Privacy Policy

1. Who we are

"DIDHub", "we", "us", and "our" refer to DIDHub Inc., the operator of didhub.io. We are the data controller for personal data we collect from customers and visitors. We are a data processor for personal data that customers route through our platform (e.g. inbound caller IDs, SMS and MMS content and media forwarded via webhook).

2. What data we collect

Account & billing data

• Name, email, company name, billing address
• Tax identifiers (VAT, EIN, etc.) where required
• Payment details (handled by our PCI-compliant payment processor; we do not store full card numbers)
• Authentication data (hashed passwords, 2FA tokens, API keys)

KYC / activation data (regulated countries only)

• Proof of local address
• Copy of government-issued ID or business registration
• Required only by the regulators in countries that demand it (Germany, France, etc.). Documents are stored encrypted, accessed only when regulators or carriers require, and deleted when no longer required.

Call detail records (CDRs) & SMS/MMS metadata

• Calling number, called number, timestamp, duration, disposition, route used
• SIP signaling traces for diagnostic purposes
• SMS and MMS sender, recipient, timestamp, message ID, delivery status, media attachment metadata (size, MIME type)
• This data is required to bill correctly, comply with telecom regulations, and operate the network. It is the equivalent of a phone bill itemization.

Call recordings & SMS/MMS content (only when enabled)

• Audio recordings of calls, only when you, the customer, enable recording on a number.
• SMS body text and MMS media (images, video, audio), only when forwarded via SMS/MMS-to-email, SMS/MMS-to-webhook, or stored for retrieval via API.
• You control retention and can delete recordings, SMS, and MMS media at any time from the dashboard or via API.

Usage & technical data

• IP addresses, browser/user agent, dashboard activity logs (for security and audit)
• API request logs (rate limiting, abuse detection, debugging)

3. How we use it

• To deliver the service: route calls, SMS, and MMS, provision numbers, generate CDRs, bill correctly
• To meet our legal obligations: regulatory reporting, lawful intercept where required by court order, fraud prevention, anti-money-laundering checks
• To secure the platform: detect abuse, fraud, toll-fraud attempts, brute-force attacks
• To support you: respond to support requests, debug routing issues
• To improve the product: aggregate, anonymized analytics on platform health and feature usage

We do not sell personal data, share it for cross-context behavioral advertising, or use the content of your calls, SMS, or MMS for any purpose other than the routing and storage you've configured.

4. Who we share it with

• Upstream carriers in each country we serve, we transmit the calling/called number and signaling required to deliver the call. Content of calls is not shared except as transit traffic.
• Payment processors (Stripe and similar) for processing payments.
• Cloud infrastructure providers (Cloudflare, AWS, GCP, and similar) where the service is hosted, under data-processing agreements.
• Regulators and law enforcement when required by binding legal process in a jurisdiction we operate in.
• Webhooks and email recipients you configure, when you set up SMS/MMS-to-email or SMS/MMS-to-webhook, we forward inbound messages and any attached media to the address/URL you provide. You are responsible for the security of those endpoints.

5. Legal bases (GDPR)

For visitors and customers in the EU/EEA/UK, we process personal data on the following legal bases:

• Performance of a contract, to deliver the service you signed up for
• Legal obligation, telecom regulations, KYC, AML, lawful intercept, tax
• Legitimate interests, fraud prevention, network security, product improvement (balanced against your rights)
• Consent, for optional cookies, marketing communications you've subscribed to

6. How long we keep it

• Account data: for the life of your account, plus 7 years after closure for tax/audit obligations.
• CDRs and SMS/MMS metadata: typically 12 months online, longer in cold storage where required by local telecom regulations.
• Call recordings, SMS, and MMS content (incl. media): the retention period you set per number, 7 days, 30 days, 90 days, 1 year, custom, plus a brief safety buffer.
• KYC documents: as long as the underlying number is active, plus 6 years (or local equivalent) for regulatory traceability.
• Logs and security events: 30-90 days for operational logs, longer for incident investigation.

7. Security

• TLS 1.2+ for everything in transit (web, API, optional SIP TLS & SRTP)
• Encryption at rest for call recordings, SMS and MMS content (including media attachments), KYC documents, and credentials
• Strong access controls, least-privilege internal access, audit logging on all admin actions
• Regular vulnerability scanning, third-party penetration testing
• 2FA available (and recommended) on all accounts; SSO available on paid tiers
• Incident response process, we'll notify affected customers without undue delay if a breach impacts your data

8. Your rights

Depending on where you live, you have rights to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete data (subject to legal retention requirements, we cannot delete CDRs that telecom regulators require us to keep)
• Object to processing or restrict it
• Port your data to another provider
• Withdraw consent (where consent is the basis)
• Lodge a complaint with your local data protection authority

Email [email protected] to exercise any of these.

9. International transfers

DIDHub operates a globally distributed network across NOAM, LATAM, EURO, MENA, AFRICA, INDIA, APAC, and ANZAC regions. Data may be processed in any of these regions to deliver the service. For transfers out of the EU/EEA/UK we rely on Standard Contractual Clauses and supplementary measures where appropriate. A Data Processing Agreement (DPA) is available on request for customers who need one.

10. Cookies, analytics & advertising

Essential cookies

A small number of essential cookies are used for authentication, session management, and CSRF protection. These cannot be disabled because the site can't function without them.

Analytics

We use the following analytics tools to understand aggregate site usage:

• Cloudflare Web Analytics, cookieless, no personal identifiers, no cross-site tracking. Counts pageviews, top pages, referrers, country, and device family. Always on; no consent banner required because no personal data is processed.
• Google Analytics 4, counts pageviews, sessions, events (clicks, scrolls, conversions). Sets cookies. Only active after you accept the cookie banner. If you decline or ignore the banner, GA4 does not load and no data is sent to Google.

Advertising and remarketing

If you accept the cookie banner, we also load tracking pixels for the following advertising platforms so we can measure ad performance and show relevant ads to people who have already visited our site (remarketing):

• Google Ads conversion + remarketing tag
• Microsoft Advertising (Bing) UET tag
• LinkedIn Ads Insight Tag
• Meta (Facebook / Instagram) Pixel

These pixels share with each platform: the pages you viewed on didhub.io, your approximate location (country / region), device type, and a platform-set identifier. They do not share your name, email, phone, or account contents. If you decline or ignore the cookie banner, none of these pixels load and no data is shared.

Customer-list audiences (lookalike + matched audiences)

If you have given us explicit marketing consent at signup (the checkbox "It's OK to email me product updates") and have not subsequently withdrawn it, we may upload a hashed (one-way, irreversible SHA-256) version of your email address and country to the advertising platforms listed above. The platforms use these hashes to:

• Match you against existing accounts on their platform so we can show you DIDHub-related ads (suppressed if you're already a customer)
• Build "lookalike" audiences, finding new prospective customers whose platform-side profile resembles existing DIDHub customers. The platforms do not share back which specific people are in the lookalike audience; we only see aggregate ad performance.

Hashed identifiers that do not match a platform account are discarded. You can withdraw marketing consent at any time from Settings → Account → Communications in your DIDHub dashboard; we re-export the audience list weekly so withdrawals propagate within seven days. You can also opt out of advertising directly at Google's ad-settings, Meta's ad preferences, and the equivalents on LinkedIn and Microsoft.

Your rights

You can:

• Decline analytics + advertising cookies at the banner (or via the "Cookie preferences" link in the site footer at any time)
• Withdraw marketing consent from your account settings
• Request deletion of your data via [email protected]

For EU/UK visitors, the legal basis is your consent (analytics + advertising cookies and customer-list uploads). You have the right to object to this processing at any time without affecting the use of the rest of the service.

11. Children

DIDHub is a B2B service. The platform is not directed at, and we do not knowingly collect data from, anyone under 16.

12. Changes

If we change this policy materially, we'll post the updated version here with a new "last updated" date and notify active customers by email when warranted. Continued use of the service after a change means you accept the updated policy.

13. Contacting us

Email [email protected] for any privacy-related questions, data access/deletion requests, or to request a copy of our DPA.