ExtremeSMS/MCA

Privacy Policy

// Last updated: 2026-05-20 · Effective: 2026-05-20

This Privacy Policy describes how ExtremeSMS for MCA ("ExtremeSMS", "we", "our", "us") collects, uses, discloses, and protects information in connection with our SMS marketing platform (the "Service") available at mca.extremesms.net.

The Service is offered to businesses ("Customers") who use it to send commercial SMS messages to individuals ("Recipients") with whom they hold a pre-existing relationship and from whom they have obtained prior express written consent. This policy explains how we handle information about both Customers and Recipients.

1. Information We Collect

1.1 Information you provide as a Customer

1.2 Information Customers upload about Recipients

Customers act as the controller of Recipient data and represent to us that they have a lawful basis (typically prior express written consent under the U.S. Telephone Consumer Protection Act) for sending each message and for providing each Recipient's information to us.

1.3 Information collected automatically

2. How We Use Information

3. How We Share Information

3.1 Subprocessors

We share information with third-party service providers only to the extent necessary to deliver the Service:

Each subprocessor is engaged under a written agreement that requires confidentiality and use of the data only for the purpose of providing services to us.

3.2 Legal and safety

We may disclose information when we believe in good faith it is required to comply with applicable law, valid legal process, or to protect the rights, property, or safety of ExtremeSMS, our Customers, Recipients, or the public.

3.3 Business transfers

If ExtremeSMS is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.

3.4 No sale of personal information

We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and similar laws.

4. Data Retention

Customer account data is retained for as long as the account is active and for a reasonable period afterward to satisfy legal, accounting, or reporting obligations. Contact lists, messages, delivery reports, and suppression entries are retained while the Customer's account is active and can be deleted by the Customer at any time through the dashboard. We retain redacted logs and aggregated usage data for security and capacity planning.

5. Security

We apply reasonable administrative, technical, and physical safeguards designed to protect information, including encryption in transit (HTTPS/TLS), password hashing with bcrypt, scoped per-user data isolation, prepared-statement database access, and audit logging of administrative actions. No system is perfectly secure; we cannot guarantee absolute security and ask that Customers maintain strong account credentials and report suspected compromise promptly.

6. Your Rights

6.1 Customers

Customers may review, update, and export account information from within the dashboard. To request account deletion or to exercise other rights with respect to their own data, Customers may contact us at the address below.

6.2 Recipients

If you are a Recipient who has received a message via the Service and you wish to opt out, the most effective method is to reply STOP to the message; our platform automatically adds opt-out phone numbers to the sending Customer's suppression list and prevents further sends. You may also request that we identify the Customer who sent you a message; we will use reasonable efforts to route your inquiry to that Customer, who is the controller of your information for purposes of the message you received.

6.3 California, Colorado, Connecticut, Virginia, Utah, and similar jurisdictions

Residents of certain U.S. states have specific rights to access, correct, delete, or limit our processing of personal information about them, and to appeal a refusal. To exercise these rights, contact us at the address below. We will verify your identity and respond within the timeframe required by law.

6.4 European Economic Area, United Kingdom, and Switzerland

Where the EU/UK GDPR applies, individuals have rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with a supervisory authority. We process personal data of EEA/UK Recipients on behalf of our Customers as a data processor; please direct requests to the Customer who collected your data, or contact us and we will forward the request.

7. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, the information you provide will be transferred to and processed in the United States. Where required, we rely on contractual safeguards (including standard contractual clauses) to lawfully transfer personal data internationally.

8. Children

The Service is intended for business users and is not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it.

9. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where appropriate, by notice through the Service. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

10. Contact Us

Questions, comments, or requests regarding this Policy or our handling of personal information may be sent to:

// This document is provided as a starting template for a U.S.-operated SMS platform serving business customers. It is not a substitute for legal advice. Have qualified counsel review and adapt it to your specific operations, jurisdictions, and contractual commitments before relying on it publicly.