Privacy Policy

1 Introduction

Welcome to VerifySMS. This Privacy Policy ("Policy") describes how VerifySMS ("we," "our," or "us") collects, uses, discloses, and safeguards your personal information when you access or use the VerifySMS mobile application for iOS (the "App") and any associated services (collectively, the "Service").

VerifySMS is a mobile application that enables users to purchase temporary virtual phone numbers for the purpose of receiving SMS verification codes. Our Service allows you to complete phone-based verifications without disclosing your personal phone number.

By downloading, installing, or using our App, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, please do not use our Service.

This Policy applies to all users of the VerifySMS App, regardless of their location. We are committed to protecting your privacy and ensuring that your personal information is handled in accordance with the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and other applicable data protection laws.

2 Information We Collect

We are committed to data minimization and only collect information that is strictly necessary to provide, maintain, and improve our Service. Below is a detailed breakdown of the categories of information we collect.

2.1 Information from Apple Sign In

We use Apple Sign In as our sole authentication method. When you create an account through Apple Sign In, we may receive the following information from Apple:

• Email address — This may be your actual email address or an Apple relay email address (e.g., xyz@privaterelay.appleid.com) if you chose the "Hide My Email" option during sign-in. We respect your choice and will use whichever email Apple provides.
• Apple user identifier — A unique, stable identifier assigned by Apple that allows us to recognize your account across sessions. This identifier is specific to our App and cannot be used to track you across other services.
• Full name — This is provided only if you choose to share it during the Apple Sign In process. Sharing your name is entirely optional and not required to use our Service.

2.2 Usage Information

In the course of providing our Service, we collect certain usage information related to your activity within the App:

• Number purchase history — Records of the virtual numbers you have purchased, including the associated service name, country, and the amount paid.
• Transaction records — Details of financial transactions within the App, including wallet deposits made through Apple In-App Purchase, number purchases, and any applicable refunds.
• General app usage patterns — Aggregated, non-granular information about how you interact with the App. We do not perform detailed behavioral tracking, screen recording, or session replay.

2.3 Information We Do NOT Collect

• Phone contacts — We never request or access your device's contact list.
• Location data — We do not collect GPS coordinates, IP-based geolocation for tracking, or any other form of precise or coarse location data.
• Device identifiers for tracking — We do not collect the Identifier for Advertisers (IDFA), Identifier for Vendors (IDFV), or any device fingerprinting data for advertising or cross-app tracking purposes.
• Browsing history — We have no visibility into your web browsing activity, search history, or in-app browsing outside of VerifySMS.
• Photos or media — We do not request access to your photo library, camera, or any media stored on your device.
• SMS content from your personal number — We do not read, intercept, or access text messages on your device. The SMS codes displayed within our App are received by temporary virtual numbers provisioned through our third-party SMS provider and are not associated with your personal phone number.

3 How We Use Your Information

We process your personal information solely for the purposes outlined below. Each purpose is grounded in a lawful basis under applicable data protection law, including the performance of our contract with you, our legitimate interests, or compliance with legal obligations.

• Process purchases and refunds — To facilitate the purchase of virtual numbers, manage your in-app wallet, process deposits made via Apple In-App Purchase, and handle any applicable refund requests.
• Maintain your wallet balance — To accurately track deposits, debits, and your current balance so that you can use the Service seamlessly.
• Provide customer support — To respond to your inquiries, troubleshoot issues, and resolve disputes related to your account or transactions.
• Improve our Service — To analyze aggregated, anonymized usage patterns in order to identify areas for improvement, develop new features, and enhance the overall user experience.
• Ensure service integrity — To detect and prevent fraud, abuse, and unauthorized use of our platform, and to maintain the security and stability of our systems.
• Comply with legal obligations — To meet our obligations under applicable laws and regulations, including tax reporting, financial record-keeping, and responding to lawful requests from governmental authorities.

4 Third-Party Services

To deliver our Service, we rely on a limited number of trusted third-party providers. We carefully select these partners and ensure that appropriate data protection agreements are in place. Below is a description of each third-party service we use and how your data interacts with them.

4.1 Supabase (Database & Authentication)

We use Supabase as our backend database and authentication infrastructure. Your account data — including your Apple Sign In credentials, wallet balance, and transaction history — is securely stored within Supabase's EU data center located in the eu-west-1 region (Frankfurt, Germany). Supabase implements industry-standard security measures, including encryption at rest and in transit, and row-level security policies.

For more information, please refer to the Supabase Privacy Policy.

4.2 HeroSMS (SMS Provider)

We use the HeroSMS API as our third-party SMS provider to provision temporary virtual phone numbers and retrieve incoming SMS verification codes. When you request a virtual number, we transmit the service and country selection to HeroSMS. No personal data (such as your name, email, or Apple ID) is shared with HeroSMS. The interaction is limited to number provisioning and SMS retrieval for the virtual numbers you purchase.

4.3 Apple (Payments)

All financial transactions within VerifySMS are processed exclusively through Apple's In-App Purchase (IAP) system. We do not collect, process, or store your payment card details, bank account information, or any other financial instrument data. Apple handles all payment processing, billing, and receipt management in accordance with their own privacy practices.

For more information, please refer to the Apple Privacy Policy.

5 Data Storage & Security

The security of your personal information is a top priority. We implement a comprehensive set of technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.

• EU-based data storage — All personal data is stored within the European Union, specifically in the Supabase eu-west-1 region (Frankfurt, Germany), ensuring compliance with GDPR data residency requirements.
• SSL/TLS encryption in transit — All data transmitted between your device and our servers is protected using Transport Layer Security (TLS) encryption, preventing interception by unauthorized third parties.
• SSL certificate pinning — Our iOS application implements certificate pinning to prevent man-in-the-middle (MITM) attacks by verifying the server's SSL certificate against a known, trusted certificate embedded in the App.
• Row-level security (RLS) — Our database implements row-level security policies, ensuring that each user can only access their own data. Even in the event of an application-level vulnerability, RLS provides an additional layer of data isolation.
• No plaintext sensitive data storage — Sensitive information is never stored in plaintext. All authentication tokens and credentials are handled securely using industry-standard practices.
• Regular security reviews — We periodically review our security practices and infrastructure to identify and address potential vulnerabilities.

6 Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. Our retention practices are as follows:

• Account data — Your account information (email, Apple user identifier, name) is retained for as long as your account remains active. If you do not use the Service for an extended period, we may contact you before taking any action regarding your account.
• Transaction history — Records of your purchases, deposits, and refunds are retained for a period of two (2) years from the date of the transaction. This retention period is necessary for legal compliance, including tax and financial reporting obligations.
• After account deletion — Upon deletion of your account (whether initiated by you or by us), all personal data associated with your account will be permanently removed from our active systems within thirty (30) days. Anonymized, aggregated data that cannot be used to identify you may be retained for analytical purposes.

7 Your Rights

Under the General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR), you have the following rights with respect to your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

• Right of access — You have the right to request a copy of the personal data we hold about you, along with information about how it is processed. We will provide this information in a commonly used, machine-readable format.
• Right to rectification — If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it without undue delay.
• Right to erasure ("right to be forgotten") — You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw your consent and there is no other legal basis for processing.
• Right to restrict processing — You have the right to request that we limit the processing of your personal data in certain circumstances, for example, while we verify the accuracy of data you have contested.
• Right to data portability — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
• Right to object — You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis, including processing for direct marketing purposes.
• Right to withdraw consent — Where processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.

8 Account Deletion

You have the right to delete your VerifySMS account at any time. We provide multiple convenient methods for account deletion:

How to Delete Your Account

• In-App — Navigate to Settings → Account → Delete Account within the VerifySMS app. Follow the on-screen confirmation prompts to complete the deletion.
• Email request — Send a deletion request to privacy@verifysms.app from the email address associated with your account. We will process your request and confirm deletion.

What Happens When You Delete Your Account

• All personal data associated with your account (email, name, Apple identifier) will be permanently deleted within 30 days.
• Your wallet balance will be forfeited. Any remaining balance cannot be recovered after account deletion. We recommend using your remaining balance before initiating deletion.
• Active virtual numbers associated with your account will be released and will no longer receive SMS messages.
• Transaction records may be retained in an anonymized form for up to two (2) years following deletion, solely for legal compliance and financial reporting purposes. These anonymized records cannot be linked back to your identity.

9 Children's Privacy

VerifySMS is not intended for use by individuals under the age of seventeen (17). Our App is rated 17+ on the Apple App Store, and we do not knowingly collect, solicit, or maintain personal information from children under the age of 17.

If we become aware that we have collected personal information from a child under 17 without verified parental consent, we will take immediate steps to delete that information from our servers. If you believe that a child under 17 has provided us with personal information, please contact us at privacy@verifysms.app, and we will promptly investigate and take appropriate action.

10 International Data Transfers

Your personal data is primarily processed and stored within the European Union (EU), specifically in the eu-west-1 region. We have designed our infrastructure to minimize the need for international data transfers.

In the event that your data needs to be transferred outside the European Economic Area (EEA), we will ensure that appropriate safeguards are in place, including but not limited to:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions issued by the European Commission for the recipient country.
• Binding Corporate Rules, where applicable.

These measures are designed to ensure that your personal data receives a level of protection equivalent to that guaranteed within the EU, regardless of where it is processed.

11 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will:

• Update the "Last Updated" date at the top of this Policy.
• For material changes that significantly affect how we collect, use, or share your personal information, we will provide notice through the App (via an in-app notification or banner) and/or by sending an email to the address associated with your account.
• Where required by applicable law, we will obtain your consent before implementing material changes to our data processing practices.

We encourage you to review this Policy periodically to stay informed about how we protect your information. Your continued use of the Service after any modifications to this Policy constitutes your acknowledgment of the changes and your consent to abide by the updated terms.

12 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, we encourage you to reach out to us. We are committed to addressing your inquiries promptly and transparently.

• Email: privacy@verifysms.app
• Support: verifysms.app/support
• Website: verifysms.app

We aim to respond to all privacy-related inquiries within thirty (30) days of receipt. For complex requests, we may extend this period by an additional sixty (60) days, in which case we will inform you of the extension and the reasons for the delay.