1. Who we are
SMSPin ("we", "us", "SMSPin") operates an online SMS verification service at smspin.io. We are the data controller for the personal data described in this policy. Contact us at [email protected].
2. What we collect
Account data
- Email address and hashed password
- Account role (user, operator, admin) and plan
- Optional: display name, avatar, two-factor authentication secret
Billing data
- Top-up history, account balance, invoice metadata
- Payment method identifiers from our processors (Stripe, crypto gateways). We never see or store full card numbers.
Usage data
- Orders you place (country, app, timestamp, cost) and their status
- OTP codes received through our service, retained only while needed to deliver them to you
- API requests you make (endpoint, timestamp, IP, response code)
Technical data
- IP address, user-agent, device fingerprints used for fraud prevention and rate limiting
- Server logs and error telemetry
3. What we do NOT collect
- Your real personal phone number — we never need it
- Government ID, unless legally required for payout recipients (operators)
- Contents of SMS messages that are not directed to numbers you have purchased
4. Why we use it
- Service delivery — to issue virtual numbers, route SMS, and display OTP codes to you in real time.
- Billing — to charge, refund, and reconcile balances.
- Security & fraud prevention — to detect abuse, stop automated attacks, and protect operators.
- Product improvement — aggregate, anonymized analytics to improve routing and deliverability.
- Legal compliance — to meet tax, anti-money-laundering, and law enforcement obligations where applicable.
5. Legal bases (GDPR)
We process your data under one or more of: (a) performance of our contract with you, (b) your consent (e.g. marketing emails), (c) our legitimate interests (security, fraud prevention, service improvement), and (d) compliance with legal obligations.
6. Retention
- Received OTP codes: up to 5 minutes after delivery, then deleted
- Order records: 24 months (for support and refunds), then anonymized
- Billing records: 7 years, as required by tax law
- Server logs: 30 days for operational logs, 12 months for security logs
- Closed accounts: anonymized within 90 days of a deletion request, except data we must retain by law
7. Sharing
We share data only with processors who help us run the service:
- Payment processors (Stripe, crypto gateways)
- Cloud infrastructure (hosting, CDN, email delivery)
- Upstream SMS suppliers that route numbers (only the data needed to fulfill a request)
- Law enforcement, if we receive a valid, binding legal request
We never sell your personal data.
8. International transfers
Our infrastructure runs in the EU and US. Where we transfer data outside your region, we rely on Standard Contractual Clauses or equivalent safeguards.
9. Your rights
Depending on your jurisdiction, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (right to erasure)
- Port your data to another service
- Object to or restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with your local data protection authority
Email [email protected] to exercise any of these rights. We respond within 30 days.
10. Security
Passwords are hashed with bcrypt (12 rounds). Sessions are signed JWTs stored in httpOnly cookies. All traffic runs over TLS 1.2+. We use role-based access controls internally and audit access to sensitive systems.
11. Children
SMSPin is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will remove the account.
12. Changes to this policy
When we make material changes, we notify registered users by email at least 14 days before they take effect. The "Last updated" date above always reflects the current version.
13. Contact
Questions or concerns? Email [email protected] or use the contact form.