Legal

Data Processing Agreement

How Minutes Network FZ-LLC processes end-user personal data as a processor on behalf of app developers (the controllers) under UK GDPR Article 28. Jingle Plug-In follows a strict data minimisation approach - we never access contacts, messages, or browsing history, and the only personal data processed is the minimum needed to route calls (phone number, device token, country / region derived from the verified phone number, and call metadata).

Last updated: June 13, 2026

verified_user UK GDPR Article 28
shield Data Minimisation
delete_sweep 90-Day Retention

This Data Processing Agreement ("DPA") forms part of the Terms of Service and any Integration Agreement between Minutes Network FZ-LLC ("Processor", "Jingle") and the app developer ("Controller", "Developer") and governs the processing of personal data through the Jingle Plug-In.

1. Definitions

Terms not defined herein have the meanings given in the UK GDPR, Data Protection Act 2018, and the Terms of Service. "Processing", "Personal Data", "Data Subject", "Controller", and "Processor" have the meanings defined in Article 4 of the UK GDPR. "Sub-processor" means any processor engaged by the Processor to process Personal Data on behalf of the Controller, as contemplated by Article 28(2) and 28(4) of the UK GDPR.

2. Scope and Roles

For End User personal data processed through the Jingle Plug-In inside the Developer's app, the Developer acts as the Controller and Minutes Network FZ-LLC acts as the Processor, consistent with our Privacy Policy. The Developer determines the purposes and means of processing (activating Jingle for its users), while Minutes Network™ processes that data on the Developer's behalf to provide the call termination service. This DPA sets out the terms required by Article 28(3) of the UK GDPR.

Minutes Network FZ-LLC acts as an independent controller only where required for billing, fraud prevention and legal compliance. Minutes Network FZ-LLC is also the controller for partner and website data (such as partner applications and business contact details); that processing falls outside the scope of this DPA and is described in the Privacy Policy.

3. Details of Processing

Element Details
Subject matter Provision of the Jingle call termination service
Duration For the term of the Terms of Service and any Integration Agreement
Nature and purpose Call routing, revenue calculation, fraud prevention
Categories of data subjects End Users of the Host App who activate Jingle
Types of personal data Phone numbers, pseudonymised device tokens, country / region (country-level only, derived from the user's verified phone number - no GPS or location permission), network state, audio (ephemeral, processed in real time for call routing - never recorded or stored), call metadata (timestamps, duration, routing status, and the destination number of the routed international call - not the user's personal calls or contacts), call quality metrics (aggregated), IP addresses, error and diagnostic logs
Special categories None processed
Retention Call metadata retained for 90 days for billing and fraud detection purposes, then anonymised; phone numbers deleted within 30 days of deactivation; call quality metrics retained in aggregated form for 30 days; IP addresses retained for 30 days in rolling logs; error and diagnostic logs retained for 14 days; audio is never recorded or stored. The full retention schedule is set out in the Privacy Policy

4. Processor Obligations

In accordance with Article 28(3) of the UK GDPR, the Processor shall:

  • Process Personal Data only on documented instructions from the Controller (including with regard to international transfers), unless required to do so by law - in which case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this
  • Immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection law
  • Ensure persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organisational security measures pursuant to Article 32, including TLS 1.3 encryption in transit, AES-256 encryption at rest, and role-based access control (see Section 7)
  • Engage Sub-processors only in accordance with the general authorisation, flow-down, and notification process in Section 6
  • Assist the Controller, by appropriate technical and organisational measures, in responding to requests to exercise Data Subject rights under Chapter III of the UK GDPR (see Section 10)
  • Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to the Processor
  • Delete or return all Personal Data at the end of the provision of services, at the Controller's choice, and delete existing copies unless storage is required by law (see Section 12)
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits in accordance with Section 11

5. Controller Obligations

The Controller shall:

  • Ensure it has a lawful basis (consent or legitimate interest) for processing End User data through Jingle
  • Provide clear and transparent privacy disclosures to End Users
  • Obtain valid consent before activating the Jingle Plug-In for each End User
  • Respond to data subject requests in a timely manner
  • Notify Jingle promptly of any consent withdrawals or data subject requests that affect the Service

6. Sub-processors

The Controller grants the Processor a general written authorisation to engage Sub-processors in the following categories. A full and current list of Sub-processors is available on request from privacy@jingleplugin.com:

Sub-processor Purpose Location
Cloud infrastructure provider Hosting and data storage EU / UK
Carrier interconnections Call routing Various (per destination)

The Processor shall impose data protection obligations on each Sub-processor, by way of a written contract, that are no less protective than those set out in this DPA, and remains fully liable to the Controller for the performance of each Sub-processor's obligations, in accordance with Article 28(4) of the UK GDPR.

The Processor shall notify the Controller at least 30 days before adding or replacing Sub-processors. The Controller may object in writing, on reasonable data protection grounds, within 14 days of that notice. If the objection cannot be resolved, either party may terminate the affected processing.

7. Security Measures

The Processor implements the following measures:

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
  • Access control: Role-based access, multi-factor authentication, least-privilege principle
  • Network security: Firewalls, intrusion detection, DDoS mitigation
  • Monitoring: Continuous security monitoring and logging
  • Testing: Regular vulnerability scans and annual penetration testing
  • Personnel: Security awareness training, background checks, NDAs
  • Physical: Data centres with ISO 27001 certification

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA, so that the Controller can meet its own obligations under Articles 33 and 34 of the UK GDPR. The notification shall include:

  • Nature of the breach, including categories and approximate number of affected data subjects
  • Name and contact details of the DPO or point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its possible adverse effects

Where it is not possible to provide all of this information at the same time, the Processor may provide it in phases without undue further delay, and shall cooperate with the Controller in any subsequent investigation and remediation.

9. International Transfers

Where Personal Data is transferred outside the UK/EEA, the Processor shall ensure appropriate safeguards are in place, including:

  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as issued by the Information Commissioner's Office, for restricted transfers from the UK
  • EU Standard Contractual Clauses adopted by the European Commission, for transfers originating in the EEA
  • UK adequacy regulations where applicable
  • Transfer Risk Assessments where required, with supplementary measures as identified by the risk assessment

10. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests within the statutory timeframes. The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject.

11. Audits and Information Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR. The Controller may audit the Processor's compliance with this DPA no more than once in any 12-month period - unless an audit is required by a supervisory authority or follows a Personal Data breach - on at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations. The Processor may satisfy audit requests by providing relevant independent third-party audit reports and written responses to reasonable information requests.

12. Term and Termination

This DPA is effective for the duration of the Terms of Service and any Integration Agreement. Upon termination, the Processor shall, at the Controller's election, return or delete all Personal Data within 90 days and certify deletion in writing, unless and to the extent that storage is required by applicable law - in which case the Processor shall protect the retained data and process it only for that limited purpose.

13. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, including the cap on the Company's total liability. Nothing in this DPA expands either party's liability beyond what is agreed in the Terms of Service and any Integration Agreement, except to the extent that liability cannot lawfully be limited under applicable data protection law.

14. Governing Law

This DPA is governed by the laws of the United Arab Emirates, subject to the mandatory provisions of applicable data protection legislation.

15. Contact

Data Protection enquiries: privacy@jingleplugin.com
Minutes Network FZ-LLC, Ras Al Khaimah, United Arab Emirates