Twilio Privacy Notice
Privacy is Twilio’s code: Twilio has built our global privacy program based on our Binding Corporate Rules (BCRs), which serve as our code of conduct that governs our global processing of personal data. No matter where you are in the world, where you reside, where your citizenship lies, or where your data comes from, we offer the same high standards of privacy protection to all our customers. More specifically, “No Shenanigans” is one of our company values, and we intend to exemplify that with our Privacy Notice, which we hope will provide clear, detailed, and easy-to-read information about Twilio's privacy practices and how we process personal data.
In addition, we provide in-time and in-context information about how you can control the data you collect and retain in our API documentation. Because we offer many different products — and our customers can configure them in many different ways — we provide privacy-specific information in our documentation to enable our customers to make choices when using our products. Please check the documentation for the product you’re using to learn more about the data elements it collects and how you can make decisions about that information.
When we refer to Twilio, we mean the Twilio entity with which you have contracted. For ease of reference throughout this Privacy Notice, “Twilio” also refers to the companies that are members of the Twilio Group (the “Twilio Group Members”) listed in our Binding Corporate Rules. If there are any capitalized terms in this Privacy Notice that are not defined, then those terms will have the meaning defined in your agreement with us.
What can you find there?
Twilio collects personal data such as Customer Account Data directly from you — as a customer or a visitor — when you visit Twilio’s website, request a product, service or access to an event, or when you contact a member of the Twilio team or sign up for a Twilio account to use our products and services. Twilio also indirectly collects the personal data of your end users called Customer Usage Data (e.g., communications metadata) and Customer Content (e.g., communications content).
We process customer contact details such as your name, email, and phone number directly from you when you make a request, contact a member of our team, or sign-up for a Twilio account. Read this section to learn more about the types of data we collect about you, why we collect it, and how we store it.
We process your end users’ communications-related data such as phone numbers, email addresses, friendly names that you create for your end users. We also process the content of communications sent by you or your end users to provide services to you and to carry out necessary functions of our business as a communications service provider. Please read this section to learn more about the types of data we collect about your end users, why we collect it, and how we store it.
First things first: we do not sell your personal data, or the personal data of your end users. We also do not allow any personal data to be used by third parties for their own marketing purposes (except in cases where you explicitly request or provide consent for us to do so, such as at a conference when you direct us to share your information with a sponsor).
However, we do need to share it in some circumstances. These may be to provide you services (e.g., to route a call or send an email), or when necessary for our suppliers to provide services to us, or for another reason listed here, or share personal data for cross-context behavioral advertising.
Twilio provides you with many ways to make choices about your data and your end users’ data, such as accessing it, correcting it, deleting it, or updating your choices about how it is used.
Twilio uses common information-gathering tools such as cookies, web beacons, pixels and other similar tracking technologies to automatically collect information as you navigate our websites, our services or when you interact with emails we sent to you. You can manage these technologies easily on our websites.
Twilio is a global company that is committed to complying with privacy laws around the world. Read this section to learn more about our global privacy compliance and how we protect the personal data of specific groups, such as employees and employee applicants.
Twilio relies on our Binding Corporate Rules (“BCRs”) as our primary data transfer mechanism. Where Twilio’s BCRs do not apply, such as to cross-border data transfers of the SendGrid services, we will rely instead on other safeguards to transfer personal data, as described in this section.
Some of our products, such as Authy, Frontline, SendGrid and Segment, work a bit differently in terms of applicable privacy protections. We’ve provided this section to explain where there are differences and how we are continuing to ensure privacy compliance.
While there is no such thing as perfect security, we are committed to maintaining reasonable and appropriate security measures to ensure that your personal data is protected both online and offline. Read this section to learn more about our security measures and how you can better protect your account.
In the unlikely event that we are unable to resolve a privacy concern quickly and thoroughly, we provide a path of dispute resolution.
Here you’ll find other useful information about our data protection practices and about this notice. Our use of automated decision making is minimal; we use it primarily for anti-fraud purposes. Finally, we may update our Privacy Notice from time to time, and we will notify our customers in advance of material changes.
When we talk about “personal data,” we’re talking about a broad range of information. Data protection laws around the world define this concept in different ways, but in general, we mean any information that relates to an identifiable, living individual person. In other words, a person’s phone number is personal data, while a business’s phone number is not.
In addition, some data protection laws and privacy laws in certain jurisdictions differentiate between “controllers” and “processors” of personal data. A controller decides why and how to process personal data. A processor does not make decisions about personal data; it only processes personal data on behalf of a controller based on the controller’s instructions.
With this background, let’s take a high level look at the personal data Twilio collects and how we process it.
If you are a customer of ours, Twilio processes personal data in different ways when you use our products and services.
- We process your personal data as a customer (or potential customer) of Twilio’s services — information that we refer to as Customer Account Data (e.g., your contact information) — when you visit a Twilio public-facing website like twilio.com; sign up for a Twilio event, like SIGNAL; reach out to our Sales team; or sign up for a Twilio, Authy, Segment, or SendGrid account and use our products and services.
- We process the personal data of your end users who use or interact with your application that you’ve built on Twilio’s platform, like the people you communicate with by way of that application. This includes information we use to route messages and metadata about messages — we refer to this information as Customer Usage Data — and it also includes the contents of communications, which we refer to as your Customer Content. You can see a more detailed definition of “Customer Content” in our Data Protection Addendum, which is part of our agreement with you.
Twilio processes these categories of personal data differently because the direct relationship we have with you, our customer, is different from the indirect relationship we have with your end users.
When Twilio processes your Customer Account Data and your Customer Usage Data, Twilio is acting as a controller. We are also a controller for our employees’ personal data. When Twilio processes your Customer Content, we are acting as a processor.
If you are a visitor to our website (by which we mean any website that links back to this Privacy Notice in its footer, such as to twilio.com, segment.com, or sendgrid.com), or if you are not a Twilio user and you are attending one of our events, like SIGNAL, we collect a minimal amount of data about you (depending on how much you’ve chosen to share with us). This might be as little as an IP address or a cookie, and it might be your contact information. We also consider this Customer Account Data. You can read below about how we process visitors’ Customer Account Data.
If you are an applicant to a job at Twilio, or you are a Twilio employee, you can read below about how we process employee and applicant data. You can also read our Employee Privacy Notice, which we extend to job applicants.
In short, Twilio requires the minimal amount of data necessary to provide services to you, and the amount or type of data we collect depends on the product or service you choose or how you use it. If you choose to share additional information with us so that we can better customize your account and our services, we’ll process that with the same care and respect. We do not sell your personal data and we do not share your information with third parties for those third parties’ own business interests. This Privacy Notice describes the data we collect from our customers at a high level, but you can always learn more by reading our API documentation.
We use the information we collect and share it with our service providers primarily to provide the services you’ve requested from us, and as needed for our operational purposes (e.g., to do the things we need to do to function as a business, such as to collect payment). In addition, we may use data about our customers to detect, prevent, or investigate security incidents, fraud, or abuse and misuse of our platform and services.
When you sign up for an account with us, we ask for certain information like your contact details and billing information to facilitate payment and communication. We also collect some information automatically, like your IP address, when you log in to your account or when your software application built on Twilio makes requests to our APIs. We use this to understand who is using our services and how, and to detect, prevent and investigate fraud, abuse, or security incidents.
SIDs. When you sign up for an account with Twilio, we’ll automatically assign you and each of your accounts a unique ID — a SID — and we’ll automatically generate an API token for each of your accounts. These are used like a username and password to make API requests. Instead of using these API tokens, you can provision API Keys and use your API key for authentication when making requests to our APIs. We keep a record of these credentials so we know it is you making the requests when your application makes requests to our API using these credentials.
Device information and IP addresses. When you use our account portal, we collect your IP address and other data through tracking technologies like cookies, web beacons, and similar technologies. We also collect IP addresses when you make requests to our APIs and in our server logs. We use this information to understand how customers are using our platform, who those customers are (if they are a company and the IP address is associated with that company), what country they are logging in from (for analytics and export control purposes), and to help improve the navigation experience. You can learn more about cookies in the section titled “Cookies and Tracking Technologies” below.
When you use our account portal, we also collect information about your device, such as your computer or mobile device operating system type and version number, manufacturer and model, browser type, screen resolution, unique identifiers, and general location information such as city or town. We do not collect precise geographical information.
When you visit our website, sign up for a Twilio event or request more information about Twilio, we collect information automatically using tracking technologies, like cookies, and through web forms where you type in your information. We collect this information to provide you with what you request through the web form, to learn more about who is interested in our products and services, and to improve navigation experience on our pages. You can learn more about cookies in the section titled “Cookies and Tracking Technologies” below.
In some places on Twilio’s public-facing websites, you can fill out web forms to ask to be contacted by our Sales Team, sign up for a newsletter, register for a Twilio event, or take a survey. The specific personal data requested on these forms will vary based on the purpose of the form. We will ask you for information necessary for us to provide you with what you request through the form (for example, we will ask you for your email address if you want to sign up for an email newsletter and for your phone number if you want a member of our Sales Team to call you). We may also ask you for additional information to help us understand you better as a customer, such as your Twilio use case, your company name, or your role at your company. If you sign up to receive ongoing marketing communications from Twilio, like a newsletter, you can always choose to opt out of further communications through a preferences page which will be linked from any marketing email you receive from Twilio. You can also contact our Customer Support Team to communicate your choice to opt out.
If you contact our Sales or Customer Support Teams, those teams keep a record of that communication, including your contact details and other information you share during the course of the communication. We store this information to help us keep track of the inquiries we receive from you and from customers generally so we can improve our products and services and provide training to team members. This information also helps our teams manage our ongoing relationships with our customers. Because we store a record of these communications, please be thoughtful about what information you share with our Sales and Customer Support Teams. While we will take appropriate measures to protect any sensitive information you share with us, it is best to avoid sharing any personal or other sensitive information in these communications not necessary for these teams to assist you.
We use your email address to send you information about other Twilio products, services or events in which we think you may be interested. You can opt out of receiving marketing communications from us at any time through your marketing preferences page by clicking the “unsubscribe” link at the bottom of any marketing email you receive from Twilio. You can also update your communication preferences using our online form or contact our Customer Support Team to communicate your choice to opt out. Please note that it may take up to three days to remove your contact information from our marketing communications lists, so you may receive correspondence from us for a short time after you make your request. You will not be able to opt out of service emails from us, such as password reset emails, billing emails, or notifications of updates to our terms, unless you deactivate your account.
We may also use publicly-available information about you that we have gathered through services like LinkedIn, or we may obtain information about you or your company from third party providers. We use this information to help us understand our customer base better, such as your industry, the size of your company, and your company’s website URL. We also use this information to reach out to potential candidates for roles at Twilio.
When you visit a Twilio website, we process your information to market our services to you on other websites. You are able to opt out of targeted advertisements by using the cookie consent management tool, TrustArc. To learn more about how we process this information and how to make choices about what is collected, please see the “Cookies and Tracking Technologies” Section below.
Twilio will store your Customer Account Data as long as needed to provide you with our services and to operate our business. If you ask Twilio to delete specific personal data from your Customer Account Data (see ‘Choices About Your Customer Account Data’ below), we will honor this request unless deleting that information prevents us from carrying out necessary business functions, such as billing for our services, calculating taxes, or conducting required audits.
More specifically, within 60 days following closure of your account, we will either delete other Customer Account Data or transform it such that it can no longer be used to identify you, with the following exceptions, depending on and in accordance with applicable law:
- Customer Account Data is stored for up to seven years following closure of your account. However, we may retain invoice records, including their digital equivalent, for longer periods for accounting, tax, and audit purposes.
- Where we collect subscriber records, we will retain this data for such time as needed for legal, security and anti-fraud purposes.
- We may retain your communications with Twilio’s Customer Support Teams for up to three years after your account is closed.
- We may need to retain data due to special circumstances (such as due to an open investigation, audit, or other legal matter).
Please read our support page on data retention for more detailed information about our retention and deletion practices.
We use Customer Usage Data and Customer Content to provide services to you and to carry out necessary functions of our business as a communications service provider. We do not sell your end users’ personal data and we do not share your end users’ information with third parties for those third parties’ own business interests or cross-context behavioral advertising.
The particular end user personal data Twilio processes when you, our customer, use our products and services, and the reasons Twilio processes end user personal data, depends on how you use our products and services and which Twilio products and services you use. For that reason, our API docs for each of our products and services are the best place to find information about our processing of personal data when you use that Twilio product and service. In many cases, you can opt to store records of your communications or other activities in your Twilio account, and these records may include your end users’ personal data. You may also have the option to use additional features or tools within Twilio’s products or services that allow you to do things such as analyze the records, including end user personal data, in your Twilio account. In those cases, Twilio will process this information to provide you with the service you request.
For Twilio’s customers, our Data Protection Addendum describes more about how we process Customer Content in accordance with your instructions. That Data Protection Addendum is a part of your agreement with us by default.
Details regarding how long your end user personal data may be stored on Twilio systems will depend on which Twilio products and services you are using and how you are using them. For that reason, our API docs for each of our products and services, along with SendGrid’s documentation and Segment’s documentation, are the best place to find more detailed information about managing end user data collected and stored in connection with your use of our products and services. We also provide an overview of our retention periods in our support documentation.
As a Twilio customer, if the Twilio product or service you use enables you to store records of your usage on Twilio, including personal data contained within those records, and you choose to do so, then Twilio will retain these records for as long as you instruct, up until termination of your account. In some cases, use of extended storage may cost more. If you later instruct us to delete those records (please see below for information on how to delete your records), we will do so. Please note that it may take up to 30 days for the data to be completely removed from all systems.
Telephony operators as necessary for proper routing and connectivity.
Twilio provides an easier way for developers to build applications that make use of the publicly switched telephone network (PSTN) to send communications. Therefore, communications-related data is shared with and received from telephony operators as necessary to route and connect those communications from the sender to the intended recipient. How those telephony operators handle this data is generally determined by those operators’ own policies and local regulations.
Other communications service providers for proper routing and connectivity.
Twilio also enables sending or receiving communications through communications service providers that do not use the PSTN, such as Viber and Facebook Messenger (referred to as Over-the-Top (OTT) communications service providers). If you choose to use Twilio to send or receive communications by way of these providers, Twilio will share communications data with these providers as necessary to route and connect those communications from the sender to the intended recipient. How those OTT communications service providers handle this data is determined by their own policies.
Third-party service providers or consultants.
Twilio engages certain third-party vendors and service providers to carry out certain data processing functions on our behalf. These providers are limited to only accessing or using this data to provide services to us and must provide reasonable assurances they will appropriately safeguard the data.
A sub-processor is a vendor that is permitted to process data for which we are a processor — in other words, Customer Content. We share Customer Content with sub-processors who assist in providing the Twilio services, like our infrastructure provider, or as necessary to provide optional functionality like transcriptions. An up-to-date list of Twilio sub-processors is located here.
Add-ons are additional features, functionality or services offered by Twilio’s Add-on partners (who are third parties not affiliated with Twilio). Twilio may make Add-ons available through the Twilio Marketplace. Some Add-ons may need to access or collect some of your information, including personal data. If you choose to use an Add-on, Twilio will share your information with the Add-on partner so you can use the Add-on. Twilio does not control Add-on partners’ use of your information and their use of your information will be in accordance with their own policies. If you do not want your information to be shared with an Add-on partner, then you should not use the Add-on.
Compliance with Legal Obligations.
We may disclose your or your end users’ personal data to a third party if (i) we reasonably believe that disclosure is compelled by applicable law, regulation, legal process, or a government request (including to meet national security, emergency services, or law enforcement requirements), (ii) to enforce our agreements and policies, (iii) to protect the security or integrity of our services and products, (iv) to protect ourselves, our other customers, or the public from harm or illegal activities, or (v) to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a death or serious bodily injury. For more details, please see the procedure laid out in our Binding Corporate Rules.
If Twilio is required by law to disclose any personal data of you or your end user, we will notify you of the disclosure requirement, unless we are prohibited by law. Further, we object to requests we do not believe were issued properly.
Twilio Group Members
We may share your personal data or your end users’ personal data among Twilio Group Members. Twilio Group Members will only use the information as described in this notice. You may see who Twilio Group Members are by looking in our Binding Corporate Rules.
If we go through a corporate sale, merger, reorganization, dissolution or similar event, data we gather from you may be part of the assets transferred or shared in connection with the due diligence for any such transaction. In that situation, and that situation only, we might transfer your data in a way that constitutes a sale under applicable law. If we do, we’ll let you know ahead of time, and we will require any acquirer or successor of Twilio to continue to process data consistent with this Privacy Notice.
Aggregated or de-identified data.
We might also share data about our customers with third parties if the data has been de-identified or aggregated in a way so it cannot be used to identify you or your end users.
Accessing and Controlling Account Data. As part of the services we provide to our customers, we provide you with a number of self-service features at no additional cost within the Twilio console itself, including the ability to access your data, update any incorrect data, download a copy of your data, delete your data, or restrict the use of your data. You can make various choices about your Customer Account Data through the account portal when you log into your Twilio account or through the marketing preferences center. Any other requests about your data you cannot make through these self-service tools, you can contact Customer Support.
Closing Your Account and Deletion. To request closure or deletion of your Twilio account, you can contact Customer Support. Please be aware that closure or deletion of your Twilio account will result in you permanently losing access to your account and the data in the account. After closure of your account, certain information associated with your account may remain on Twilio’s servers in an aggregated form that does not identify you or your end users. Similarly, after you close your account, we will retain data — including personal data — associated with your account that we are required to maintain for legal purposes or for necessary business operations (see “How Long We Store Your Customer Account Data” section above) until it’s no longer needed.
Our Support portal provides documentation regarding how to delete the data you control and how long we retain it.
Other Choices About Your Customer Account Data. In addition, you can express other choices about your Customer Account Data (e.g., accessing it, deleting it, restricting its use, porting it, or withdrawing consent for its use) by contacting Customer Support.
We also offer you the ability to delete, access, or exercise other choices about end user data, namely Customer Usage Data and Customer Content. Your ability to make choices about this data depends on the Twilio product or service you use and how you use the product or service. For that reason, our API docs for each of our products and services, along with SendGrid’s documentation and Segment’s documentation, are the best place to find more detailed information about managing end user data collected and stored in connection with your use of our products and services.
In some cases, we may retain a copy of your usage records, including the personal data contained in them, to carry out necessary functions like billing, invoice reconciliation, troubleshooting, along with detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse. Sometimes legal matters arise that also require us to preserve records, including those containing personal data. These matters include litigation, law enforcement requests, or government investigations. If we have to do this, we will delete the impacted records when we are no longer legally obligated to retain them. We may, however, retain or use records after they have been anonymized, if the law allows.
Twilio also uses web beacons to gather data about your use of our websites, your account, and how you interact with emails we have sent to you. Web beacons are clear electronic images that can recognize certain types of data on your computer, like when you view a particular website tied to the web beacon, and a description of a website tied to the web beacon. Additionally, we may put web beacons in marketing emails that notify us when you click on a link in the email that directs you to a Twilio website. We use web beacons to operate and improve our websites and email communications to you.
Twilio is a global company with customers and offices all around the world. As such, our approach to privacy compliance is a global one. No matter where you are located, whether in the United States, the European Economic Area (EEA), the United Kingdom (UK), Latin America, or the Asia-Pacific region, we remain committed to abiding by all applicable data protection laws.
If you are from a region that requires a legal basis for processing personal data (such as the EEA or the UK), our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the specific context in which we collect it.
However, we will normally collect personal data from you only where we need the personal data to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal data from you or may otherwise need the personal data to protect your vital interests or those of another person, such as in the case where we request personal data from you in the context of a government audit or in response to a request from law enforcement.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact information provided below.
Broadly speaking, we use Customer Account Data to further our legitimate interests to:
- understand who our customers and potential customers are and their interests in Twilio’s product and services;
- manage our relationship with you and other customers;
- carry out core business operations such as accounting, filing taxes, and fulfilling regulatory obligations; and
- help detect, prevent, or investigate security incidents, fraud and other abuse or misuse of our products and services.
For those customers that would like more information about our use of Customer Account Data or Customer Usage Data, you have the ability to request:
- that we provide details about the categories of personal data that we collect about you, including how we collect and share it;
- that we provide you access to, and a copy of, the personal data we collect about you;
- that we update or correct any inaccurate personal data we have about you; and
- that we delete the personal data we have about you.
Please scroll up to our section above on How to make choices about your data for more information about how to make a request.
Please be aware that when you ask us for these things, we will take steps to verify that you are authorized to make the request. You do not have to be from any specific state, such as California, Colorado, Utah, or Virginia, to make this request. We won’t discriminate against you or change the price of our services if you make a request, but if you ask us to delete your data, it may affect your ability to use our service.
If you’re a Californian interested in what personal data we have shared lately for our business purposes, here’s a list:
- Commercial information
- Financial information
- Internet or other electronic activity information
- Geolocation information
- Professional or employment information
By “our business purposes,” we mean that we only share personal data as we describe in the section above (in other words, with telephony operators, communications providers, and so on).
If you are in a region other than the EEA, the UK, or the United States, we aren’t forgetting you! There are just some specific requirements those regions ask us to put in our Privacy Notice. Some countries, like Brazil, also have specific privacy notice requirements, and we address those requirements in our general privacy sections above. If there are specific changes we need to make to our legal language to comply with a country’s privacy or data protection laws, you can find those changes in our Data Protection Addendum.
Employee Applicant and Employee Data. Whether you are applying for a position at Twilio or are a current or former employee, we remain committed to practicing a “no shenanigans” approach to your personal data. For up to date information on the types of data we process about you and how we protect it, please see our Employee Privacy Notice.
Information from Children. We do not knowingly permit children (under the age of 13 in the US and UK or 16, if you live in the EEA) to sign up for a Twilio account. If we discover someone who is underage has signed up for a Twilio account, we will take reasonable steps to promptly remove that person’s personal data from our records. If you believe a person who is underage has signed up for a Twilio account, please contact us at firstname.lastname@example.org.
As a global organization, we may need to transfer your personal data to Twilio affiliates, contractors, service providers, and to third parties in various countries and jurisdictions around the world. In each case, we take care to use appropriate safeguards to ensure your personal data remains protected.
Data transfers to the United States and elsewhere. When you use our account portal, or our other products and services, personal data of you and your end users processed by Twilio may be transferred to the United States, where our primary processing facilities are located, and possibly to other countries where we or our service providers operate. These transfers will often be made in connection with routing your communications in the most efficient way.
Safeguards for data transfers. Twilio employs appropriate safeguards for cross-border transfers of personal data, as required by applicable local law. Where we must transfer end users’ personal data to a third country, we conduct a transfer impact assessment, which we make available on our support pages. Our Data Protection Addendum, which we provide to all customers, includes more detailed information about our cross-border data transfers.
EU-US Data Privacy Framework (“EU-US DPF”) and Swiss-US Data Privacy Framework (Swiss-US DPF). As set forth by the U.S. Department of Commerce Twilio is officially certified under the EU-US DPF and Swiss-US DPF and relies on these certifications as its primary transfer mechanisms for transfers of personal data from the EU and Switzerland to the US. Twilio adheres to the DPF principles for onward transfers of personal data to third parties and remains liable for damages caused by third parties under the DPF unless Twilio did not cause the event giving rise to damage. The U.S. Federal Trade Commission has jurisdiction over Twilio’s compliance with the EU-US DPF and the Swiss-US DPF.To learn more about the DPF Program, and to view our certifications, please visit the DPF website here.
Twilio’s Binding Corporate Rules. Twilio has established and implemented a set of Binding Corporate Rules for internal transfers of personal data between Twilio Group Members in the European Union and Twilio Group Members elsewhere. Twilio’s BCRs have been approved by European Union Data Protection Authorities and are a commitment by Twilio to adequately protect personal data that Twilio processes regardless of where the information resides. You can access Twilio’s BCR controller and processor policies here.
Where neither the EU-US DPF, Swiss-EU DPF nor Twilio's BCRs apply, such as to cross-border data transfers of the SendGrid services to a country other than the US, we rely instead on other data transfer mechanisms to transfer personal data outside the EEA, the UK, and Switzerland, such as Standard Contractual Clauses and the International Data Transfer Agreement.
Transfers from other countries. When we transfer personal data outside countries other than those in the EEA, the UK, and Switzerland, we strive to comply with the cross-border data transfer rules of those countries, such as by cooperating with that country’s data protection authority or providing a written agreement to each customer that meets the data protection requirements of the country.
APEC CBPR & PRP Participation. Twilio’s privacy practices, described in this Privacy Notice, comply with the APEC Cross Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) Systems. The APEC CBPR and PRP systems provide a framework for organizations to ensure protection of personal data transferred among participating APEC economies. More information about the APEC framework can be found here.
The Authy service is our standalone two-factor authentication (2FA) service for desktop and mobile. The Authy apps generate one time passwords and push notifications that can be used as a part of a two-step verification process with your Authy-compatible accounts to add another layer of security. Authy’s 2FA can be used on its own or with applications that directly integrate with Authy’s 2-factor authentication API.
Data Collection and Authy. For the most part, Authy collects the same data the Twilio services collect, and for the same reasons. However, Authy collects slightly different data elements due to the nature of the service.
Identifiers. Once you open the Authy app, we ask you to provide us with a phone number to create your Authy account. We send a verification code to that phone number to be sure that the person creating the Authy account also has control over the phone number entered. This phone number is considered your “primary device,” and will be the identifier for your Authy account. We use that phone number to identify you, to provide you 2FA services, and to maintain logs for security and anti-fraud purposes. We do not use that phone number to provide sales or support to you; however, if you sign up for other Twilio services, we may ask you for your phone number in those contexts, and use it for those purposes.
We collect your email address, and we use it for identity verification and account recovery purposes. We will also use your email address to send system emails to you, such as to let you know about suspicious logins or updates to this policy. We may also send notices about Twilio products or events to you, but you may click on the unsubscribe link that will appear at the bottom of any of our marketing emails or you can contact customer support to opt out.
If you are a user of an application that directly integrates with Authy’s 2-Factor Authentication API, those applications collect your phone number, user name, and email address and share that information with us so we can use it to associate your account on that application with your Authy account. When that application shares your phone number, user name, and email address with us, we will create an Authy account for you if you do not have one already. We will use your phone number to communicate to you verification codes so you can log into your account on that application.
Device Information. When you download and open the Authy desktop or mobile app, we automatically collect information about the type of device you have downloaded the app on and your device identifier. We collect this to ensure we deliver the right version of the app for your device and so that we can provide appropriate follow up support as necessary. We also use your device information to ensure proper delivery of our service and to provide and deliver support and maintenance of the Authy app.
Login History and Authy Account History. When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application you logged in to, that you logged in, and when. If you change your phone number or email associated with your Authy account, we will also keep a log of that. We collect this information to monitor for suspicious activity and also as another piece of information that could be used to verify your identity if we suspect your account may be compromised.
Geolocation information. If you have location services turned on, we collect your location based on your IP address. We use this information for anti-fraud purposes, to check for suspicious activity and, again, as another piece of information we can use to verify your identity if we suspect your account may be compromised.
How we share personal data. In general, Authy shares personal data in the same way Twilio does (see How Twilio shares personal data for more). Authy does not sell personal data and does not share personal data for third parties’ behavioral advertising purposes.
However, Authy users should be aware that an application that integrates with the Authy 2-Factor API can access your phone number, email address, and user name. It will also be able to access your primary device type and information associated with your login activity to that application. It may also retain this information on its own servers. We may also share other information related to your account with that application to help them and us detect suspicious or fraudulent activity on your account. That application will only be able to see information related to your account on their service; it will not be able to see other accounts for which you use Authy to provide 2FA.
To use the Frontline services, you must log in to the Frontline app using a third party account (through your Single Sign-On provider). The authentication of your login details is handled by that third party and we only collect the information you expressly agree to share with us at the time you give permission to link the Frontline app with the third party account. We only gather the information you and our customers give us access to, and we only use it for the purposes for which you and our customers have provided it to us. Please see the Frontline App Terms for specific details about your relationship with us.
If you are an end user of the Frontline services, Twilio is a processor of your personal data. Please reach out to your employer (or the entity that has authorized your access to the Frontline app) to make a request for us to update or erase any information about you or to stop using any information about you.
The Segment services are treated the same as the rest of Twilio’s products and are covered by our Data Protection Addendum and our Binding Corporate Rules. For more specific information, you can learn more about the Segment services in the Segment documentation.
The SendGrid services work a little differently from the rest of Twilio’s services, and we’d like to make sure you’re aware of those differences. Most importantly, SendGrid services are not currently covered by Twilio’s Binding Corporate Rules, which means that we rely on Standard Contractual Clauses (which you can find in our Data Protection Addendum) for any cross-border data transfers relating to the SendGrid services. However, even where SendGrid services are not covered by our Binding Corporate Rules, we are committed to providing a high level of data protection for our SendGrid customers.
Data Collection and Email. For the most part, the SendGrid services collect the same data the Twilio services collect, and for the same reasons. The SendGrid services also collect some additional data in the form of web beacons placed in the body of emails delivered using the SendGrid platform. This allows us to keep track of whether or not an email has been delivered, opened, clicked on, whether it bounced or was treated as spam. You can learn more about web beacons in the section titled “Cookies and Tracking Technologies” above.
Customer Content and Email Recipients’ Personal Data. Like Twilio, SendGrid is a data processor for Customer Content, like email communications contents and the contents of marketing campaigns. SendGrid is also a data processor for email recipients’ email addresses and other recipients’ personal data. If you’re a customer, our Data Protection Addendum describes more about how we process Customer Content in accordance with your instructions.
Our security measures. We use appropriate security measures to protect the security of your personal data both online and offline. These measures vary based on the sensitivity of the personal data we collect, process and store and the current state of technology. We also take measures to ensure service providers that process personal data on our behalf also have appropriate security controls in place. When we transfer data across borders, we also take supplementary measures to ensure that data is protected. You may read more about our security measures in our Security Overview, and if you are located in a country that requires you to obtain information about our supplemental measures, you may read more about those measures here.
Please note that no service is completely secure. While we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.
Security measures you can take. To protect the confidentiality of your account and protect against unauthorized use of your account, we recommend enabling two-factor authentication for your account. Additionally, you must keep your account password and Auth Token confidential and not disclose them publicly or to unauthorized individuals — this includes accidentally distributing them in a binary or checking them into source control. Please let us know right away if you think your password or Auth Token was compromised or misused. For instructions on changing your password, click here. For instructions on changing your Auth Token, click here.
Similarly, if you provision an API Key, you should keep your secret, well... secret. You should store your API Key, Account SID, and secret in a secure location. Information on provisioning and revoking API Keys can be found here.
If you have any Twilio service, such as Authy or Frontline, on your mobile device, you should take measures to protect your device. First, you should set a password and activate biometrics (like Touch ID), where available, for all devices on which you have downloaded your Twilio app. For the Authy mobile app, you also have the option of setting an app-specific protection pin. You can do this by going into your Authy app and clicking on settings. In settings, you should click on “Protection Pin.” You can choose to include a Protection Pin which will require you to enter a pin number of your choosing before accessing settings and your Account Info. Depending on your device’s capabilities, you may also be able to add biometric protection. You can also choose to protect the entire app which will require you to enter your chosen Pin and/or use biometric to open the Authy app on your device. We recommend that if you have downloaded Authy onto a shared device, that you use this last option of protecting the entire app.
If you have multiple devices associated with your account and one of your devices is lost or stolen, you can remove that device from your circle of trusted devices by going into one of the other devices associated with your account, and over which you still control, and remove the lost or stolen device under Settings > Devices. If you only have a single device that is associated with your account and that device is lost or stolen, you can alert us by contacting our Customer Support Team.
We may collect and use Customer Account Data or Customer Usage Data to detect, prevent, or investigate security incidents, fraud, or abuse and misuse of our platform and services. In addition, we also use records containing end user personal data to debug, troubleshoot, or investigate security incidents; to detect and prevent spam or fraudulent activity; and to detect and prevent network exploits and abuse. Specifically, we monitor text message content to detect spam, fraudulent activity, and violations of our Acceptable Use Policy. We may anonymize personal data and use it for our legitimate business needs, and, where allowed by law, this may include records containing end user personal data.
Twilio may use automated decision making leveraging a variety of signals derived from records we collect to help monitor, identify, and suspend accounts sending spam or engaging in other abusive or fraudulent activity. Holders of accounts suspended under these circumstances are notified of the suspension and given an opportunity to request human review of the suspension decision.
We may change this Privacy Notice from time to time, and if we do, the most current version will be available at https://www.twilio.com/legal/privacy with the date indicating when it was last updated. These changes might be minor, such as updating an address or fixing a typo, or they might be material, such as making a change that affects your rights. If we make changes that affect your rights, we will provide advance notice to you, such as by posting a message in the Twilio console, or we’ll send an email via the address we have on file for you. We will comply with applicable law with respect to any changes we make to this notice and seek your consent to any material changes if this is required by applicable law.