CENTILI is a global digital monetisation company that enables innovative mobile payment solutions in 80+ countries worldwide and partners with over 280 mobile network operators and leading digital content providers. We lead the innovation with seamless setup of the complete carrier billing ecosystem with advanced features for one time and recurring payments drives business growth for telecoms, online businesses, app developers, and digital content providers. Centili’s in-house carrier billing platform is built on top of deep industry knowledge and years of large-scale cooperation with mobile operators.
We believe that the responsible use of data supports business growth and builds strong relationships between partners, consumers, and brands. We are committed to respecting and protecting personal data and privacy of all individuals with whom we interact.
We set a high bar for security and privacy and we follow holistically intelligent approach to manage the risks to maintain the trust of our clients and business partners. As we move into our second decade in digital monetisation, we are as vigilant as ever about trust – a multifaceted virtue in need of constant attention from all parts of our organization.
The term "CENTILI" or "us" or "we" refers to the company CENTILI Ltd, with its registered office at London SW1Y 6AW, 5th Floor, 86 Jermyn Street, and registration number 7911314.
The term "personal data" means any information by which a natural person can be identified, directly or indirectly.
The term "data controller" means natural or legal person which, alone or jointly with others, determines the purposes and means of the data processing and is responsible for processing such data in a manner consistent with the applicable legislation.
The term "data processor" means the natural or legal person which processes personal data on behalf of a data controller. When we processes personal data by the means and for the purposes determined by our business partners, we act as a data processor. For more information on cases in which we act as data processor, please read our Terms of service.
2. WHAT DATA WE COLLECT AND HOW WE COLLECT IT
CENTILI processes, as a data controller, personal data in the following situations:
Business cooperation - when you use our services, ask us for a support, send us enquiry, and do business with us;
Sales activities - when you register in order to get information for a specific service, and/or ask to communicate with us;
Marketing activities - when you subscribe to our newsletter or our event, visit our website or social network profile, send us information through a contact form, or you are a part of our marketing campaign;
Recruiting and selection processes - when we try to find best employees and you apply for a job to some of the published open positions;
Security reasons - we make sure that our information systems are following principles of confidentiality, integrity, and availability. For that reason we keep track of business activities and keep track of log files and other digital traces.
Legal, financial and compliance obligations – we make sure to respect all relevant legal and compliance obligations and for that reason we ask you to provide us with necessary data.
3. BUSINESS COOPERATION
We collect and process personal data connected with usage of our services, e.g. if you create an CENTILI account, ask for a support and become a client or a business associate.
For that purpose, we will collect personal data of our clients and contact persons of our clients, such as name, contact information (e-mail, phone number, address, job title, log files, registered client name, log-in details, information on incidents and reports, and User-Agent), and billing information (name, address, VAT number) connected with the client/business associate.
Processing these types of personal data is necessary to us in order to enter into a business relationship or to fulfil our obligations arising from an existing contract/business relationship. If you are our client as an individual, we obtain this data directly from you. If your organisation is our client, we may obtain your personal data either directly from you or via your organisation.
When we process personal data on behalf of our clients for the purposes of providing our services to clients, in accordance with the Terms of Service, and/or the agreement for the Services and Data Processing Agreement concluded with our clients, the client is data controller and CENTILI is data processor regarding such personal data processing activities.
4. SALES ACTIVITIES
We process personal data about visitors of our website and people who contact us through e-mail, phone call, social networks or website contact forms or some other way of communication.
Based on our legitimate interest for doing business and sell our products and services, we will collect only basic contact information (such as name, surname, phone number, email address, company, job title, position, address) as well as any other information you choose to send us, depending on a nature of your contact. For this purpose, please do not send any sensitive data to us.
5. MARKETING ACTIVITIES
We process personal data when people subscribe to our newsletter, webinar, event, blog, case study or our other services through which we provide the information about our business and services.
For this purpose, we process data based on your consent, such as, name, surname, employer/company, country, mobile phone, email address and for this we use Mailchimp services. We also process data regarding opening e-mails, bounce rate, clicks, subscription, news segments.
We publish our online events and recordings from our offline events on our Youtube channel (owned by Google). We publish our guest speakers and our employees but we do not publish personal data of participants to our events.
We also process personal data based on our legitimate interest for performing direct marketing activities. If you are our current client or you were in contact with us, we will send you some news on our products, services and events, and for this we use Mailchimp services.
If you contact us through webforms on our website, through an e-mail, phone, or social network profile we will process data from contact form and a message based on our legitimate interest to connect and communicate with potential clients/business associates. In any case you may unsubscribe from our news by clicking the link in our email or responding to us with your request. In such case we will stop with marketing activities and store your data in unsubscribed list for 6 years from the day of unsubscribing, based on our legitimate interest to prove facts on compliance steps we need to take within the period of statutory limitations.
When you visit our website, we use third-party services such as Ahrefs for SEO optimization, Google Analytics in order to collect internet log information and details on visitor behaviour patterns (browser, cookie ID, language, device, page visited) and we also perform Google Ads campaigns and use Youtube Ads services. We connect Google Ads services with Zoho CRM system. Google Ads provides unique GCLID (Google Click ID) for every click that comes to our website from an Google Ads ad. The GCLID gives as information such as the ad campaign, ad group, keyword. This information is combined with Zoho CRM account along with the lead information that we collect from the visitor who fills up the web form on our website.
We also use Facebook Ads for advertising purposes for which Facebook Ireland is a joint controller of the Joint Processing and further information on how Facebook Ireland processes Personal Data, including the legal basis Facebook Ireland relies on and the ways to exercise Data Subject rights against Facebook Ireland, can be found in Facebook Ireland’s Data Policy. Centili and Facebook Ireland have entered into the Controller Addendum to determine the respective responsibilities for compliance with the obligations under the GDPR with regard to the joint processing, according to which Centili is responsible for providing data subjects with the information on data processing, and Facebook Ireland is responsible for enabling data subjects’ rights under Articles 15-20 of the GDPR with regard to the personal data stored by Facebook Ireland.
6. RECRUITING AND SELECTION PROCESSES
For the purpose of recruiting and selecting new employees we collect personal data from people who sent us open job application or applied for some open position. We process personal data, such as, name, surname, title, working experience, picture, qualifications, education, skills, interview notes and comments, test results etc. We store this data in our own software. We also collect professional information about you from recruiters and LinkedIn and we use Linkedin Talent Solutions.
Please do not send us any sensitive personal data, such as, religious beliefs, health data. We may process sensitive data if such processing is required by law in connection with labour agreement.
We process this personal data on basis of precontractual obligations and/or legitimate interest. We retain personal data for the period of 2 years from sending an open application or date of rejection. In each case, you may ask us to delete your personal data before expiration of the retention period.
Centili information security management system is established by the security and management board, and governed by information security policy and procedures. Centili adheres to the NIST, ISO 27001, and GDPR and UK GDPR standards. These include topics such as asset management, identity and access management regulations, IT operations and administrations, incident response management.
Communications to external entities uses HTTPS (TLS 1.2 or above), APIs are authenticated and secured through the use of industry standard OAUTH2 protocol. Fraud management firewall examines the source and behaviour of the traffic to identify rogue traffic and filters it before it is processed. Fraud management technology includes both rules-based protection as well as machine-learning. Centili has also established procedures for system backups and disaster recovery. Security and data protection training sessions are organized periodically for all employees to ensure that they know what is expected of them and how to maintain compliance within their role.
Based on our legitimate interest to protect our employees, associates and our property we process personal data, such as, log files, IP address, traffic data, metadata, clicks, views, incident reports, data form data breaches.
In case of personal data breach, we must perform risk assessment and based on this assessment we will inform supervisory authority, data controller and data subjects, in accordance with the UK GDPR and relevant laws on cybersecurity.
8. LEGAL OBLIGATIONS
As a company registered in the UK, we have to comply with legal obligations in the UK law. Regarding data protection laws, we also comply with necessary laws with regards to certain data subject.
We process and store all the necessary financial records, invoices, reports, transaction, agreements and statements. We also process data based on our legitimate interest to defend our claims in court proceeding or similar proceeding.
9. DATA RETENTION
We keep personal data for the period of time that is prescribed by law. For the general business activities we keep the data for 6 years, and we keep accounting and financial records for 6 years from the end of the last company financial year for which data relates to.
In some cases, where the law does not define maximum data retention period, we keep some personal data based on legitimate interest, in case, we need to defend our claim at court or some other public authority, in accordance with statutory limitations periods.
In case of providing a consent for processing personal data, your personal data will be retained in our database for a period specified in such consent. Data used for analytics purposes is retained for 2 years.
If you wish to withdraw your consent for processing of your personal data for any purpose and to delete your data from our database, you can do that at any time by sending an email to email@example.com.
10. DATA RECIPIENTS
Data processors - we share personal data with authorised data processor for providing IT support, accounting, legal, HR, marketing, and sales services. For these type of activities we also engage affiliated CENTILI and Infobip companies.
Network operators and/or other communications service providers - when necessary for the set-up of proper connectivity.
Third-party service providers - to the extent strictly necessary for them to perform specific actions on our behalf. We may share personal information with our trusted and verified third-party service providers for example in order to enable them to process payments for us or to prevent fraud.
Relevant legislation - in case we are presented with a legal obligation, we will share the data from users with such third parties that are legally entitled and authorized to request the same, such as within criminal procedures or threats to the public security.
Mergers and acquisitions - personal data may be transferred to data recipients who are in the process of buying our company or part of our company (for example, in case of due diligence process), or personal data can be transferred to a company which merged with our company or to company who bought partially or in whole our company in case of business acquisitions or resolution/bankruptcy proceeding.
11. DATA TRANSFERS
For providing our services, unless otherwise agreed with a client, we use data centre located within European Union (Frankfurt, Germany).
We transfer data to USA in cases in which we use services of our data processors. We use Zoho for processing contact details of contact persons from our sales and marketing leads, and we use Microsoft Office 365, Atlassian, and Google Re-captcha services for performing business activities and communication.
For IT support, accounting, legal, HR, marketing, and sales services we also engage affiliated CENTILI in Serbia and Malaysia, as well as certain affiliated Infobip companies as data processors.
In cases in which personal data has been transferred to third countries, we take all the appropriate and necessary steps to ensure that such data is processed in accordance with the applicable data protection laws, including signing standard contractual clauses.
12. BREXIT NOTICE
From 1 January 2021, the UK is no longer considered as an EU Member State and UK GDPR started to apply. Based on the agreement between the UK and the EU, until April 2021 (and possibly June 2021) all the personal data transfers from the EU to the UK are not considered as transfers to a third country.
For the transfer from the UK to the EU, UK finds this transfer as transfer with adequate protection so currently there are no additional requirements needed for such personal data transfers.
13. DATA ABOUT MINORS
We generally do not process data about minors. In case we need to process personal data of a person under age of 18, we ask for guardian’s or parent’s permission. Please do not use our website and our company profiles on social networks if you are under age of 18.
In accordance with the UK General Data Protection Regulation (UK GDPR), in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
14. YOUR RIGHTS
In accordance with applicable law, you have the right to:
· Access your personal data to learn the origin of the data, the purposes of processing and the period for which your personal data will be processed, who are the controllers and processors of your personal data and to whom your data may be disclosed;
· Withdraw your consent at any time where your personal data is processed pursuant to your consent;
· Update or correct your personal data;
· Delete your personal data from our records if it is no longer needed for the purposes indicated above or it is not needed in respect to some legal obligation and overcoming legitimate interest;
· Restrict the processing of your personal data in certain circumstances;
· If we process your personal data by automated means based on your consent or upon a contractual relation with you, you can exercise the right of data portability,
· In certain cases, you have the right to object to the processing and you may also have specific rights in exceptional cases when we may carry out automated decision-making operations, including profiling.
To exercise any of your right or to file a complaint to us you may contact us on firstname.lastname@example.org.
You have right to file a complaint to our data protection supervisory authority:
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Telephone: 0303 123 1113
If we process your personal data upon our legitimate interest, you have the right to object to the processing. In such a case we will reassess its legitimacy and will no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise or defence of legal claims.
However, when we process your personal data for direct marketing purposes, you have the right to object at any time to such processing of your personal data, and in this case, your personal data will no longer be processed for marketing purposes.
You may exercise these rights by contacting us by the contact information specified below providing your name, email address and purpose of your request.
Date: 15 March 2021