SMSBulk

Privacy Policy

Last updated: May 3, 2026

Notice: This Privacy Policy is provided for general information. It does not constitute legal advice and should be reviewed by a qualified legal advisor before deployment in your jurisdiction.

1. Data Controller

SMSBulk ("we", "us", "our") operates smsbulk.net and provides SMS verification services through virtual phone numbers. We act as the data controller for personal data processed in connection with the service.

For privacy questions, data subject access requests, or any other inquiry covered by this policy, contact us on Telegram at @smsbulksupport.

2. Information We Collect

Account data: email address, hashed password, preferred locale, account role. We do not require legal name, government ID, or physical address for SMS verification.

Wallet and transaction data: wallet balance, top-up records, refund records, and activation charges. Cryptocurrency payment metadata (invoice id, network, status) is received from Cryptomus and stored against your account.

Activation data: for each verification we process the assigned virtual phone number, target service code, country, the SMS body that arrives, and timestamps. The SMS body is automatically purged 30 days after the activation completes.

Technical and security data: IP address, user-agent, request timestamps, rate-limit counters, and authentication events. Used for abuse prevention, fraud detection, and incident response only.

Cookies: we use strictly necessary cookies for session and authentication, plus a NEXT_LOCALE preference cookie. We do not use third-party advertising or cross-site tracking cookies.

3. Purposes of Processing

We process your data to:

  • Provide the SMS verification service (virtual number assignment, SMS routing, automatic refunds)
  • Process wallet top-ups and maintain transaction records
  • Detect and prevent fraud, abuse, or violations of our Terms of Service
  • Comply with applicable legal obligations and respond to lawful requests
  • Maintain service integrity, security, and performance
  • Send transactional emails (verification, password reset, security notifications) when an SMTP provider is configured

4. Legal Bases for Processing (GDPR)

  • Contract: processing necessary to provide the service you requested.
  • Legitimate interests: security monitoring, fraud prevention, service improvement, where these interests are balanced against your rights.
  • Legal obligation: tax records, accounting, lawful disclosure to authorities.
  • Consent: where required (for example, optional marketing communications). Consent can be withdrawn at any time.

5. Third-Party Service Providers

We share the minimum data necessary with the following processors:

  • Telecom upstream provider: we forward anonymous activation requests (service code, country code) to obtain virtual phone numbers and receive SMS content.
  • Cryptomus (payment processor): we forward wallet top-up amounts, currencies, and invoice ids for cryptocurrency processing. Cryptomus operates under its own privacy policy.
  • Email delivery provider (SMTP): when configured, transactional emails (verification, password reset) are sent through an SMTP provider.
  • Error and performance monitoring: aggregated error reports and performance metrics may be sent to Sentry, with personally identifying request fields redacted.
  • Legal authorities: when required by valid legal process, we disclose data per applicable law.

We do not sell, rent, or trade your personal data to advertisers or third parties for marketing.

6. International Data Transfers

Our processors may operate outside the European Economic Area or your country of residence. Where required, transfers are protected by Standard Contractual Clauses or equivalent safeguards. By using the service, you acknowledge that activation data and payment metadata may be processed outside your country.

7. Data Retention

SMS body and activation logs: automatically purged 30 days after the activation completes.

Account data: retained while your account is active. Upon account deletion request via @smsbulksupport, personal information is removed within 30 days, except where retention is required by law.

Transaction and accounting records: retained for up to 5 years to satisfy tax and accounting obligations.

Security logs: retained up to 12 months for incident response and abuse prevention, then aggregated or deleted.

8. Your Rights

Under GDPR, KVKK, and equivalent regulations, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your data ("right to be forgotten") subject to legal retention requirements
  • Object to or restrict processing of your data
  • Receive your data in a portable, structured format
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us on Telegram at @smsbulksupport. We respond to verified requests within 30 days.

9. Security

We protect your data with industry-standard measures: TLS 1.3 transport encryption, bcrypt password hashing, rate limiting, scoped API keys, role-based access control, and centralised logging. Security is monitored continuously and incidents are triaged through a documented response process.

No system is fully resistant to compromise. We do not claim absolute security. If you suspect unauthorised access to your account, contact us immediately at @smsbulksupport.

10. Data Breach Notification

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, where required by law. Affected users will be notified without undue delay through email and in-app notice.

11. Children's Privacy

SMSBulk is intended only for users 18 years of age or older. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data, contact us at @smsbulksupport for immediate removal.

12. Changes to This Policy

We may update this Privacy Policy when our practices, providers, or legal obligations change. The "Last updated" date at the top reflects the current version. Material changes will be communicated through the website and to registered users via email or in-app notice.

13. Contact

For privacy-related questions, data subject requests, or any concern covered by this policy, contact us on Telegram at @smsbulksupport. We aim to respond within one business day.