text|Legal
Legal main
Privacy
FAQs

Privacy

Applies to:
Clients
Partners
Last updated: Oct 22, 2025

Who provides the services and processes my data?

Our services are provided, and your personal data is processed by Text, Inc. headquartered at 101 Arch Street, 8th Floor, Boston, MA 02110, United States of America (“Text”). You can always contact us via chat or by email at support@text.com

What personal data do you collect and process?

When you register for our services, we ask for basic account information, such as: first and last name, company or business name, address, website address, and email. In addition, we process IP number, browser information, operating system, geolocation, payment/credit card details (and other information listed in our Privacy Policy. We also process the data (including personal data) you and/or your customers choose to insert into our services or other data you ask your customers for via the service you subscribed to, for example, chat transcripts, tickets, or knowledgebase entries. 

Am I a data controller or a data processor?

That depends on how you use our services. You are the data controller (a natural or legal person, public authority, agency, or other body, and you, alone or jointly with others) if you decide why and how your customers’ personal data is processed (e.g., managing communication with them).  If you do not determine the purposes of the processing but use data according to the controllers’ instructions, then you act as a data processor.  

We act as your data processor, since we process personal data strictly on your behalf and according to your instructions. In some limited cases (e.g., when we process your account billing information), Text may act as a data controller. These roles are fully explained in our Privacy Policy.

Do I need to sign a Data Processing Addendum (DPA)?

No. Our DPA is automatically included in your Agreement with Text, meaning it applies by default and does not require a separate signature. Regardless of being a data controller or a data processor, when you transfer personal data of EU/EEA, UK, Swiss, or California residents to us while using our services, our Data Processing Addendum (DPA) automatically applies as part of the Agreement. This simplifies compliance and you don’t need to take any additional steps. 

Where can I find your list of sub‑processors?

The current list of authorized sub-processors and their processing activities is available at Sub-Processors. Each sub-processor is carefully vetted for security, compliance, and data protection.

Do you share personal data with sub-processors?

Yes, but only when necessary to deliver the services. We do so to maintain our services, improve our tools, and enable and simplify their usage. If sub-processors need access to a part of your data, they will gain only the necessary data to enable them to provide us with their services (e.g., hosting, analytics, payments). Each is bound by a contract ensuring they apply appropriate security measures.

How do you lawfully transfer personal data outside the EU/UK/Switzerland?

We rely on multiple safeguards:

  • Standard Contractual Clauses (SCCs),

  • participation in the EU-U.S. Data Privacy Framework (DPF),

  • the UK Extension to the EU-U.S. DPF, and

  • the Swiss-U.S. DPF.

These mechanisms ensure lawful transfers and adequate protection regardless of where the data is stored. See International Data Transfer for details.

Have you appointed a Data Protection Officer (DPO)?

Yes. Our DPO is Maciej Malesa. You can reach him at support@text.com 

What is the legal basis for processing personal data?

The main legal basis is the Agreement between you and Text (made up of the Terms of Use, Privacy Policy, and DPA).

  • We process your data as necessary to provide, maintain, and improve our services, and in line with the Agreement.

  • You, as the controller, are responsible for ensuring you have a valid legal basis (such as consent, contract, or legitimate interest) when sharing personal data, including your customers’ data with us.

Do you use cookies?

Yes. We use cookies and similar technologies to operate our service, recognize you, maintain sessions, remember preferences, improve functionality, and measure usage.  You can disable or delete cookies at any time through your browser. See our Privacy Policy and Cookie Policy for details.

How does Text comply with the EU–US Data Privacy Framework (DPF)?

We are a certified participant in the EU-U.S. DPF. This guarantees that EU personal data transferred to the U.S. receives an adequate level of protection. While the EU-U.S. DPF is a standalone transfer mechanism that can be used instead of the Standard Contractual Clauses (“SCCs”), we're not letting our guard down. We continue to apply additional safeguards such as Standard Contractual Clauses (SCCs). 

Are you a data controller or a data processor?

In most cases, Text acts as a data processor. This means we process personal data on your behalf, as you (the client) determine the purposes and means of processing. For example, when you use our Services to communicate with your customers, you remain the data controller, and we act as your data processor in handling the data you provide. As a processor, we use and process personal data only as necessary to provide, maintain, and improve our services, ensure the security and integrity of the services, send you service-related updates, news, or personalized communications, and protect or enforce legal claims.
In certain limited situations, Text may act as a data controller. For instance, when we process your account data (such as billing details or administrative contact information) for our own business operations, we may act as a data controller. Our Privacy Policy describes these circumstances in detail. 

What security measures protect my data?

We apply industry-standard security, including encryption in transit and at rest, regular audits, and strict access controls. Details are described in our DPA.

How do you use my personal data?

We store and process the personal data of our clients and people permitted by our client to use and operate the services for or on behalf of them while using our services. We process data only for purposes defined in the Agreement, such as:

  • enabling communication with your customers,

  • providing customer support,

  • securing accounts and services,

  • processing payments, and

  • sending you service-related updates.

We do not sell personal data.

How can I exercise my privacy rights (e.g., right to be forgotten)?

You can freely decide whether to delete or change your data. You can request data deletion, correction, or access by contacting support@text.com. Requests are usually processed within 30 days, unless we are legally required to retain some information. 

How do you choose and verify sub‑processors?

We are committed to complying with GDPR and accordingly transferring personal data lawfully and with an adequate security level. This is why we work only with inspected third-party service providers. We have verified all the sub-processors we currently cooperate with. Besides the ‘location requirement’ (we cooperate mostly with companies from the EU or the US), every time before we start cooperation with a new sub-processor, we make sure it is GDPR compliant (if applicable). We also enter into agreements with our sub-processors, ensuring that they have appropriate technical and organizational measures according to the nature of the processing and the potential risk to the data subjects.

Does Text comply with the Swiss–U.S. DPF and the UK Extension to the EU–U.S. DPF?

Yes. Text is fully committed to these frameworks:

  • Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF): As a former participant in the Swiss-U.S. Privacy Shield, we have automatically transitioned into the Swiss-U.S. Data Privacy Framework (DPF). Following the adequacy decision by the Swiss Federal Council on September 15, 2024, we are officially authorized to rely on the Swiss–U.S. DPF for lawful data transfers from Switzerland;

  • UK Extension of the EU-U.S. DPF: We have successfully self-certified to the UK Extension of the EU–U.S. DPF. Since the UK adequacy decision issued on October 12, 2023, we are able to receive personal data from the UK and Gibraltar under this framework.

These certifications mean that Text can lawfully receive and process personal data from the UK, Gibraltar, and Switzerland with the same level of protection guaranteed under the EU–U.S. DPF. We continue to uphold all related obligations and safeguards.