boundlesstelecom
Boundless 2.0
All legal & governance documentsLegal · data

Privacy Notice

What personal data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under UK GDPR. Article 13/14-compliant.

Version
v1.0
Effective
22 April 2026
Last reviewed
22 April 2026
Jurisdiction
United Kingdom + EEA
Owner
Data Protection Officer
Review cycle
Annual, plus on material change
UK GDPRData Protection Act 2018PECR 2003

1. Controller#

Boundless Telecom Ltd is the controller for the personal data described here. Our Data Protection Officer can be reached at dpo@boundless.tel. ICO registration number on our imprint.

2. What we collect, why, and the lawful basis (Art. 13)#

DataPurposeLawful basisRetention
Account identifiers (name, email, address, DOB)Provide the service, prove your identityContract (Art. 6(1)(b))Life of contract + 6 years (Limitations Act)
Billing dataCharge you, meet HMRC dutiesContract + Legal obligation (6(1)(b)/(c))6 years (HMRC)
Communications metadata (CDRs)Operate the network, bill, troubleshootContract + Legal obligation12 months, then anonymised
Device identifiers (IMSI, IMEI)Provision and authenticateContractFor life of SIM
Marketing preferencesSend (or not send) you marketingConsent (Art. 6(1)(a))Until withdrawn
Vulnerability self-disclosureAdjust how we serve youExplicit consent - Art. 9(2)(a)Until withdrawn
Security telemetry (Abel)Detect fraud and threatsLegitimate interest (Art. 6(1)(f))13 months
Sovereign by default. UK + EEA storage, encrypted in transit and at rest.

3. Who we share it with#

  • Sub-processors: the carrier core, payment processor (Stripe), audit storage. Full list at DPA Annex 2.
  • Regulators: when lawfully required (Ofcom, ICO, HMRC, FCA).
  • Law enforcement: only against a valid warrant - see Lawful Intercept Statement.
  • Never: advertisers, data brokers, commercial third parties.

4. Your rights (UK GDPR Arts. 15–22)#

You have the right to access, correct, erase, restrict and port your personal data, to object to certain processing, and not to be subject to solely automated decisions with legal effect. Exercise any of these from your account, or email dpo@boundless.tel. We respond within one calendar month.

You also have the right to complain to the Information Commissioner's Office.

5. International transfers#

Data primarily stays in UK + EEA. Where it is transferred outside (e.g. a sub-processor with a US footprint), we use the UK International Data Transfer Agreement plus the EU SCC Addendum and conduct a Transfer Risk Assessment. Adequacy decisions are relied on where in force.

6. Security#

Encryption in transit (TLS 1.3), encryption at rest (AES-256), least-privilege access with audited break-glass, MFA mandatory for all staff, and a 26-layer Abel control surface independently described at /security. Personal-data breaches are notified to the ICO within 72 hours and to affected individuals where the risk is high.

7. Contact & ownership#

Owner: Data Protection Officer. Reviewed annually. dpo@boundless.tel. Postal address on imprint.

Version history

VersionDateChange
v1.022 April 2026Initial publication.

This document is published by Boundless Telecom Ltd and forms part of our public legal posture. It is a living document - we update it as the regulatory environment, our supply chain or our products change. If anything here is unclear or you'd like a counter-signed copy, contact legal@boundless.tel and we'll respond within one working day.