Privacy Policy
This Privacy Policy describes how ExtremeSMS for MCA ("ExtremeSMS", "we", "our", "us") collects, uses, discloses, and protects information in connection with our SMS marketing platform (the "Service") available at mca.extremesms.net.
The Service is offered to businesses ("Customers") who use it to send commercial SMS messages to individuals ("Recipients") with whom they hold a pre-existing relationship and from whom they have obtained prior express written consent. This policy explains how we handle information about both Customers and Recipients.
1. Information We Collect
1.1 Information you provide as a Customer
- Account data: name, business name, email address, password (stored as a bcrypt hash), and where applicable, Google account identifier used for sign-in.
- Billing and balance data: prepaid balance amounts, per-segment rate, billing ledger entries describing credits and charges. We do not process or store payment card numbers ourselves; payments, if any, are processed by third-party providers.
- Configuration data: assigned toll-free numbers, message templates, contact lists, suppression lists, campaign settings, scheduling, drip sequence configuration, integration webhook URLs, and tags.
- Support communications: information you send when you contact us for support.
1.2 Information Customers upload about Recipients
- Contact list data: phone numbers and (optionally) names, company, email, and any custom CSV columns the Customer chooses to upload for message personalization.
- Message content: the bodies of outbound SMS messages and any inbound replies received on a Customer's toll-free number.
- Delivery metadata: timestamps, delivery status, carrier reporting (delivered, rejected, failed, expired), and provider-side error codes.
Customers act as the controller of Recipient data and represent to us that they have a lawful basis (typically prior express written consent under the U.S. Telephone Consumer Protection Act) for sending each message and for providing each Recipient's information to us.
1.3 Information collected automatically
- Usage data: pages viewed within the application, IP address, browser type, approximate request timing.
- Cookies and local storage: we use a small number of strictly necessary cookies and browser local-storage entries to keep you signed in, remember your interface preferences, and protect against cross-site request forgery. We do not use third-party advertising cookies on the application.
- Server logs: standard HTTP request logs (URL, status, latency, timestamp, source IP) retained for operational and security purposes.
2. How We Use Information
- To operate and maintain the Service, including routing outbound SMS to upstream carriers, recording delivery reports, ingesting inbound replies, and rendering the dashboard.
- To compute and apply per-segment billing against a Customer's balance.
- To enforce platform rules and prevent abuse, including detecting opt-out keywords (STOP, UNSUBSCRIBE, QUIT, etc.) and automatically adding the sender to the Customer's suppression list.
- To respond to support requests, security incidents, and lawful legal process.
- To improve and develop new features, using aggregated and de-identified data where reasonably possible.
3. How We Share Information
3.1 Subprocessors
We share information with third-party service providers only to the extent necessary to deliver the Service:
- SMS connectivity providers who deliver outbound messages and receive inbound messages on our behalf, and the carriers they interconnect with.
- Cloud and hosting providers who run the underlying infrastructure (compute, storage, transit).
- Payment processors, where applicable, who handle payment card data on their own systems.
- Email and identity providers for transactional email and federated sign-in.
Each subprocessor is engaged under a written agreement that requires confidentiality and use of the data only for the purpose of providing services to us.
3.2 Legal and safety
We may disclose information when we believe in good faith it is required to comply with applicable law, valid legal process, or to protect the rights, property, or safety of ExtremeSMS, our Customers, Recipients, or the public.
3.3 Business transfers
If ExtremeSMS is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.
3.4 No sale of personal information
We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and similar laws.
4. Data Retention
Customer account data is retained for as long as the account is active and for a reasonable period afterward to satisfy legal, accounting, or reporting obligations. Contact lists, messages, delivery reports, and suppression entries are retained while the Customer's account is active and can be deleted by the Customer at any time through the dashboard. We retain redacted logs and aggregated usage data for security and capacity planning.
5. Security
We apply reasonable administrative, technical, and physical safeguards designed to protect information, including encryption in transit (HTTPS/TLS), password hashing with bcrypt, scoped per-user data isolation, prepared-statement database access, and audit logging of administrative actions. No system is perfectly secure; we cannot guarantee absolute security and ask that Customers maintain strong account credentials and report suspected compromise promptly.
6. Your Rights
6.1 Customers
Customers may review, update, and export account information from within the dashboard. To request account deletion or to exercise other rights with respect to their own data, Customers may contact us at the address below.
6.2 Recipients
If you are a Recipient who has received a message via the Service and you wish to opt out, the most effective method is to reply STOP to the message; our platform automatically adds opt-out phone numbers to the sending Customer's suppression list and prevents further sends. You may also request that we identify the Customer who sent you a message; we will use reasonable efforts to route your inquiry to that Customer, who is the controller of your information for purposes of the message you received.
6.3 California, Colorado, Connecticut, Virginia, Utah, and similar jurisdictions
Residents of certain U.S. states have specific rights to access, correct, delete, or limit our processing of personal information about them, and to appeal a refusal. To exercise these rights, contact us at the address below. We will verify your identity and respond within the timeframe required by law.
6.4 European Economic Area, United Kingdom, and Switzerland
Where the EU/UK GDPR applies, individuals have rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with a supervisory authority. We process personal data of EEA/UK Recipients on behalf of our Customers as a data processor; please direct requests to the Customer who collected your data, or contact us and we will forward the request.
7. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, the information you provide will be transferred to and processed in the United States. Where required, we rely on contractual safeguards (including standard contractual clauses) to lawfully transfer personal data internationally.
8. Children
The Service is intended for business users and is not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it.
9. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where appropriate, by notice through the Service. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
10. Contact Us
Questions, comments, or requests regarding this Policy or our handling of personal information may be sent to:
- ExtremeSMS for MCA
- Email: privacy@extremesms.net
- Web: mca.extremesms.net