Privacy Policy

We collect the following categories of data when you use SMSCode:

Account Data

• Email address (used for login and notifications).
• Password (stored as an argon2 hash — we never store plaintext passwords).

Google Sign-In Data

If you sign in with Google, we access the following data from your Google account:

• Email address — Used as your account identifier and for service communications.
• Google user ID — Used to link your Google account to your SMSCode account.

We only request the minimum scopes necessary for authentication (email and openid). We do not access your Google contacts, calendar, drive, or any other Google services.

Transaction Data

• Order history (number rentals, service, country, timestamps, status).
• Deposit history (amounts, payment method, status).
• Account balance and transaction records.

Mobile App Data

• Firebase Cloud Messaging (FCM) device tokens — Used to deliver push notifications about order updates and account activity.
• Push notification preferences (enabled/disabled).
• Device name (optional, for identifying devices in your account).

Usage Data

• IP address and approximate geolocation.
• Device and browser information (user agent).
• Server logs (request timestamps, endpoints accessed).

API Usage Data

• API request logs (endpoints, timestamps, response codes).
• Rate limit counters.

• Service delivery — Processing number rentals, managing your balance, and fulfilling orders.
• Authentication — Your email and Google user ID (if using Google Sign-In) are used solely for account authentication and identification. We do not use Google user data for advertising, profiling, or any purpose unrelated to providing the SMSCode service.
• Push notifications — FCM device tokens are used exclusively to deliver order updates, deposit confirmations, and account security alerts to your mobile device.
• Fraud prevention — Detecting and preventing abuse, unauthorized access, and policy violations.
• Analytics — Understanding usage patterns to improve platform reliability and performance.
• Support — Responding to your inquiries and resolving issues with your account or orders.
• Communication — Sending service-related notifications (order updates, security alerts). We do not send marketing emails without your consent.

• OTP codes are transient — Received SMS content (OTP codes) is displayed to you in real-time and is not stored long-term after the order expires or completes.
• Phone numbers are temporary — Rented numbers are temporary and are recycled after the rental period ends. We do not associate rented numbers with your identity beyond the active order.
• No call data — SMSCode only handles SMS verification; we do not process voice calls or call metadata.

• Payments are processed by third-party gateways (Duitku, Heleket). We do not store your credit card, bank account, or payment instrument details.
• We store transaction references (payment gateway IDs, amounts, status) for reconciliation and support purposes.
• Payment gateway providers have their own privacy policies that govern how they handle your payment information.

We share data only when necessary to provide the Service. The following is the complete list of categories of third-party processors we engage; itemized operational locations and transfer safeguards are described in Section 13 (International Data Transfer).

• Cloudflare, Inc. — content delivery network, DDoS protection, and egress networking. Processes IP addresses, request metadata, and TLS-terminated traffic in transit.
• Resend, Inc. — transactional email delivery (verification, password reset, order notifications). Processes your email address and message content.
• Upstream SMS providers — virtual number rental and inbound SMS routing. We send minimal order parameters (country, service) to fulfill rentals; we do not share your identity or account data with providers.
• Payment gateways — transaction data is shared with payment processors to complete deposits. We do not receive or store full payment-instrument details.
• Firebase Cloud Messaging (Google) — FCM device tokens are sent to Google's Firebase service to deliver push notifications. No other personal data is shared with Firebase.
• Law enforcement — We may disclose data if required by law, court order, or to protect the rights, property, or safety of SMSCode, our users, or the public.

We do not sell your personal data to third parties. We do not share your personal data with advertisers. We do not participate in any data broker or ad network. Google user data obtained through Google Sign-In is never shared with any third party and is used exclusively for authentication within SMSCode.

• Order history — Retained for reconciliation, support, and audit purposes.
• OTP/SMS content — Purged after the order expires or completes.
• Account data — Retained while your account is active.
• Server logs — Retained for up to 90 days for security and debugging purposes.
• FCM device tokens — Deleted immediately when you unregister a device or delete your account.

Account Deletion & Data Purge

You can delete your account at any time through the account settings on the web dashboard or the mobile app. When you delete your account:

• Your account is immediately soft-deleted (status set to "Deleted").
• Your remaining balance is forfeited and recorded as a final transaction.
• All active sessions (web and mobile) are revoked immediately.
• FCM device tokens and push subscriptions are deleted.
• API tokens and webhook configurations are removed.
• A 30-day re-registration cooldown applies — you cannot create a new account with the same email during this period.
• After 30 days, a scheduled task permanently purges your personally identifiable information (PII): your email is replaced with a non-identifiable placeholder, your password hash is cleared, and your Google user ID is removed.
• Transaction history and order records are retained in anonymized form for accounting and legal compliance.

• We use a single httpOnly session cookie (__session) to maintain your authenticated session. This cookie is encrypted and cannot be read by client-side scripts.
• We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
• No cookie banner is needed because we only use strictly necessary cookies for authentication.

Data Storage

• Infrastructure — All data is stored on dedicated servers operated by us. We do not use shared cloud hosting for user data.
• Database — User data is stored in PostgreSQL with access restricted to application services only.
• Encryption in transit — All traffic between you and our servers is encrypted via TLS (HTTPS).
• Session encryption — Session cookies are encrypted with AES-256-GCM.

Data Protection

• Password hashing — Passwords are hashed with argon2, a memory-hard algorithm resistant to brute-force attacks.
• CSRF protection — State-changing endpoints are protected against cross-site request forgery.
• Rate limiting — API and auth endpoints are rate-limited to prevent abuse.
• Access control — Internal services communicate via authenticated channels with secret keys. Database and cache services are isolated in a private network not accessible from the internet.

While we implement industry-standard security measures, no system is 100% secure. If you discover a vulnerability, please report it to [email protected].

You have the right to:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request correction of inaccurate personal data.
• Deletion — Delete your account and associated personal data directly from your account settings (web or mobile app). Personal data is purged within 30 days of deletion. You can also request deletion by contacting us.
• Export — Request your data in a portable format.

To exercise access, correction, or export rights, contact us at [email protected]. We will respond within 30 days.

If you are a resident of California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information in addition to the rights set out in Section 9 (Your Rights).

Right to know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collecting or disclosing it, and the categories of third parties with whom we share it. The categories we collect are detailed in Section 1 (Data We Collect).

Right to delete. You may request that we delete personal information we have collected about you, subject to certain legal exceptions (for example, to complete a transaction, detect security incidents, or comply with a legal obligation).

Right to correct. You may request that we correct inaccurate personal information we maintain about you.

Right to opt out of sale or sharing. We do not sell your personal information to third parties, and we do not share it for cross-context behavioural advertising. There is nothing for you to opt out of, but we state this explicitly so you know.

Right to limit use of sensitive personal information. We do not use sensitive personal information (as defined by the CPRA) for purposes beyond those necessary to provide the Service.

Right to non-discrimination. We will not discriminate against you for exercising any of these rights. Your Service experience will not change, and no fees, terms, or quality of service will be affected.

How to exercise. To exercise any CCPA right, contact us at [email protected]. We will verify your identity before responding and will reply within 45 days (extendable by a further 45 days where reasonably necessary).

SMSCode does not use third-party web analytics services, behavioural tracking tools, or advertising technology. Specifically:

• We do not use Google Analytics, Mixpanel, Amplitude, Hotjar, Segment, or any similar analytics service;
• We do not embed tracking pixels, marketing tags, or retargeting scripts on any page;
• We do not participate in any ad network or cross-site advertising ecosystem;
• We do not build behavioural profiles of individual users for marketing or recommendation purposes.

The only data we collect about your use of the Service is the operational data necessary to deliver and secure it: server request logs, rate-limit counters, order history, and session cookies. These are described in detail in Section 1 (Data We Collect), Section 7 (Cookies & Sessions), and Section 8 (Security Measures). Server logs are retained for up to 90 days for security and debugging purposes, then purged.

If we ever introduce analytics in the future, this Privacy Policy will be updated before the change takes effect, and you will be notified per Section 14 (Changes to This Policy).

SMSCode is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us and we will promptly delete it.

Void Zero Ltd is based in the United Kingdom, and personal data you provide is processed primarily in the UK and the European Economic Area (EEA). To deliver the Service, we use sub-processors and third-party infrastructure that may process your data in other jurisdictions, including the United States and other countries outside the UK/EEA.

Transfer mechanism

Where we transfer personal data from the UK or EEA to a country that has not received an adequacy decision from the UK Information Commissioner's Office (ICO) or the European Commission, we rely on one or more of the following safeguards:

• the UK International Data Transfer Addendum (UK IDTA) incorporated into our contracts with sub-processors;
• the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) for EU data;
• adequacy decisions in respect of jurisdictions recognized as providing an essentially equivalent level of protection (including the UK Data Bridge for qualifying US recipients under the Data Privacy Framework);
• other safeguards recognized under UK GDPR Article 46 or EU GDPR Article 46.

Onward transfer controls

All sub-processors that receive your personal data are bound by written contracts that require them to: (a) process data only on documented instructions from Void Zero Ltd; (b) implement appropriate technical and organizational security measures; (c) ensure confidentiality of personnel with access to data; (d) assist us in fulfilling data subject rights requests; and (e) delete or return data on contract termination. These obligations follow the requirements of UK GDPR Article 28 and EU GDPR Article 28.

Current sub-processor categories

Sub-processors that may process your data outside the UK/EEA include, but are not limited to:

• Cloudflare, Inc. (United States) — content delivery, DDoS protection, and egress networking;
• Resend, Inc. (United States) — transactional email delivery;
• SMS provider partners operating internationally — virtual number rental and inbound SMS routing (see Section 3);
• Payment gateways — transactional payment processing for deposits (see Section 4).

Your rights

You may request a copy of the transfer safeguards applicable to your data by contacting us at [email protected]. We will respond within 30 days as described in Section 9 (Your Rights) and GDPR Article 12.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the platform. The "Last updated" date at the top reflects the most recent revision.

For privacy-related questions or requests, contact us at [email protected].

For general support, reach us at [email protected].