1. Roles & responsibilities
For data of website visitors and account holders, we are the "data controller": we determine why and how that data is processed.
For data of recipients (your contacts) uploaded by customers, we act as a "data processor" on behalf of the customer (the controller). Specific terms are set out in our Data Processing Agreement.
2. What we collect
From account holders
- Identity: name, email, billing address, tax ID (if provided).
- Authentication: hashed password, OAuth tokens (Google), session cookies.
- Billing: last 4 digits of card, expiry, country (full card number stored by Stripe, never by us).
- Usage: pages viewed, features used, IP address, browser, OS.
- Communications: emails to/from support, in-product feedback.
From recipients (uploaded by customers)
- Phone number, optional name, opt-in metadata (source, IP, timestamp), arbitrary attributes the customer chose to upload.
- Inbound SMS replies and delivery status from carriers.
Source of recipient data (GDPR Art. 14): Recipient data is uploaded to MassiveSMS by our customers (the data controllers). We do not collect recipient data directly from data subjects. Customers warrant in our Terms that they have a lawful basis (consent or equivalent) for that upload.
3. How we use it
- Operate the Service: route SMS, deliver dashboard features, bill customers.
- Compliance: enforce TCPA opt-out, audit trails, fraud prevention.
- Customer support: respond to tickets, troubleshoot delivery issues.
- Product analytics: understand which features are used, with aggregated and pseudonymized data where possible.
- Legal: respond to subpoenas, enforce our Terms, protect rights and safety.
We do not sell personal data. We do not share it with advertisers.
4. Legal bases (GDPR / LGPD)
- Contract: to deliver the Service customers signed up for.
- Legitimate interest: security, fraud prevention, basic analytics.
- Consent: marketing emails, optional cookies (where applicable).
- Legal obligation: tax records, audit logs, lawful requests.
5. Sharing
We share data only with:
- Carriers and routing providers (Telnyx, Twilio) to deliver SMS.
- Stripe, Inc. for payment processing — see dedicated section below.
- Cloud infrastructure (AWS, Vercel) under standard data processing terms.
- Resend for transactional email.
- PostHog for product analytics (opt-in in EU/UK).
- Authorities when required by valid legal process.
Stripe (payment processor)
Payment data — card number, CVC, expiration, billing address — is collected and processed exclusively by Stripe, Inc. via Stripe Elements / Stripe Checkout. We never see the full card number. We receive only Stripe-issued tokens, the last 4 digits of the card, brand, and expiry month/year for display in your billing settings.
Stripe processes this data under its own Privacy Policy and may use it for fraud prevention via Stripe Radar. Stripe is PCI DSS Level 1 certified. The list of Stripe sub-processors is published at stripe.com/privacy/subprocessors.
"Do Not Sell or Share" (CCPA / CPRA)
We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. We do not run third-party advertising trackers on this site. California residents have the right to know, delete, correct, and opt out of sales/sharing — exercise any of these by emailing privacy@massivesms.com.
6. International transfers
Data may be transferred to the United States and other countries where our subprocessors operate. For EU/UK transfers we rely on Standard Contractual Clauses (SCCs) and supplementary measures. The full subprocessor list is in the DPA.
7. Retention
- Account data: kept while the account is active. Deleted within 30 days of account closure (except where law requires longer retention).
- Compliance audit logs: 7 years per TCPA recordkeeping guidance.
- Billing records: 7 years for tax and accounting.
- SMS message bodies: 90 days, then auto-purged. Metadata (recipient, status, timestamp) retained 24 months for analytics.
- Opt-out lists: kept indefinitely to honor opt-out requests across re-uploads.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Delete your data (subject to legal retention requirements).
- Restrict or object to certain processing.
- Receive a portable copy.
- Withdraw consent (where consent is the legal basis).
- Lodge a complaint with your supervisory authority.
Email privacy@massivesms.com to exercise any right. We respond within 30 days. We may verify your identity before fulfilling sensitive requests.
9. Cookies
We use only essential cookies for session and security. We do not run third-party advertising trackers. Optional analytics cookies (PostHog) require consent in EU/UK, and you can opt out at any time.
10. Security
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). We are SOC 2 Type II audited. Our detailed security posture is described in our security overview.
11. Children
The Service is not directed to anyone under 16. We don’t knowingly collect data from minors. If you believe we have, contact us and we will delete it.
12. Changes
We may update this policy. Material changes get 30 days’ notice by email and in-product banner. The "Last updated" date at the top reflects the latest revision.
13. Contact
Privacy team: privacy@massivesms.com.
EU / UK Data Protection Representative: appointed on request.
Mailing address: Massive SMS Inc., 2261 Market Street #4001, San Francisco, CA 94114, USA.
