Legal

Privacy Policy

Last updated: 2026-05-16

1. Who We Are

ACTIV KODE ("we", "us", or "our") is the data controller for personal data processed in connection with our virtual SMS and email verification services. If you have any privacy concerns, contact us at contact@activkode.com.

2. Data We Collect

2.1 Account data

  • Email address — required for registration, login, account recovery
  • Hashed password — never stored in plain text
  • Language preference — stored in cookie/database
  • Account creation timestamp

2.2 Transactional data

  • Account balance in USD
  • Top-up history — amount, cryptocurrency used, blockchain transaction ID, timestamp
  • Activation history — service name, country, price paid, status, virtual number/email rented, received code (kept for 7 days then anonymized), timestamps
  • Balance transactions — credits, debits, refunds

2.3 Technical data

  • IP address — collected for security, anti-fraud, and abuse prevention
  • User agent — browser/OS for compatibility and debugging
  • Session tokens — to keep you logged in
  • CSRF tokens — to protect against cross-site request forgery

2.4 What we DO NOT collect

  • Real name, phone number, address, ID documents (no KYC required)
  • Payment card data (we use crypto only)
  • Advertising / marketing trackers
  • Browser fingerprinting data
  • Location beyond country-level IP geolocation

3. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

  • Contract (Art. 6(1)(b) GDPR) — to provide the Service you signed up for
  • Legitimate interest (Art. 6(1)(f) GDPR) — for security, fraud prevention, and basic analytics
  • Legal obligation (Art. 6(1)(c) GDPR) — for tax records, AML compliance, responding to lawful requests
  • Consent (Art. 6(1)(a) GDPR) — for any optional features that require it

4. How We Use Your Data

  • To create and manage your account
  • To process top-ups and rent virtual numbers/emails on your behalf
  • To send you transactional emails (verification codes, expired notifications, password resets)
  • To detect and prevent abuse, fraud, and security incidents
  • To comply with legal obligations
  • To improve the Service (in aggregate / anonymized form only)

We never sell your data. We never share it for advertising purposes.

5. Third Parties We Share Data With

We share minimal data with these processors:

ProviderPurposeData shared
NOWPaymentsCrypto payment processingTop-up amount, order ID
SMS providers (HeroSMS, SMSBower, others)Renting virtual SMS numbersService code, country, no personal data
Email providers (SMSBower Mail, others)Renting virtual email addressesService code, no personal data
Hosting providerServer infrastructureAll data (encrypted at rest)

Each processor has their own privacy policy and DPA. We do not share data with any other third party except as required by law.

6. Data Retention

  • Account data — for the lifetime of your account, then 30 days after deletion request
  • Received verification codes — 7 days, then anonymized (code text removed, metadata kept)
  • Transaction records — 7 years (tax compliance)
  • IP / session logs — 90 days
  • Webhook payloads — 30 days

7. Your Rights Under GDPR

You have the right to:

  • Access — request a copy of your data
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten") — delete your account and personal data
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format (JSON)
  • Object — oppose processing based on legitimate interest
  • Withdraw consent — for any consent-based processing
  • Lodge a complaint with your local supervisory authority

To exercise these rights, email contact@activkode.com from your registered email address. We respond within 30 days.

8. Data Security

We implement industry-standard security measures:

  • HTTPS everywhere (TLS 1.2+)
  • Password hashing with bcrypt
  • CSRF protection on all forms
  • SQL injection prevention via prepared statements
  • Rate limiting on sensitive endpoints
  • Regular security audits

If we discover a breach affecting your data, we will notify you within 72 hours and report to the relevant authority as required by GDPR Article 33.

9. International Transfers

Our servers are located in the European Union. Some processors (e.g., NOWPayments) may be based outside the EU; in such cases, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children's Privacy

The Service is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately.

11. Changes to This Policy

Material changes will be announced via email or a notice on the Service at least 7 days before taking effect.

12. Contact

For any privacy-related questions or to exercise your rights, contact us at contact@activkode.com.

Questions?

If anything in these documents is unclear, write to us.

✉ contact@activkode.com