1.Our posture, in one paragraph
smsroute is a transit-layer A2P SMS gateway. We hold the minimum personal data required to operate the service and bill for it, we do not build marketing profiles of our customers, we do not share data with third-party brokers or ad networks, and we do not retain message bodies beyond a short operational window. The rest of this document says the same thing in more detail.
2.Data we collect
2.1 From account holders (our direct customers)
- Email address at signup — used to send the account-confirmation link, transactional dashboard notifications, security alerts, and price-change notices. You choose this address; we do not require a corporate domain or a verified mail server.
- Crypto wallet addresses seen at payment time — the from-address on incoming deposits is logged to the ledger for accounting and fraud-detection purposes. We do not link on-chain activity outside the deposit transaction to your account.
- API request metadata — request timestamp, endpoint, source IP, HTTP status, and response size, retained for debugging, rate-limiting, and abuse prevention.
- Account settings — API keys (hashed at rest), sender-ID registrations, webhook URLs, and delivery-receipt preferences.
- Support correspondence — emails to support or privacy are kept for the resolution window plus one year for audit.
2.2 From each delivered SMS
- Destination phone number (recipient MSISDN in E.164);
- Sender ID (the alphanumeric or numeric from-string declared by the customer);
- Timestamp of submission and of carrier acknowledgement;
- Delivery status (accepted, delivered, rejected, failed, expired) as reported by the destination carrier;
- Routing metadata (POP of origin, carrier terminated to, segment count, billed price in USD).
2.3 Message bodies
Default: not retained past 24 hours. Message bodies pass through our routing engine to the destination carrier and are discarded once the carrier acknowledges receipt or the retry window closes. We hold bodies for up to 24 hours in encrypted transient storage to support redelivery on carrier-level timeouts and to allow customers to reproduce support tickets against a specific send.
Exceptions. A message body may be retained beyond 24 hours only if (a) the message is under active investigation for fraud, spam, or abuse and we need to preserve evidence to comply with a carrier complaint or a legal process, (b) the customer has explicitly enabled extended-retention debugging on their account for a bounded window, or (c) we are compelled by a lawfully issued order in a jurisdiction with effective process against smsroute. We do not mine message bodies for analytics, marketing, or product development.
3.How we use the data
- Service operation. Routing messages to the correct carrier, returning delivery receipts, authenticating API requests, enforcing rate limits.
- Billing and accounting. Crediting top-ups, debiting per-message charges, producing usage exports, reconciling the ledger.
- Fraud prevention. Detecting compromised API keys, credential-stuffing attacks against the dashboard, patterns consistent with spam campaigns or phishing, and traffic that violates carrier acceptable-use policy.
- Compliance. Responding to lawful carrier complaints and regulator inquiries (with the minimum data responsive to the specific request), supporting the customer's own compliance obligations where delivery-receipt logs are required as evidence.
- Service improvement. Aggregate, de-identified routing analytics — median latency per corridor, success rate per carrier, per-country delivery profiles. We do not use individual customer content for product analytics.
4.Data we do NOT collect
smsroute makes a deliberate posture choice to minimise the personal-data surface. At signup and through ordinary Service use, we do not collect:
- KYC documentation — no government-issued ID, no passport, no driver's licence, no utility bill;
- Selfie photographs, biometric scans, or liveness video;
- Date of birth;
- Physical street address or delivery address;
- Business registration documents, articles of incorporation, beneficial-ownership disclosures;
- Tax identification numbers (SSN, EIN, VAT, NIP, RFC, CNPJ, PAN, etc.);
- Phone number of the account holder (account authentication is email + API key, not SMS-2FA on the account itself);
- Browser fingerprints beyond a standard session cookie.
Where a high-volume customer negotiates a written Master Services Agreement, additional information may be requested under that MSA for settlement and compliance purposes — that collection is governed by the MSA, not this default policy.
5.Data we do NOT share
- No third-party marketing. We do not sell or rent customer data to marketing platforms, ad exchanges, or lead-generation services.
- No data brokers. We do not share customer lists, send history, or delivery-receipt data with data brokers.
- Operator routing is per-message, not per-customer. Mobile operators see the destination MSISDN, sender ID, and message body required to deliver the SMS; they do not see a customer identifier, a balance state, or aggregated customer-level data.
- No ad-tech. The smsroute website does not carry advertising pixels, retargeting tags, or social-platform tracking.
We share the minimum data responsive to a lawful process (subpoena, court order, regulator directive issued by an authority with effective process against smsroute). Where legally permitted we notify the affected account holder before disclosure.
6.Retention
| Data category | Retention | Reason |
|---|---|---|
| Message bodies | Up to 24 hours (default) | Operational retries, support reproduction |
| Delivery-receipt metadata | 90 days | Dispute resolution, carrier-complaint response, customer-facing reporting |
| API request logs | 90 days | Debugging, abuse investigation |
| Account record (email, settings) | Active plus 90 days after closure | Reactivation, post-closure support |
| Billing / ledger records | 7 years | AML / tax / audit requirements applicable to payment-handling entities |
| Support correspondence | Resolution + 1 year | Audit, recurrence detection |
7.Your rights
Depending on your jurisdiction, you have some or all of the following rights. smsroute honours these rights regardless of whether the specific legal framework applies to a given account, subject to the retention exceptions in Section 6 (we cannot, for example, delete billing ledger entries we are required to keep for 7 years under AML/tax law).
7.1 GDPR (EU) and UK-GDPR
- Access — request a copy of the personal data we hold about you (Art. 15);
- Rectification — correct inaccurate data (Art. 16);
- Erasure — request deletion of data no longer needed for the purposes it was collected, subject to legal-retention carve-outs (Art. 17);
- Restriction of processing (Art. 18);
- Portability — receive the data in a structured, machine-readable format (Art. 20);
- Objection to processing based on legitimate interest (Art. 21);
- Lodge a complaint with your supervisory authority.
7.2 CCPA / CPRA (California)
- Right to know what categories of personal information we collect, sources, purposes, and recipients;
- Right to delete personal information held about you (subject to statutory exceptions);
- Right to correct inaccurate information;
- Right to opt out of sale or sharing — smsroute does not sell or share personal information in the CPRA sense;
- Right to limit use of sensitive personal information;
- Right to non-discrimination for exercising these rights.
7.3 LGPD (Brazil)
Confirmation of processing, access, correction, anonymisation, portability, deletion, information on sharing, and the right to revoke consent (LGPD Art. 18).
7.4 Singapore PDPA, Malaysia PDPA, Switzerland, Canada (PIPEDA), Australia Privacy Act
Equivalent rights of access, correction, and (where applicable) withdrawal of consent are honoured under the same request channel.
7.5 Exercising your rights
Email privacy@smsroute.cc from your account address. Unverified requests are rate-limited; a signed message from a wallet previously used to top up is sufficient additional authentication. Response within 30 days, extendable by 60 for complex requests with notice.
8.International data transfers
smsroute runs a globally distributed service. Data may be processed at any of our three POPs (Frankfurt, Singapore, São Paulo) and replicated to a central billing ledger. When we process personal data on behalf of an EU customer sending to EU destinations, smsroute acts as a processor under GDPR Art. 28 and the customer is controller. Standard Contractual Clauses are available on request for enterprise customers. For UK customers, the IDTA or UK SCC addendum applies; for Swiss customers, the FDPIC-recognised SCC variant.
9.Security
- TLS in transit — the API enforces TLS 1.2+ and prefers TLS 1.3; the dashboard enforces HSTS with a one-year max-age and includeSubDomains flag.
- Encryption at rest — all account records, delivery-receipt metadata, and transient message-body storage are encrypted at rest using AES-256 with keys managed in an HSM-backed key vault.
- API authentication — API keys are hashed at storage (never recoverable after creation); webhooks support HMAC signatures so you can verify callback authenticity.
- Access controls — smsroute staff access to production data is role-based, audit-logged, and scoped to the minimum needed for the specific operational task.
- Incident response — if a security incident affects your personal data, we will notify you without undue delay and in any event within the window required by applicable law (GDPR: 72 hours to the supervisory authority; timing to affected individuals where high risk).
Certifications and claims we do NOT make. smsroute does not currently hold SOC 2, ISO 27001, PCI-DSS, or HIPAA certification. We do not claim to be a HIPAA Business Associate and will not sign a BAA. Customers with regulated-industry requirements should evaluate fit before onboarding.
10.Cookies
The smsroute website uses only minimal technical cookies necessary for operating the dashboard: a session cookie for authenticated state, a CSRF token, and (where enabled by the user) a preference cookie for dashboard theme. We do not set advertising cookies, retargeting pixels, social-network tracking tags (no Meta pixel, no LinkedIn Insight tag, no TikTok pixel), or cross-site analytics cookies that link browsing history across unrelated domains. A self-hosted, IP-anonymised event log is used for basic product usage measurement; it does not use cookies and does not fingerprint the browser.
11.Children
The Service is not directed to children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has created an smsroute account, email privacy@smsroute.cc and we will investigate and delete the account.
12.Contact
Privacy questions, data-subject requests, and complaints: privacy@smsroute.cc.
General support: support@smsroute.cc.
Legal process: please contact privacy@smsroute.cc; smsroute responds to lawfully issued requests from authorities with effective process against our operating entity.
13.Changes to this policy
We may modify this Privacy Policy from time to time. Material changes take effect no earlier than 30 days after notice via dashboard banner and email to the account-of-record address. Archived versions are available on request.