Effective Date: 8 March 2026 | Last Updated: 8 March 2026
This Privacy Policy explains how SMSFoundry ("we", "us", "Platform") collects, uses, stores, and protects your personal information when you use our services. This policy complies with the Information Technology Act, 2000 (India), the Digital Personal Data Protection Act, 2023 (India), and aligns with GDPR principles where applicable.
When you register, we collect your full name, email address, and company/business name. This information is required to create and manage your account.
We store your password as a bcrypt hash (we never store plain-text passwords). We generate and store session tokens, CSRF tokens, and OTP codes (as SHA-256 hashes in the database) for authentication and security purposes. Login attempts (email, IP address, user agent, timestamp, success/failure) are logged for security monitoring.
When you use the Platform to send SMS, we process and temporarily store: recipient phone numbers, message content, delivery status, and timestamps. For API audit logging, recipient numbers and message content are stored as SHA-256 hashes (not plain text).
When you pair an Android device, we collect: device model, Android version, app version, and optionally the SIM phone number. Device tokens are stored as SHA-256 hashes.
We collect aggregated daily usage statistics per tenant: messages sent, delivered, failed, and API request counts. This data is used for quota enforcement, billing, and analytics.
If you use the contact management feature, we store contact names, phone numbers, and optionally email addresses that you upload or enter.
We automatically collect: IP address, browser user agent, session fingerprint data (used for hijacking detection), and CSP violation reports (if configured). We do not use tracking cookies, third-party analytics, or advertising pixels.
We use your information for the following purposes:
Service Operation: To authenticate your account, process and deliver messages, enforce plan quotas, pair devices, and manage templates and contacts.
Security: To detect and prevent fraud, abuse, unauthorized access, and AIT/pumping attacks. To enforce rate limits, monitor login attempts, and perform session anomaly detection.
Communication: To send OTP verification codes, account activation emails, abuse notifications, and service-related announcements. We do not send marketing emails.
Compliance: To comply with legal obligations, respond to law enforcement requests (where legally required), and maintain audit logs.
Improvement: To understand usage patterns (in aggregate) and improve platform reliability and features.
SMSFoundry is a self-hosted platform. Your data is stored on the server infrastructure selected by the platform operator. Message content, phone numbers, and all tenant data reside in the MySQL database on that server.
Sensitive data is protected at rest: passwords are bcrypt-hashed, API keys and device tokens are SHA-256 hashed, OTP codes are stored as SHA-256 hashes in the database (not in session storage), and API audit logs use hashed PII.
Account data: Retained for the lifetime of your account plus 30 days after termination.
Message logs: Retained according to server configuration. We recommend 90 days for operational use.
Login attempts: Automatically purged after 30 days.
OTP codes: Expire after 5 minutes and are marked as used. Old records cleaned periodically.
API audit logs: Retained for 90 days (recommended), with hashed PII only.
Abuse flags: Retained indefinitely for platform safety records.
Rate limit data: Automatically purged after 2 minutes.
Idempotency keys: Expire and are purged after 24 hours.
We do not sell, rent, or trade your personal information to third parties. We may share data only in the following circumstances:
Legal requirement: When required by law, court order, or government authority.
Safety: To protect the rights, property, or safety of SMSFoundry, our users, or the public.
Consent: When you explicitly authorize sharing with a specific third party.
Message content is transmitted to carrier networks via your own Android device and SIM card — this is inherent to SMS delivery and is under your control.
We use only essential session cookies for authentication:
Session cookie: HTTP-only, Secure, SameSite=Strict. Required for login. Expires after session timeout or 30 days (if "Remember Me" is enabled).
Admin session cookie: Separate namespace, scoped to /admin/ path. Same security attributes.
We do not use: tracking cookies, third-party cookies, Google Analytics, Facebook Pixel, or any advertising or analytics scripts. We do not perform browser fingerprinting for tracking purposes (fingerprinting is used solely for session hijacking detection).
We implement the following security measures to protect your data:
Bcrypt password hashing (cost factor 12) · Two-factor authentication via email OTP · Session fingerprinting and anomaly detection · CSRF protection with HMAC-bound session tokens · Content Security Policy with per-request nonces · Strict-dynamic CSP on panel pages · Cross-origin isolation headers (COOP/COEP/CORP) · HSTS with preload · SHA-256 hashed API keys and device tokens · Database-backed OTP with IP binding · Split rate limiting (per-email and per-IP) · Automated abuse detection with auto-suspension · Full admin audit logging · HTTPS-only webhook delivery with HMAC-SHA256 signatures.
Depending on your jurisdiction, you may have the following rights:
Access: You can view your account data, message logs, and usage statistics from your dashboard.
Correction: You can update your name and company name from the Settings page.
Deletion: You can request account deletion by contacting support. Upon request, we will delete your account and all associated data within 30 days, except where retention is required by law.
Export: You can access your message logs and contact data through the dashboard or API.
Restriction: You can request that we stop processing your data by suspending or deleting your account.
To exercise any of these rights, contact us at support@smsfoundry.com.
The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that a minor has registered an account, we will promptly delete the account and associated data.
If you are accessing the Platform from outside India, please be aware that your data will be processed and stored on servers located in the jurisdiction where the platform is hosted. By using the Platform, you consent to the transfer of your data to that jurisdiction.
We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 15 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.
In accordance with the Information Technology Act, 2000 and rules made thereunder, the Grievance Officer for the purpose of this Privacy Policy is:
Grievance Officer
SMSFoundry
Email: support@smsfoundry.com
Complaints will be acknowledged within 24 hours and resolved within 30 days.
For privacy-related inquiries, data requests, or concerns, contact us at:
SMSFoundry
Email: support@smsfoundry.com
Website: https://smsfoundry.com