Privacy Policy
Last updated: June 2026
1. Who We Are
BulkSMSRates.com Ltd (“we”, “us”, “our”) operates the bulk SMS gateway at bulksmsrates.com and the customer dashboard at app.bulksmsrates.com. We are the data controller for personal data you provide to us directly, and a data processor for message content and recipient data you submit via our platform.
2. Data We Collect
- Account data: name, email address, password (hashed with Argon2id), company name, and billing address.
- Payment data: billing address and card metadata (last 4 digits, expiry). Full card numbers are processed exclusively by Stripe and are never stored on our servers.
- Message data: destination numbers, sender IDs, message bodies, and delivery report metadata you submit through the API or dashboard.
- Usage data: API request logs, IP addresses, browser/SDK user-agent, timestamps, and error codes — retained for 90 days for debugging and fraud prevention.
- Contact lists: phone numbers and optional metadata (name, email, custom fields) you upload to the Contacts feature.
3. How We Use Your Data
- To provision and operate your account and process SMS sends.
- To issue invoices, process payments, and detect fraud.
- To send transactional emails (verification, password reset, low-balance alerts).
- To provide customer support and investigate reported issues.
- To send product updates and rate-change notices — you may unsubscribe at any time via the link in any email or from Settings in the dashboard.
- To comply with applicable laws and respond to lawful requests from authorities.
4. Legal Bases (GDPR)
For EEA/UK users, our processing rests on:
- Contract — account registration, SMS delivery, billing.
- Legitimate interests — fraud prevention, abuse detection, platform security.
- Legal obligation — retention of financial records and cooperation with lawful authority requests.
- Consent — marketing communications (opt-in during registration or via Settings).
5. Data Sharing
We do not sell your personal data. We share it only with:
- Downstream carriers — destination numbers and message bodies are passed to carrier partners solely to deliver your messages.
- Stripe — payment processing (governed by Stripe’s own privacy policy).
- Infrastructure providers — cloud hosting and CDN services under data-processing agreements.
- Legal authorities — where required by applicable law or court order.
6. Data Retention
- Account data: retained for the life of your account plus 3 years after closure.
- Message logs: 90 days in hot storage; purged thereafter.
- Financial records (invoices, transactions): 7 years per UK law.
- API access logs: 90 days.
7. Your Rights
Subject to applicable law, you have the right to:
- Access a copy of your personal data.
- Correct inaccurate data.
- Request erasure (“right to be forgotten”).
- Object to or restrict certain processing.
- Data portability (receive your data in a structured, machine-readable format).
- Withdraw consent for marketing at any time.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
9. Security
We implement industry-standard measures including TLS 1.2+ in transit, Argon2id password hashing, encrypted carrier credentials at rest, and access controls aligned with ISO 27001 practices. We conduct regular security reviews.
10. International Transfers
Our infrastructure is hosted within the EU/UK. Where personal data is transferred outside these regions (e.g., to carrier partners), we ensure adequate safeguards are in place via standard contractual clauses or equivalent mechanisms.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be notified by email to registered users at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.
12. Contact
Questions or complaints about this policy should be directed to: [email protected]. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.