1. Introduction & Data Controller
1.1 Who We Are
SMSCodeHub (the "Company," "we," "us," or "our") is a telecommunications aggregation service provider registered in Siedlce, Masovian Voivodeship, Poland. We operate under the laws of the Republic of Poland and the European Union.
1.2 Data Controller
For the purposes of the EU General Data Protection Regulation (GDPR) and the Polish Act on Personal Data Protection (RODO), SMSCodeHub is the Data Controller responsible for your personal information.
1.3 Scope of This Policy
This Privacy Policy applies to all users of the SMSCodeHub website, mobile applications, and API services. By using our Service, you consent to the data practices described in this policy.
Privacy-First Commitment
We are committed to privacy by design. We collect only the minimum data necessary to provide our Service, and we never sell your personal information to third parties.
2. Information We Collect
2.1 Information You Provide Directly
| Data Type | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email Address | Account registration, password recovery, service notifications | Contract performance (Art. 6(1)(b) GDPR) |
| Password (hashed) | Account authentication and security | Contract performance |
| Payment Information | Processing payments via Stripe, PayPal, or crypto gateways | Contract performance + Legal obligation (AML/KYC) |
| Transaction History | Billing, refunds, fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
2.2 Information Collected Automatically
- IP Address: For fraud detection, security monitoring, and compliance with legal obligations
- Browser & Device Information: Browser type, operating system, device identifiers for technical support and analytics
- Usage Data: Pages visited, time spent on site, referral sources (via Google Analytics)
- Cookies: See Section 6 for detailed cookie policy
2.3 Information We Do NOT Collect
No ID Verification Required
We do NOT require or collect:
- Government-issued ID (passport, driver's license)
- Social Security Numbers or Tax IDs
- Proof of address documentation
- Biometric data (fingerprints, facial recognition)
Exception: Payment processors (Stripe) may require additional KYC verification for high-value transactions as mandated by anti-money laundering (AML) regulations.
3. How We Use Your Information
We use your personal data for the following purposes:
3.1 Service Delivery
- Provision of virtual phone numbers and SMS reception services
- Processing and routing SMS messages to your dashboard
- Managing your account balance and transaction history
3.2 Payment Processing
- Processing credit card, PayPal, and cryptocurrency payments
- Issuing invoices and receipts (as required by Polish tax law)
- Detecting and preventing payment fraud
3.3 Communication
- Sending transactional emails (order confirmations, balance alerts)
- Providing customer support via email or live chat
- Sending service updates or security notifications (you cannot opt-out of these)
3.4 Security & Compliance
- Monitoring for fraudulent activity, spam, and abuse of the Service
- Complying with legal obligations (court orders, law enforcement requests)
- Enforcing our Terms of Service
3.5 Analytics & Improvement (Optional)
- Analyzing usage patterns to improve website performance
- A/B testing new features (aggregated data only)
- Conducting security audits and vulnerability assessments
Legal Basis: All processing activities are based on one or more of the following GDPR legal bases: Contract performance (Art. 6(1)(b)), Legal obligation (Art. 6(1)(c)), Legitimate interest (Art. 6(1)(f)), or Consent (Art. 6(1)(a)).
4. Data Retention - "Zero Logs" Policy
Our "Zero SMS Content Retention" Promise
We do NOT permanently store the content of SMS messages you receive through our Service.
4.1 SMS Message Content
- Retention Period: Maximum 24 hours from receipt
- Purpose: Transient storage to display messages in your dashboard
- Deletion: Automatic deletion after 24 hours, or immediately upon account termination
- Encryption: All SMS content is encrypted in transit (TLS 1.3) and at rest (AES-256)
4.2 Other Data Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 30 days after deletion | Service provision, legal grace period |
| Transaction Records | 7 years | Polish tax law requirement (Art. 112 of Tax Ordinance Act) |
| IP Logs (Security) | 90 days | Fraud detection, abuse prevention |
| Support Tickets | 3 years | Service improvement, legal claims |
| Analytics Data (Aggregated) | 26 months | Google Analytics default retention (GDPR compliant) |
7. Data Security Measures
We implement industry-standard security measures to protect your data from unauthorized access, alteration, disclosure, or destruction:
7.1 Technical Safeguards
- Encryption:
- TLS 1.3 for all data in transit (HTTPS)
- AES-256 encryption for data at rest (database encryption)
- Bcrypt hashing for password storage (industry standard)
- Access Controls: Role-based access control (RBAC) for internal staff, multi-factor authentication (MFA) for admin accounts
- Firewall & Intrusion Detection: Network-level firewall, DDoS protection via Cloudflare
- Regular Security Audits: Quarterly penetration testing and vulnerability scans
7.2 Organizational Safeguards
- Employee confidentiality agreements (NDAs)
- Limited access to personal data on a need-to-know basis
- Incident response plan for data breaches (notification within 72 hours as required by GDPR)
7.3 Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected users via email within 72 hours of discovery
- Report the breach to the Polish Personal Data Protection Office (UODO) as required by GDPR
- Provide details on the nature of the breach, affected data, and remediation steps
8. Your GDPR/RODO Rights
Under the EU General Data Protection Regulation (GDPR) and the Polish Act on Personal Data Protection (RODO), you have the following rights:
8.1 Right to Access (Art. 15 GDPR)
You have the right to request a copy of all personal data we hold about you. We will provide this information in a structured, machine-readable format (e.g., JSON or CSV) within 30 days of your request.
8.2 Right to Rectification (Art. 16 GDPR)
You can update or correct inaccurate personal information directly in your account settings or by contacting us at support@smscodehub.com.
8.3 Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR)
You can request deletion of your account and all associated personal data. We will comply within 30 days, except where retention is required by law (e.g., transaction records for tax purposes).
8.4 Right to Data Portability (Art. 20 GDPR)
You can request a copy of your data in a portable format (JSON, CSV) to transfer to another service provider.
8.5 Right to Restrict Processing (Art. 18 GDPR)
You can request that we temporarily suspend processing of your data while we verify the accuracy of disputed information.
8.6 Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests (e.g., analytics, fraud detection). We will cease processing unless we demonstrate compelling legitimate grounds.
8.7 Right to Lodge a Complaint
If you believe we have violated your privacy rights, you can file a complaint with:
Polish Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Email: kancelaria@uodo.gov.pl
Website: uodo.gov.pl
9. International Data Transfers
Our servers are primarily located in the European Union (Poland). However, some third-party services (e.g., Stripe, Google Analytics) may process data outside the EU.
9.1 GDPR Safeguards for Non-EU Transfers
When data is transferred to countries outside the EU/EEA, we ensure adequate protection through:
- EU-US Data Privacy Framework: For US-based processors like Stripe (certified participants)
- Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements
- Adequacy Decisions: Transfers to countries with EU adequacy status (e.g., Switzerland, UK post-Brexit)
10. Children's Privacy
Our Service is NOT intended for individuals under the age of 18. We do not knowingly collect personal data from minors.
If we become aware that a user is under 18, we will:
- Immediately suspend the account
- Delete all associated personal data
- Notify the account holder (if contact information is available)
Parents or guardians who believe their child has registered an account should contact us immediately at support@smscodehub.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes:
- We will update the "Last Updated" date at the top of this page
- Registered users will receive email notification
- A prominent notice will be displayed on the website for 30 days
Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy.
12. Contact & Data Protection Officer
For privacy-related inquiries, data access requests, or to exercise your GDPR rights, please contact us:
Data Protection Officer (DPO):
Email: privacy@smscodehub.com
General Support: support@smscodehub.com
Registered Address: Siedlce, Masovian Voivodeship, Poland
Response Time: We aim to respond to all privacy requests within 72 hours (GDPR compliance)
By using SMSCodeHub, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein.
Last Updated: January 22, 2026 | Effective Date: January 1, 2026