Last updated 10 July 2026
Data protection & GDPR
If you run a business on TurnUpText, you are the data controller for your customers' details and we are your processor. This page explains what that means in practice, how long data lives, and how deletion works.
The controller / processor split, in plain English
Under UK GDPR, the controller decides why and how personal data is used; the processorhandles it on the controller’s instructions.
- You are the controllerfor your customers’ names, mobile numbers, email addresses, and appointment details. You collected them, you decide to send reminders, and you are responsible for having a lawful basis to contact each customer. For appointment reminders to your own customers, that basis is usually “legitimate interests” or performance of your contract with them: service messages, not marketing.
- TurnUpText is your processorfor that data. We store it, render your message templates, and pass messages to our SMS and email providers, nothing else. We never use your customers’ details for our own purposes and never contact them except with the reminders you schedule.
- TurnUpText is the controller for your own account and billing data, as described in the privacy policy.
Our terms of service and the privacy policy together set out the processing terms: we act only on your documented instructions, keep the data confidential, use the subprocessors listed in the privacy policy, help you respond to data subject requests, and delete data as described below.
Retention schedule
| Data | Kept for |
|---|---|
| Customers, appointments, message history | 12 months, then deleted or anonymised automatically |
| Account and business details | Until you delete your account |
| Billing records (top-ups, Stripe references) | As required by UK tax and accounting law (normally 6 years) |
| Security and delivery logs | Rolling short-term windows, then deleted |
The operational retention period exists so your appointment history and delivery records stay useful without hoarding data. Anything past it goes without you lifting a finger.
Deletion: always available, from the app
You never need to email us to delete data:
- Delete a customer from their profile: their contact details go immediately, and pending messages to them are cancelled.
- Delete an appointment from the calendar: unsent reminders for it are cancelled.
- Delete your account from Account Settings: your business, customer and appointment data is removed; only the minimal billing records the law requires us to keep survive.
If one of your customers asks you to erase their data, deleting them in TurnUpText discharges the TurnUpText part of that request.
Security practices
Our practices are aligned with the UK Cyber Essentials scheme:
- Least privilege: every account’s data is isolated at the database layer (row-level security), so one business can never read another’s data, and internal access is restricted to what operating the service requires.
- Encryption: in transit via TLS everywhere, and at rest through our infrastructure providers (Supabase on AWS).
- Minimal data: we only ask for what reminders need: a name, a UK mobile number, and optionally an email address.
- No card data: payments are handled entirely by Stripe; card details never touch our systems.
- Abuse controls: rate limits, duplicate-send protection, and an emergency stop protect recipients from misdirected or runaway sending.
Questions
Data protection questions, subprocessor queries, or requests we can help with: hello@turnuptext.co.uk. Your customers can also read how their data is handled in the privacy policy.