What is Personally Identifiable Information (PII)?

As businesses increase the collection and storage of individuals' data, individuals and regulators want greater transparency about how these businesses use and safeguard that data. This led to various jurisdictions passing legislation that limits the use, distribution, and accessibility of PII, while requiring businesses to seek consent in collecting data and securing it after collection.

PII is a legal, rather than technical, concept. Legislation around PII varies across different jurisdictions. These include:

• Global privacy laws: GDPR in the European Union
• Industry laws: HIPAA and PCI in the United States
• State or provincial laws: CCPA, CPRA, CalOPPA
• Regional data breach laws

These and other regulations define PII in their contexts, so PII definitions differ by use case. For example: IP addresses might or might not be considered PII, depending on the jurisdiction or your use case.

Twilio treats customer data management as a serious matter. To keep your data safe and secure, Twilio employs software, configurations, processes, and guidelines for managing data. Inside Twilio systems, PII gets managed in different ways.

• Twilio wants you to know what data it manages as PII in its systems.
• Twilio provides a Data Protection Addendum. This extends the specification of your legal relationship with Twilio and clarifies how Twilio manages data on your behalf.
• European users should explore the Twilio GDPR Program. This clarifies how Twilio manages data where some or all of your data might originate in Europe.

To remove or encrypt PII, Twilio offers features that redact phone numbers, message body contents, and encrypt call recordings.

Twilio manages API properties marked as PII in its API documentation. Twilio implements appropriate technical and organizational security controls as appropriate to the risk associated with that data.

When Twilio needs data for statistical analysis, reporting, and capacity planning, Twilio anonymizes or removes values with PII first. Twilio treats values like names, your end users' phone numbers, or voice call and chat transcriptions as containing PII. Twilio manages the phone numbers that you rent, whether a long code or short code, differently from non-Twilio numbers. Twilio owns the rented phone numbers.

For each property marked as PII, Twilio also marks it with a Minimum Time to Live (MTL), expressed in days. This specifies how many days after creation Twilio systems store that data for carrier reconciliation, tax management, or other required business purpose. Outside of the MTL, Twilio applies deletion API requests immediately. The deleted data could remain in backups and other interconnected systems for up to 30 days.

If you have special retention requirements, contact the Twilio support team or your success manager for potential options.

When you leave Twilio following a reasonable grace period, Twilio anonymizes or removes all PII data from its systems within 30 days, or longer if the MTL exceeds 30 days.

In addition to the MTL, Twilio may also retain PII for specific regulatory, mitigation, legal, or investigative concerns. These include, but are not limited to:

• Detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse
• Litigation, law enforcement requests, or government investigations

Twilio stores properties marked with "Not PII".

• Twilio might use these for counting or other operations as Twilio runs its systems.
• Twilio can't redact or remove most of these properties.
• You might be able to control the data in these properties in some instances
• You should never place PII in properties marked "Not PII".
• Twilio doesn't treat this data as PII, and its value may be visible to Twilio employees, stored long-term, and may continue to be stored after you've left Twilio's platform.

If you need to put PII in these properties, contact Twilio Support for data management alternatives.

To better understand data privacy at Twilio, see these resources:

• Read more about what Twilio is doing to protect your data
• Familiarize yourself with the Twilio privacy policy
• Read about Twilio and the General Data Protection Regulation (GDPR)