Privacy Policy

Last updated: April 20, 2026

SmishAlert LLC ("SmishAlert", "we", "our", or "us") provides messaging-layer threat intelligence and human exposure intelligence services. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit our websites (including www.smishalert.ai and related domains such as crm.smishalert.ai and our web console), use our iOS and Android mobile applications (which act as reporting "sensors"), use our web console and APIs, or otherwise interact with our products and services (collectively, the "Services").

This policy is written to meet modern US state privacy laws (including the CCPA/CPRA and the growing list of comprehensive state privacy laws in states such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Rhode Island, and others), the EU/UK GDPR, Canadian PIPEDA/Quebec Law 25, and similar laws where applicable.

1. Who This Policy Applies To

We interact with several types of people, and our role under privacy law depends on which one you are:

  • Website visitors, prospects, and marketing contacts. We are the "controller" (or "business") of this data.
  • Consumer app users. Individuals who install the SmishAlert mobile app on their own account. We are the controller of this data.
  • Enterprise end users (employees of our customers). When an organization deploys SmishAlert to its workforce, the organization is the controller of employee data, and we act as a processor or service provider under that customer's instructions and our written data processing terms. Employees with questions about their organization's use of the Services should contact their employer first.
  • Reporters and partners. People who submit suspicious messages, participate in programs, or engage through our partners.

2. Information We Collect

a. Information You Provide

  • Name, company/organization, work or personal email, phone number, job title, and department (if provided by you or your employer).
  • Account credentials and authentication data (including Apple, Google, or passwordless sign-in identifiers).
  • Billing details for paid plans (processed by our payment processors such as Stripe and Apple / Google in-app purchase; we do not store full card numbers).
  • Content you submit, including screenshots of suspicious messages, URLs, QR codes, message text, sender numbers or handles, call metadata, and any notes or tags you add.
  • Communications you send us (support requests, demo requests, survey responses).

b. Information Collected Automatically

  • Device information: model, OS version, app version, language, time zone, carrier, and unique mobile identifiers.
  • Usage data: pages and screens viewed, features used, button events, timestamps, referrer, search queries inside the product.
  • Log and network data: IP address, approximate geolocation derived from IP, user agent, and request metadata.
  • Diagnostics and crash data via Firebase, Sentry, or similar tools.
  • Cookies, SDKs, and similar technologies (see Section 9).

c. Information From Third Parties

  • Identity and enterprise providers (e.g., Google, Apple, Microsoft, Okta) when you sign in using them.
  • URL and domain reputation data from Google Web Risk, VirusTotal, and similar threat intelligence sources.
  • Business contact data from lead providers and public sources used for B2B marketing.
  • Your employer's HRIS or directory, if your organization connects one for identity and department mapping.

d. Information We Do Not Collect

Our mobile app does not silently read your SMS inbox. We process content only for messages you explicitly report (for example, by sharing a screenshot, forwarding text, scanning a QR code, or using the in-app share extension). We do not collect biometric identifiers, precise GPS location, or the contents of messages you do not report.

3. How We Use Information

We use the information we collect to:

  • Operate and deliver the Services, including analyzing reported messages, generating threat classifications and educational explanations, and correlating reports into campaigns and exposure metrics.
  • Authenticate users, provision and manage accounts, user licenses, and organizations.
  • Provide dashboards, alerts, exposure scoring, and reporting to security teams of our enterprise customers.
  • Operate smishing simulation programs when enabled by an enterprise customer, including delivering simulated messages, tracking responses, and producing training outcomes.
  • Process payments, prevent fraud, and enforce our Terms.
  • Communicate with you about the Services, security alerts, and (with appropriate permission) marketing.
  • Improve product performance, reliability, and detection quality using aggregated and de-identified data.
  • Comply with legal obligations and protect the rights, property, and safety of SmishAlert, our customers, and the public.

4. Legal Bases (EU/UK/Swiss Users)

Where the EU/UK GDPR or similar laws apply, we rely on the following legal bases:

  • Contract: to provide the Services you or your employer requested.
  • Legitimate interests: to secure, maintain, and improve the Services; to prevent fraud and abuse; and to conduct B2B marketing, balanced against your rights.
  • Consent: where required (e.g., certain cookies, marketing communications, optional features).
  • Legal obligation: to comply with applicable laws, lawful requests, and court orders.

5. How We Use AI and Automated Processing

AI is a core part of how we analyze reported messages and produce intelligence. We believe in being explicit about how it works:

  • What AI does in the Services. We use large language models and machine learning to extract details from reported screenshots (URLs, sender numbers, text), classify likely threat categories, generate short educational threat assessments, cluster related reports into campaigns, suggest follow-ups for our support team, and (for simulations) generate realistic smishing lure variations for admin-approved training.
  • AI subprocessors. We currently use third-party model providers, including OpenAI and Anthropic, along with Google Web Risk and VirusTotal for URL reputation. These providers act as our subprocessors and are contractually restricted in how they may use the data.
  • No training of third-party foundation models on your content. We do not permit our AI subprocessors to use Customer Content (reported messages, screenshots, enterprise data, or conversations with the Services) to train or improve their foundation models. We use enterprise or zero-retention API configurations where available.
  • Our own models. We may use aggregated, de-identified signals (such as indicators, patterns, and anonymized features extracted from reports) to improve our own detection models, heuristics, and threat intelligence. Where we do this, we take steps designed to prevent re-identification.
  • Accuracy and human oversight. AI output can be incomplete or wrong. Threat classifications are probabilistic, not legal advice. Security teams remain responsible for their decisions. We do not make decisions with legal or similarly significant effects on individuals solely through automated means. Where your jurisdiction provides specific rights regarding automated decision-making or profiling (e.g., GDPR Article 22, Colorado CPA, EU AI Act), you may contact us to exercise them.
  • Google APIs / OAuth data. Where we integrate with Google APIs (for example, Gmail content for threat analysis), we use that data only to provide the feature you enabled, in real time, and we do not use it to build user profiles or train AI models. This use is subject to the Google API Services User Data Policy, including the Limited Use requirements.

6. How We Share Information

We do not sell personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under US state privacy laws. We disclose information only in the following ways:

  • With your organization. If you use the Services through your employer or other organization, information about your reports, exposure, and activity is visible to that organization's designated administrators and security personnel.
  • Service providers and subprocessors. Infrastructure and platform providers such as Google Cloud / Firebase, Vercel, Neon (PostgreSQL), Stripe, Intercom, AI providers (OpenAI, Anthropic), URL reputation providers (Google Web Risk, VirusTotal), email delivery vendors, and analytics and error-monitoring tools. A current list of material subprocessors is available on request for enterprise customers.
  • Integrations you enable. If your organization configures integrations (such as SIEM, SOAR, MDR, Slack, Microsoft Teams, webhooks, or HRIS/IdP), we send relevant data to those destinations at your direction.
  • Professional advisors. Lawyers, auditors, and insurers under duties of confidentiality.
  • Legal, safety, and compliance. When required by law, subpoena, or lawful request, or to protect rights, safety, and property, including investigating fraud and abuse.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections.
  • With your consent or at your direction.

7. International Data Transfers

We are headquartered in the United States and process data in the US and in other countries where our providers operate. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the EU-US Data Privacy Framework (where applicable), and supplementary measures as needed.

8. Data Retention and Deletion

We retain personal information only as long as needed for the purposes it was collected, unless a longer period is required or permitted by law:

  • Active accounts: retained while the account is active.
  • Inactive consumer accounts: deleted or anonymized after 12 months of inactivity unless a legal hold applies.
  • Enterprise tenant data: retained for the term of the customer's subscription plus a short wind-down period, subject to the customer's retention configuration.
  • Reported messages and threat intelligence: tenant-scoped data is deleted on request or at contract end. De-identified indicators (e.g., known-bad URLs, domains, hashes) may be retained to power ongoing detection.
  • Billing records: retained as required by tax and accounting laws (typically 7 years in the US).
  • Backups: securely retained on a rolling basis and overwritten on a fixed schedule.

You can request deletion of your account or data at any time (see Section 10 and Section 11).

9. Cookies and Similar Technologies

We use the following categories of cookies and similar technologies on our websites and web console:

  • Strictly necessary: required for authentication, security, and core functionality.
  • Functional / preferences: remember settings like language or last-viewed dashboard.
  • Analytics: help us understand how the Services are used so we can improve them.
  • Marketing: used only on our marketing website for limited measurement and retargeting. We do not run advertising inside the authenticated web console.

You can manage cookies through your browser or our cookie banner (where presented). We treat Global Privacy Control and similar opt-out preference signals sent by your browser as a valid opt-out of "sale" or "sharing" under applicable US state laws.

10. Account Deletion and Data Requests

You can request account or data deletion by:

We verify requests and process verified requests within the timeframes required by applicable law (typically within 45 days for US state laws; within 30 days for GDPR, subject to extension).

If your employer provided the account, we will direct deletion requests for their tenant data to them as the controller.

11. Your Privacy Rights

Depending on where you live, you may have rights to:

  • Access or receive a copy of your personal information (data portability).
  • Correct inaccurate information.
  • Delete your personal information.
  • Opt out of "sale" or "sharing" of personal information or targeted advertising (we do not do these, but you may still submit a request).
  • Limit use of sensitive personal information (we do not use sensitive PI for purposes requiring such a limit).
  • Opt out of certain profiling or automated decision-making that produces legal or similarly significant effects.
  • Withdraw consent where we rely on consent.
  • Appeal a denied request, and lodge a complaint with your data protection authority or state attorney general.

To exercise any of these rights, email support@smishalert.ai. We will not discriminate against you for exercising your rights. Authorized agents may submit requests on your behalf with appropriate proof.

California Shine the Light: California residents may request information about any personal information disclosed to third parties for their direct marketing purposes. We do not share personal information for third-party direct marketing.

12. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 for most storage).
  • Least-privilege access controls, SSO, and MFA for internal systems.
  • Secret management via cloud key management (Firebase Secret Manager, platform-native stores).
  • Logging, monitoring, and alerting on production systems.
  • Regular vulnerability scanning, code review, and third-party testing.
  • Vendor due diligence and contractual data protection terms with subprocessors.

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify affected parties consistent with our legal obligations.

13. Marketing Communications and SMS

  • Email marketing. You can unsubscribe using the link in any marketing email. Transactional messages (billing, security, service notices) may continue as part of the Services.
  • SMS and calls. We do not send marketing SMS or place marketing calls to consumers without prior express written consent as required by the US Telephone Consumer Protection Act (TCPA). Product-related messages (e.g., sign-in codes, alert notifications you configured) are transactional.
  • Smishing simulations. Simulated phishing messages sent as part of an enterprise customer's training program are authorized by that customer for its own workforce. The customer is responsible for notifying employees and complying with applicable laws in its jurisdiction. If you received a simulation and are unsure, contact your employer.

14. Children's Privacy

Our Services are intended for business and adult consumer use. They are not directed to children under 13 or, in jurisdictions where the minimum age is higher (for example, 16 in parts of the EEA), to children under that age. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

15. Third-Party Links and Services

Our Services may link to or integrate with third-party services (for example, carriers, identity providers, cloud storage, SIEM/SOAR platforms, and chat tools). Their privacy practices are governed by their own policies. We encourage you to review them.

16. Changes to This Policy

We may update this policy from time to time to reflect changes in our Services, technology, legal requirements, and business practices. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you by email or in-app notification. Your continued use of the Services after changes become effective means you accept the updated policy.

17. Contact Us

For questions, requests, or complaints about this Privacy Policy or our privacy practices, contact us:

Email: support@smishalert.ai (primary contact, handled with Intercom and our knowledge base for the fastest response). Please include "Privacy Request" in the subject if relevant.

Postal mail: SmishAlert LLC, Attn: Privacy, c/o the address listed on our current invoice; or email support@smishalert.ai to obtain the current mailing address.

EU/UK residents: if you believe your rights are not being respected, you may lodge a complaint with your local supervisory authority. We will cooperate in good faith to resolve any concern before escalation.