01 Introduction
This Privacy Policy describes how SMS Bite Limited (“SMSBite”, “we”, “us”) collects, uses, discloses and otherwise processes personal data in connection with the operation of the SMSBite platform, the smsbite.com website, the customer control plane, our APIs and SDKs, and the carrier-grade messaging infrastructure that processes traffic on behalf of our business customers.
The data controller responsible for personal data processed under this Policy is SMS Bite Limited, a company incorporated in the Hong Kong Special Administrative Region under Company Registration N° 78685084, with its registered office at 5.17/F. Bonham Trade Centre, 50 Bonham Strand, Sheung Wan, Hong Kong.
We treat privacy as an engineering discipline. We process the minimum data required to operate the service, secure it against abuse, satisfy operator and regulatory obligations, and honour our contractual commitments to customers. This Policy is aligned with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486, the “PDPO”) and the California Consumer Privacy Act, as amended by the CPRA (the “CCPA”).
Where SMSBite processes personal data on behalf of a business customer in connection with the routing of messages, SMSBite acts as a data processor (or service provider, under the CCPA), and the customer acts as the controller. Such processing is governed by the Data Processing Addendum (“DPA”) executed between the customer and SMSBite, which prevails over this Policy to the extent of any conflict.
02 Data we collect
We collect the categories of personal data described below. In every case the collection is limited to what is necessary to operate the service, secure it and meet our legal obligations.
Account & business contact data
When a business representative opens an account, requests access or enters into an Order Form, we collect full name, business email address, role or title, company name, country and other identifying information needed to verify the entity and provision the service. Authentication data such as hashed credentials, multi-factor tokens and session identifiers are also collected to keep the account secure.
Technical data
When you visit our website or use the control plane, we collect technical data including IP address, user-agent, device and browser characteristics, referring URL, locale, timestamps, console actions and diagnostic telemetry. This data is stored under pseudonymous identifiers and is used for security, fraud prevention, performance monitoring and aggregated analytics.
Communications
When you contact us through email, the contact form, support channels or in the course of commercial onboarding, we collect the content of those communications together with associated metadata. We use this information to respond to your enquiry, qualify your account and maintain a record of our correspondence.
Cookies & tracking
We use a small number of cookies and similar technologies. Strictly necessary cookies are used to authenticate sessions and protect against abuse; optional analytics and preference cookies are loaded only with your consent. Section 06 describes each category in detail.
Third-party data
We may receive limited information about you from third parties: payment and fraud-prevention partners, public business registries used for Know-Your-Business (KYB) verification, threat-intelligence feeds, and operators or aggregators who report abuse signals concerning traffic associated with your account. We use such information solely for the purposes described in this Policy.
Message traffic (processor data)
When customers route messages through SMSBite, the message body, sender ID, recipient MSISDN, delivery receipts and operator-level diagnostics pass through our systems on the customer’s behalf. SMSBite processes this data under the customer’s written instructions and in line with the DPA. We do not access message content other than where strictly necessary to operate, secure and audit the service, or where required by law or operator instruction.
03 How we use your data
We process personal data for the following purposes:
- Service provision. Provisioning accounts, routing traffic to the most appropriate operator, reconciling delivery, invoicing usage and providing technical support.
- Business communications. Replying to enquiries, sending service-related notices, contractual communications, status updates and, where permitted, B2B updates about features that may be relevant to your operations.
- Security and fraud prevention. Detecting abuse, account compromise, credential stuffing, AIT (Artificially Inflated Traffic) and other operational risks; logging and forensic analysis; coordination with affected operators.
- Legal & regulatory compliance. Meeting our obligations under Hong Kong, EU and other applicable laws; responding to lawful requests from competent authorities; auditing, record-keeping and tax obligations.
- Analytics and quality. Aggregated, de-identified analysis of delivery outcomes, routing quality and platform performance.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising. We do not use customer message content to train machine-learning models.
04 Legal basis for processing
Where the GDPR or UK GDPR applies, we rely on the following legal bases under Article 6:
- Performance of a contract (Art. 6(1)(b)) — to provide the service requested by you or your employer, manage your account, process payments and provide support.
- Legitimate interests (Art. 6(1)(f)) — to secure the platform, prevent abuse, improve routing quality, conduct B2B outreach to verified business contacts and operate our business. We balance these interests against the rights and freedoms of data subjects and document this assessment internally.
- Consent (Art. 6(1)(a)) — for optional analytics cookies, marketing communications where consent is required, and any other processing that depends on consent under applicable law. Consent may be withdrawn at any time without affecting the lawfulness of processing before withdrawal.
- Legal obligation (Art. 6(1)(c)) — to comply with operator and telecommunications regulation, tax and accounting duties, and lawful requests from competent authorities.
Under the PDPO, we process personal data for the purposes for which it was collected (or a directly related purpose), in accordance with the Data Protection Principles set out in Schedule 1 of the Ordinance.
05 Business communications
SMSBite is a B2B service. We send commercial communications only to verified business contacts — representatives of companies who have requested access, opened an account, or otherwise entered into a commercial relationship with us — and only in connection with services or topics relevant to their role.
We do not engage in consumer marketing and we do not enrich our outbound lists with third-party consumer datasets. Service-related notices (security alerts, regulatory changes, incident communications, billing) are sent as part of the contractual relationship and cannot be opted out of without closing the account.
Optional commercial communications — product updates, market intelligence, customer-research invitations — can be unsubscribed from at any time using the link present in every such message, or by writing to contact@smsbite.com.
06 Cookies and tracking
Cookies and similar technologies are used on smsbite.com and in the control plane. We classify them into three categories and load them in accordance with the choices you make in our cookie banner.
- Strictly necessary. Required for the operation of the website and the control plane. These include session, authentication, load-balancing, CSRF and abuse-prevention cookies. They are exempt from consent under the ePrivacy Directive and equivalent laws.
- Analytics. Used to measure aggregated usage patterns — pages visited, time on page, broad geographic origin — in order to improve the website. Loaded only with your consent. Analytics data is pseudonymised and is not used for advertising.
- Preferences. Remember non-essential choices such as locale, region or accessibility preferences. Loaded only with your consent.
We do not use advertising cookies, cross-site trackers or fingerprinting techniques. You can update your cookie choices at any time through the cookie preferences control accessible from the website footer, or by clearing cookies in your browser.
07 Sharing and disclosures
SMSBite shares personal data only with the parties strictly required to operate the service, perform under our contracts, and meet our legal obligations.
- Mobile network operators and licensed aggregators in the destination country — to deliver each individual message and to satisfy operator reporting requirements.
- Sub-processors providing cloud infrastructure, security tooling, payment processing, support tooling and similar operational services. A current list of sub-processors is available on request to privacy@smsbite.com and is referenced in the DPA.
- Professional advisors — auditors, counsel, bankers and insurers — bound by confidentiality and used only for the purpose of advising SMSBite.
- Public authorities — where required by valid legal process, regulator instruction or to protect vital interests. We assess every request for legal validity and proportionality before responding.
- Successors in interest — in the event of a merger, acquisition, reorganisation or sale of assets, personal data may be transferred to the successor entity, subject to equivalent protection.
SMSBite does not sell personal data within the meaning of the CCPA or any other applicable law, and does not share personal data for cross-context behavioural advertising.
08 International data transfers
SMSBite operates from Hong Kong and routes traffic across operators in 180+ countries. Personal data is therefore necessarily transferred across borders to deliver the service.
For transfers of personal data subject to the GDPR or UK GDPR from the European Economic Area, the United Kingdom or Switzerland to jurisdictions that have not received an adequacy decision (including Hong Kong), we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) or the UK International Data Transfer Addendum, supplemented where appropriate by additional technical and organisational measures following a transfer impact assessment.
For transfers from Hong Kong, we comply with the requirements of the PDPO, including Data Protection Principle 3 (use of data) and, when it enters into operation, Section 33 (cross-border transfers). Equivalent contractual safeguards are put in place with recipients in third countries.
Customers may, on request and subject to commercial agreement, configure a preferred processing region. By default, traffic is routed through the processing zone closest to the destination operator.
09 Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, including any legal, regulatory, accounting or reporting requirements. The default retention periods are summarised below; longer retention may apply where required by law or where data is needed for the establishment, exercise or defence of legal claims.
| Category | Default retention |
|---|---|
| Account data | Lifetime of account + 7 years (tax / audit) |
| Message metadata | 12 months (default) |
| Message content | Not stored beyond delivery confirmation, unless customer-configured |
| Billing & invoices | 7 years |
| Marketing contacts | Until opt-out |
| Security & access logs | 24 months |
On expiry of the applicable retention period, personal data is deleted or irreversibly anonymised. Backups containing personal data are overwritten in accordance with the standard rolling backup cycle.
10 Your rights
Subject to applicable law, you have the following rights in relation to the personal data we hold about you:
- Right of access — obtain confirmation of whether we process your personal data and a copy of that data.
- Right to rectification — have inaccurate or incomplete personal data corrected.
- Right to erasure (“right to be forgotten”) — have personal data deleted where the legal grounds for processing no longer apply.
- Right to restriction of processing — limit the way we process your data while a contested issue is resolved.
- Right to data portability — receive personal data you have provided to us in a structured, commonly used, machine-readable format.
- Right to object to processing based on legitimate interests, including processing for direct marketing.
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with a competent supervisory authority.
California residents have additional rights under the CCPA, including the right to know what personal information is collected, used, shared or sold; the right to delete; the right to correct inaccurate personal information; the right to opt-out of sale or sharing (although SMSBite does not sell or share personal information within the meaning of the CCPA); and the right to non-discrimination for exercising any of these rights.
Our primary supervisory authority is the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD). Residents of the European Economic Area or the United Kingdom may also lodge a complaint with the data protection authority of their member state or country of residence.
11 How to make a data request
To exercise any of the rights described above, please write to privacy@smsbite.com or contact@smsbite.com. Please include sufficient detail to allow us to identify the relevant records and to verify your identity.
We will respond to verified requests within thirty (30) days of receipt. Where a request is particularly complex or where we have received a high number of requests from you, we may extend the response period by up to two further months and will inform you of the extension and the reasons for it within the initial thirty-day period.
To protect your data we may need to verify your identity before acting on a request. Identity verification is proportionate to the sensitivity of the data involved and may include confirmation of account ownership, matching email addresses on file, or, in limited cases, the production of additional identifying information.
Where SMSBite acts as a processor on behalf of a customer (for example, when processing recipient MSISDNs in routed traffic), data subject requests should be addressed in the first instance to the relevant customer, who acts as the controller. SMSBite will assist the customer in responding, as required by the DPA.
12 Security
SMSBite implements technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, destruction and damage. Our security programme is aligned with the SOC 2 Trust Services Criteria and reviewed by independent auditors.
- All traffic between clients and SMSBite endpoints is encrypted in transit using TLS 1.3 with modern cipher suites.
- Personal data at rest is encrypted using AES-256 with keys managed by a dedicated key management service.
- Access to production systems is granted on a least-privilege basis, requires multi-factor authentication and is logged and monitored.
- Application code is reviewed, statically analysed and regularly tested against current threat models, including by independent penetration testers.
- Incident response is operated 24/7. Material security incidents affecting personal data are notified to affected customers and, where required, to competent supervisory authorities, within the timelines mandated by applicable law.
Suspected vulnerabilities or security concerns should be reported to security@smsbite.com.
13 Children’s privacy
SMSBite is a B2B infrastructure service provided exclusively to verified business entities. It is not directed at children and is not intended for use by anyone under the age of 16, or 18 where local law sets a higher threshold for digital services.
We do not knowingly collect personal data from children. If we become aware that personal data of a child has been provided to us, we will delete that data and, where appropriate, close any associated account. If you believe that we may have collected personal data from a child, please contact privacy@smsbite.com.
14 Third-party sites
The smsbite.com website and the SMSBite control plane may contain links to third-party websites, services or resources operated by parties other than SMSBite. Following such a link will take you outside of our environment.
SMSBite has no control over, and accepts no responsibility for, the content, privacy practices or security of any third-party site. We encourage you to read the privacy notice and terms of any third-party site you visit. Linking from SMSBite content does not imply endorsement.
15 Changes to this notice
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. The “Last updated” and “Effective” dates at the top of this Policy always indicate the live revision.
Material changes — changes that affect the way we process your personal data or your rights in relation to it — will be notified to account contacts by email, and the updated Policy will be published at least thirty (30) days before it takes effect. Non-material changes (clarifications, formatting, typographical corrections) take effect on publication.
Earlier versions of this Policy are retained internally and made available on request to privacy@smsbite.com.
16 Contact and legal entity
Questions, requests and complaints regarding this Privacy Policy or our handling of personal data should be addressed to the data controller:
SMS Bite Limited
5.17/F. Bonham Trade Centre, 50 Bonham Strand
Sheung Wan, Hong Kong
Company Registration N° 78685084
For complaints that cannot be resolved with us directly, you may contact the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), or the data protection authority of your country of residence in the European Economic Area or the United Kingdom.
