Privacy Policy
Last updated: April 10, 2026
1. Data We Collect
We collect the following categories of data when you use SMSCode:
Account Data
- Email address (used for login and notifications).
- Password (stored as an argon2 hash — we never store plaintext passwords).
Google Sign-In Data
If you sign in with Google, we access the following data from your Google account:
- Email address — Used as your account identifier and for service communications.
- Google user ID — Used to link your Google account to your SMSCode account.
We only request the minimum scopes necessary for authentication (email and openid). We do not access your Google contacts, calendar, drive, or any other Google services.
Transaction Data
- Order history (number rentals, service, country, timestamps, status).
- Deposit history (amounts, payment method, status).
- Account balance and transaction records.
Mobile App Data
- Firebase Cloud Messaging (FCM) device tokens — Used to deliver push notifications about order updates and account activity.
- Push notification preferences (enabled/disabled).
- Device name (optional, for identifying devices in your account).
Usage Data
- IP address and approximate geolocation.
- Device and browser information (user agent).
- Server logs (request timestamps, endpoints accessed).
API Usage Data
- API request logs (endpoints, timestamps, response codes).
- Rate limit counters.
2. How We Use Your Data
- Service delivery — Processing number rentals, managing your balance, and fulfilling orders.
- Authentication — Your email and Google user ID (if using Google Sign-In) are used solely for account authentication and identification. We do not use Google user data for advertising, profiling, or any purpose unrelated to providing the SMSCode service.
- Push notifications — FCM device tokens are used exclusively to deliver order updates, deposit confirmations, and account security alerts to your mobile device.
- Fraud prevention — Detecting and preventing abuse, unauthorized access, and policy violations.
- Analytics — Understanding usage patterns to improve platform reliability and performance.
- Support — Responding to your inquiries and resolving issues with your account or orders.
- Communication — Sending service-related notifications (order updates, security alerts). We do not send marketing emails without your consent.
3. SMS & Virtual Number Data
- OTP codes are transient — Received SMS content (OTP codes) is displayed to you in real-time and is not stored long-term after the order expires or completes.
- Phone numbers are temporary — Rented numbers are temporary and are recycled after the rental period ends. We do not associate rented numbers with your identity beyond the active order.
- No call data — SMSCode only handles SMS verification; we do not process voice calls or call metadata.
4. Payment Data
- Payments are processed by third-party gateways (Duitku, Heleket). We do not store your credit card, bank account, or payment instrument details.
- We store transaction references (payment gateway IDs, amounts, status) for reconciliation and support purposes.
- Payment gateway providers have their own privacy policies that govern how they handle your payment information.
5. Data Sharing
We share data only when necessary for the service:
- Upstream SMS providers — We send order parameters (country, service) to upstream providers to fulfill number rentals. We do not share your personal information with providers.
- Payment processors — Transaction data is shared with payment gateways to process deposits.
- Firebase Cloud Messaging — FCM device tokens are sent to Google's Firebase service to deliver push notifications. No other personal data is shared with Firebase.
- Law enforcement — We may disclose data if required by law, court order, or to protect the rights, property, or safety of SMSCode, our users, or the public.
We do not sell your personal data to third parties. We do not share data with advertisers. Google user data obtained through Sign-In is never shared with any third party and is used exclusively for authentication within SMSCode.
6. Data Retention
- Order history — Retained for reconciliation, support, and audit purposes.
- OTP/SMS content — Purged after the order expires or completes.
- Account data — Retained while your account is active.
- Server logs — Retained for up to 90 days for security and debugging purposes.
- FCM device tokens — Deleted immediately when you unregister a device or delete your account.
Account Deletion & Data Purge
You can delete your account at any time through the account settings on the web dashboard or the mobile app. When you delete your account:
- Your account is immediately soft-deleted (status set to "Deleted").
- Your remaining balance is forfeited and recorded as a final transaction.
- All active sessions (web and mobile) are revoked immediately.
- FCM device tokens and push subscriptions are deleted.
- API tokens and webhook configurations are removed.
- A 30-day re-registration cooldown applies — you cannot create a new account with the same email during this period.
- After 30 days, a scheduled task permanently purges your personally identifiable information (PII): your email is replaced with a non-identifiable placeholder, your password hash is cleared, and your Google user ID is removed.
- Transaction history and order records are retained in anonymized form for accounting and legal compliance.
7. Cookies & Sessions
- We use a single httpOnly session cookie (__session) to maintain your authenticated session. This cookie is encrypted and cannot be read by client-side scripts.
- We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
- No cookie banner is needed because we only use strictly necessary cookies for authentication.
8. Security Measures
Data Storage
- Infrastructure — All data is stored on dedicated servers operated by us. We do not use shared cloud hosting for user data.
- Database — User data is stored in PostgreSQL with access restricted to application services only.
- Encryption in transit — All traffic between you and our servers is encrypted via TLS (HTTPS).
- Session encryption — Session cookies are encrypted with AES-256-GCM.
Data Protection
- Password hashing — Passwords are hashed with argon2, a memory-hard algorithm resistant to brute-force attacks.
- CSRF protection — State-changing endpoints are protected against cross-site request forgery.
- Rate limiting — API and auth endpoints are rate-limited to prevent abuse.
- Access control — Internal services communicate via authenticated channels with secret keys. Database and cache services are isolated in a private network not accessible from the internet.
While we implement industry-standard security measures, no system is 100% secure. If you discover a vulnerability, please report it to [email protected].
9. Your Rights
You have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate personal data.
- Deletion — Delete your account and associated personal data directly from your account settings (web or mobile app). Personal data is purged within 30 days of deletion. You can also request deletion by contacting us.
- Export — Request your data in a portable format.
To exercise access, correction, or export rights, contact us at [email protected]. We will respond within 30 days.
10. Children
SMSCode is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the platform. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or requests, contact us at [email protected].
For general support, reach us at [email protected].