Privacy Policy
1. Who we are
"DIDHub", "we", "us", and "our" refer to DIDHub Inc., the operator of didhub.io. We are the data controller for personal data we collect from customers and visitors. We are a data processor for personal data that customers route through our platform (e.g. inbound caller IDs, SMS and MMS content and media forwarded via webhook).
2. What data we collect
Account & billing data
- Name, email, company name, billing address
- Tax identifiers (VAT, EIN, etc.) where required
- Payment details (handled by our PCI-compliant payment processor; we do not store full card numbers)
- Authentication data (hashed passwords, 2FA tokens, API keys)
KYC / activation data (regulated countries only)
- Proof of local address
- Copy of government-issued ID or business registration
- Required only by the regulators in countries that demand it (Germany, France, etc.). Documents are stored encrypted, accessed only when regulators or carriers require, and deleted when no longer required.
Call detail records (CDRs) & SMS/MMS metadata
- Calling number, called number, timestamp, duration, disposition, route used
- SIP signaling traces for diagnostic purposes
- SMS and MMS sender, recipient, timestamp, message ID, delivery status, media attachment metadata (size, MIME type)
- This data is required to bill correctly, comply with telecom regulations, and operate the network. It is the equivalent of a phone bill itemization.
Call recordings & SMS/MMS content (only when enabled)
- Audio recordings of calls — only when you, the customer, enable recording on a number.
- SMS body text and MMS media (images, video, audio) — only when forwarded via SMS/MMS-to-email, SMS/MMS-to-webhook, or stored for retrieval via API.
- You control retention and can delete recordings, SMS, and MMS media at any time from the dashboard or via API.
Usage & technical data
- IP addresses, browser/user agent, dashboard activity logs (for security and audit)
- API request logs (rate limiting, abuse detection, debugging)
3. How we use it
- To deliver the service: route calls, SMS, and MMS, provision numbers, generate CDRs, bill correctly
- To meet our legal obligations: regulatory reporting, lawful intercept where required by court order, fraud prevention, anti-money-laundering checks
- To secure the platform: detect abuse, fraud, toll-fraud attempts, brute-force attacks
- To support you: respond to support requests, debug routing issues
- To improve the product: aggregate, anonymized analytics on platform health and feature usage
We do not sell personal data, share it for cross-context behavioral advertising, or use the content of your calls, SMS, or MMS for any purpose other than the routing and storage you've configured.
4. Who we share it with
- Upstream carriers in each country we serve — we transmit the calling/called number and signaling required to deliver the call. Content of calls is not shared except as transit traffic.
- Payment processors (Stripe and similar) for processing payments.
- Cloud infrastructure providers (Cloudflare, AWS, GCP, and similar) where the service is hosted, under data-processing agreements.
- Regulators and law enforcement when required by binding legal process in a jurisdiction we operate in.
- Webhooks and email recipients you configure — when you set up SMS/MMS-to-email or SMS/MMS-to-webhook, we forward inbound messages and any attached media to the address/URL you provide. You are responsible for the security of those endpoints.
5. Legal bases (GDPR)
For visitors and customers in the EU/EEA/UK, we process personal data on the following legal bases:
- Performance of a contract — to deliver the service you signed up for
- Legal obligation — telecom regulations, KYC, AML, lawful intercept, tax
- Legitimate interests — fraud prevention, network security, product improvement (balanced against your rights)
- Consent — for optional cookies, marketing communications you've subscribed to
6. How long we keep it
- Account data: for the life of your account, plus 7 years after closure for tax/audit obligations.
- CDRs and SMS/MMS metadata: typically 12 months online, longer in cold storage where required by local telecom regulations.
- Call recordings, SMS, and MMS content (incl. media): the retention period you set per number — 7 days, 30 days, 90 days, 1 year, custom — plus a brief safety buffer.
- KYC documents: as long as the underlying number is active, plus 6 years (or local equivalent) for regulatory traceability.
- Logs and security events: 30-90 days for operational logs, longer for incident investigation.
7. Security
- TLS 1.2+ for everything in transit (web, API, optional SIP TLS & SRTP)
- Encryption at rest for call recordings, SMS and MMS content (including media attachments), KYC documents, and credentials
- Strong access controls, least-privilege internal access, audit logging on all admin actions
- Regular vulnerability scanning, third-party penetration testing
- 2FA available (and recommended) on all accounts; SSO available on paid tiers
- Incident response process — we'll notify affected customers without undue delay if a breach impacts your data
8. Your rights
Depending on where you live, you have rights to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete data (subject to legal retention requirements — we cannot delete CDRs that telecom regulators require us to keep)
- Object to processing or restrict it
- Port your data to another provider
- Withdraw consent (where consent is the basis)
- Lodge a complaint with your local data protection authority
Email [email protected] to exercise any of these.
9. International transfers
DIDHub operates a globally distributed network across NOAM, LATAM, EURO, MENA, AFRICA, INDIA, APAC, and ANZAC regions. Data may be processed in any of these regions to deliver the service. For transfers out of the EU/EEA/UK we rely on Standard Contractual Clauses and supplementary measures where appropriate. A Data Processing Agreement (DPA) is available on request for customers who need one.
10. Cookies & analytics
We use a small number of essential cookies for authentication and session management. We may use privacy-respecting analytics (server-side or cookieless) to understand aggregate site usage. We do not use third-party advertising trackers or cross-site tracking on this site.
11. Children
DIDHub is a B2B service. The platform is not directed at, and we do not knowingly collect data from, anyone under 16.
12. Changes
If we change this policy materially, we'll post the updated version here with a new "last updated" date and notify active customers by email when warranted. Continued use of the service after a change means you accept the updated policy.
13. Contacting us
Email [email protected] for any privacy-related questions, data access/deletion requests, or to request a copy of our DPA.