This Privacy Policy explains how 9Eons Limited (“we”, “us”, “our”) processes personal data when you use the TISA Mobile application and related services. TISA Mobile provides PBX-grade calling over encrypted connections (TLS + SRTP), for business users and, in future, for consumers with limited features. We comply with the UK GDPR, the Data Protection Act 2018, PECR, and applicable Ofcom and ICO guidance.
1. Data Controller & Contact
9Eons Limited is the Data Controller for TISA Mobile.
- Address: Luminous House, 300 South Row, Milton Keynes, MK9 2FR, United Kingdom
- Email (General): hi@tisa.one
- Data Protection Officer (DPO): dpo@9eons.com
- Telephone: +44 1908 737 500
Product brand: TISA (a product of 9Eons Limited).
2. What We Collect
Depending on your account type (business or future consumer) and use of the App, we process the following categories of data:
Category | Examples | Purpose |
---|---|---|
Account & Identity | Business login (e.g., 300@company.tld) using company domain email; for future B2C: mobile number as username; profile name; company association | Authenticate access; associate user to an organisation or consumer account |
Contact & Presence | Contact sync (work contacts), BLF/presence status | Display colleague availability and enable calling |
Call Data Records (CDRs) | Calling/called party identifiers, timestamps, duration, signalling metadata | Routing, delivery, billing, security, and legal recordkeeping |
Voicemail & Recordings | Stored voicemails; call recordings (if enabled by customer) | Provide voicemail access and optional recording features |
Device & Connection | IP address, device identifiers, SIP user-agent | Maintain secure, encrypted session connectivity |
Support Correspondence | Emails or messages sent to support | Resolve technical, billing, or account queries |
We do not collect in-app analytics, crash logs, diagnostics, or marketing/tracking identifiers at this time.
We do not process personal data of external callers beyond what is technically necessary for call setup and routing.
3. Lawful Bases for Processing
Purpose | Lawful Basis |
---|---|
Provision of telecom/PBX services, authentication and access | Contract (UK GDPR Art. 6(1)(b)) |
Network security, fraud prevention, service logs | Legitimate Interests (Art. 6(1)(f)) |
Regulatory compliance and Ofcom/PECR recordkeeping | Legal Obligation (Art. 6(1)(c)) |
Optional call recording | Consent (Art. 6(1)(a)); user-controlled pause/resume |
Where consent applies, you can withdraw it at any time in the manner provided (e.g., using pause controls) without affecting processing lawfully carried out before withdrawal.
4. Call Recordings & Voicemail
- Call recordings (if enabled) and voicemails are stored in the UK region only, encrypted using AES-256-GCM.
- TISA Mobile provides in-call controls to pause/resume recording. To comply with GDPR and PCI DSS, users must pause recording when handling sensitive data (e.g., payment card data, passport numbers).
- Where legally required, appropriate call recording notices should be enabled and communicated by the customer.
Responsibility note: The customer (and end user) are responsible for using pause/resume features appropriately when sensitive information is discussed.
5. How We Use Personal Data
- Provide and maintain secure calling services (TLS signalling with Let’s Encrypt certificates; SRTP is mandatory for media).
- Authenticate users (business: unique extension + company domain email; future B2C: mobile number as username).
- Enable contact sync and presence/BLF within the app.
- Operate and protect our network, prevent fraud/abuse, and comply with legal requirements.
- Provide support in response to queries sent to hi@tisa.one.
We do not use app data for marketing or profiling and do not run in-app analytics at this time.
7. International Transfers
Our servers are located in the United Kingdom, and we operate the service within the UK. We do not routinely transfer personal data outside the UK. If a transfer becomes necessary (e.g., specific support scenarios), we will implement appropriate safeguards in accordance with UK GDPR (such as the UK IDTA or EU SCCs with the UK Addendum) and inform you where required.
8. Data Retention
- CDRs: retained for 90 days.
- Voicemails: retained for 90 days.
- Account Data after Termination: retained for up to 90 days after contract termination (unless a longer period is required by law or to resolve disputes).
After expiry of the relevant period, data is securely deleted or anonymised.
9. Security & Encryption
- In transit: TLS for signalling (using Let’s Encrypt certificates); SRTP is compulsory for audio/media.
- At rest: We use cryptography including AES-256-GCM for stored data (e.g., recordings/voicemail in UK region).
- Access Controls: Principle of least privilege, multi-tenant separation, and administrative access logging.
- App Display: Some user information (e.g., extension number, caller ID) may be shown inside the app for your convenience.
While we implement appropriate technical and organisational measures aligned with ICO/Ofcom expectations, no system can be 100% secure. Please keep your credentials confidential and notify us promptly if you suspect unauthorised access.
10. Your Rights
Under UK GDPR, you have rights including: access, rectification, erasure, restriction, objection, and data portability. You may also have the right to withdraw consent where processing relies on consent (e.g., optional call recording).
How to exercise your rights: Email hi@tisa.one with a copy to dpo@9eons.com. We may need to verify your identity and, for B2B users, confirm your request with your organisation’s administrator as appropriate.
You also have the right to complain to the UK Information Commissioner’s Office (ico.org.uk).
11. Children’s Data
TISA Mobile is intended for adults and authorised business users. We do not knowingly provide services to or collect data from children under 16.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via the app or our website. The “Last Updated” date at the top indicates the current version.
13. Contact & Complaints
- Email (General): hi@tisa.one
- Data Protection Officer: dpo@9eons.com
- Telephone: +44 1908 737 500
- Postal: 9Eons Limited, Luminous House, 300 South Row, Milton Keynes, MK9 2FR, United Kingdom
If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
14. Key Definitions
- UK GDPR: The UK General Data Protection Regulation and the Data Protection Act 2018.
- PECR: The Privacy and Electronic Communications Regulations (UK).
- Ofcom: UK communications regulator; we comply with relevant obligations and guidance.
- Processor/Sub-processor: Third parties that process personal data on our behalf under contract.
- CDR: Call Detail Record containing metadata (e.g., numbers, time, duration) required for telecom operations.