SMS Localhost ("we", "us", "our") is operated by SuperDarkCode Labs (Pvt) Ltd, a company registered in Zimbabwe. This Privacy Policy explains how we handle information in connection with our platform at sms.localhost.co.zw and any associated services, APIs, or mobile applications (collectively, the "Service").
SMS Localhost is a messaging tool. The contacts, recipient phone numbers, and message content that flow through the Service are generated, uploaded, and controlled by you, the account holder. We do not independently collect, source, build, or seek out personal data about your recipients — we process the content you choose to send through the platform, on your instruction, solely so that we can deliver it. In relation to that content, you are the data controller and we are merely a data processor.
Because that content originates with you, responsibility for compliance rests entirely with you. You are solely responsible for ensuring that you have a lawful basis, valid consent, and any necessary opt-ins to contact every recipient, and for complying with all applicable data protection, anti-spam, and telecommunications laws. We are not the controller of, and accept no liability for, the recipient data you supply.
By using the Service, you consent to the practices described in this policy. If you do not agree, please discontinue use of the Service.
01
Information and Content
We do not collect personal data about your message recipients. Recipient phone numbers, contact lists, and message content are user-generated content that you supply and control. For that content you are the data controller; we are only a processor that delivers what you send. All compliance responsibility for that content rests with you.
1.1 Account Information You Provide
To operate your account we process the information you give us when you register and use the Service:
- Account information: Username, email address, first and last name, password, and optional company or organization name when you register.
- Organization data: Organization name, member details, and role assignments when you create or join an organization.
- Billing information: Transaction records, purchase history, bundle selections, and redemption token usage. Payment card details are processed directly by our payment provider (PesePay) and are never stored on our servers.
- Sender ID applications: Proposed sender names and associated business justifications.
- Support communications: Any messages or information you provide when contacting our support team.
1.2 User-Generated Content You Control
The following is content you create, upload, or instruct us to send. We do not seek it out or collect it independently — we hold and transmit it only to provide the Service to you, and you remain the data controller and the party responsible for its lawful use:
- Contact lists: Phone numbers, names, email addresses, and any custom fields you upload or enter for your contacts and contact groups.
- Message content: The text of SMS and WhatsApp messages you compose, including campaign messages, templates, and drafts.
- Recipient data: The destination numbers and any recipient details you provide for delivery.
You warrant that you hold the necessary rights, consent, and lawful basis for every contact and recipient in this content, and that its use complies with all applicable data-protection and anti-spam laws. We are not responsible for, and disclaim all liability for, content and recipient data you supply.
1.3 Information Collected Automatically
- Usage data: Pages visited, features used, timestamps, and interaction patterns within the dashboard.
- Device and browser data: IP address, browser type and version, operating system, device type, and screen resolution.
- Message delivery metadata: Recipient phone numbers, delivery statuses, timestamps, provider message IDs, and error codes.
- API activity: API key usage, request timestamps, endpoints called, and response statuses.
- Log data: Server logs including access times, referring URLs, and system error information.
1.4 Information From Third Parties
- Social sign-in providers: If you authenticate via Google, GitHub, Microsoft, or LinkedIn, we receive your name, email address, and profile picture as permitted by your account settings with that provider.
- SMS delivery providers: Delivery receipts, status callbacks, and error reports from our upstream messaging partners.
- Payment processor: Transaction confirmation, payment status, and reference numbers from PesePay.
02
How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To send your SMS and WhatsApp messages, manage your campaigns, process contact lists, and operate all platform features.
- Account management: To create and maintain your account, authenticate your identity, and manage organization memberships and permissions.
- Billing and payments: To process credit purchases, generate receipts, track credit balances, and send low-credit alerts.
- Communication: To send transactional emails including account verification, password resets, purchase confirmations, sender ID status updates, and credit alerts.
- Platform improvement: To analyze usage patterns, identify bugs, improve performance, and develop new features.
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
- Compliance: To comply with applicable laws, regulations, legal processes, and enforceable government requests.
- Sender ID review: To evaluate and process sender ID applications, including verifying business identity and preventing impersonation.
We do not read, analyze, or mine the content of your messages for advertising, profiling, or marketing purposes. Message content is processed solely for delivery and compliance screening.
03
Legal Basis for Processing
We process your personal data on the following legal grounds:
- Contract performance: Processing necessary to provide the Service you have signed up for (account management, message delivery, billing).
- Legitimate interests: Processing necessary for our legitimate business interests, such as platform security, fraud prevention, and service improvement, where these interests are not overridden by your rights.
- Consent: Where you have given explicit consent, such as opting in to marketing communications or connecting a social sign-in account.
- Legal obligation: Processing required to comply with applicable laws and regulations.
04
Data Storage, Retention, and Security
4.1 Storage
Your data is stored on secure servers hosted in data centres with physical access controls, redundant power, and network security measures. Database backups are encrypted and stored separately from production systems.
4.2 Security Measures
- All connections are encrypted using TLS/HTTPS.
- Passwords are hashed using industry-standard algorithms (PBKDF2 with SHA-256).
- API keys are hashed at rest and displayed only once at creation.
- Access to production systems is restricted to authorized personnel with multi-factor authentication.
- Regular security reviews and dependency updates are performed.
- Session tokens expire after a period of inactivity.
4.3 Retention
Account data
Active + 30 days
Retained while your account is active, plus 30 days after deletion for recovery.
Message logs
12 months
SMS/WhatsApp metadata and content retained for your reference.
Billing records
7 years
Required for financial record-keeping and tax compliance.
Server logs
90 days
System and access logs for security and debugging.
Contact data
Active + 30 days
Deleted contacts are permanently removed within 30 days.
05
Third-Party Services and Data Sharing
5.1 Service Providers
We share data with the following categories of third-party service providers, solely to operate the Service:
- SMS gateway providers: Recipient phone numbers and message content are transmitted for delivery. These providers are contractually obligated to use this data only for message delivery.
- Payment processor (PesePay): Transaction amounts, currency, and reference numbers are shared to process purchases. PesePay handles all card data directly.
- Email delivery service: Your email address is used to send transactional emails.
- Hosting and infrastructure providers: Your data is processed on servers operated by our hosting provider in accordance with their security commitments.
We do not sell, rent, or trade your personal information or contact lists to any third party for marketing or advertising purposes.
5.2 Legal Disclosures
We may disclose your information if required by law, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a lawful request from public authorities.
06
Your Rights and Choices
You have the following rights regarding your personal data:
- Access: View your account information, message history, contacts, and billing records from your dashboard at any time.
- Correction: Update your profile, organization details, and contact information directly from the dashboard settings.
- Deletion: Delete individual contacts, groups, campaigns, and templates from the dashboard. To request full account deletion, contact us at network@superdarkcodelabs.co.zw.
- Data export: Request a copy of your data in a machine-readable format by contacting our support team.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
- Objection: You may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
To exercise any of these rights, contact us at network@superdarkcodelabs.co.zw. We will respond within 30 days.
07
Cookies and Similar Technologies
- Essential cookies: We use session cookies for authentication and CSRF protection. These are strictly necessary for the Service to function and cannot be disabled.
- Preference cookies: We store user preferences (such as dismissed onboarding prompts) in browser local storage.
- No tracking cookies: We do not use third-party analytics, advertising, or tracking cookies. We do not participate in any ad networks or retargeting programs.
08
International Data Transfers
Your data may be processed in countries other than Zimbabwe where our service providers operate. When data is transferred internationally, we ensure appropriate safeguards are in place, including contractual obligations on data processors to protect your information in accordance with this policy.
09
Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.
10
Abuse, Enforcement & Active Defence
The Service exists to deliver legitimate messages for legitimate account holders. Where we reasonably determine that an account is being used in violation of these terms — including fraud, phishing, spam, impersonation, automated abuse, or any attempt to attack, overload, or compromise the platform or its users — we are entitled to take any and all steps necessary to detect, contain, and mitigate that abuse.
10.1 Mitigation Measures
Such measures may include, without limitation:
- Immediate suspension, throttling, or termination of the offending account, organization, API keys, or sender IDs.
- Holding, quarantining, or silently discarding messages identified as abusive.
- Deploying decoy infrastructure, including honeypots, traps, and instrumented endpoints, to observe, fingerprint, and record the behaviour of abusive actors.
- Recording and retaining technical signals associated with the abuse — including IP addresses, the use of VPNs, proxies, or anonymising networks, disposable or throwaway email addresses, device fingerprints, and behavioural patterns — for the purposes of identification, attribution, and prevention.
- Reporting the conduct to upstream providers, payment processors, and law-enforcement or regulatory authorities.
10.2 Active Deterrence
Where an actor persists in attempting to abuse the platform — and particularly where they rely on disposable email addresses and access the Service over a VPN or other anonymising network to mask their identity — we reserve the right to take proportionate measures designed to deter and frustrate the continued attack. This may include measures that deliberately raise the operational and financial cost of the abuse, so that for as long as the actor keeps attempting to do harm, the effort and expense of doing so is increased, in order to protect the platform and its legitimate users.
These measures are defensive and are applied only against accounts and actors engaged in violation or attack. Legitimate account holders using the Service in good faith are not affected.
11
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach. We will also notify the relevant data protection authorities as required by applicable law.
12
Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We will update the "Last updated" date at the top of this page.
- We will notify registered users via email.
- We will display a notice on the dashboard for 30 days following the change.
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us: