Privacy Policy.

Scope

This policy applies to TextroVault public pages, onboarding, waitlist, priority payment, dashboard, support, and operator review workflows.

TextroVault is built for private inbound SMS workflows. We do not operate public SMS inboxes, outbound SMS campaigns, voice calling, emergency calling, SIM resale, or customer-controlled telecom hardware.

Data We Collect

• Account data: name, email, organization, role, authentication state, and support details.
• Onboarding and review data: intended use, urgency, requested countries, requested number count, desired TextroVault capabilities, LinkedIn profile URL if provided, compliance notes, and review status.
• Billing data: selected plan, payment state, Stripe checkout session, invoice ID, invoice link, payment amount, refunds, chargebacks, tax or billing details when provided by Stripe, and renewal history.
• Number data: requested countries, assigned number, SIM status, activation status, inventory status, quarantine status, lifecycle events, and country readiness status.
• Message data after activation: sender, recipient number, timestamp, SMS body, delivery state, message identifiers, read state, and routing metadata.
• Technical and security data: IP address, device/browser information, session data, request logs, audit events, security events, and limited analytics events.
• Compliance and abuse data: lawful-use attestations, investigation notes, enforcement decisions, appeals, and evidence needed to protect customers, carriers, processors, regulators, and TextroVault.

How We Use Data

• To verify contact details and preserve onboarding progress.
• To review requested countries, SIM capacity, lawful use, and activation readiness.
• To create Stripe checkout sessions, receive payment status from Stripe, and show invoice/payment details on the waitlist page.
• To provide the dashboard, inbound message receipt, API/webhook surfaces where enabled, and support.
• To prevent abuse, enforce acceptable use, investigate security events, and comply with lawful requests.
• To measure acquisition and onboarding conversion without logging SMS bodies, payment secrets, or sensitive message contents in analytics.

Sharing And Processors

TextroVault shares data only as needed to operate the service, process payment, send email, host infrastructure, provide support, comply with law, or enforce policy.

Current operational processors may include Cloudflare for hosting, D1, R2, and Worker runtime, Stripe for checkout, subscriptions, invoices, and payment records, and AWS SES for transactional email.

Stripe payment card details are handled by Stripe. TextroVault stores Stripe references and invoice/payment state, not raw card numbers.

Retention

• Inbound SMS content: 30 days by default unless a product setting or written agreement specifies a different period.
• Message metadata and number lifecycle records: up to 12 months by default.
• Account, billing, invoice, tax, and payment records: up to 7 years where needed for accounting, tax, fraud prevention, chargebacks, and legal obligations.
• Compliance, abuse, suspension, and enforcement records: up to 6 years after account closure, or longer if needed for legal claims, regulatory requests, safety, or repeat-abuse prevention.
• Backups are retained on a rolling basis and deleted or overwritten according to backup schedules.

Security Guardrails

• Keep per-customer inbox access isolated.
• Use TLS in transit and encryption at rest where supported by the hosting or database layer.
• Do not place SMS content, OTPs, message bodies, or sensitive account data in analytics events, URL query strings, or client-side tracking events.
• Redact OTP-like strings in internal logs where feasible.
• Do not market privacy in a way that implies concealment from lawful process.

Contact

For privacy, compliance, billing, activation, or support questions, contact TextroVault at yigit@textrovault.com.