1. Introduction & Scope
This Privacy Policy ("Notice") applies when smsroute acts as a data controller with respect to the personal data of our customers, prospective customers, and end users. It does not apply to the processing activities of mobile operators, carriers, or other third parties that receive data in their capacity as independent controllers.
Who This Notice Covers
- Customers — organisations or individuals who create an smsroute account to send or receive SMS messages via our gateway.
- Prospective Customers — individuals visiting our website or evaluating our service prior to account creation.
- End Users — individuals who receive SMS messages sent by our customers through the smsroute gateway.
Data Controller
smsroute is the data controller for the personal data described in this Notice. Our operating entity and contact details are provided in the How to Contact Us section below.
Service-Specific Notices
This Notice covers the smsroute SMS gateway service as offered on smsroute.cc. Supplemental privacy information may apply to specific features or integrations; such supplements will be provided at the point of enrollment.
2. What Personal Data We Process
We collect personal data from three main sources: data you provide directly, data collected automatically through your use of our services, and data received from third parties.
Table 1 — Data You Provide Directly
| Category | Examples |
|---|---|
| Account Data | Email address, API key identifier, account preferences, webhook URLs, sender-ID registrations, delivery-receipt settings |
| Payment Data | Crypto wallet address at time of deposit (logged for ledger and fraud-detection purposes; not linked to on-chain activity outside the deposit transaction) |
| Support Correspondence | Emails or support tickets submitted to privacy@smsroute.cc or support@smsroute.cc |
Table 2 — Data Collected Automatically
| Category | Examples |
|---|---|
| API Request Metadata | Request timestamp, endpoint, source IP address, HTTP status code, response size — retained for debugging, rate-limiting, and abuse prevention |
| Delivery Receipt Metadata | Destination phone number (MSISDN in E.164 format), sender ID, submission timestamp, carrier-acknowledgement timestamp, delivery status (accepted, delivered, rejected, failed, expired), routing metadata (POP of origin, terminating carrier, segment count, billed price in USD) |
| Session Data | Standard session cookie for authenticated dashboard state; CSRF token; theme preference cookie (where enabled by the user) |
Table 3 — Message Bodies (SMS Content)
Message bodies pass through our routing engine to the destination carrier and are not retained past 24 hours by default. They are held temporarily in encrypted transient storage solely to support delivery retries on carrier-level timeouts and to allow customers to reproduce support tickets.
Exceptions to the 24-hour default apply only when: (a) a message is under active investigation for fraud, spam, or abuse to comply with a carrier complaint or legal process; (b) a customer has explicitly enabled extended-retention debugging for a bounded window; or (c) we are compelled by a lawful order in a jurisdiction with effective process against smsroute.
We do not mine message bodies for analytics, marketing, or product development.
3. How and Why We Use Your Data
We use the personal data described in Section 2 for the following purposes, under the legal bases indicated. Not all bases apply to every processing activity; the applicable basis depends on the specific purpose.
Table 4 — Processing Purposes and Legal Basis
| Purpose | Legal Basis (GDPR Art. 6) | Notes |
|---|---|---|
| Service operation and message routing | Performance of contract (Art. 6(1)(b)) | Necessary to deliver SMS to the correct carrier and return delivery receipts |
| Billing, ledger reconciliation, and usage exports | Performance of contract (Art. 6(1)(b)) | Necessary to credit top-ups and debit per-message charges |
| Account authentication and API key management | Performance of contract (Art. 6(1)(b)) | API keys are hashed at rest; not recoverable after creation |
| Rate-limiting and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Detecting compromised API keys, credential-stuffing, spam patterns, and traffic violating carrier acceptable-use policy |
| Compliance with lawful carrier complaints and regulator inquiries | Legal obligation (Art. 6(1)(c)) | We disclose the minimum data responsive to the specific request |
| Supporting customer compliance obligations (e.g., delivery-receipt logs as evidence) | Legitimate interest (Art. 6(1)(f)) | Where delivery-receipt logs are required by the customer's regulators |
| Aggregate, de-identified routing analytics (median latency, success rate, per-country delivery profiles) | Legitimate interest (Art. 6(1)(f)) | Individual customer content is not used for product analytics |
| Sending transactional notifications (account confirmation, security alerts, price-change notices) | Performance of contract (Art. 6(1)(b)) | Sent to the email address on the account record |
| Security incident notification to affected account holders | Legal obligation (Art. 6(1)(c)) | GDPR requires notification to supervisory authority within 72 hours; high-risk incidents notified to affected individuals |
4. How We Disclose Personal Data
We do not sell or rent personal data to marketing platforms, ad exchanges, lead-generation services, or data brokers. We do not share customer lists, send history, or delivery-receipt data with data brokers or ad-tech companies.
Table 5 — Data Recipient Categories
| Recipient | Data Shared | Purpose |
|---|---|---|
| Mobile Operators and Carriers | Destination MSISDN, sender ID, and message body required to deliver the SMS | Message delivery — these recipients act as independent controllers for their own processing activities |
| Cryptocurrency Payment Processors | Deposit wallet address, transaction hash, transaction amount (USD equivalent) | Processing crypto deposits and crediting the account ledger |
| Customer-Designated Webhook Endpoints | Delivery-receipt callbacks (status, timestamp, metadata) as configured by the customer | Customer's own integrations and analytics |
| Regulatory and Law Enforcement Authorities | Minimum data responsive to a lawful subpoena, court order, or regulator directive issued by an authority with effective process against smsroute | Legal compliance — where legally permitted we notify the affected account holder before disclosure |
5. International Transfers
smsroute operates a globally distributed service. Data may be processed at any of our three points of presence (Frankfurt, Singapore, São Paulo) and replicated to a central billing ledger for accounting purposes.
When we process personal data on behalf of an EU customer sending to EU destinations, smsroute acts as a processor under GDPR Art. 28, and the customer is the controller. The following transfer safeguards are in place:
- Standard Contractual Clauses (SCCs) — EU Commission-approved SCCs are incorporated by reference into our Data Processing Addendum and are available on request for all customers.
- UK Transfer Mechanisms — For UK customers, the IDTA or UK SCC addendum applies as appropriate.
- Swiss Transfers — The FDPIC-recognised SCC variant applies to transfers from Switzerland.
- Brazil Transfers — SCCs for Brazil transfers are available on request.
Where smsroute certifies under an adequacy decision or applicable international framework (such as the EU-U.S. Data Privacy Framework or equivalent), that certification will be referenced in our Data Processing Addendum.
6. Data Security & Retention
Security Measures
- TLS in transit — The API enforces TLS 1.2+ and prefers TLS 1.3. The dashboard enforces HSTS with a one-year max-age and includeSubDomains flag.
- Encryption at rest — All account records, delivery-receipt metadata, and transient message-body storage are encrypted at rest using AES-256 with keys managed in an HSM-backed key vault.
- API authentication — API keys are hashed at storage (never recoverable after creation). Webhooks support HMAC signatures so you can verify callback authenticity.
- Access controls — smsroute staff access to production data is role-based, audit-logged, and scoped to the minimum needed for the specific operational task.
- Incident response — Security incidents affecting personal data are notified without undue delay. GDPR requires notification to the supervisory authority within 72 hours; high-risk incidents are notified to affected individuals.
Retention Schedule
| Data Category | Retention Period | Reason |
|---|---|---|
| Message Bodies | Up to 24 hours (default) | Operational retries, support ticket reproduction |
| Delivery-Receipt Metadata | 90 days | Dispute resolution, carrier-complaint response, customer-facing reporting |
| API Request Logs | 90 days | Debugging, abuse investigation |
| Account Record (email, settings) | Active account plus 90 days after closure | Reactivation, post-closure support |
| Billing and Ledger Records | 7 years | AML and tax audit requirements applicable to payment-handling entities |
| Support Correspondence | Resolution period plus 1 year | Audit, recurrence detection |
7. Privacy Rights & Choices
smsroute honours the rights described below regardless of whether the specific legal framework technically applies to a given account, subject to the retention carve-outs in Section 6.
Table 6 — Rights by Jurisdiction
| Right | GDPR / EEA | UK GDPR | CCPA / CPRA (California) | LGPD (Brazil) | Other |
|---|---|---|---|---|---|
| Access — request a copy of personal data held about you | Art. 15 | Art. 15 | Right to Know | Art. 18 | Honoured |
| Rectification — correct inaccurate data | Art. 16 | Art. 16 | Right to Correct | Art. 18 | Honoured |
| Erasure — delete data no longer necessary for its collected purpose (subject to legal-retention carve-outs) | Art. 17 | Art. 17 | Right to Delete | Art. 18 | Honoured |
| Restriction of processing | Art. 18 | Art. 18 | — | Art. 18 | Honoured |
| Portability — receive data in a structured, machine-readable format | Art. 20 | Art. 20 | Right to Data Portability | Art. 18 | Honoured |
| Objection to processing based on legitimate interest | Art. 21 | Art. 21 | — | Art. 18 | Honoured |
| Opt out of sale or sharing | Art. 21 | Art. 21 | Right to Opt Out — smsroute does not sell or share | Art. 18 | Affirmed |
| Lodge a complaint with supervisory authority | Art. 77 | Art. 77 | Right to file complaint with California AG | Art. 18 | Honoured |
| Non-discrimination for exercising rights | — | — | Right to Non-Discrimination | — | Affirmed |
Additional Jurisdictions
Equivalent rights of access, correction, and (where applicable) withdrawal of consent are honoured under the same request channel for users in Singapore (PDPA), Malaysia (PDPA), Switzerland, Canada (PIPEDA), and Australia (Privacy Act 1988).
How to Exercise Your Rights
Email privacy@smsroute.cc from your account address. Unverified requests are rate-limited. A signed message from a wallet previously used to top up is sufficient additional authentication. We respond within 30 days, extendable by 60 days for complex requests with notice.
8. Children’s Privacy
The smsroute service is not directed to children under the age of digital consent applicable in your jurisdiction. We do not knowingly collect personal data from children.
- United States / UK: Under 13 (COPPA / Children's Code)
- European Economic Area: Under 16 (or the age set by the relevant Member State)
- Other jurisdictions: The age of digital consent as defined by local law
If you believe a child has created an smsroute account, contact us at privacy@smsroute.cc with the subject line "Children" and we will investigate and delete the account.
9. Cookies & Tracking Technologies
The smsroute website uses only the following categories of cookies and tracking technologies:
Cookie Categories
| Category | Purpose | Opt-Out |
|---|---|---|
| Required | Session cookie for authenticated dashboard state; CSRF token; theme preference cookie (where enabled). These are essential for the service to function and cannot be disabled. | Not available (required) |
| Functional | Remember user preferences such as dashboard theme. These improve usability but are not essential. | Available via browser settings or preference cookie where applicable |
| Analytics | A self-hosted, IP-anonymised event log used for basic product usage measurement. Does not use cookies and does not fingerprint the browser. | N/A (no cookies used) |
What We Do NOT Use
We do not set advertising cookies, retargeting pixels, social-network tracking tags (no Meta pixel, no LinkedIn Insight tag, no TikTok pixel), or cross-site analytics cookies that link browsing history across unrelated domains.
Browser Controls
Most browsers allow you to block or delete cookies via their settings. The following industry opt-out tools are also available:
- Global Privacy Control (GPC) — A signal sent by participating browsers and extensions that opts you out of targeted advertising.
- Do Not Track (DNT) — A browser setting that requests websites not to track you.
- Your Online Choices, NAI, Digital Advertising Alliance — Industry opt-out mechanisms for participating companies.
10. Service-Specific Notices
SMS Gateway — Our Role as a Processor
When you use smsroute to send SMS messages, we act as a data processor with respect to the content of those messages and the destination phone numbers. You (the customer) are the controller with respect to the purpose and means of processing those messages. This means:
- You are responsible for ensuring you have the legal right to send SMS to the destination phone numbers (e.g., valid consent where required by applicable law).
- You are responsible for compliance with applicable telecommunications regulations, including anti-spam laws, calling/ texting ID laws, and carrier acceptable-use policies.
- smsroute does not use message content for any purpose other than routing and (where applicable) fraud/abuse investigation under the circumstances described in Section 2.
Extended Retention for Enterprise Customers
Where a high-volume customer negotiates a written Master Services Agreement (MSA), additional information may be requested under that MSA for settlement and compliance purposes. That collection is governed by the MSA, not this default policy.
11. How to Contact Us
Privacy and Data Subject Requests
Privacy Inquiries & Data Subject Requests
Response within 30 days; extendable by 60 days for complex requests with notice.
Legal Process and Regulatory Requests
We respond to lawfully issued requests from authorities with effective process against our operating entity.
Data Protection Officer
For matters requiring the attention of a Data Protection Officer, contact privacy@smsroute.cc.
Physical Address
smsroute operates globally with points of presence in Frankfurt, Singapore, and São Paulo. For written correspondence, contact privacy@smsroute.cc to obtain the current operating address.
12. Resolving Complaints
If you have concerns about how smsroute handles your personal data, we encourage you to contact us directly so we can address your issue.
Three-Step Resolution Process
- Contact us first. Email privacy@smsroute.cc. We aim to respond within 30 business days.
-
Contact your local data protection authority. If
you are not satisfied with our response, or if you believe our
processing violates applicable data protection law, you have the
right to lodge a complaint with the relevant supervisory
authority:
- EEA (EU): The supervisory authority in your Member State — for Ireland, the Data Protection Commission (DPC).
- UK: The Information Commissioner’s Office (ICO).
- Brazil: The Autoridade Nacional de Proteção de Dados (ANPD).
- California (USA): The California Attorney General.
- Seek legal remedy. Nothing in this Notice restricts your right to seek legal remedies through the courts.
13. Changes to This Notice
We may modify this Privacy Notice from time to time. Material changes — including changes to the categories of personal data we collect, the purposes for which we use it, the recipients with whom we share it, or your rights — take effect no earlier than 30 days after notice is provided via:
- A banner displayed on the smsroute dashboard on first login after the change, and
- An email to the account-of-record address.
Archived versions of this Notice are available on request by contacting privacy@smsroute.cc.