Last updated: 18th November 2025
This Data Protection / GDPR Policy sets out how Jairus approaches data protection compliance when providing SPARK Sales Androids™ + SMS and related services.
It is intended for customers, partners, regulators and other interested parties who want to understand our general position on UK GDPR, EU GDPR (where applicable), the Data Protection Act 2018 and related laws.
This policy complements our Privacy Policy and any Data Processing Agreement we enter into with customers.
Our role depends on the context:
Controller
We act as a controller for personal data relating to:
our own customers, suppliers and prospects
website visitors to jairus.co.uk
our own marketing and business administration
Processor
We usually act as a processor when we handle Customer Data for Campaigns, for example your lead lists, SMS content and responses, and associated metrics. In this role we:
process data only on your documented instructions
do not use the data for our own independent purposes, other than as permitted in the Agreement
assist you with data subject rights and incident response, as set out in the relevant Data Processing Agreement
Where roles are more complex or shared (for example joint campaigns), we will agree written terms that reflect the specific arrangement.
We identify and document lawful bases for processing personal data, as required under Article 6 of UK GDPR.
Typical bases we rely on are:
Contract – to perform our agreements with customers and suppliers
Legitimate interests – to operate and improve our services, maintain relationships and promote relevant offerings, in a way that individuals would reasonably expect and that does not override their rights
Consent – particularly for our own marketing where required, and where a clear, affirmative choice has been recorded
Legal obligation – to meet legal and regulatory requirements
For SMS marketing that we send on behalf of our customers, the customer is responsible for selecting and documenting the lawful basis for their own processing, including any consent required for marketing under UK GDPR and PECR. We process the data on their instructions.
SMS and similar electronic messages used for promotional purposes are typically regarded as direct marketing and are subject to PECR as well as UK GDPR.
Our approach is as follows:
Customers are responsible for ensuring they have valid consent or another lawful basis for each recipient and for respecting any “soft opt in” rules.
Our systems are designed to include a clear opt out mechanism in marketing SMS (for example, reply STOP), and we maintain suppression lists to help prevent future messages to numbers that have opted out.
We provide tools and reporting to allow customers to track engagement and opt outs.
We encourage all customers to keep records of consent, privacy information and any preferences to support their own compliance.
We aim to collect and process only the personal data needed for defined purposes, and we encourage customers to send us only the fields required for a Campaign.
High level retention principles:
We keep personal data only for as long as necessary for the stated purpose, plus any additional period needed for legal, accounting or reporting obligations.
For Campaign data, we typically retain logs and performance records for a limited period (for example 12–24 months), after which they may be anonymised or deleted, unless otherwise agreed with the customer.
Where we act as a processor, our retention of Customer Data is governed by the Agreement and your instructions.
Customers may request deletion or return of Campaign data at the end of a contract, subject to legal retention requirements and technical feasibility.
We maintain appropriate technical and organisational measures to protect personal data, with regard to:
confidentiality – ensuring only authorised people can access data
integrity – safeguarding against accidental or unlawful destruction, loss or alteration
availability – ensuring data is accessible when legitimately needed
Measures include, as appropriate:
access controls, authentication and role-based permissions
encryption in transit and at rest for key systems
regular backups and recovery procedures
secure development and change management practices
logging and monitoring of system activity
staff confidentiality obligations and awareness training
We review our security measures periodically and in response to changes in risk, technology and legal requirements.
To provide the Services we use carefully selected sub-processors, such as:
SMS and telecom providers
cloud hosting and infrastructure services
email and communication platforms
analytics, monitoring and support tools
We:
carry out due diligence on sub-processors
put written contracts in place that require them to protect personal data to standards consistent with our own obligations
keep an internal record of sub-processors and can provide details to customers on request
Where required, we will notify customers in advance of changes to sub-processors so they have the opportunity to raise concerns.
Where personal data is transferred outside the UK or EEA, we aim to ensure an equivalent level of protection by:
relying on adequacy regulations where available, or
putting in place appropriate safeguards such as Standard Contractual Clauses and, where relevant, additional technical or organisational measures
Details of specific transfers can be provided in our Data Processing Agreement and on request.
Individuals have certain rights over their personal data under UK GDPR, including rights of access, rectification, erasure, restriction, portability and objection, as outlined in our Privacy Policy.
Our approach:
Where we are the controller, individuals can contact us directly using the contact details in the Privacy Policy.
Where we are a processor, we will promptly notify the relevant customer of any request we receive and assist them in responding, in line with our Agreement.
We maintain procedures and logs to handle rights requests and to ensure responses are provided within statutory time limits wherever possible.
We have an incident response process to detect, assess and respond to potential personal data breaches.
If we become aware of a personal data breach that affects Customer Data:
we will notify affected customers without undue delay,
provide available information to help them meet their own notification obligations, and
take reasonable steps to contain, investigate and remediate the incident
Customers are responsible for assessing whether they need to report a breach to the ICO or other supervisory authority and to affected individuals.
We support compliance by:
assigning clear internal responsibilities for data protection and security
maintaining relevant policies and procedures
training staff who handle personal data on their obligations
reviewing and updating our approach as laws, guidance and our services evolve
We monitor developments in UK GDPR, EU GDPR, PECR and related laws and adjust our practices where needed.
If you have questions about this policy or our data protection practices, please contact:
Jairus
Email: privacy@jairus.o.uk
Postal address: Suite 1, 39 Ludgate Hill, London EC4M 7JN
Copyright © 2025 Jairus Ltd. All Rights Reserved.