Privacy Policy

Plain summary: Mobile API Connect is a business tool that helps companies send and receive SMS through their own SIM card. We process your SMS content only long enough to deliver it; we never sell your data; we never look at your personal contacts; we never share data with advertisers (we have none); and you can delete everything at any time by unpairing your device or contacting us.

1. Who we are

The service is operated by One91 Network Pte. Ltd., a private company incorporated in Singapore (UEN 201005367C). For privacy questions, contact hello@mobileapiconnect.com.

2. What this product does

Mobile API Connect lets a business install the app on an Android phone with their own SIM card. The business's backend systems (e.g. SAP, Oracle, Zoho, Salesforce) can then:

• Push SMS messages by calling our REST API (api.mobileapiconnect.com). The paired Android phone delivers the SMS using the SIM.
• Pull SMS replies that arrive at the SIM. The app forwards each inbound SMS to our backend, which then signs and POSTs it to the customer's configured webhook URL.

The customer of this product is a business; the SIM owner and webhook owner are the same business. End consumers (the people sending or receiving SMS through the SIM) are not our users — they interact only with the business that has deployed Mobile API Connect.

3. Data we collect

3.1 Data from the Android app

• Device identifiers we generate: a random deviceId, a random API key, a random HMAC signing secret. These are stored locally in Android EncryptedSharedPreferences and on our backend in PostgreSQL.
• Device metadata you enter during pairing: device nickname (e.g. "Reception phone"), optional phone model string, optional email for support, the company name.
• SMS content for outbound jobs that your own backend sends through our API. This is queued in our database only until the paired device delivers it, then minimised.
• SMS content for inbound messages received by the SIM. This is forwarded to our backend and then to your webhook URL. Stored in our database for audit / retry purposes (typical retention: 90 days, configurable).
• Delivery metadata: timestamps, status (queued / sent / delivered / failed), error codes.

3.2 Data we do NOT collect

• We do NOT read your phone's contact list.
• We do NOT read SMS history from before the app was installed.
• We do NOT collect GPS / location.
• We do NOT collect call logs, photos, microphone audio, or any unrelated device data.
• We do NOT collect analytics on individual end-consumer behaviour. The portal collects aggregate counts (messages / day) for billing and dashboards only.
• We do NOT use third-party advertising SDKs, tracking pixels, or social-network buttons.

3.3 Data from the web portal

When a business user signs into portal.mobileapiconnect.com, we store their email, name, hashed password (bcrypt), and login timestamps. We use a single session cookie (JWT) and do not embed any third-party tracker.

4. How we use it

• To deliver outbound SMS messages your backend pushes to our API.
• To forward inbound SMS replies to your configured webhook URL.
• To show you delivery status, logs, and aggregate usage in the portal.
• To detect and prevent abuse of the service (rate limits, fraud signals).
• To respond to support requests you send us.
• To bill you for usage (if you are on a paid plan).

5. Who we share it with

We share message content with exactly two destinations and no one else:

1. Your own paired Android device, which sends the outbound SMS via your SIM.
2. Your own configured webhook URL, which receives the inbound SMS.

We do not sell, rent, or share your data with advertisers, data brokers, or any third party for marketing purposes. The only third parties that touch the data are infrastructure providers acting on our instruction (Hetzner for hosting, Gandi for email / DNS, Let's Encrypt for TLS certificates), each bound by their own privacy policies.

We may disclose information if compelled by a valid Singapore court order or law-enforcement request under Singapore law, and we will notify the affected business customer unless legally prohibited from doing so.

6. Where it is stored

All operational data sits on servers physically located in Germany (Hetzner Online GmbH), encrypted at rest. Daily backups are encrypted and retained for 30 days. We are a Singapore entity, and processing complies with Singapore's Personal Data Protection Act (PDPA). Where data subjects are in the EU/UK, we process on the basis of legitimate business interest under GDPR Article 6(1)(f).

7. How long we keep it

• SMS content (outbound + inbound): default 90 days. Configurable down to 7 days on request.
• Delivery metadata (timestamps, status, no content): up to 13 months, then aggregated.
• API keys + signing secrets: until you revoke or unpair.
• Portal user accounts: until you ask us to delete them.

8. Your rights

You can:

• Unpair the device in the app — Settings → Unpair. This deletes all API credentials locally.
• Revoke API keys from the portal.
• Request a data export or deletion by emailing hello@mobileapiconnect.com from the email address associated with your account. We will respond within 14 days.
• See the full account deletion guide.

9. Children

Mobile API Connect is a business tool intended for use by employees of a company. It is not directed at children, and we do not knowingly collect data from children under 16.

10. Changes to this policy

We may update this policy as the product evolves. The "Last updated" date at the top will reflect any change. Material changes will be announced via the portal banner and, where we have your email, via direct notice.

11. Contact

One91 Network Pte. Ltd.
Email: hello@mobileapiconnect.com
UEN: 201005367C, Singapore