Personally Identifiable Information (PII)
Personally Identifiable Information (PII), or personal data, is data that corresponds to a single person. PII might be a phone number, national ID number, email address, or any data that can be used, either on its own or with any other information, to contact, identify, or locate a person.
How PII is determined
In response to businesses collecting and storing more and more individuals’ PII (also known as personal data), individuals and regulators have been applying greater scrutiny to how businesses use and safeguard that data. As a result, various jurisdictions have passed legislation to limit the use, distribution, and accessibility of PII, while allowing companies who need it to manage the data safely.
As PII (or personal data) is a legal concept rather than a technical concept, legislation around PII varies across different jurisdictions. Global privacy laws like GDPR in the European Union, sectoral laws like HIPAA and PCI in the United States, state laws like CCPA, CPRA, CalOPPA, state and regional data breach laws, and other regulations control what defines PII. Which data is classified as PII may also differ by use case. For instance, depending on the jurisdiction or your use case, IP addresses may or may not be considered PII.
How Twilio manages PII
Twilio takes the management of our customers’ information seriously. We have software, configurations, processes, and guidelines for managing data internally to keep your data safe and secure. Inside Twilio’s systems, we manage data that could be PII in different ways.
- Twilio is committed to making clear which data is managed as PII in our system to help you make sure your data is managed the right way for your jurisdictions and use cases.
- Twilio has a Data Protection Addendum which extends the specification of your legal relationship with Twilio and can help clarify how Twilio manages data on your behalf.
- If you are in Europe, explore Twilio’s GDPR Program. This page clarifies how we manage data where some parts of your data may originate in Europe. Note: While you may not be in Europe or a phone number may not be European, the person at the other end of the phone could be a European in Europe.
Tools like Twilio’s Phone Number redaction, Message Body redaction, and Call Recording Encryption allow you to remove PII or encrypt it so no one can see it but you.
Twilio manages fields marked PII in Twilio’s documentation as though they contain PII, also known as personal information or personal data. This means that Twilio implements appropriate technical and organizational security controls as appropriate to the risk associated with that data. For example, data will not be visible to Twilio’s employees unless they are acting as a surrogate for you (e.g., debugging on your behalf) or have some other legitimate businesses need to access it. As well, values are anonymized or removed when we need to hold on to information for statistical analysis, reporting, and capacity planning - none of which require the PII itself. Names, your end users’ phone numbers, or transcriptions of voice calls and chats are all examples of fields that Twilio treats as containing PII. Phone numbers that you rented from Twilio, whether a long code or short code, because they are owned by Twilio, are managed differently from non-Twilio numbers.
Each Twilio field marked as PII is also marked with an MTL - a Minimum Time to Live. This is the number of days after creation that data will be stored in Twilio's systems for carrier reconciliation, tax management, or other business purpose that requires us to hold the data. Outside of the MTL, deletions from a Twilio API will be applied immediately, however it may take up to 30 days to delete from backups and other interconnected systems. For example, if a resource has MTL of 90 days, and you delete it on day 1 after creation, information will be completely gone 91 days after creation, because of the MTL. If you delete it on day 90, it will be gone by day 120, taking 30 days. If you have special retention requirements, check with our support team or success manager for potential options.
PII management when you leave Twilio
When you leave Twilio following a reasonable grace period to allow you to change your mind, all PII data is anonymized or removed from Twilio’s systems where possible within 30 days except where the MTL is longer.
Please note that in addition to the MTL listed, we may also retain PII in connection with detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse, or if required to do so in connection with legal matters such as litigation, law enforcement requests, or government investigations.
Fields marked “Not PII”
Fields marked with “Not PII” are stored in Twilio and may be used for counting or other operations as Twilio runs its systems. These fields generally cannot be redacted or removed.
In some instances, you might be able to control the data in these fields. You should take care not to place PII in fields with this designation. Twilio does not treat this data as PII, and its value may be visible to Twilio employees, stored long-term, and may continue to be stored after you’ve left Twilio’s platform.
If you think you need to put PII in these fields, please check with our support team to see if there’s a better way to manage your data.
Where to next?
Check out these resources to better understand data privacy at Twilio:
- Read more about what Twilio is doing to protect your data
- Read about Twilio and the General Data Protection Regulation (GDPR)