GDPR Compliance on JustCall
GDPR Compliance on JustCall
JustCall provides tools and processes to help your business meet its obligations under the General Data Protection Regulation (GDPR). This article explains how to handle data subject requests, manage consent, and access your Data Processing Agreement.
JustCall's Role Under GDPR
- Your business is the Data Controller — you decide what personal data is collected and why.
- JustCall is the Data Processor — JustCall processes personal data on your behalf to deliver the service (calls, SMS, recordings, analytics).
This distinction matters because your business is responsible for having a lawful basis for collecting customer data. JustCall provides the technical tools to help you fulfill that responsibility.
Data Processing Agreement (DPA)
GDPR requires a written agreement between controllers and processors. JustCall provides a standard DPA.
- Go to Settings → Security → Compliance.
- Click Download DPA.
- Review the agreement. It covers data processing scope, sub-processors, security measures, breach notification, and data deletion.
- If you need a custom DPA or have specific contractual requirements, contact your Customer Success Manager or email privacy@justcall.io.
The DPA is pre-signed by JustCall. Your acceptance is recorded when you download it from the dashboard.
Handling Data Subject Requests
Under GDPR, individuals (data subjects) can request access to, correction of, or deletion of their personal data. Here is how to handle each type of request in JustCall.
Right of Access (Data Export)
To provide a data subject with a copy of their data:
- Go to Contacts and search for the individual.
- Open their contact profile.
- Click Export Contact Data. This generates a file containing:
- Contact details (name, phone, email)
- Call history (dates, durations, recordings if stored)
- SMS/MMS message history
- Voicemail transcriptions
- Download the file and provide it to the requestor.
For bulk exports across your entire account, go to Settings → Data Management → Export and select the data types to include.
Right to Rectification
To correct inaccurate data:
- Go to Contacts and find the individual.
- Edit the contact fields (name, phone number, email, custom fields).
- Click Save.
Corrected data syncs to connected CRMs automatically.
Right to Erasure (Right to Be Forgotten)
To delete an individual's data:
- Go to Contacts and find the individual.
- Click the three-dot menu (⋮) and select Delete Contact.
- Confirm deletion. This removes:
- Contact record
- Call logs associated with the contact
- SMS/MMS conversations
- Call recordings
- Voicemail recordings and transcriptions
Deletion is permanent and cannot be undone. Allow up to 30 days for complete removal from all systems and backups.
Consent Management
If you rely on consent as your lawful basis for calling or texting contacts, JustCall supports consent tracking through:
- Opt-in/Opt-out tracking. SMS opt-in and opt-out statuses are recorded per contact. See SMS Opt-In and Opt-Out.
- Do Not Message (DNM) list. Add contacts to the DNM list to prevent outbound SMS. See Add Contact to Do Not Message List.
- Call recording disclosure. Configure automatic call recording announcements under Settings → Calls → Recording Announcement to inform callers that calls are recorded.
Data Retention
| Data Type | Default Retention | Configurable |
|---|---|---|
| Call recordings | Unlimited (while account active) | Yes — set auto-delete after 30, 60, 90, or 365 days |
| SMS/MMS messages | Unlimited (while account active) | Yes — set auto-delete period |
| Call logs | Unlimited (while account active) | No — delete manually or via API |
| Voicemail recordings | Unlimited (while account active) | Yes — set auto-delete period |
| Account data | 90 days after account cancellation | No — deleted automatically |
Configure retention policies at Settings → Data Management → Retention.
Sub-Processors
JustCall uses third-party sub-processors for infrastructure and service delivery. A current list of sub-processors is available at Settings → Security → Compliance → Sub-Processors or by emailing privacy@justcall.io.
You are notified of new sub-processor additions via email. Under the DPA, you have the right to object to new sub-processors within 30 days.
Breach Notification
If JustCall becomes aware of a personal data breach affecting your data, JustCall will notify you within 72 hours, as required by GDPR Article 33. Notifications are sent to the account owner's email and include the nature of the breach, data affected, and remediation steps.
Related Articles
- JustCall Security and Compliance — SOC 2, HIPAA, ISO 27001 overview
- SMS Opt-In and Opt-Out — manage messaging consent
- Cancel Your JustCall Account — data retention after cancellation
- SMS Compliance Guide — messaging compliance beyond GDPR