal data.
14.2 Requests Where CCS Acts as Data Controller
Where CCS acts as a data controller:
- requests may be submitted directly to CCS using the contact information provided below;
- CCS will assess and respond to requests in accordance with applicable legal requirements;
- CCS may request additional information where necessary to verify the identity of the requester.
CCS aims to respond to requests within applicable legal timeframes.
14.3 Requests Where CCS Acts as Data Processor
Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):
- individuals should direct their request to the relevant organization with which they have a direct relationship (the data controller);
- CCS does not independently determine how such requests are handled;
- CCS may, where appropriate, assist the relevant customer in responding to the request.
Where a request is submitted directly to CCS in this context:
- CCS may redirect the request to the relevant customer;
- CCS may inform the individual of the appropriate contact point.
14.4 Verification of Identity
To protect personal data, CCS may take reasonable steps to verify the identity of the individual submitting a request. Where necessary:
- additional information may be requested;
- requests may be limited or declined if identity cannot be verified.
14.5 Response and Handling
In handling requests, CCS:
- assesses the nature and scope of the request;
- determines its role (controller or processor);
- coordinates with relevant internal teams or, where applicable, with customers;
- applies appropriate legal and operational considerations.
Responses may vary depending on:
- the nature of the request;
- the data involved;
- applicable legal requirements.
14.6 Escalation and Complaints
If an individual is not satisfied with the response received:
- they may contact CCS for further clarification or escalation;
- they may exercise their right to lodge a complaint with a competent supervisory authority, as described in Section 13.
15. Cookies and Tracking Technologies
15.1 Overview
CCS uses cookies and similar technologies in connection with its website and online services. Cookies are small text files that are stored on a user’s device (such as a computer, tablet, or smartphone) when visiting a website. These files are automatically created by the user’s browser and stored locally on the device. Cookies do not harm devices and do not contain viruses or other malicious software.
15.2 Types of Data Collected
Through cookies and related technologies, CCS may process certain technical and usage-related data, including:
- IP address;
- browser type and version;
- operating system;
- internet service provider;
- date and time of access;
- pages visited and usage behavior;
- website navigation patterns and interaction data.
This data is processed in a manner that does not directly identify individuals without additional information.
15.3 Purpose of Cookies
Cookies are used to support the operation and security of the CCS website and to improve user experience. In particular, cookies are used for:
- ensuring proper functioning of the website;
- enabling navigation and usability;
- maintaining system security and stability;
- supporting administrative and technical operations.
The use of cookies is limited to purposes necessary for the operation and integrity of the website and related services.
15.4 Legal Basis
The processing of data through cookies is based on:
- CCS’s legitimate interests in ensuring the proper functioning, security, and usability of its website (Article 6(1)(f) GDPR); and
- where required, user consent for specific types of cookies or technologies.
15.5 Cookie Management and Control
Most web browsers accept cookies automatically. However, users can control or disable cookies through their browser settings. Users may:
- configure their browser to refuse cookies;
- delete previously stored cookies;
- receive notifications before cookies are stored.
Please note that disabling cookies may affect the functionality and availability of certain features of the website.
15.6 No Unauthorized Disclosure
Data collected through cookies is not used for independent third-party purposes. Where cookies involve third-party services or integrations, such processing is subject to applicable legal and contractual safeguards.
15.7 Relationship with Other Data Collection
Cookies may operate in conjunction with other technical data collection mechanisms, including server log files. Such data may include:
- IP addresses;
- system activity data;
- access timestamps.
This information is used to:
- ensure secure and stable operation of the website;
- prevent misuse or unauthorized access;
- support system performance and maintenance.
15.8 Further Information
More detailed information about the use of cookies, including specific types of cookies and their functionality, is provided in the CCS Cookie Policy. Users are encouraged to review the Cookie Policy for additional details and choices regarding cookie usage.
16. Marketing Communications
16.1 Overview
CCS may use personal data to communicate with individuals about its services, subject to applicable legal requirements and, where required, the consent of the individual. Marketing communications are conducted in a manner consistent with CCS’s data protection commitments and applicable data protection laws.
16.2 Controller-Based Marketing Activities
Where CCS acts as a data controller, personal data may be used for communication purposes, including:
- providing information about CCS services;
- responding to inquiries or requests;
- maintaining business relationships with customers, partners, and contacts;
- sending updates regarding services where the individual has consented or where permitted by applicable law.
As stated in the existing policy: CCS uses personal data to keep individuals informed about services only where consent has been provided.
16.3 Legal Basis
Marketing-related communications are based on:
- consent, where required by applicable law;
- legitimate interests, where communication is related to existing business relationships and permitted under applicable regulations.
Where consent is required:
- individuals will be asked to provide consent before receiving such communications;
- consent may be withdrawn at any time.
16.4 No Sale or Independent Marketing Disclosure
CCS does not sell personal data and does not disclose personal data to third parties for their own independent marketing purposes. As stated in the existing policy:
- personal data is not transferred to non-affiliated entities for their own direct marketing use without clear policy and explicit consent.
16.5 Opt-Out and Withdrawal
Individuals may opt out of marketing communications at any time. This may be done by:
- using opt-out mechanisms included in communications;
- contacting CCS using the contact details provided in this Privacy policy;
- withdrawing previously given consent.
Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
16.6 Processor Context
Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):
- CCS does not use such data for its own marketing purposes;
- CCS does not contact end users of its customers for marketing purposes;
- any marketing communication is carried out by the customer acting as the data controller.
17. Children’s Data
17.1 Overview
CCS services, platform, and website are designed for business use and are not intended for children. CCS does not knowingly collect personal data directly from children in its capacity as a data controller.
17.2 Controller Context
Where CCS acts as a data controller:
- CCS does not target children with its services or website;
- CCS does not intentionally collect personal data from individuals under the age of 16;
- if CCS becomes aware that personal data of a child has been collected without appropriate authorization, such data will be deleted or handled in accordance with applicable legal requirements.
17.3 Processor Context
Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):
- CCS may process personal data relating to end users of its customers;
- such end users may include children, depending on the customer’s business activities;
- CCS does not determine the categories of data subjects or the purposes of processing in this context.
In such cases:
- the relevant customer acts as the data controller and is responsible for ensuring compliance with applicable legal requirements relating to children’s data;
- CCS processes such data strictly in accordance with customer instructions and contractual obligations.
17.4 Responsibility and Safeguards
In processor scenarios involving children’s data:
- CCS does not independently collect or use such data;
- CCS does not interact directly with children;
- CCS supports its customers in implementing appropriate technical and organizational measures within the platform environment.
18. Third-Party Links & Services
18.1 Overview
The CCS website is not designed to operate as a directory of third-party websites and does not generally provide links to external customer or partner websites as part of its standard content.
18.2 Third-Party Services and Integrations
CCS services and platform functionalities may involve third-party systems, communication channels, or integrations as part of service delivery. Such third-party services may include:
- telecommunications providers;
- messaging or communication platforms;
- technical service providers or integrated systems.
Where such services are used:
- they operate under their own technical and organizational frameworks;
- they may process personal data in accordance with their own privacy policies and terms;
- their use is typically determined by the customer’s configuration and service setup.
CCS does not control the privacy practices of third-party services that are not operated by CCS.
18.3 External Environments
Where users interact with third-party services or are redirected to external environments:
- such environments are outside the control of CCS;
- CCS is not responsible for the content, security, or privacy practices of such external services.
18.4 Third-Party Cookies and Tracking
Third-party services or external websites may use their own cookies or tracking technologies. Such technologies:
- are not controlled by CCS;
- are governed by the respective third party’s privacy and cookie policies.
Users are encouraged to review the relevant policies of those third parties.
18.5 User Awareness
Individuals should exercise caution and review applicable privacy policies when interacting with third-party services or external platforms.
19. Changes to This Policy
19.1 Updates to This Privacy Policy
CCS may update this Privacy policy from time to time to reflect:
- changes in legal or regulatory requirements;
- changes in CCS services or platform functionalities;
- changes in data processing practices;
- improvements to clarity and transparency.
19.2 Versioning and Effective Date
The current version of this Privacy policy is identified by the effective date indicated at the beginning of the document. Where material changes are made:
- the effective date will be updated accordingly;
- the updated version will replace previous versions.
19.3 Notification of Changes
Where required by applicable law, CCS may take appropriate steps to notify individuals of material changes, which may include:
- notices on the website;
- direct communication where appropriate.
19.4 Historical Versions
Previous versions of this Privacy policy may be retained for internal documentation and compliance purposes.
20. Contact Information
20.1 Overview
For any questions, requests, or concerns regarding this Privacy policy or the processing of personal data, individuals may contact CCS or the designated Data Protection Officer using the contact details below. The appropriate contact point may depend on the context of processing and the role performed by CCS.
20.2 CCS Group Contact Point
For general inquiries and data protection-related requests:
Call Center Studio
Website: https://callcenterstudio.com
Email: gdpr@callcenterstudio.com
This contact point serves as the primary communication channel and coordinates requests internally across CCS entities.
20.3 CCS Group Entities
Locations: United States of America
Call Center Studio, Inc.
1 East Erie St. Suite 525 PMB 4651, Chicago, IL, 60611
Website: https://callcenterstudio.com
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Cenk SOYAK
Location: United Kingdom
Call Center Studio Ltd.
Unit 501 Leroy House
434–436 Essex Road
London N1 3FY
United Kingdom
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Saygun Bektaş DOĞAN
Location: Romania
Call Center Studio S.R.L.
28–30 G-ral Gheorghe Magheru Blvd.
District 1, 010336
Bucharest, Romania
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Saygun Bektaş DOĞAN
Locations: Türkiye
20.4 AloTech İletişim Teknolojileri A.Ş.
NidaKule Plaza,
Kozyatağı, Değirmen Sk.
No:18 Kat:13 D:22,
34720 Kadıköy/İstanbul
Kadıköy/İstanbul, Turkey
Website: https://alotech.com.tr/
E-Mail: gpdr@callcenterstudio.com
General Manager: Mr. Cenk SOYAK
Technopark Office (Branch office)
YTÜ Davutpaşa Kampüsü Teknoloji Geliştirme Bölgesi
Ar-Ge 1 Binası, B Blok Zemin Kat No: 2 Esenler,
34220 İstanbul, Türkiye
Website: https://alotech.com.tr/
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Cenk SOYAK
20.4 Data Protection Officer (DPO)
CCS has appointed an independent Data Protection Officer:
Path Düsseldorf GmbH
Certified DPO: Kemal Hakan Hasserbetci
Gerresheimer Str. 86, 40233 Düsseldorf, Germany
Email: h.hasserbetci@pathdusseldorf.de
hakan@pathdusseldorf.com
20.5 EU Representative (EU GDPR)
For purposes of the General Data Protection Regulation (GDPR), the designated representative in the European Union is:
Call Center Studio S.R.L.
Bucharest, Romania
20.6 UK Representative (UK GDPR)
For purposes of the UK General Data Protection Regulation (UK GDPR), the designated representative is:
Call Center Studio Ltd.
London, United Kingdom
20.7 Supervisory Authorities
Individuals may also have the right to lodge a complaint with a competent supervisory authority, as described in Section 13.