Privacy Policy
Last updated: 2026-05-02
1. Introduction
This Privacy Policy explains how SecureMyData (Entreprise Individuelle / SIREN: 805027760 / SIRET: 80502776000026 / VAT: FR87805027760), operating the PhoneValidation API service at phonevalidationapi.com, collects, uses, stores, and protects your personal data.
As a company based in France, we comply with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and all other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
SecureMyData
Entreprise Individuelle / SIREN: 805027760 / SIRET: 80502776000026 / VAT: FR87805027760
You can reach us via our contact page.
3. Data We Collect
3.1 Account information
Email address, password (salted hash, never plaintext), account creation date.
3.2 API usage data
API request logs (endpoints, timestamps, response codes, reason codes), API key identifiers, request count, rate-limit data.
3.3 Validation logs
For each phone number submitted to the API, we store a SHA-256 hash of the number (not the number itself) along with the validation result and metadata. Plain phone numbers are not stored beyond the immediate request unless required for batch processing.
3.4 Contact form data
Name, email address, subject and message content.
3.5 Payment data
Handled entirely by Stripe. We do not store credit card numbers, bank details, or other financial information. We receive subscription status and transaction identifiers from Stripe.
3.6 Technical data
IP address, browser type, referring URL (standard server access logs).
We do not use any third-party analytics or tracking tools.
4. Legal Bases for Processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Account creation, authentication, API access | Performance of a contract (Art. 6(1)(b)) |
| Payment processing via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Marketing emails (onboarding sequence) | Legitimate interest (Art. 6(1)(f)) — opt-out via every email |
| API usage monitoring, rate limiting, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Responding to contact requests | Legitimate interest (Art. 6(1)(f)) |
| Tax, invoicing, accounting records | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
- Provide, maintain, and improve the Service.
- Authenticate your identity and manage your account.
- Process payments (through Stripe).
- Monitor API usage, enforce rate limits, prevent abuse.
- Send transactional notifications (batch ready, low balance, security alerts).
- Send onboarding emails during the first 14 days; you can unsubscribe at any time via the link in every email.
- Comply with legal obligations.
We do not sell your personal data. We do not use your data for advertising or profiling purposes.
6. Data Sharing
We share personal data only with the following sub-processors, and only to the extent necessary:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. (USA / Ireland) | Payment processing | Email, billing data |
| Resend, Inc. (USA) | Transactional email delivery | Email, message content |
| Contabo GmbH (Germany) | Infrastructure hosting | All server-side data |
We do not transfer personal data outside the European Economic Area (EEA) without adequate safeguards (Standard Contractual Clauses where applicable).
7. Data Retention
- Account data: retained for the duration of your account, plus 3 years after deletion for legal compliance.
- API usage logs: retained for 12 months, then aggregated and anonymized.
- Validation logs: stored as SHA-256 hashes (no plaintext email) for 12 months for caching and abuse detection.
- Contact form submissions: 12 months after resolution.
- Payment / transaction records: 10 years (French commercial and tax law).
8. Cookies
We use only strictly necessary cookies:
- Session cookie — first-party, used to maintain your authenticated session. Expires when you log out or after a defined inactivity period.
- CSRF token cookie — first-party, prevents cross-site request forgery on form submissions.
We do not use tracking, analytics, or advertising cookies. Because we only use strictly necessary cookies, consent is not required under GDPR / ePrivacy.
9. Your Rights (GDPR)
- Access (Art. 15) — request a copy of all personal data we hold about you.
- Rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion ("right to be forgotten"), subject to legal retention requirements.
- Restriction (Art. 18) — request that we limit processing of your data.
- Portability (Art. 20) — request your data in a machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interests.
- Withdraw consent — at any time where processing is based on consent.
To exercise any of these rights, please contact us. We respond within 30 days.
If you believe your rights have been violated, you may lodge a complaint with the supervisory authority:
CNIL (Commission Nationale de l'Informatique et des Libertés) — www.cnil.fr
10. Data Security
- HTTPS / TLS for all communications.
- Argon2id password hashing (64MB memory cost).
- API keys hashed at rest (SHA-256), with optional plaintext storage for in-dashboard reveal.
- HMAC-signed webhook payloads.
- Regular security updates and server hardening.
- Strict access controls limiting who can view personal data.
11. Children's Privacy
The Service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If we learn we have collected data from someone under 18, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email. The "Last updated" date at the top of this page indicates the most recent revision.
13. Contact
For any questions regarding this Privacy Policy or your personal data, please contact us.