Privacy Policy
MessageBlast — An Omnichannel Communication Platform by Lightup Network Solutions GmbH & Co. KG
1. Who We Are
MessageBlast is an omnichannel communication platform developed and operated by Lightup Network Solutions GmbH & Co. KG, a telecommunications operator in Germany and Switzerland.
Company Details:
| Company Name | Lightup Network Solutions GmbH & Co. KG |
|---|---|
| Registered Address | Wiesenhüttenplatz 26, 60329 Frankfurt am Main, Germany |
| Country | Germany |
| Platform | MessageBlast (messageblast.com) |
| Services Offered | SMS campaigns, Email campaigns, Voice messaging, RCS messaging, WhatsApp Business, Contact management, Template management |
| Contact Email | contact-web@messageblast.com |
MessageBlast enables businesses ("Customers") to send and manage omnichannel communications — including SMS, Email, Voice, RCS, and WhatsApp — to their end-users ("Contacts") through a unified platform. As a German-based entity, Lightup Network Solutions operates in full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable German data protection laws (Bundesdatenschutzgesetz – BDSG).
2. Scope of This Policy
This Privacy Policy applies to:
- Customers — businesses and individuals who register and use the MessageBlast platform to send communications
- Contacts — end-users whose data is uploaded by Customers to send campaigns (e.g., SMS or email recipients)
- Website Visitors — individuals who browse the MessageBlast website without creating an account
This Policy describes how Lightup Network Solutions, as the Data Controller, collects, processes, stores, and protects personal data in connection with the use of the MessageBlast platform and its associated website.
Important distinction: When Customers upload their Contacts' data to the platform for campaign delivery, Lightup acts as a Data Processor on behalf of the Customer (who is the Data Controller for that data). In such cases, the Customer's own privacy policy governs how their Contacts' data is handled. Lightup's processing of such data is governed by a separate Data Processing Agreement (DPA) made available to all Customers upon account creation.
3. What Personal Data We Collect
3.1 Data Collected from Customers (Platform Users)
When a Customer creates and uses a MessageBlast account, the following data may be collected:
- Identity data: Full name, job title, company name
- Contact data: Email address, phone number
- Account credentials: Username, encrypted password
- Billing data: Billing address, VAT/tax number, payment method details
- Usage data: Login activity, campaign history, message logs, platform feature usage, API call records
- Technical data: IP address, browser type, device type, operating system, session tokens
- Communication data: Support requests, chat messages with our team, submitted forms
3.2 Data Collected from Contacts (End-Recipients)
Contacts' data is uploaded to the platform exclusively by Customers. This data may include:
- Phone numbers (for SMS, Voice, RCS, WhatsApp campaigns)
- Email addresses (for Email campaigns)
- First name, last name, and any custom attributes defined by the Customer
- Opt-in/opt-out status and timestamps
- Message delivery and engagement data (sent, delivered, opened, clicked)
Lightup does not independently collect or control this data. The Customer is responsible for obtaining valid consent from their Contacts before uploading any personal data to MessageBlast.
3.3 Data Collected Automatically from Website Visitors
When visiting the MessageBlast website, we automatically collect:
- IP address and approximate geolocation
- Browser type and version
- Pages visited and time spent
- Referring website
- Cookie-based identifiers
4. How We Use Your Personal Data
| Purpose | Data Used | Who It Applies To |
|---|---|---|
| Account creation & management | Identity, contact, credential data | Customers |
| Platform service delivery | Usage data, contact lists, message logs | Customers & Contacts |
| Billing & invoicing | Billing and payment data | Customers |
| Customer support | Identity, contact, communication data | Customers |
| Security & fraud prevention | IP address, usage data, login activity | All |
| Product improvement & analytics | Anonymized/aggregated usage data | All |
| Marketing communications (opt-in) | Email address | Customers (with consent) |
| Legal compliance | As required by applicable law | All |
| Campaign delivery (as Processor) | Contact lists, message content | Contacts (on behalf of Customers) |
Lightup will never use Contact data uploaded by Customers for its own marketing, profiling, or commercial purposes.
5. Legal Basis for Processing
Lightup Network Solutions processes all personal data on one or more of the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the MessageBlast service to registered Customers
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, platform improvement, and direct marketing communications to existing Customers
- Legal obligation (Art. 6(1)(c)): Compliance with applicable German and EU laws (e.g., tax records, telecommunications regulations)
- Consent (Art. 6(1)(a)): Optional newsletter subscriptions, non-essential cookies, and marketing communications where consent has been explicitly given
6. Data Retention
Lightup retains personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Customer account data | Duration of the contract + 5 years |
| Billing & invoice records | 10 years (German tax law – §147 AO) |
| Message delivery logs | 12 months from delivery date |
| Support ticket records | 3 years from ticket closure |
| Security/access logs | 12 months |
| Marketing consent records | Until consent is withdrawn + 3 years |
| Website analytics (cookies) | As per Cookie Policy (typically 13 months) |
| Job applicant data (if applicable) | 6 months post-decision |
When data is no longer required, it is securely deleted or anonymized in accordance with our internal data retention procedures.
7. Who We Share Your Data With
Lightup does not sell personal data to third parties. Data is shared only in the following circumstances:
7.1 Internal Teams
Access to personal data is limited to authorized internal staff who require it to perform their role, including:
- Customer support and onboarding teams
- Technical operations and infrastructure teams
- Finance and billing teams
- Security and compliance teams
7.2 Sub-Processors and Service Providers
Lightup engages trusted third-party service providers who process data on our behalf, under strict data processing agreements:
- Cloud infrastructure providers (for platform hosting and storage)
- Payment processors (PCI-DSS compliant; full card data is not stored on our systems)
- Email and SMS gateway providers (for message delivery)
- Analytics and monitoring tools (anonymized/aggregated data only)
- Customer support ticketing systems
A full list of current sub-processors is available upon written request to privacy-web@messageblast.com.
7.3 Legal and Regulatory Authorities
Lightup may disclose personal data to competent authorities (e.g., law enforcement, regulatory bodies) when required to do so by applicable law, court order, or to protect the rights and safety of users and third parties.
7.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to applicable data protection obligations. Affected users will be notified in advance.
8. International Data Transfers
Lightup Network Solutions is headquartered in Germany and processes data primarily within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to sub-processors in the United States or other third countries), Lightup ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions by the European Commission where applicable
- Binding Corporate Rules (BCRs) where relevant
You may request details of the applicable transfer safeguards by contacting us at contact-web@messageblast.com.
9. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): Request a copy of the personal data we hold about you
- Right to Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17 GDPR): Request deletion of your data, subject to legal retention requirements
- Right to Restriction (Art. 18 GDPR): Request that we limit processing of your data in certain circumstances
- Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests, including direct marketing
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Right to Lodge a Complaint: File a complaint with your national supervisory authority
For Germany: The competent supervisory authority is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), as Lightup is registered in Frankfurt am Main, Hessen.
📧 To exercise your rights, contact us at: contact-web@messageblast.com or in writing to: Lightup Network Solutions GmbH & Co. KG, Wiesenhüttenplatz 26, 60329 Frankfurt am Main, Germany.
We will respond to all valid requests within 30 days in accordance with GDPR requirements.
10. Data Security
Lightup Network Solutions takes data security seriously and has implemented a range of technical and organizational measures to protect personal data, including:
- Encryption in transit: All data transmitted between users and the platform is encrypted using TLS 1.2+
- Encryption at rest: Sensitive data stored on our servers is encrypted
- Access controls: Role-based access management following the principle of least privilege
- Two-Factor Authentication (2FA): Mandatory for all platform accounts
- Penetration testing: Regular third-party security assessments
- Incident response: Documented procedures for detecting, reporting, and responding to data breaches within 72 hours (GDPR Art. 33)
- Data center security: Hosted in ISO 27001-certified and EU-based data centers
While we take all reasonable precautions, no system can guarantee 100% security. Customers are responsible for maintaining the security of their own account credentials and ensuring proper access controls for their team members.
11. Cookies and Tracking Technologies
The MessageBlast website and platform use cookies and similar technologies to ensure proper functionality and improve user experience.
| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Session management, authentication, security | No |
| Functional | User preferences, language settings | No |
| Analytics | Measuring website usage (anonymized) | Yes |
| Marketing | Targeted advertising, remarketing | Yes |
Users can manage their cookie preferences via the cookie consent banner displayed on first visit, or by adjusting browser settings. Disabling certain cookies may affect platform functionality.
12. Children's Privacy
The MessageBlast platform is intended exclusively for use by businesses and professionals (B2B). We do not knowingly collect personal data from individuals under the age of 16. If we become aware that personal data from a minor has been submitted without appropriate parental consent, we will take immediate steps to delete it.
13. Third-Party Links
The MessageBlast platform and website may contain links to third-party websites, integrations, or services. Lightup is not responsible for the privacy practices of these third parties. We encourage users to review the privacy policies of any third-party services they access through or in connection with MessageBlast.
14. Changes to This Policy
Lightup Network Solutions may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When material changes are made, we will:
- Update the "Last Updated" date at the top of this document
- Notify registered Customers by email or via an in-platform notification
- Post the updated Policy on our website
Continued use of the MessageBlast platform after the effective date of any update constitutes acceptance of the revised Policy.
15. Contact Us & Data Protection Officer
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us:
Lightup Network Solutions GmbH & Co. KG
Wiesenhüttenplatz 26, 60329 Frankfurt am Main, Germany
📧 contact-web@messageblast.com
🌐 www.messageblast.com
Hessian Commissioner for Data Protection and Freedom of Information (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
🌐 https://datenschutz.hessen.de
16. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Data Controller | The entity that determines the purposes and means of processing personal data |
| Data Processor | An entity that processes personal data on behalf of the Data Controller |
| Processing | Any operation performed on personal data (collection, storage, use, transmission, deletion, etc.) |
| GDPR | Regulation (EU) 2016/679 — the EU General Data Protection Regulation |
| BDSG | Bundesdatenschutzgesetz — the German Federal Data Protection Act |
| EEA | European Economic Area — EU member states plus Norway, Iceland, and Liechtenstein |
| DPA | Data Processing Agreement — contract between Controller and Processor under GDPR Art. 28 |
| Customer | A business or individual that has registered for and uses the MessageBlast platform |
| Contact | An end-user whose data is uploaded by a Customer to the platform for campaign delivery |
| 2FA | Two-Factor Authentication — a security mechanism requiring two forms of identity verification |
This Privacy Policy was prepared in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the German Federal Data Protection Act (BDSG). It is intended as a working draft and should be reviewed by qualified legal counsel before publication.