Privacy Policy

At a Glance

The short version

Most privacy policies are written to protect the company. This one is written to be understood. Below is the complete picture — but if you want a summary first, here it is.

🔒

No SMS content stored

We do not log the text of verification codes you receive

🗑️

Auto-purge after 30 days

Activation records deleted automatically after the refund window closes

🚫

No behavioral profiling

We do not build profiles, sell data, or use third-party ad tracking

⚖️

GDPR & CCPA rights

Access, correction, deletion, and portability — honoured within 30 days

🍪

Essential cookies only

No ad cookies, no cross-site tracking pixels, no retargeting

📧

Contact us anytime

privacy@smsactivate.guru — we respond within 5 business days

Data Collection

What we collect, and why

We collect only the data required to run the service. Every data point listed below has a specific operational purpose. If we cannot articulate why we collect something, we do not collect it.

Account data Necessary

Email address and hashed password. Required to authenticate your session, send transactional emails (receipts, refund confirmations), and identify your account for support requests. We never store your password in plain text — only a bcrypt hash.
Transaction records Necessary

Payment amounts, timestamps, top-up history, and balance movements. Required to issue refunds, generate receipts, detect fraud, and comply with financial record-keeping requirements. Payment card data is processed exclusively by our payment processor — we never see or store full card numbers.
Activation logs Limited

The country and platform category of each activation request, the number assigned, delivery status (delivered / failed / timed out), and timestamp. We do not log the SMS content, the specific platform URL, or any OTP code you receive. Activation logs are retained for 30 days to process refunds, then deleted automatically.
Technical data Limited

IP address, browser type, and device type — collected at login and top-up events for fraud detection and abuse prevention. IP logs are retained for 90 days, then purged. We do not correlate technical data with your activation history.
Support communications Necessary

Emails and chat messages sent to our support team. Retained for 12 months from the date the ticket is resolved, then deleted. We may reference support history when investigating repeat issues, but we do not share it with third parties.
API usage metrics Aggregated only

Request counts, endpoint usage, and error rates per API key — used to monitor system health and detect abuse patterns. Stored in aggregate; we cannot reconstruct individual request sequences from this data. Retained for 6 months.

Data Use

How your data is used

We use data for exactly the purposes described at collection — nothing more. We do not repurpose data, infer interests, or build secondary profiles from your usage history. The SMS Activation Service earns money by delivering successful activations, not by monetising user data.

01

Service delivery

Assigning numbers, receiving SMS, forwarding codes, issuing refunds, and managing your account balance. The core operations the service exists to perform.

02

Fraud & abuse prevention

Detecting unusual usage patterns, preventing account takeovers, and enforcing our Acceptable Use Policy. This protects both us and the integrity of the number inventory for legitimate users.

03

Legal compliance

Responding to valid court orders and law enforcement requests. We retain the minimum data necessary for this purpose and disclose only what is legally compelled — never voluntarily.

04

Service communications

Transactional emails: receipts, refund notices, low balance warnings, and critical service updates. We do not send marketing emails unless you have explicitly opted in.

05

Platform improvement

Aggregated, anonymised metrics (e.g., which platforms have highest demand, average delivery times by country) inform infrastructure investment decisions. No individual data is used for this purpose.

06

Support & dispute resolution

Transaction and activation records are accessed by support staff when investigating a ticket you open. Access is logged and scoped to the records directly relevant to your request.

"We do not sell your data. We do not share it with advertisers. We do not build profiles. Your usage of SMS Activate is your business."

Data Retention

How long we keep it

Every category of data we collect has a defined maximum retention period. Deletion is automated — data is not kept past these limits because someone forgot to delete it.

01

Account data

Retained while your account is active

Email address and account settings are kept for as long as your account exists. If you delete your account, we purge account data within 30 days, except where a legal hold applies (e.g., an open dispute or active law enforcement request).

Until account deletion + 30 days

02

Activation logs

Deleted automatically after the refund window

Activation records (country, platform category, number assigned, delivery status) are retained for exactly 30 days from the activation date — the maximum window in which a refund can be claimed. After that, the record is permanently deleted. The SMS content is never logged.

30 days from activation

03

Transaction records

7 years for financial compliance

Payment amounts, balance movements, and refund records are retained for 7 years to meet financial reporting and tax compliance requirements. These records identify the amount and date, but not which specific platform you were verifying.

7 years (legal requirement)

04

IP and technical logs

90-day rolling window for fraud detection

IP addresses and browser fingerprints captured at authentication and payment events are kept for 90 days in a separate fraud-detection database. After 90 days, entries are purged on a rolling basis. This data is not correlated with activation history.

90 days rolling

05

Support tickets

12 months from resolution

Support conversations are retained for 12 months after the ticket is marked resolved. This allows us to provide context if the same issue recurs. After 12 months, ticket content is deleted; only a de-identified record of the ticket category and resolution outcome is kept for quality reporting.

12 months from resolution

Third Parties

Who we share data with

We share the minimum necessary data with a small number of service providers required to operate the platform. We do not share data with advertisers, data brokers, or analytics companies that build behavioral profiles.

Payment processors

We use PCI-DSS compliant payment processors to handle card transactions. Your card data goes directly to the processor — we see only the transaction status and a tokenised reference. We share your email and transaction amount with the processor to generate receipts and process refunds. We do not share your activation history or usage patterns.

Infrastructure providers

Our platform runs on cloud infrastructure. Encrypted data at rest is stored on servers operated by our infrastructure provider in accordance with our data processing agreement. The provider does not have logical access to your unencrypted data and has no right to use it for their own purposes.

Law enforcement and legal process

We disclose data only when legally compelled by a court order, subpoena, or equivalent lawful process in a jurisdiction where we are required to comply. We notify affected users before disclosure when legally permitted to do so. We publish aggregate transparency statistics in our annual report.

Business transfers

In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred as part of that transaction. We will notify you via email and post a notice on this page at least 30 days before any such transfer, and you will retain the right to delete your account before it takes effect.

Your Rights

What you can ask us to do

Whether or not you are in the EU or California, we apply the same rights framework to all users globally. These rights are not conditional on your geography — they are how we think data relationships should work.

Right to access

You can request a complete export of all personal data we hold about you. We will deliver a structured, machine-readable file (JSON) within 30 days of your verified request. Requests can be made from your account settings or by emailing privacy@smsactivate.guru.
Right to correction

If any data we hold about you is inaccurate or incomplete, you can request a correction at any time. Account details can be updated directly from your dashboard. For data outside the dashboard, contact our support team.
Right to deletion

You can request deletion of your account and all associated personal data. We will complete the deletion within 30 days. Note that transaction records subject to legal retention requirements (7-year financial records) cannot be deleted on request, but they will be de-identified where technically feasible.
Right to data portability

You can request your data in a portable format for transfer to another provider. We provide exports in JSON and CSV. Portability applies to data you have directly provided and data generated by your use of the service.
Right to object / opt out (CCPA)

You can object to processing based on legitimate interest at any time. California residents can additionally opt out of any future sale of personal information (we do not sell data, but the right applies). Requests are processed within 15 business days.
Right to lodge a complaint

If you believe we have handled your data incorrectly, you can file a complaint with your local data protection authority. For EU users, this is the supervisory authority in your member state. We also have an internal privacy review process — contact privacy@smsactivate.guru and a senior team member will respond within 5 business days.

Cookies & Tracking

Minimal by design

We use only the cookies strictly necessary to operate the platform. There are no advertising cookies, no retargeting pixels, and no third-party tracking scripts embedded in our pages. We do not participate in cross-site tracking networks.

Cookie name	Purpose	Duration	Type
session_token	Authenticates your logged-in session. Required for the dashboard to function.	Session (cleared on logout)	Necessary
csrf_token	Prevents cross-site request forgery attacks on form submissions and API calls.	Session	Necessary
currency_pref	Stores your preferred display currency (USD / EUR / GBP) across sessions.	1 year	Functional
theme_pref	Stores light/dark mode preference so it persists across visits.	1 year	Functional
Analytics	We do not use Google Analytics, Meta Pixel, or any behavioural analytics cookies.	—	None
Advertising	We do not serve advertisements and do not use ad-network cookies.	—	None

"No ad cookies. No tracking pixels. No remarketing. If your browser blocks third-party cookies by default, nothing on our platform breaks."

Security

How we protect your data

Privacy without security is theatre. Here is what we do technically to protect the data we hold.

01

Encryption in transit

All traffic between your browser and our servers uses TLS 1.2+. We enforce HTTPS everywhere and use HSTS headers to prevent downgrade attacks.

02

Encryption at rest

Databases are encrypted at rest using AES-256. Backups are encrypted before transmission to remote storage and are only accessible to authorised infrastructure personnel.

03

Access controls

Production database access is restricted to a small team on a need-to-know basis. All access is authenticated with hardware security keys and logged. Logs are retained for 12 months and reviewed quarterly.

04

Vulnerability management

We run automated dependency scanning and conduct quarterly penetration tests on our public-facing infrastructure. Critical vulnerabilities are patched within 24 hours of discovery.

05

Breach notification

In the event of a data breach affecting personal data, we will notify affected users within 72 hours of discovery — before the GDPR deadline, not at it. Notification includes what data was affected, what we did, and what you can do.

06

Password hashing

Passwords are hashed using bcrypt with a work factor sufficient to make brute-force attacks impractical. We never store, transmit, or log passwords in plain text at any stage.

Contact & Updates

Questions and policy changes

If you have a question about this policy, a data request, or a concern about how your information is handled, contact us at privacy@smsactivate.guru. We respond within 5 business days.

When we make material changes to this policy, we will notify you by email (if you have an account) and update the "Last updated" date at the top of the page. Changes that significantly reduce your rights will be communicated at least 30 days in advance.

01

Return to main page

See how our SMS Activation Service works — real numbers, instant delivery, 190+ countries. No subscription required.

Go to main page →

02

About us

Learn about who built SMS Activate, our infrastructure, operating principles, and the values that shape how we run the service.

Read About Us →

03

Get a virtual number

Ready to try it? Create a free account on SMS Activate, top up from $1, and get your first number in under 30 seconds.

Go to SMS Activate →