Privacy Policy

Reliable Channel LLC

Effective: April 22, 2025 · Last Updated: May 23, 2026

Reliable Channel LLC (“JoltSMS,” “we,” “us,” or “our”) operates a platform for renting dedicated, real-SIM U.S. phone numbers for inbound SMS and verification codes. This Privacy Policy explains what we collect, how we use it, and the choices you have. It applies to our marketing site (joltsms.com), dashboard (app.joltsms.com), REST API, and MCP server.

🔒

Our Privacy Promise

We do not sell, rent, or trade your personal information to third-party data brokers.

🔍1. Information We Collect

We collect two kinds of information: what you give us, and what we record automatically.

What you give us

  • Account credentials. Your name, email, and password (encrypted) when you sign up.
  • Social login identity. If you sign in with Google, X/Twitter, or Apple, we receive your email and name from the provider.
  • Payment and billing details. Through our Stripe Payment Element, we receive transaction metadata, your country, your ZIP code, and a tokenized reference to your payment method. We do not store full card numbers — Stripe holds those.
  • Team invitations. When you invite a team member to a number, you give us their email address.

What we record automatically

  • Your real IP address. We log the originating client IP (read from Cloudflare’s headers, not the proxy IP) along with your browser user-agent. This helps us detect chargeback fraud and account hijacking.
  • Inbound SMS messages. When someone sends an SMS to your number, our upstream carrier delivers it to our servers via webhook. We store the message body, sender, recipient, and timestamp.
  • Parsed verification codes. Our system attempts to extract OTP / 2FA codes from message bodies so you can act on them faster.
  • Error and diagnostic logs. If something goes wrong, we capture a request ID, browser details, and stack traces to help us debug.

📦2. Subprocessors

We use a small number of trusted third parties to run the platform. All are bound by confidentiality and data processing terms:

  • Upstream telephony carriers. Our cellular carrier partners route inbound SMS to our servers via authenticated webhooks. They are the source of truth for whether a number is still active.
  • Stripe, Inc. Payment processing, subscriptions, invoicing, and tax calculation. We sync your default payment method’s billing address to Stripe so they can calculate sales tax correctly.
  • Amazon Web Services (AWS SES). We send transactional and billing emails through Amazon’s Simple Email Service.
  • Core infrastructure providers. We host our PostgreSQL database, Redis cache, and Grafana/Loki logs on cloud infrastructure.

⚙️3. How We Use Your Information

  • Delivering inbound SMS. We store messages so they appear in your dashboard in real time, and we forward them to the destinations you configure (email, Slack, Discord, Telegram, webhooks). SMS messages can contain sensitive content like OTP codes — you are responsible for what destinations you forward them to.
  • System-managed account notifications. Every account gets a built-in email notification endpoint tied to your verified account email. This endpoint cannot be disabled, so we can always reach you about critical events (billing failures, 3DS prompts, number expiration).
  • Vendor message filtering. We automatically scan inbound SMS for internal carrier or vendor tracking markers. Those messages are flagged as vendor traffic, hidden from your dashboard, hidden from the REST API, and not forwarded to your notification endpoints. They’re retained only for compliance audits.

👥4. Team Workspaces and AI Agents

Team members

When you invite a team member as an OWNER, MANAGER, or VIEWER, they can read your inbound SMS messages and parsed verification codes for the numbers you share with them. The role controls what configuration actions they can take — VIEWER is read-only, MANAGER can configure notifications and team, and OWNER can also control billing.

By using team features, you confirm that:

  1. Everyone you invite has agreed to view your incoming SMS data and related metadata.
  2. You will not use the platform to process special-category data (such as health records) or anything that violates carrier rules.
  3. You are liable for what your invited team members do.

API keys and AI agents

If you create a jolt_sk_* API key or configure an AI agent against our MCP server, that automation can provision numbers, poll messages, and extract OTP codes on your behalf.

⚠️ Data Leaves Our Custody

Once data leaves our servers and reaches your environment — your scripts, your AI agent’s context window, your downstream tools — we no longer control it. You are responsible for compliance, prompt injection risk, and logging exposure in your downstream workflow.

🍪5. Cookies and Local Storage

We use only the storage we need to operate the platform:

  • Authentication cookies. A joltsms_session HttpOnly cookie keeps you signed in across our subdomains.
  • Theme preference. A themePref value in your browser’s local storage remembers your dark-mode choice.
  • Real-time delivery. Temporary values keep your Socket.IO connection stable so inbound SMS appear in real time.

If you block essential cookies, you cannot sign in and live SMS delivery to your dashboard will fail. We do not respond to “Do Not Track” signals at this time. See our Cookie Policy for the full inventory, including consent-gated analytics cookies.

🤖6. Automated Decisions and Fraud Controls

We run automated systems to keep the platform secure and operational:

  • Billing health tracking. We calculate your account status (healthy, payment_failing, suspended, ending, canceled, or setup_required) by combining Stripe billing state with carrier-line state. This status determines whether your numbers continue to receive SMS.
  • Number sweeps. Every 6 hours, an automated job checks all numbers against the carrier and releases any that have permanently expired.
  • Fraud freeze. If your account is flagged for chargeback, payment dispute, or platform abuse, we automatically freeze it. Your sessions are revoked, your numbers are suspended, and our background restoration jobs are blocked from reactivating access. To preserve evidence for the dispute, we retain your session IP, user-agent, and transaction history for the duration of the investigation.

👤 Human Review Rights

These automated checks are for security and access control. They are not used to make legally significant decisions about you. If your account is impacted by an automated decision, you can request a human review by emailing [email protected].

7. Data Retention and Deletion

When you delete your account, we run a two-step deletion process to balance your deletion rights (under GDPR and TDPSA) with billing and fraud-evidence requirements:

Data CategoryRetention IntervalTerminal Deletion / Redaction State
Active Profile Data (Name, Email, Social Identifiers)Duration of active account lifecycle.Immediate: Email overwritten with a non-identifiable signature (deleted-{userId}@local.invalid). All browser/socket sessions revoked.
Inbound SMS Payloads (Text message strings, OTP extractions)Duration of active subscription + 30 days after account deletion.After 30-day soft-purge window: Background worker permanently overwrites text fields with [REDACTED].
Notification Activity Logs (Slack/Discord/Webhook delivery history)Linked to the active lifecycle of the parent notification endpoint.Upon Endpoint Removal or Account Deletion: Cleanly unlinked and records older than 30 days are pruned. Remaining entries persist safely linked to the anonymized user.
System Audit Logs (getClientIp rows, operational history)Maintained continuously for security and fraud-prevention compliance.Upon Account Deletion & Purge: Underlying records are intentionally preserved as transactional evidence against chargeback claims. Database relationships detach the structural account link via identity anonymization.
Stripe Invoices, Credit Notes, & Tax RecordsPermanent corporate ledger tracking.Indefinite Retention: Preserved in Stripe to comply with IRS and state tax regulations.
Internal Vendor Infrastructure Caches (Area codes, pricing metrics)6 to 24 hours (automated sweep frequencies).Overwritten on the trailing cron cycle.

Stripe invoices, credit notes, and tax records are retained by Stripe to meet financial-record-keeping laws, independent of your account profile deletion.

🌍8. International Transfers

JoltSMS runs in the United States. If you access our services from the EEA, UK, Switzerland, Canada, or Australia, your information is processed in the U.S.

For cross-border protection:

  • Standard Contractual Clauses (SCCs). We use the Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner’s Office for international transfers.
  • Encryption. Sensitive credentials — webhook secrets and notification endpoint configurations — are encrypted at the column level with AES-256-GCM. The underlying database relies on provider-level disk encryption. Data in transit is protected by modern TLS. Internal admin endpoints are restricted by IP allowlist.
  • Data minimization. Inbound SMS content is permanently redacted 30 days after account deletion (see §7).

You can request a copy of our Transfer Impact Assessment (TIA) or SCC details by emailing [email protected].

🇺🇸9. U.S. State Privacy Rights (Including TDPSA)

This section applies to residents of states with consumer privacy laws, including the Texas Data Privacy and Security Act (TDPSA).

Your rights

  • Right to access. You can ask whether we are processing your data and request a portable copy.
  • Right to correction. You can ask us to fix inaccurate information.
  • Right to deletion. You can ask us to delete your data, subject to the 30-day process described in §7.
  • Right to non-discrimination. We will not penalize you, change your pricing, or restrict your account for exercising any of these rights.

Statutory declarations

  • No sale of consumer data. We do not sell consumer data, biometric identifiers, or sensitive records to third-party data brokers.
  • Small business profile. Reliable Channel LLC operates in alignment with scope parameters evaluated under regional guidelines. We maintain full transparency around data storage but are exempt from the administrative audit requirements of the TDPSA.
  • Children’s privacy. JoltSMS is designed for adult developer and business customers. We do not knowingly collect personal information from anyone under 13 (COPPA) or under 18. If we are formally notified of an unauthorized account, we will promptly delete it.

Texas Attorney General appeal pipeline

Texas Request and Appeal Disclosures: If you submit a data request, we will authenticate and respond within forty-five (45) days. If we must deny a request (for instance, if an active subscription prevents deletion), we will explain why within that window.

If you want to contest a denial, you can submit a written appeal to [email protected] with the subject line “Administrative Privacy Appeal”. We will respond within sixty (60) days.

Pursuant to Texas law, if we deny your final appeal, you can file an official report with the consumer protection division of the Office of the Texas Attorney General (www.texasattorneygeneral.gov).

🏛️10. Disputes

This policy is governed by the laws of the State of Texas, without regard to conflict-of-law principles.

  • Limit on private right of action. TDPSA enforcement is reserved to the Texas Attorney General. This policy does not create a private right to sue.
  • Binding individual arbitration. Any dispute involving data handling at Reliable Channel LLC must be resolved by binding individual arbitration in Tarrant County, Texas, under the Federal Arbitration Act.

⚠️ Class Action Waiver

YOU AGREE TO BRING ANY PRIVACY OR SECURITY CLAIMS STRICTLY IN YOUR INDIVIDUAL CAPACITY. YOU WAIVE ALL RIGHTS TO PARTICIPATE AS A PLAINTIFF, REPRESENTATIVE, OR CLASS MEMBER IN ANY CLASS, COLLECTIVE, OR GROUP LEGAL ACTION AGAINST RELIABLE CHANNEL LLC.

  • Policy updates. We may update this policy to reflect changes in our platform or in applicable law. Material updates will be announced in-app on your /alerts page.

✉️11. Contact & DPA Requests

For questions about this policy, data access requests, or to register an appeal:

Email: [email protected]

Enterprise customers needing a Data Processing Addendum (DPA) can request one at the same address.

JoltSMS — Operated by Reliable Channel LLC

1710 Keller Pkwy STE 1025

Keller, TX 76248

United States

Email: [email protected]