Privacy Policy

1. Information We Collect

BulkSMSHub ("we", "us", "our") operates as a data controller and data processor depending on context. We collect the following categories of information:

1.1 Information You Provide Directly

• Account Registration: Full name, business email address, phone number, company name, country and job title when you create an account or request a demo.
• Payment Information: Billing address, VAT/tax number. Payment card details are processed exclusively by our PCI DSS-compliant payment processors (Stripe, PayPal) and are never stored on our servers.
• Contact Data: Messages, enquiries and support tickets submitted through our website, chat or email.
• Platform Data: SMS contact lists, message content, campaign data and API configurations uploaded to your BulkSMSHub account.

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, click patterns and session duration within the platform dashboard.
• Device and Technical Data: IP address, browser type and version, operating system, device type, screen resolution and referring URL.
• Log Data: Server access logs, API call logs, error logs and delivery reports retained for operational and security purposes.
• Cookies and Tracking: See Section 7 for full details of our cookie usage.

1.3 Information from Third Parties

• Business contact information from LinkedIn or similar professional networks when used for B2B prospecting (with legitimate interest basis).
• Partner referral data when you are referred to BulkSMSHub by a reseller or integration partner.
• Payment verification data from our banking and fraud prevention partners.

2. How We Use Your Data

We use the information we collect for the following purposes and legal bases:

3. Data Sharing and Third Parties

We do not sell your personal data. We share data only in the following circumstances:

• Service Providers: We use third-party vendors to operate our business including cloud hosting (AWS, Google Cloud), payment processing (Stripe, PayPal), email delivery (SendGrid), customer support (Intercom) and analytics (Google Analytics, Mixpanel). These vendors process data only on our documented instructions under strict data processing agreements.
• Telecom Carriers: To deliver SMS messages, recipient phone numbers and message content are transmitted to the relevant mobile network operators. This is inherent to the SMS delivery service.
• Meta (WhatsApp): When using our WhatsApp Business API service, message data is processed by Meta Platforms Inc. under their Business Terms of Service and Data Policy.
• Legal Requirements: We may disclose data if required by law, court order, regulatory authority or to protect the rights, property or safety of BulkSMSHub, our customers or the public.
• Business Transfers: In the event of a merger, acquisition or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users before their data is transferred.

4. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected:

• Account data: Retained for the duration of your account plus 3 years after account closure for legal and financial record-keeping.
• Message content and logs: SMS delivery logs retained for 90 days. Message content retained for 30 days unless longer retention is configured by the customer.
• Billing records: Invoices and payment records retained for 7 years to comply with financial regulations.
• Support communications: Retained for 2 years after ticket resolution.
• Marketing consent records: Retained indefinitely as proof of consent, or until withdrawal of consent plus 3 years.

5. Your Rights

Depending on your location, you have the following rights regarding your personal data:

To exercise any of these rights, contact our Data Protection Officer at dpo@bulksmshub.com. We will respond within 30 calendar days. You also have the right to lodge a complaint with your local data protection supervisory authority.

6. Security Measures

BulkSMSHub implements industry-leading security controls certified under ISO 27001:2022 and SOC 2 Type II:

• Encryption at Rest: All stored data encrypted with AES-256. Database encryption with customer-managed key option for enterprise accounts.
• Encryption in Transit: TLS 1.3 enforced for all data in transit. HSTS enabled with a minimum 1-year max-age.
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) enforced for all staff, privileged access management (PAM) for production systems.
• Infrastructure Security: Hosted in ISO 27001-certified AWS data centres across Singapore, Frankfurt and Virginia. VPC isolation, WAF, DDoS protection and continuous vulnerability scanning.
• Security Testing: Annual third-party penetration testing. Continuous automated security scanning. Bug bounty programme available.
• Incident Response: Documented incident response plan. GDPR Article 33 breach notifications within 72 hours of discovery.

7. Cookies and Tracking

We use cookies and similar tracking technologies. Full details are available in our Cookie Policy. A summary:

• Essential Cookies: Required for platform functionality. Cannot be disabled. Examples: session authentication, CSRF protection, load balancer routing.
• Analytics Cookies: Google Analytics 4, Mixpanel. Used with IP anonymisation. Can be opted out via our cookie consent banner.
• Marketing Cookies: Google Ads, LinkedIn Insight Tag, Meta Pixel. Only set with explicit consent. Can be withdrawn at any time.
• Preference Cookies: Remember your language preference, dashboard layout and notification settings.

8. International Data Transfers

BulkSMSHub is headquartered in Singapore and operates globally. Your data may be processed in Singapore, the European Union, United States and other jurisdictions where our infrastructure and service providers are located.

For transfers from the EEA/UK, we rely on: Standard Contractual Clauses (SCCs) approved by the European Commission; the UK International Data Transfer Agreement (IDTA); and adequacy decisions where applicable. A copy of our SCCs is available on request from dpo@bulksmshub.com.

9. Children's Privacy

BulkSMSHub services are intended for businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it immediately.

10. Contact Our Data Protection Officer

This Privacy Policy may be updated periodically. We will notify you of material changes via email (for registered users) and by posting a notice on our website. Continued use of BulkSMSHub services after notification constitutes acceptance of the updated policy.