What SmishAlert sees in each deployment mode

What SmishAlert sees is determined by the deployment mode your organization selects—surfaced in the admin console and reviewable in procurement. See Deployment modes for the full descriptions; this is the data-flow summary.

Personal mode

• Sees: only the messages and screenshots a user explicitly reports (body, sender, timestamp, classification).
• Never sees: unknown-sender messages the user didn't report, anything from contacts/known senders, photos, location, address book, or other phone data.

Workforce mode (organization default)

• Sees: every unknown-sender SMS/iMessage body and sender on iOS (via the Message Filter extension); on Android, every message the employee reports; device metadata (carrier, OS, app version—no advertising IDs); classification verdicts and campaign clusters.
• Never sees: messages from contacts or known senders, photos, location, address book, browsing, third-party apps unless an employee screenshots and submits, or employees who aren't enrolled.

Compliance mode (preview)

Adds capture of known-sender messages through a supervised messaging policy with real-time review and retention aligned to record-keeping rules. It requires formal employee consent and supervisor disclosure and is never enabled by default.

Architecture, retention, and subprocessors

On-device CoreML classification is the first verdict in every mode; in Workforce/Compliance the iOS Message Filter network-defer API sends unknown-sender content for second-pass classification. Default retention for reported content is 90 days (custom retention and EU residency available on Enterprise). Subprocessors include Neon, Stripe, Google Firebase, PostHog, and Intercom. Full data-flow detail, fingerprint specs, and the DPA are available for procurement—email support@smishalert.ai, and see the Trust page on smishalert.ai.