Privacy Policy
This Privacy Policy explains how Centili Group Ltd. collects, uses, shares and protects personal data, and the rights you have under the UK GDPR and the Data Protection Act 2018.
Overview & who we are
Centili Group Ltd. (trading as Centili, “we”, “us” or “our”) is a company incorporated in England and Wales, United Kingdom. We provide direct carrier billing, mobile-payments, content-monetisation and SIM-security services to mobile network operators, merchants, content providers and other business partners. We are committed to protecting the privacy of everyone whose personal data we handle and to processing that data fairly, lawfully and transparently.
For most of the personal data described in this policy — for example data about visitors to our websites, our business contacts, and job applicants — we act as the controller, meaning we determine the purposes and means of the processing. For certain end-user data processed on behalf of our operator and merchant customers in the course of delivering carrier-billing and payment services, we typically act as a processor. See Controller vs processor below for the distinction.
Our controller details are:
| Controller | Centili Group Ltd. |
|---|---|
| Registered office | [Registered office address — to be confirmed], United Kingdom |
| Company number | [Company number — to be confirmed] |
| ICO registration | [ICO registration number — to be confirmed] |
| Privacy enquiries | privacy@centili.co.uk |
| Data Protection Officer | dpo@centili.co.uk |
We are registered with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, under registration [ICO registration number — to be confirmed].
Scope of this policy
This policy applies to personal data we process in connection with our corporate websites at centiligroup.com, our business platforms and APIs, our commercial relationships with customers and partners, our recruitment activities, and our general business operations. It describes the categories of data we handle, why and how we use it, who we share it with, how long we keep it, and the rights available to you.
Where we provide services as a processor on behalf of an operator or merchant customer, that customer is the controller of the relevant end-user data and its own privacy notice governs how that data is used. Our processing in those cases is governed by the Data Processing Agreement we enter into with the customer. This policy should be read together with our Cookie Policy and our Terms of Service.
Personal data we collect
We collect different categories of personal data depending on your relationship with us. The table below summarises the main categories and the types of individual they relate to. We do not routinely seek to collect special category data (such as data revealing health, racial or ethnic origin, religious beliefs or biometric data) and ask that you do not submit it to us unless necessary.
| Who you are | Categories of personal data |
|---|---|
| Website visitors | Device and connection data (IP address, browser type, operating system), pages viewed, referring URLs, approximate location derived from IP, and cookie and similar identifiers. See our Cookie Policy. |
| Enquirers & newsletter subscribers | Name, business email address, company, job title, the content of your enquiry, and marketing preferences. |
| Customers & partners (and their staff) | Contact details of authorised representatives, account credentials, contractual and commercial information, billing and settlement details, correspondence, support requests, and platform usage and audit logs. |
| End-users (via carrier billing, where we act as processor for an operator or merchant) | Mobile number (MSISDN) or pseudonymised identifier, mobile network operator, the product or service purchased, transaction amount, date and status, and limited anti-fraud and risk signals. We process this data on documented instructions from the relevant controller and do not use it for our own purposes. |
| Job applicants | Name, contact details, CV and cover letter, employment and education history, references, right-to-work information, interview notes and assessment outcomes. |
| All individuals | Records necessary to meet our legal, regulatory, anti-fraud, anti-money-laundering and sanctions-screening obligations, and to manage complaints and disputes. |
How we collect it
We obtain personal data in the following ways:
- Directly from you — when you contact us, subscribe to updates, register for or use our platforms, enter into a contract, attend an event, or apply for a role.
- Automatically — through cookies, server logs and similar technologies when you visit our websites or use our services, as described in our Cookie Policy.
- From our customers and partners — where an operator or merchant routes end-user transactions through our platform, we receive the data needed to process and reconcile those transactions.
- From third parties — such as mobile network operators, payment and anti-fraud partners, identity-verification and sanctions-screening providers, recruitment agencies, referees, and publicly available business sources.
Purposes & lawful bases
Under the UK GDPR we must have a lawful basis for processing personal data. The table below sets out our principal purposes and the lawful basis (or bases) we rely on for each. Where we rely on legitimate interests, we have carried out a balancing assessment to ensure our interests are not overridden by your interests, rights and freedoms.
| Purpose | Lawful basis |
|---|---|
| Providing, operating and supporting our platforms and services to customers | Performance of a contract; legitimate interests |
| Processing and reconciling carrier-billing and payment transactions | Performance of a contract; legal obligation; processing on behalf of a controller (as processor) |
| Responding to enquiries and providing customer support | Legitimate interests; performance of a contract |
| Sending marketing communications and newsletters | Consent; legitimate interests (existing business contacts, soft opt-in) |
| Operating, securing and improving our websites and analytics | Consent (non-essential cookies); legitimate interests |
| Fraud prevention, risk management and platform security | Legitimate interests; legal obligation |
| Anti-money-laundering, counter-terrorist-financing, sanctions screening and KYC | Legal obligation; legitimate interests |
| Managing accounts, invoicing, tax and statutory record-keeping | Legal obligation; performance of a contract |
| Recruitment and assessment of job applicants | Legitimate interests; consent; legal obligation (right-to-work) |
| Handling complaints, disputes and legal claims | Legitimate interests; legal obligation; establishment or defence of legal claims |
| Corporate transactions (mergers, acquisitions, financing, due diligence) | Legitimate interests |
Our legitimate interests
Where we rely on legitimate interests, these include:
- operating, maintaining and improving our products, services and websites;
- keeping our platforms, customers and end-users safe from fraud and abuse;
- managing and developing our commercial relationships and business contacts;
- promoting our services to relevant business audiences;
- understanding how our services are used and producing aggregated insights;
- protecting our legal rights and ensuring the security of our network and information.
Where we rely on consent (for example for certain marketing or non-essential cookies), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
International transfers
We are based in the United Kingdom and aim to store and process personal data within the UK and the European Economic Area (EEA) wherever possible. Some of our service providers and partners are located outside the UK, which may mean your personal data is transferred to, and processed in, countries that do not have the same data-protection laws as the UK.
Where we transfer personal data outside the UK, we ensure an appropriate safeguard applies, such as:
- a transfer to a country covered by UK adequacy regulations (a country the UK government has determined provides an adequate level of protection);
- the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses;
- the EU Standard Contractual Clauses (SCCs) where relevant for EEA-related transfers, together with any supplementary measures identified by a transfer risk assessment.
You may contact us at privacy@centili.co.uk to request more information about the safeguards we apply to a particular transfer.
Data retention
We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, accounting, regulatory or reporting requirements. To determine the appropriate retention period we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes by other means.
| Data | Typical retention period |
|---|---|
| Customer and partner contract and account records | Duration of the relationship, then up to 6 years after it ends |
| Transaction, billing and settlement records | Up to 6 years (or longer where required for tax or AML purposes) |
| AML, KYC and sanctions-screening records | At least 5 years after the end of the business relationship |
| Marketing contact data and preferences | Until you unsubscribe or object, then a suppression record is kept |
| Website analytics and cookie data | As stated in our Cookie Policy (typically up to 24 months) |
| Unsuccessful job-applicant data | Up to 12 months after the recruitment decision |
When personal data is no longer required, we securely delete or anonymise it. Where we act as a processor, retention is governed by our customer’s instructions and the relevant Data Processing Agreement.
Security measures
We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include:
- encryption of data in transit and, where appropriate, at rest;
- role-based access controls and the principle of least privilege;
- network segmentation, firewalls and intrusion-detection controls;
- secure software-development practices, code review and vulnerability management;
- logging, monitoring and alerting across our platforms;
- staff confidentiality obligations and data-protection and security awareness training;
- vendor due diligence and contractual security obligations on sub-processors;
- business-continuity, backup and incident-response procedures.
We operate a documented procedure for handling personal-data breaches and, where required, will notify the ICO and affected individuals in accordance with the UK GDPR. To report a suspected security issue, please see our Responsible Disclosure Policy or contact security@centili.co.uk.
Your rights
Subject to certain conditions and exemptions, you have the following rights under the UK GDPR in relation to your personal data:
- Right of access — to obtain confirmation that we process your data and a copy of it (a data subject access request, or DSAR).
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — to have your data deleted in certain circumstances (the “right to be forgotten”).
- Right to restriction — to restrict our processing of your data in certain circumstances.
- Right to data portability — to receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller.
- Right to object — to object to processing based on legitimate interests and to direct marketing at any time.
- Right to withdraw consent — where we rely on consent, to withdraw it at any time without affecting prior processing.
- Right to complain — to lodge a complaint with the ICO (see below).
How to exercise your rights
To exercise any of these rights, or to make a DSAR, please contact us at privacy@centili.co.uk or write to us at the registered office address below. We may need to verify your identity before responding. We will respond within one month, although we may extend this by up to a further two months for complex or numerous requests, and will tell you if we do. There is normally no charge, although we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive.
If your request relates to data we process as a processor on behalf of an operator or merchant, we will refer you to the relevant controller, who is best placed to respond.
Automated decision-making & profiling
We use automated tools for fraud prevention, transaction risk-scoring and platform security. These tools may flag transactions or activity for review. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without meaningful human involvement, except where permitted by law (for example where necessary to prevent fraud) and with appropriate safeguards. Where automated decision-making does take place, you have the right to obtain human intervention, to express your point of view and to contest the decision by contacting privacy@centili.co.uk.
Children
Our websites and services are directed at businesses and are not intended for children. We do not knowingly collect personal data from children. Where our services are offered to end-users by an operator or merchant, that controller is responsible for ensuring any age-related requirements are met. If you believe we have inadvertently collected personal data relating to a child, please contact privacy@centili.co.uk and we will take appropriate steps to delete it.
Controller vs processor clarification
Data-protection law distinguishes between a controller, which decides why and how personal data is processed, and a processor, which processes personal data on a controller’s behalf and on its instructions.
- Where we are the controller: data about our website visitors, business contacts, customers’ and partners’ representatives, job applicants, and our own business operations. This policy governs that processing.
- Where we are the processor: end-user data we process to deliver carrier-billing and payment services on behalf of an operator or merchant customer. In those cases the customer is the controller, its own privacy notice applies, and our processing is governed by our Data Processing Agreement.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or legal and regulatory requirements. When we make material changes, we will update the “Last updated” date shown at the top of this page and, where appropriate, notify you by other means. We encourage you to review this policy periodically.
Contact & ICO details
If you have any questions about this Privacy Policy or how we handle personal data, or if you wish to exercise your rights, please contact our privacy team at privacy@centili.co.uk or our Data Protection Officer at dpo@centili.co.uk. You can also write to us at:
Centili Group Ltd.
[Registered office address — to be confirmed], United Kingdom
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data-protection matters, if you are unhappy with how we have handled your personal data. We would, however, appreciate the chance to address your concerns before you approach the ICO, so please contact us first.
| Authority | Information Commissioner’s Office |
|---|---|
| Address | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom |
| Helpline | 0303 123 1113 |
| Website | ico.org.uk |
This Privacy Policy is governed by the laws of England and Wales, and any disputes relating to it are subject to the jurisdiction of the courts of England and Wales.