Search
Close this search box.
Home | Privacy Program
SECURE CUSTOMER SERVICE

Call Center Studio Global Privacy Program

Call Center Studio, and its subsidiaries (collectively, “CallCenterStudio”) have been fully
compliant with The General Data Protection Regulation (GDPR) since 2018. This version is
valid from 08.07.2026.

Compliancy & Certifications

ISO/IEC 27001:2022 : Information Securtiy Management Systems

ISO 9001:2015 : Quality Management Systems

ISO 10002:2018 : Customer Satisfaction Management System

● PCI-DSS CallCenterStudio compliance

COMPLIANCE: EU GDPR

CCS operates a global data protection and privacy framework designed to align with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), UK GDPR, and other relevant international and regional frameworks such as U.S. state privacy laws, the Philippines Data Privacy Act, and South Africa’s Protection of Personal Information Act (POPIA).

Call Center Studio operates a structured data protection and privacy framework designed to ensure compliance with applicable data protection laws and regulatory requirements, including the General Data Protection Regulation (GDPR), UK GDPR, and other relevant international frameworks.

Rather than relying on static policies, CCS implements compliance through a combination of:

  • clearly defined data protection roles (controller and processor);
  • platform-level technical and organizational measures;
  • contractual safeguards with customers and sub-processors;
  • internal governance and risk management processes;
  • continuous monitoring and improvement of data protection practices.
GDPR Applicability and Scope

CCS processes personal data in a global environment and applies GDPR principles where applicable, including in situations where:

  • services are provided to customers operating within the European Union or United Kingdom;
  • personal data of individuals located in the EU or UK is processed through the CCS platform;
  • CCS acts as a data processor on behalf of customers subject to GDPR obligations.
Controller and Processor Model

CCS operates under a dual-role model:

  • as a data controller for its own business operations (e.g. website, employee data, business contacts);
  • as a data processor (service provider) when processing personal data through its platform on behalf of its customers.

This distinction is fundamental to CCS’s compliance framework and defines how legal responsibilities are allocated and fulfilled.

Data Protection Principles

CCS aligns its data processing practices with core data protection principles, including:

  • lawfulness, fairness, and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality.

These principles are implemented through both platform design and organizational controls.

Breach Management and Accountability

CCS maintains processes to detect, assess, and respond to potential personal data breaches. Where required, CCS supports customers in fulfilling their legal obligations, including notification to supervisory authorities and affected individuals, in accordance with applicable law.

Continuous Compliance Approach

Data protection is treated as an ongoing process rather than a one-time implementation. CCS continuously develops and enhances its compliance framework through:

  • internal projects (e.g. access control, monitoring, data protection enhancements);
  • alignment with evolving legal requirements;
  • improvements to technical and organizational measures;
  • integration of data protection into platform and service design.

Cookie Policy - EU GDPR

Last Updated: June 2026

Introduction

This Cookie Policy explains how Call Center Studio (“we”, “us”, or “our”) uses cookies and similar tracking technologies on our website (https://callcenterstudio.com/). This policy is designed to provide you with clear and comprehensive information about the cookies we use, the purposes for which we use them, and your rights to control our use of them.

This Cookie Policy should be read in conjunction with our Global Privacy Program, which provides detailed information regarding how we collect, process, and protect your personal data.

What Are Cookies?

Cookies are small text files that are placed on your computer, tablet, or mobile device when you visit a website. They are widely used by website owners to make their websites work, or to work more efficiently, as well as to provide reporting information.

Cookies set by the website owner (in this case, Call Center Studio) are called “first-party cookies.” Cookies set by parties other than the website owner are called “third-party cookies.” Third-party cookies enable third-party features or functionality to be provided on or through the website (e.g., interactive content, analytics, and advertising). The parties that set these third-party cookies can recognize your computer both when it visits the website in question and when it visits certain other websites.

How We Use Cookies

We use first-party and third-party cookies for several reasons. Some cookies are required for technical reasons in order for our website to operate, and we refer to these as “strictly necessary” or “essential” cookies. Other cookies enable us to track and target the interests of our users to enhance the experience on our website. Third parties serve cookies through our website for advertising, analytics, and other purposes.

The specific types of first and third-party cookies served through our website and the purposes they perform are described below.

1. Strictly Necessary Cookies

These cookies are essential for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Cookie / Technology Provider Purpose Duration
WordPress Session Call Center Studio Maintains user session state across page requests. Session
LiteSpeed Cache LiteSpeed Optimizes website performance and loading speeds. Session
CSRF Tokens Call Center Studio Protects against Cross-Site Request Forgery attacks. Session
2. Functional Cookies

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.

Cookie / Technology Provider Purpose Duration
zc_consent, zc_show Zoho SalesIQ Remembers your chat widget preferences and display state. 1 Year
zc_cu, zc_cu_exp Zoho SalesIQ Identifies returning users for the live chat functionality. 1 Year
Intercom Intercom Provides customer messaging and support functionality. 9 Months
3. Analytics and Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site and will not be able to monitor its performance.

Cookie / Technology Provider Purpose Duration
_ga, _gid, _gat Google Analytics 4 Calculates visitor, session and campaign data and tracks site usage for the site’s analytics report. Up to 2 Years
PageSense Zoho PageSense Generates heatmaps and tracks user interactions to optimize website layout. 1 Year
dd_anonymous_id DataDog RUM Monitors real user performance and website technical health. 1 Year
4. Marketing and Targeting Cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Cookie / Technology Provider Purpose Duration
gclid, IDE Google Ads Registers a unique ID to keep statistics of what videos from YouTube the user has seen and tracks ad conversions. Up to 1 Year
_fbp, _fbc Meta (Facebook) Used by Meta to deliver a series of advertisement products such as real-time bidding from third-party advertisers. 3 Months
li_fat_id, _li_ss LinkedIn Tracks conversions, retargets website visitors, and unlocks additional insights about members interacting with our LinkedIn ads. 6 Months
_reb2buid, _reb2bgeo RB2B Identifies B2B visitors and their geographical location to optimize B2B marketing efforts. 1 Year
utm_source, utm_medium Call Center Studio Tracks the marketing campaigns and sources that directed the user to the website. Session

How Can You Control Cookies?

You have the right to decide whether to accept or reject cookies. You can exercise your cookie preferences by clicking on the appropriate opt-out links provided in the cookie consent banner presented when you first visit our website.

Furthermore, you can set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you may still use our website though your access to some functionality and areas of our website may be restricted. As the means by which you can refuse cookies through your web browser controls vary from browser to browser, you should visit your browser’s help menu for more information.

For more information on how to manage cookies, please visit All About Cookies.

Updates to This Cookie Policy

We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal, or regulatory reasons. Please therefore re-visit this Cookie Policy regularly to stay informed about our use of cookies and related technologies.

The date at the top of this Cookie Policy indicates when it was last updated.

Contact Us

If you have any questions about our use of cookies or other technologies, please contact our Data Protection Officer at:

Email: GDPR@callcenterstudio.com
Address: 1 East Erie St Suite 525 PMB 4651 Chicago, IL 60611, United States

Data Protection Policy - EU GDPR

Effective Date: 27 April 2026
Document Reference: CCS Privacy Policy (Global)

Introduction

This Privacy Policy explains how Call Center Studio, Inc. and its affiliated entities (“CCS”, “we”, “our”, “us”) process personal data in connection with:

  • the use of our website (www.callcenterstudio.com);
  • the provision of our cloud-based communication and contact center platform;
  • our business operations, commercial relationships, and corporate activities.

Scope of Application

This Privacy policy applies to personal data processed in relation to:

  • website visitors;
  • business customers;
  • business contacts and partners;
  • individuals interacting with CCS services through our customers;
  • other individuals whose personal data is processed in the course of CCS operations.

Important Role Clarification

CCS operates through multiple legal entities and provides services within a business-to-business (B2B) model. As a result:

  • CCS may act as a data controller for certain processing activities (such as its own business operations, website, and corporate functions);
  • CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers) in relation to personal data processed through its platform.

Where CCS acts as a data processor:

  • the relevant customer acts as the data controller;
  • this Privacy policy does not replace or override the privacy obligations of such customers.

1. Introduction & Transparency Commitment

This Privacy policy is designed to provide a clear and transparent explanation of how personal data is processed within the Call Center Studio group of companies. Call Center Studio operates a cloud-based communication and contact center platform that is used by business customers across multiple jurisdictions. Due to the nature of this service model, personal data may be processed in different contexts, involving multiple entities, systems, and roles. In particular:

  • Call Center Studio provides its platform to business customers on a Software-as-a-Service (SaaS) basis;
  • personal data processed through the platform typically relates to the end users of those customers;
  • in most cases, Call Center Studio processes such data strictly on behalf of its customers and under their instructions;
  • in certain limited scenarios, Call Center Studio may process personal data for its own purposes, such as for business operations, contractual relationships, or employment-related activities.

As a result, the role of Call Center Studio in relation to personal data processing may vary depending on the specific context. In particular:

  • Call Center Studio acts primarily as a service provider processing personal data on behalf of its customers;
  • Call Center Studio acts as an independent data controller only in relation to its own internal business activities.

This Privacy policy reflects this dual role structure and explains how personal data is handled in each context. We are committed to ensuring that personal data is processed in a lawful, fair, and transparent manner, and that individuals are provided with clear information regarding:

  • how and why their personal data is processed;
  • the roles and responsibilities involved in such processing;
  • their rights in relation to their personal data.

This Privacy policy is intended to provide an accurate representation of how personal data is processed in practice, based on our operational model, system architecture, and contractual relationships with our customers.

2. Who We Are

2.1 Group Identity

This Privacy policy applies to Call Center Studio, Inc. and its affiliated entities (together referred to as “CCS”, “we”, “our”, “us”). CCS operates as a multi-entity group providing cloud-based communication and contact center services to business customers across multiple jurisdictions.

2.2 Relevant Legal Entities

Depending on the context of your interaction with our services, the relevant CCS entity acting as the data controller may be:

  • Call Center Studio, Inc. (United States)
  • Call Center Studio Ltd (United Kingdom)
  • Call Center Studio S.R.L. (Romania)

The applicable entity is determined based on factors such as:

  • the location of the customer relationship;
  • the contractual entity providing services;
  • the context in which personal data is processed.
2.3 Role Clarification

CCS processes personal data in different roles depending on the context:

  • In most cases, CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its business customers);
  • In certain cases, CCS acts as an independent data controller, for example in relation to:
    • business contact data;
    • customer relationship management;
    • internal administrative and operational activities;
    • employee-related processing.

Further details on these roles are provided in Section 4 of this Privacy policy.

2.4 EU Representative

Where required under applicable data protection laws, Call Center Studio S.R.L. (Romania) acts as the representative in the European Union for non-EU CCS entities in relation to personal data processing activities falling within the scope of EU data protection requirements.

2.5 UK Representative

Where required under applicable data protection laws, Call Center Studio Ltd (United Kingdom) acts as the representative in the United Kingdom for non-UK CCS entities in relation to personal data processing activities falling within the scope of UK data protection requirements.

3. Scope of This Policy

This Privacy policy applies to the processing of personal data in connection with the activities and services of CCS, as described in this document. This includes personal data processed in the following contexts:

  • individuals visiting or interacting with our website;
  • representatives of our business customers and partners;
  • individuals whose personal data is processed by CCS in connection with its internal business operations, including administrative, contractual, and employment-related activities;
  • individuals whose personal data is processed through the use of our platform by our business customers, where CCS acts as a data processor.

In relation to personal data processed through the CCS platform on behalf of our business customers:

  • CCS processes such data strictly under the instructions of the relevant customer;
  • the customer acts as the data controller and is responsible for determining the purposes and legal basis of processing;
  • CCS does not independently determine how such personal data is used.

This Privacy policy is intended to provide general transparency regarding CCS’s processing activities. Where personal data is processed by CCS on behalf of a customer, individuals should refer to the privacy policy of the relevant customer for information on how and why their personal data is processed.

4. Roles & Data Protection Positioning

4.1 When CCS Acts as a Data Controller

CCS acts as an independent data controller where it determines the purposes and means of processing personal data for its own activities. This includes, in particular:

  • management of business relationships with customers and partners;
  • processing of business contact data;
  • administration of contractual relationships;
  • internal operational and administrative activities;
  • processing of employee and recruitment-related data;
  • compliance with legal and regulatory obligations.

In these cases, CCS is responsible for ensuring that personal data is processed in accordance with applicable data protection requirements.

4.2 When CCS Acts as a Data Processor

CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its business customers) in relation to personal data processed through its platform. In this context:

  • personal data is processed on behalf of CCS’s business customers;
  • the customer acts as the data controller and determines:
    • the purposes of processing;
    • the legal basis for processing;
    • the categories of personal data processed;
  • CCS processes personal data strictly in accordance with the documented instructions of the customer;
  • CCS does not independently determine how such personal data is used.

This applies to personal data processed through communication and interaction channels supported by the CCS platform, including:

  • voice communications and call recordings;
  • chat and messaging interactions;
  • communication metadata and system-generated data;
  • customer-configured workflows and analytics.
4.3 What This Means in Practice

The distinction between controller and processor roles has important implications for individuals whose personal data is processed.

Where CCS acts as a data controller:

  • CCS is responsible for determining how and why personal data is processed;
  • CCS is responsible for responding to requests from individuals regarding their personal data;
  • CCS is responsible for ensuring compliance with applicable data protection requirements.

Where CCS acts as a data processor:

  • CCS processes personal data only on behalf of and under the instructions of its customers;
  • CCS does not determine the purposes or legal basis of processing;
  • responsibility for responding to data subject requests primarily lies with the relevant customer acting as controller;
  • CCS supports its customers by providing the technical and operational means necessary to enable compliance with their obligations.

This role-based structure reflects the operational and contractual framework within which CCS provides its services and is fundamental to understanding how personal data is processed across the CCS platform environment.

5. Personal Data We Process

5.1 Overview

CCS processes different categories of personal data depending on the context in which processing takes place. In particular, the categories of personal data processed vary depending on whether CCS acts:

  • as a data controller in relation to its own business operations; or
  • as a data processor (i.e. a service provider processing personal data on behalf of its customers) in relation to the use of its platform.

The categories of personal data processed in each context are described below.

5.2 Personal Data Processed by CCS as Controller

Where CCS acts as a data controller, it processes personal data relating to:

  • employees and job applicants;
  • representatives of business customers and partners;
  • representatives of third-party service providers and vendors.

In this context, CCS may process the following categories of personal data:

(a) Identity Data

  • name and surname;
  • date of birth (where applicable);
  • identification-related information where required.

(b) Contact Data

  • email address;
  • telephone number;
  • business address information.

(c) Professional and Business Data

  • job title and role;
  • company affiliation;
  • business communication records.

(d) Financial and Contractual Data

  • billing and payment-related information;
  • contractual and transactional records.

(e) Employment and HR Data

  • employment records;
  • professional qualifications and background;
  • performance-related information;
  • internal administrative records.

This data is processed for CCS’s own business purposes, including relationship management, contractual administration, internal operations, and compliance with legal obligations.

5.3 Personal Data Processed by CCS as Processor

Where CCS acts as a data processor, it processes personal data on behalf of its business customers in connection with the use of its platform. In this context:

  • CCS does not determine the categories of personal data processed;
  • the scope of data processing is defined by the customer acting as data controller;
  • personal data processed reflects the configuration and use of the platform by the customer.

Depending on the services used, this may include:

(a) Communication Data

  • voice communications and call recordings;
  • chat and messaging content;
  • interaction content exchanged through communication channels.

(b) Communication Metadata

  • timestamps and duration of interactions;
  • routing and call-related data;
  • session identifiers and interaction references.

(c) Technical and System Data

  • IP addresses;
  • device and system identifiers;
  • log and access records related to platform usage.

Personal data processed in this context relates primarily to the end users of CCS’s business customers.

5.4 Processing Through Sub-Processors

In order to provide its services, CCS engages sub-processors that process personal data on its behalf and under its instructions. Such processing may include:

  • processing of voice data for transcription and analysis;
  • AI-supported processing of communication data, such as speech-to-text conversion and analytical outputs derived from customer interactions;
  • temporary or structured processing of communication data within defined service scopes;
  • infrastructure-level processing within cloud and hosting environments.

Sub-processors process personal data strictly within the scope of the services provided and:

  • act only under the instructions of CCS;
  • do not independently determine the purposes of processing;
  • do not use personal data for their own purposes, including independent analytics or model training.
5.5 Data Variability and Customer Control

Due to the nature of the CCS platform:

  • the categories and scope of personal data processed may vary depending on the customer’s use of the platform;
  • customers determine what data is collected, processed, and stored within their configured environments;
  • CCS processes such data only in accordance with customer instructions.

6. How We Collect Data

6.1 Overview

CCS collects and receives personal data through different mechanisms depending on the context in which processing takes place. In particular, personal data may be:

  • collected directly by CCS in connection with its own business operations; or
  • received and processed by CCS on behalf of its business customers through the use of its platform.
6.2 Data Collected Directly by CCS (Controller Context)

Where CCS acts as a data controller, personal data is collected directly from individuals or organizations, including:

  • when individuals or business representatives contact CCS;
  • during the establishment and management of business relationships;
  • through contractual and commercial interactions;
  • in connection with recruitment and employment processes;
  • through the use of CCS websites and related communication channels.

This data is provided directly by the relevant individual or organization.

6.3 Data Collected Through Customers (Processor Context)

Where CCS acts as a data processor, personal data is not collected independently by CCS. Instead:

  • personal data is collected by CCS’s business customers;
  • such data is submitted to or made available through the CCS platform based on customer configuration;
  • CCS processes this data strictly on behalf of and under the instructions of the customer.

This includes personal data relating to the end users of CCS’s customers.

6.4 Data Collected Through Communication Channels

Personal data may be generated and collected through the use of communication services supported by the CCS platform, including:

  • voice communications facilitated through telecommunications service providers (telco layer);
  • chat and messaging interactions;
  • digital communication channels integrated into the platform.

In this context:

  • communication data is received through the relevant communication channel and processed within the CCS platform environment;
  • the specific communication channels and configurations are determined by the customer;
  • CCS processes such data in accordance with customer-defined workflows and instructions.
6.5 Data Collected Through Third-Party Integrations

The CCS platform may be integrated with third-party services and communication platforms. In such cases:

  • personal data may be received through integrations configured by the customer;
  • data flows into the CCS platform from external systems and services;
  • CCS processes such data in accordance with customer instructions and configured workflows.
6.6 System-Generated and Technical Data

In addition to data provided directly or through platform usage, certain data is generated automatically as part of system operation, including:

  • technical and system identifiers;
  • log and access data;
  • communication metadata generated during platform usage.

This data is generated through the operation of the platform and supporting infrastructure.

6.7 Variability of Data Collection

Due to the configurable nature of the CCS platform:

  • the methods and scope of data collection may vary depending on how customers use the platform;
  • CCS does not standardize or control how customers collect personal data from their end users;
  • data collection mechanisms are determined by the customer’s configuration and operational use of the platform.

7. How We Use Personal Data

7.1 Overview

CCS uses personal data differently depending on the context in which the data is processed. Where CCS acts as a data controller, CCS uses personal data for its own business, administrative, employment, contractual, commercial, security, and compliance purposes. Where CCS acts as a data processor, CCS processes personal data only on behalf of its business customers and in accordance with their instructions. In that context, the customer determines the purposes for which personal data is processed.

7.2 Use of Personal Data Where CCS Acts as Controller

Where CCS acts as a data controller, CCS may use personal data for the following purposes:

  • managing business relationships with customers, partners, vendors, and service providers;
  • communicating with customer representatives, partner contacts, and other business contacts;
  • negotiating, entering into, and administering contracts;
  • managing billing, invoicing, payment, and accounting-related activities;
  • conducting internal administrative and operational activities;
  • managing recruitment, employment, HR, personnel administration, and related internal processes;
  • sending business communications and, where applicable, marketing communications;
  • maintaining records required for legal, regulatory, tax, accounting, or compliance purposes;
  • protecting CCS systems, business operations, and information security.
7.3 Use of Personal Data Where CCS Acts as Processor

Where CCS acts as a data processor, CCS uses personal data only to provide, operate, maintain, support, and secure the CCS platform on behalf of its business customers. This may include processing personal data for the following customer-directed purposes:

  • enabling customers to manage voice, chat, messaging, video, and other communication interactions with their end users;
  • routing and managing communication sessions;
  • storing communication metadata and operational platform data;
  • storing call, video, chat, or messaging content where enabled or configured by the customer;
  • supporting contact centre operations;
  • generating operational analytics, reporting, and service performance metrics;
  • supporting AI-enabled or automated features where configured by the customer, such as transcription, interaction analysis, or customer interaction support;
  • monitoring platform performance, reliability, and service availability;
  • troubleshooting, maintenance, technical support, and incident response;
  • maintaining system security and infrastructure integrity.
7.4 Customer Control Over Platform Use

In processor scenarios, CCS does not independently determine why personal data is processed through the platform. The relevant business customer determines:

  • the purpose of using the platform;
  • the categories of personal data processed;
  • the data subjects involved;
  • the communication channels used;
  • whether recording, analytics, transcription, or AI-supported features are enabled;
  • the retention period or configuration applied to customer-controlled data, where such configuration is available.

CCS processes such personal data only in accordance with the customer’s documented instructions and applicable contractual arrangements.

7.5 AI-Supported Processing

Certain CCS platform features may involve AI-supported processing, such as transcription, analytics, quality-related outputs, or interaction support. Where these features are used in connection with customer end-user data:

  • CCS processes personal data as a data processor;
  • the customer determines whether and how such features are used;
  • CCS does not use customer data for its own independent purposes;
  • CCS does not use customer data for independent model training unless expressly agreed and lawfully permitted;
  • final decisions based on platform outputs remain with the customer.
7.6 No Independent Use of Customer End-User Data

CCS does not use personal data processed through the platform on behalf of customers for independent purposes. In particular, CCS does not use customer end-user data to:

  • independently determine customer business purposes;
  • independently decide the legal basis for processing;
  • sell customer end-user data;
  • use customer end-user data for unrelated marketing;
  • independently make decisions about customer end users.
7.7 Security, Monitoring, and Operational Use

CCS may process technical, system, log, and metadata information for purposes necessary to:

  • operate and maintain the platform;
  • monitor service performance;
  • detect and respond to security incidents;
  • troubleshoot technical issues;
  • protect the confidentiality, integrity, and availability of the platform;
  • support compliance with contractual and legal obligations.

Such processing is limited to operational, technical, security, and support purposes.

8. Legal Basis

8.1 Overview

The legal basis for processing personal data depends on the context in which such data is processed. Where CCS acts as a data controller, CCS relies on specific legal grounds depending on the nature of the processing activity and the type of data involved. Where CCS acts as a data processor, the legal basis is determined by the relevant customer acting as data controller.

8.2 Legal Bases Where CCS Acts as Controller

(a) Contractual Necessity

CCS processes personal data where such processing is necessary for the performance of a contract or to take steps prior to entering into a contract. This typically applies to processing such as:

  • use of identity and contact data of business representatives to establish and manage customer and partner relationships;
  • processing of contact, contractual, and communication data for the negotiation, execution, and administration of agreements;
  • use of financial and transactional data for billing, invoicing, and payment handling;
  • maintenance of business communication records related to contractual interactions.

(b) Legitimate Interests

CCS processes personal data where it is necessary for its legitimate business interests, provided that such interests are not overridden by the rights and freedoms of individuals. This typically applies to processing such as:

  • use of contact and professional data for ongoing business relationship management;
  • processing of technical and system data (e.g. logs, access records) for security monitoring and system protection;
  • use of communication and interaction data for service improvement and operational efficiency;
  • internal administrative processing and organizational management activities.

Where required, CCS performs a balancing assessment to ensure that its interests do not override individual rights.

(c) Legal Obligations

CCS processes personal data where necessary to comply with legal and regulatory obligations. This typically applies to processing such as:

  • retention of financial, contractual, and transaction-related data for accounting and tax purposes;
  • maintenance of records required by law or regulatory authorities;
  • disclosure of relevant data in response to lawful requests by authorities;
  • compliance with regulatory, audit, and reporting requirements.

(d) Consent

CCS processes personal data based on consent where required by applicable law. This typically applies to processing such as:

  • use of contact data for marketing communications where consent is required;
  • use of certain optional technologies or features that require user consent;
  • any processing activity where no other legal basis is applicable.

Where consent is relied upon:

  • individuals may withdraw consent at any time;
  • withdrawal does not affect prior lawful processing.
8.3 Processing Where CCS Acts as Data Processor

Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):

  • CCS does not determine the legal basis for processing;
  • the applicable legal basis is determined by the customer acting as data controller;
  • CCS processes personal data strictly in accordance with customer instructions.

This includes processing of:

  • communication data (voice, chat, messaging);
  • communication metadata and interaction records;
  • technical and system data generated through platform usage;
  • analytics and AI-supported processing configured by the customer.
8.4 Customer Responsibility

In processor scenarios:

  • the customer is responsible for selecting and applying the appropriate legal basis;
  • the customer is responsible for providing required policies and obtaining any necessary consents;
  • CCS supports customers by providing technical and operational capabilities to enable compliance.

9. Data Sharing & Disclosure

9.1 Overview

CCS may share personal data with third parties depending on the context in which processing takes place. The nature and purpose of such sharing differ depending on whether CCS acts as a data controller or as a data processor.

9.2 Sharing Within the CCS Group

Personal data may be shared between CCS group entities where necessary for:

  • the provision of services;
  • internal administrative and operational purposes;
  • management of business relationships and contractual obligations;
  • ensuring consistency of service delivery across jurisdictions.

Such sharing is carried out in accordance with applicable data protection requirements and internal governance structures.

9.3 Sharing in Processor Context (Customer-Controlled Disclosure)

Where CCS acts as a data processor:

  • personal data may be shared or disclosed as part of the services provided to the customer;
  • such sharing is determined and controlled by the customer;
  • CCS does not independently decide to disclose personal data to third parties outside the scope of customer instructions.

This includes, for example:

  • routing of communications through external networks;
  • integrations configured by the customer;
  • communication flows involving third-party platforms.
9.4 Sharing with Sub-Processors and Service Providers

In order to provide its services, CCS engages third parties that process personal data on its behalf. These may include:

  • cloud infrastructure providers;
  • telecommunications providers supporting communication services;
  • service providers supporting platform functionality;
  • specialized processing providers (e.g. transcription or analytics services).

Where such providers act as sub-processors:

  • they process personal data solely on behalf of CCS and under its instructions;
  • they are contractually bound to implement appropriate technical and organizational measures;
  • they are not permitted to use personal data for their own independent purposes.

The use of sub-processors forms part of the structured processing chain: customer (controller) → CCS (processor) → sub-processor

9.5 Sharing for Legal and Regulatory Purposes

CCS may disclose personal data where required to do so by law or where necessary to:

  • comply with legal obligations;
  • respond to lawful requests from public authorities;
  • enforce contractual rights;
  • protect the rights, property, or safety of CCS, its customers, or others.

Such disclosures are carried out in accordance with applicable legal requirements.

9.6 No Independent Commercial Sharing

CCS does not sell personal data and does not disclose personal data to third parties for independent marketing or commercial purposes unrelated to the services provided.

9.7 Operational and Technical Sharing

Personal data may be shared within the CCS platform environment as part of:

  • system operation and service delivery;
  • infrastructure-level processing;
  • communication routing and handling;
  • platform analytics and reporting functions.

Such sharing is limited to what is necessary for the provision and maintenance of the services.

10. International Data Transfers

10.1 Overview

CCS operates a distributed platform architecture in which personal data is processed across multiple geographic regions as part of normal service delivery. This structure is defined within CCS’s internal governance framework and system architecture, including documented data flow models and infrastructure design. International data transfers arise from:

  • platform system design;
  • communication routing through telecommunications networks;
  • distributed cloud infrastructure;
  • integrations with third-party communication services.

The scope and nature of such transfers differ depending on whether data is processed in a controller or processor context.

10.2 Data Processed by CCS as Controller

Personal data processed by CCS as a data controller (including employee data and business contact data):

  • is processed and stored within the jurisdiction in which it is collected;
  • is not subject to the platform-based international transfer model described below.
10.3 Data Processed by CCS as Processor (Platform Data)

Where CCS acts as a data processor, personal data processed through the platform (relating to end users of CCS customers) follows a distributed processing model defined by system architecture. This model involves processing across multiple regions and is not limited to a single geographic location.

10.4 United States — Core Processing Layer

Certain categories of personal data are processed within systems hosted in the United States, including:

  • primary platform databases;
  • automatic call distribution (ACD) systems;
  • interaction handling and routing logic.

This includes processing of:

  • call detail records (CDR);
  • caller and called numbers;
  • session identifiers (e.g. SIP Call ID);
  • tenant-related operational data;
  • communication event data (such as call start and end events).

These systems support real-time platform functionality and communication handling.

10.5 European Union — Storage and Analytics Layer

Certain categories of personal data are processed and stored within the European Union, including:

  • voice recordings of communications;
  • video recordings;
  • analytics data and derived datasets;
  • reporting and performance-related outputs.

Such data may be stored across multiple EU regions and replicated for:

  • resilience;
  • availability;
  • system continuity.
10.6 Communication and Integration Flows

Personal data may enter and flow through the CCS platform via:

  • telecommunications networks (voice communications);
  • customer-configured communication channels;
  • third-party integrations (e.g. messaging platforms such as WhatsApp, Telegram, or similar services);
  • end-user devices interacting with the platform.

These flows may involve cross-border transmission of data as part of normal communication routing.

10.7 Nature of Transfers

International data transfers within the CCS platform:

  • occur as part of the technical operation of the system;
  • are driven by infrastructure design and communication routing;
  • may occur automatically without manual configuration at the user level.

Such transfers are inherent to the architecture of the platform and its global service delivery model.

10.8 Sub-Processor and Infrastructure Transfers

International transfers may also occur through CCS’s use of third-party providers, including:

  • cloud infrastructure providers;
  • telecommunications providers;
  • specialized processing providers (e.g. transcription services);
  • communication platform integrations.

These providers process personal data:

  • within defined service scopes;
  • as part of the structured processing chain;
  • under contractual and operational controls.
10.9 Governance and Safeguards

International data transfers are governed through a combination of:

  • contractual arrangements with customers and service providers;
  • data processing agreements defining roles and responsibilities;
  • technical and organizational measures implemented within the platform;
  • applicable legal mechanisms where required under relevant data protection laws.

These measures are designed to ensure that personal data remains protected when processed across jurisdictions.

11. Data Retention

11.1 Overview

The retention of personal data within CCS depends on the context in which the data is processed and the role performed by CCS. Retention periods are not uniform across all data categories and may vary depending on:

  • the purpose of processing;
  • the type of personal data involved;
  • the system or service through which the data is processed;
  • applicable legal and contractual requirements.
11.2 Personal Data Processed by CCS as Controller

Where CCS acts as a data controller, it determines the retention period of personal data based on:

  • the purpose for which the data was collected;
  • applicable legal, regulatory, and contractual obligations;
  • operational and business requirements.

In this context:

  • personal data is retained for as long as necessary to fulfil the relevant purpose;
  • retention may be required for compliance with legal obligations (e.g. accounting, tax, or regulatory requirements);
  • once retention is no longer necessary, data is deleted or anonymised in accordance with internal processes.
11.3 Personal Data Processed by CCS as Processor

Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):

  • CCS does not independently determine retention periods;
  • retention is defined by the customer acting as data controller;
  • CCS processes and retains personal data strictly in accordance with customer instructions and contractual arrangements.

This applies to personal data processed through the CCS platform, including:

  • communication data (voice, chat, messaging);
  • communication metadata and interaction records;
  • technical and system-generated data;
  • analytics and derived data outputs.
11.4 System-Based and Operational Retention

Retention within the CCS platform may be implemented through a combination of:

(a) System-Based Retention

Certain categories of data may be subject to system-level retention configurations, such as:

  • communication recordings stored within platform storage environments;
  • analytics data retained within defined system structures.

Such retention may be configurable depending on the service and customer setup.

(b) Operational Retention and Deletion

For other categories of personal data:

  • retention may be managed through operational processes rather than automated system controls;
  • deletion or anonymisation is performed based on customer instructions or internal procedures;
  • retention practices may vary depending on system design and service configuration.
11.5 Variability of Retention

Due to the configurable nature of the CCS platform:

  • retention periods may vary depending on how customers use the platform;
  • different data categories may be subject to different retention approaches;
  • CCS does not apply a single standardized retention period across all processing activities.
11.6 End of Processing

At the end of the processing relationship or upon instruction from the customer:

  • personal data processed on behalf of customers is deleted or returned, as applicable;
  • deletion or anonymisation is carried out in accordance with contractual arrangements and operational procedures.

12. Data Security

12.1 Overview

CCS applies technical and organizational measures to protect personal data processed within its business operations and platform environment. These measures are designed to protect personal data against:

  • unauthorized access;
  • unauthorized disclosure;
  • accidental or unlawful loss;
  • alteration;
  • misuse;
  • interruption of service;
  • security incidents affecting confidentiality, integrity, or availability.

The security model is based on the actual CCS platform environment, including cloud infrastructure, telecommunications components, platform systems, monitoring tools, access controls, and contractual obligations with sub-processors.

12.2 Layered Security Model

CCS applies security measures across several layers of the processing environment:

  • platform application layer;
  • cloud infrastructure layer;
  • database and storage layer;
  • communication and routing layer;
  • monitoring and logging layer;
  • operational support layer;
  • sub-processor and vendor layer.

This layered model reflects the distributed architecture of the CCS platform and the fact that personal data may be processed across multiple systems, services, and technical components.

12.3 Access Control and Authorization

Access to systems processing personal data is restricted to authorized personnel based on role, responsibility, and operational need. CCS applies access control measures including:

  • role-based access control principles;
  • restriction of access to authorized users;
  • controlled administrative access;
  • authentication mechanisms;
  • access permissions aligned with operational responsibilities;
  • logging of access to relevant systems where supported.

Access governance is implemented through structured access management processes and is subject to ongoing enhancement and standardization efforts across systems and applications.

12.4 Encryption and Secure Communication

CCS applies technical measures to protect personal data during transmission and within platform infrastructure. These measures include:

  • secure communication protocols for data transmitted between system components;
  • encryption of data in transit;
  • protection of communication between platform services and infrastructure components;
  • cryptographic safeguards within cloud-based processing environments where supported by the relevant infrastructure.

For platform communications, secure transport mechanisms are used to protect the confidentiality and integrity of personal data transmitted across networks. The DPA framework also refers to modern transport security mechanisms and secure communication between platform components. Where encryption or cryptographic measures are implemented by infrastructure or platform providers, CCS relies on contractual, technical, and operational controls to ensure that such measures support the security of processing.

12.5 Cloud and Infrastructure Security

CCS implements monitoring and logging mechanisms to support:

  • detection of security events;
  • operational visibility;
  • troubleshooting;
  • investigation of anomalies;
  • incident response;
  • platform performance and availability.

Monitoring and logging capabilities are continuously enhanced to support improved visibility, consistency, and centralized oversight across platform systems and infrastructure components.

12.6 Monitoring, Logging, and Detection

CCS applies data protection and data loss prevention measures designed to reduce the risk of unauthorized disclosure or leakage of personal data. These measures include:

  • endpoint security controls;
  • corporate communication safeguards;
  • data loss prevention mechanisms;
  • monitoring of information flows;
  • controls over data transfer and export where supported.

These controls are implemented across the CCS environment as part of the organization’s data protection framework.

12.7 Data Loss Prevention and Information Flow Controls

CCS uses data protection controls to reduce the risk of unauthorized disclosure or leakage of personal data. These controls may include:

  • endpoint security measures;
  • corporate email controls;
  • data loss prevention mechanisms;
  • monitoring of information flows;
  • restrictions or controls over certain transfers or exports where supported.

The audit confirms that DLP and related tooling exist centrally, but also identifies that coverage is not yet fully end-to-end across all SaaS platforms, mobile workflows, collaboration tools, and export/download scenarios. Therefore, this section describes DLP as a control layer, not as a complete guarantee.

12.8 Credential and Secret Management

CCS recognizes that technical credentials, API keys, tokens, usernames, passwords, and integration secrets may create security risks where they provide access to systems that process personal data. Security measures in this area may include:

  • restricted access to credentials;
  • operational controls over credentials used in integrations;
  • credential rotation or revocation where required;
  • internal procedures for handling technical access information;
  • incident response where credential exposure is identified.

This point is important because the audit specifically identified credential handling and third-party tool governance as an organization-wide control area requiring strong governance attention.

12.9 Incident Response and Breach Management

CCS maintains processes for identifying, assessing, managing, and responding to security incidents. These processes may include:

  • incident detection;
  • incident classification;
  • containment;
  • investigation;
  • root cause analysis;
  • corrective actions;
  • coordination with customers, sub-processors, infrastructure providers, and internal teams where required.

Where CCS acts as a processor, CCS supports the relevant customer in assessing and responding to incidents affecting personal data processed on behalf of that customer. Where CCS acts as a controller, CCS assesses notification requirements and takes action in accordance with applicable data protection laws.

12.10 Sub-Processor Security

CCS’s security model is implemented across a distributed platform and organizational environment. Security controls are maintained and continuously improved through:

  • structured governance processes;
  • ongoing system and process enhancements;
  • regular review of security practices;
  • alignment with evolving operational, technical, and regulatory requirements.

CCS applies a risk-based approach to ensure that appropriate measures are implemented to protect personal data within its platform and business operations.

12.11 Security Limitations and Continuous Improvement

CCS’s data security model is based on:

  • layered technical and organizational measures;
  • role-based access and authorization principles;
  • secure communication and infrastructure controls;
  • monitoring, logging, and incident response;
  • sub-processor security obligations;
  • continuous improvement of security capabilities.

This approach is designed to ensure an appropriate level of protection for personal data, taking into account the nature of CCS’s platform and services.

12.12 Governance Position

CCS’s data security model is based on:

  • layered technical and organizational measures;
  • role-based access and authorization principles;
  • secure communication and infrastructure controls;
  • monitoring, logging, and incident response;
  • sub-processor security obligations;
  • continuous improvement based on audit and operational findings.

This approach is intended to protect personal data processed within CCS’s platform and business operations while reflecting the actual distributed and evolving nature of the CCS technical environment.

13. Data Subject Rights

13.1 Overview

Individuals whose personal data is processed may have certain rights under applicable data protection laws. The scope and applicability of these rights depend on:

  • the context in which personal data is processed;
  • the role performed by CCS (data controller or data processor);
  • the applicable legal framework.
13.2 When CCS Acts as Data Controller

Where CCS acts as a data controller, individuals may have the following rights, subject to applicable legal conditions:

  • the right to access personal data;
  • the right to request correction of inaccurate or incomplete data;
  • the right to request deletion of personal data;
  • the right to request restriction of processing;
  • the right to object to certain types of processing;
  • the right to data portability, where applicable;
  • the right to withdraw consent, where processing is based on consent.

CCS will assess and respond to such requests in accordance with applicable legal requirements.

13.3 When CCS Acts as Data Processor

Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):

  • CCS does not determine the purposes or legal basis of processing;
  • the relevant customer acts as the data controller;
  • requests relating to personal data should generally be directed to the relevant customer.

In this context:

  • CCS does not independently respond to data subject requests regarding customer data;
  • CCS supports its customers by providing the technical and operational means necessary to enable them to respond to such requests;
  • where required, CCS may assist the customer in handling requests in accordance with contractual and legal obligations.
13.4 How to Exercise Your Rights

Where CCS acts as a data controller, individuals may submit requests relating to their personal data using the contact details provided in this Privacy policy. Where CCS acts as a data processor:

  • individuals should contact the relevant organization with which they have a direct relationship;
  • CCS may, where appropriate, redirect requests to the relevant customer.
13.5 Limitations and Conditions

The exercise of rights may be subject to certain limitations, including:

  • legal obligations requiring continued processing or retention;
  • the need to verify the identity of the requester;
  • technical or operational constraints depending on the nature of the request;
  • the role of CCS as a processor where rights must be exercised through the controller.
13.6 Complaints

Individuals may have the right to lodge a complaint with a competent supervisory authority if they believe that their personal data has been processed in violation of applicable data protection laws.

14. How to Exercise Your Rights

14.1 Overview

Individuals may exercise their data protection rights by submitting a request using the contact details provided in this Privacy policy. The handling of such requests depends on whether CCS acts as a data controller or a data processor in relation to the relevant personal data.

14.2 Requests Where CCS Acts as Data Controller

Where CCS acts as a data controller:

  • requests may be submitted directly to CCS using the contact information provided below;
  • CCS will assess and respond to requests in accordance with applicable legal requirements;
  • CCS may request additional information where necessary to verify the identity of the requester.

CCS aims to respond to requests within applicable legal timeframes.

14.3 Requests Where CCS Acts as Data Processor

Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):

  • individuals should direct their request to the relevant organization with which they have a direct relationship (the data controller);
  • CCS does not independently determine how such requests are handled;
  • CCS may, where appropriate, assist the relevant customer in responding to the request.

Where a request is submitted directly to CCS in this context:

  • CCS may redirect the request to the relevant customer;
  • CCS may inform the individual of the appropriate contact point.
14.4 Verification of Identity

To protect personal data, CCS may take reasonable steps to verify the identity of the individual submitting a request. Where necessary:

  • additional information may be requested;
  • requests may be limited or declined if identity cannot be verified.
14.5 Response and Handling

In handling requests, CCS:

  • assesses the nature and scope of the request;
  • determines its role (controller or processor);
  • coordinates with relevant internal teams or, where applicable, with customers;
  • applies appropriate legal and operational considerations.

Responses may vary depending on:

  • the nature of the request;
  • the data involved;
  • applicable legal requirements.
14.6 Escalation and Complaints

If an individual is not satisfied with the response received:

  • they may contact CCS for further clarification or escalation;
  • they may exercise their right to lodge a complaint with a competent supervisory authority, as described in Section 13.

15. Cookies and Tracking Technologies

15.1 Overview

CCS uses cookies and similar technologies in connection with its website and online services. Cookies are small text files that are stored on a user’s device (such as a computer, tablet, or smartphone) when visiting a website. These files are automatically created by the user’s browser and stored locally on the device. Cookies do not harm devices and do not contain viruses or other malicious software.

15.2 Types of Data Collected

Through cookies and related technologies, CCS may process certain technical and usage-related data, including:

  • IP address;
  • browser type and version;
  • operating system;
  • internet service provider;
  • date and time of access;
  • pages visited and usage behavior;
  • website navigation patterns and interaction data.

This data is processed in a manner that does not directly identify individuals without additional information.

15.3 Purpose of Cookies

Cookies are used to support the operation and security of the CCS website and to improve user experience. In particular, cookies are used for:

  • ensuring proper functioning of the website;
  • enabling navigation and usability;
  • maintaining system security and stability;
  • supporting administrative and technical operations.

The use of cookies is limited to purposes necessary for the operation and integrity of the website and related services.

15.4 Legal Basis

The processing of data through cookies is based on:

  • CCS’s legitimate interests in ensuring the proper functioning, security, and usability of its website (Article 6(1)(f) GDPR); and
  • where required, user consent for specific types of cookies or technologies.
15.5 Cookie Management and Control

Most web browsers accept cookies automatically. However, users can control or disable cookies through their browser settings. Users may:

  • configure their browser to refuse cookies;
  • delete previously stored cookies;
  • receive notifications before cookies are stored.

Please note that disabling cookies may affect the functionality and availability of certain features of the website.

15.6 No Unauthorized Disclosure

Data collected through cookies is not used for independent third-party purposes. Where cookies involve third-party services or integrations, such processing is subject to applicable legal and contractual safeguards.

15.7 Relationship with Other Data Collection

Cookies may operate in conjunction with other technical data collection mechanisms, including server log files. Such data may include:

  • IP addresses;
  • system activity data;
  • access timestamps.

This information is used to:

  • ensure secure and stable operation of the website;
  • prevent misuse or unauthorized access;
  • support system performance and maintenance.
15.8 Further Information

More detailed information about the use of cookies, including specific types of cookies and their functionality, is provided in the CCS Cookie Policy. Users are encouraged to review the Cookie Policy for additional details and choices regarding cookie usage.

16. Marketing Communications

16.1 Overview

CCS may use personal data to communicate with individuals about its services, subject to applicable legal requirements and, where required, the consent of the individual. Marketing communications are conducted in a manner consistent with CCS’s data protection commitments and applicable data protection laws.

16.2 Controller-Based Marketing Activities

Where CCS acts as a data controller, personal data may be used for communication purposes, including:

  • providing information about CCS services;
  • responding to inquiries or requests;
  • maintaining business relationships with customers, partners, and contacts;
  • sending updates regarding services where the individual has consented or where permitted by applicable law.

As stated in the existing policy: CCS uses personal data to keep individuals informed about services only where consent has been provided.

16.3 Legal Basis

Marketing-related communications are based on:

  • consent, where required by applicable law;
  • legitimate interests, where communication is related to existing business relationships and permitted under applicable regulations.

Where consent is required:

  • individuals will be asked to provide consent before receiving such communications;
  • consent may be withdrawn at any time.
16.4 No Sale or Independent Marketing Disclosure

CCS does not sell personal data and does not disclose personal data to third parties for their own independent marketing purposes. As stated in the existing policy:

  • personal data is not transferred to non-affiliated entities for their own direct marketing use without clear policy and explicit consent.
16.5 Opt-Out and Withdrawal

Individuals may opt out of marketing communications at any time. This may be done by:

  • using opt-out mechanisms included in communications;
  • contacting CCS using the contact details provided in this Privacy policy;
  • withdrawing previously given consent.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

16.6 Processor Context

Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):

  • CCS does not use such data for its own marketing purposes;
  • CCS does not contact end users of its customers for marketing purposes;
  • any marketing communication is carried out by the customer acting as the data controller.

17. Children’s Data

17.1 Overview

CCS services, platform, and website are designed for business use and are not intended for children. CCS does not knowingly collect personal data directly from children in its capacity as a data controller.

17.2 Controller Context

Where CCS acts as a data controller:

  • CCS does not target children with its services or website;
  • CCS does not intentionally collect personal data from individuals under the age of 16;
  • if CCS becomes aware that personal data of a child has been collected without appropriate authorization, such data will be deleted or handled in accordance with applicable legal requirements.
17.3 Processor Context

Where CCS acts as a data processor (i.e. a service provider processing personal data on behalf of its customers):

  • CCS may process personal data relating to end users of its customers;
  • such end users may include children, depending on the customer’s business activities;
  • CCS does not determine the categories of data subjects or the purposes of processing in this context.

In such cases:

  • the relevant customer acts as the data controller and is responsible for ensuring compliance with applicable legal requirements relating to children’s data;
  • CCS processes such data strictly in accordance with customer instructions and contractual obligations.
17.4 Responsibility and Safeguards

In processor scenarios involving children’s data:

  • CCS does not independently collect or use such data;
  • CCS does not interact directly with children;
  • CCS supports its customers in implementing appropriate technical and organizational measures within the platform environment.

18. Third-Party Links & Services

18.1 Overview

The CCS website is not designed to operate as a directory of third-party websites and does not generally provide links to external customer or partner websites as part of its standard content.

18.2 Third-Party Services and Integrations

CCS services and platform functionalities may involve third-party systems, communication channels, or integrations as part of service delivery. Such third-party services may include:

  • telecommunications providers;
  • messaging or communication platforms;
  • technical service providers or integrated systems.

Where such services are used:

  • they operate under their own technical and organizational frameworks;
  • they may process personal data in accordance with their own privacy policies and terms;
  • their use is typically determined by the customer’s configuration and service setup.

CCS does not control the privacy practices of third-party services that are not operated by CCS.

18.3 External Environments

Where users interact with third-party services or are redirected to external environments:

  • such environments are outside the control of CCS;
  • CCS is not responsible for the content, security, or privacy practices of such external services.
18.4 Third-Party Cookies and Tracking

Third-party services or external websites may use their own cookies or tracking technologies. Such technologies:

  • are not controlled by CCS;
  • are governed by the respective third party’s privacy and cookie policies.

Users are encouraged to review the relevant policies of those third parties.

18.5 User Awareness

Individuals should exercise caution and review applicable privacy policies when interacting with third-party services or external platforms.

19. Changes to This Policy

19.1 Updates to This Privacy Policy

CCS may update this Privacy policy from time to time to reflect:

  • changes in legal or regulatory requirements;
  • changes in CCS services or platform functionalities;
  • changes in data processing practices;
  • improvements to clarity and transparency.
19.2 Versioning and Effective Date

The current version of this Privacy policy is identified by the effective date indicated at the beginning of the document. Where material changes are made:

  • the effective date will be updated accordingly;
  • the updated version will replace previous versions.
19.3 Notification of Changes

Where required by applicable law, CCS may take appropriate steps to notify individuals of material changes, which may include:

  • notices on the website;
  • direct communication where appropriate.
19.4 Historical Versions

Previous versions of this Privacy policy may be retained for internal documentation and compliance purposes.

20. Contact Information

20.1 Overview

For any questions, requests, or concerns regarding this Privacy policy or the processing of personal data, individuals may contact CCS or the designated Data Protection Officer using the contact details below. The appropriate contact point may depend on the context of processing and the role performed by CCS.

20.2 CCS Group Contact Point

For general inquiries and data protection-related requests:

Call Center Studio
Website: https://callcenterstudio.com
Email: gdpr@callcenterstudio.com

This contact point serves as the primary communication channel and coordinates requests internally across CCS entities.

20.3 CCS Group Entities

Locations: United States of America

Call Center Studio, Inc.
1 East Erie St. Suite 525 PMB 4651, Chicago, IL, 60611
Website: https://callcenterstudio.com
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Cenk SOYAK

Location: United Kingdom

Call Center Studio Ltd.
Unit 501 Leroy House
434–436 Essex Road
London N1 3FY
United Kingdom
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Saygun Bektaş DOĞAN

Location: Romania

Call Center Studio S.R.L.
28–30 G-ral Gheorghe Magheru Blvd.
District 1, 010336
Bucharest, Romania
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Saygun Bektaş DOĞAN

Locations: Türkiye

20.4 AloTech İletişim Teknolojileri A.Ş.

NidaKule Plaza,
Kozyatağı, Değirmen Sk.
No:18 Kat:13 D:22,
34720 Kadıköy/İstanbul
Kadıköy/İstanbul, Turkey
Website: https://alotech.com.tr/
E-Mail: gpdr@callcenterstudio.com
General Manager: Mr. Cenk SOYAK

Technopark Office (Branch office)

YTÜ Davutpaşa Kampüsü Teknoloji Geliştirme Bölgesi
Ar-Ge 1 Binası, B Blok Zemin Kat No: 2 Esenler,
34220 İstanbul, Türkiye
Website: https://alotech.com.tr/
E-Mail: GDPR@callcenterstudio.com
General Manager: Mr. Cenk SOYAK

20.4 Data Protection Officer (DPO)

CCS has appointed an independent Data Protection Officer:
Path Düsseldorf GmbH

Certified DPO: Kemal Hakan Hasserbetci
Gerresheimer Str. 86, 40233 Düsseldorf, Germany
Email: h.hasserbetci@pathdusseldorf.de
hakan@pathdusseldorf.com

20.5 EU Representative (EU GDPR)

For purposes of the General Data Protection Regulation (GDPR), the designated representative in the European Union is:

Call Center Studio S.R.L.
Bucharest, Romania

20.6 UK Representative (UK GDPR)

For purposes of the UK General Data Protection Regulation (UK GDPR), the designated representative is:

Call Center Studio Ltd.
London, United Kingdom

20.7 Supervisory Authorities

Individuals may also have the right to lodge a complaint with a competent supervisory authority, as described in Section 13.

Data Processing Agreement

Call Center Studio operates under a structured Data Processing Agreement (DPA) framework governing all processing of personal data carried out within its platform and service ecosystem.

This framework defines the allocation of roles, responsibilities, and processing obligations across the full data processing chain.

Role of Call Center Studio

Call Center Studio primarily acts as a data processor, providing platform-based communication and interaction services on behalf of its customers, who act as data controllers.

Processing is carried out strictly on documented instructions received from the relevant controller.

Sub-Processor Governance Model

To deliver its services, Call Center Studio engages authorised sub-processors under a controlled and contractually governed structure.

This model ensures that:

  • sub-processors act exclusively on behalf of Call Center Studio;
  • no sub-processor determines the purposes or means of processing;
  • no personal data is processed for independent or secondary purposes;
  • all sub-processors are bound by equivalent data protection obligations.

Sub-processing arrangements are governed through formal agreements ensuring compliance with applicable data protection laws and internal security requirements.

Processing Restrictions and Safeguards

Across all processing layers (Processor and Sub-Processor), the following principles apply:

  • processing is strictly limited to defined service purposes;
  • no use of personal data for analytics, benchmarking, or AI model training unless explicitly authorised;
  • no independent data exploitation by processors or sub-processors;
  • access to personal data is restricted to authorised personnel on a need-to-know basis.

Security and Technical Measures

All DPAs incorporate commitments relating to the implementation of appropriate technical and organisational measures, including:

  • access control and authentication mechanisms;
  • secure data transmission and storage practices;
  • logging and monitoring of processing activities;
  • incident detection, response, and reporting procedures.

Further details are defined within internal security and infrastructure governance frameworks.

Sub-Processor Transparency

Call Center Studio maintains transparency regarding the use of sub-processors and ensures that:

  • sub-processors are subject to prior authorisation requirements;
  • changes to sub-processors are controlled and communicated where required;
  • all sub-processors provide sufficient guarantees for data protection.

International Data Transfers

Where processing involves cross-border data transfers, such transfers are carried out in accordance with applicable data protection laws and supported by appropriate safeguards.

Sub-processors are not permitted to transfer personal data outside authorised jurisdictions without prior approval and without implementing required legal mechanisms.

Contractual Integration

The Data Processing Agreement forms an integral part of the contractual relationship between Call Center Studio and its customers.

It governs all processing activities performed through the platform and takes precedence in matters relating to data protection.

Policies

Call Center Studio maintains a set of internal privacy, data protection, information security, and governance policies designed to support the secure and lawful processing of personal data across its business operations and platform environment.

These policies support Call Center Studio’s Global Privacy Program and are aligned with its Privacy Notice, Data Processing Agreement framework, and technical and organisational measures.

The Policy Framework Includes:
  • GDPR Access Control Policy
  • GDPR Breach Notification Policy
  • GDPR Records Retention and Protection Policy
  • GDPR Use of Encryption and Encryption Management Policy
  • GDPR Subject Access Request Policy
  • GDPR Data Subject Rights Policy
  • Information Security Policy
  • GDPR Data Protection Impact Assessment Policy
  • Data Protection Anonymisation and Pseudonymisation Policy

These policies define internal governance rules relating to access management, breach response, retention, encryption, data subject rights, information security, DPIA processes, and anonymisation or pseudonymisation practices.

Policy Governance Position

Call Center Studio treats these policies as operational governance documents. They are intended to support:

  • role-based access and authorization;
  • secure handling of personal data;
  • incident detection and breach response;
  • retention and deletion control;
  • encryption and secure transmission;
  • data subject rights handling;
  • privacy-by-design and DPIA processes;
  • anonymisation and pseudonymisation where appropriate.

These policies are reviewed and updated as part of Call Center Studio’s ongoing data protection and information security governance activities.

These policies form part of Call Center Studio’s internal governance framework.

For transparency purposes, high-level information is made available through this page. Detailed internal procedures, technical configurations, and operational controls are managed internally and are not publicly disclosed for security and confidentiality reasons.

Cloud Security

Cloud Security

Call Center Studio operates its platform on cloud infrastructure designed to support secure, reliable, and scalable service delivery.

Cloud security is implemented through a combination of infrastructure-level safeguards and application-level controls.

Infrastructure Layer

Call Center Studio leverages cloud infrastructure provided by globally recognized providers, including Google Cloud Platform (GCP).

These environments are designed and maintained in accordance with industry-recognized security and compliance standards, including:

  • ISO 27001
  • PCI DSS (Service Provider Level 1)
  • SOC 2

Cloud infrastructure includes:

  • physically secured data centers;
  • controlled access to facilities;
  • environmental protections (power, cooling, fire suppression);
  • redundancy and resilience mechanisms.
Data Hosting and Regional Deployment

Call Center Studio uses geographically distributed data centers to support its global operations.

Depending on service configuration and customer requirements, data may be processed and stored in:

  • the United States;
  • the European Union;
  • other designated regions where services are delivered.

Regional deployment supports:

  • service availability;
  • performance optimization;
  • alignment with applicable data protection requirements.
Platform and Application Layer

In addition to infrastructure-level protections, Call Center Studio implements its own controls at the platform level, including:

  • access control and authentication mechanisms;
  • secure communication protocols;
  • system monitoring and logging;
  • configuration and deployment controls.

These measures ensure that personal data processed through the platform is protected throughout its lifecycle.

Shared Responsibility Model

Cloud security operates under a shared responsibility model:

  • infrastructure providers are responsible for the security of the underlying cloud environment;
  • Call Center Studio is responsible for the security of its platform, services, and data processing activities within that environment.
Continuous Improvement

Call Center Studio continuously evaluates and enhances its cloud security posture in line with:

  • evolving threats;
  • technological developments;
  • regulatory and compliance requirements.