At a glance

We collect what we need to run the Services: account info, payment info (processed by a third party, not stored by us), request and event logs, and the content that passes through the API because of your use of it.
We do not sell personal data, and we do not use the content that flows through our APIs to advertise to anyone.
For SMS verification codes and WhatsApp message content, Mossmoon acts as a processor on behalf of the customer using the API; the customer is the controller.
You can access, export, correct, and delete your data — see Your rights.
Questions: [email protected].

02

Who this applies to

This Policy covers three groups of people whose data we may process:

Account holders — the developers, agencies, and businesses with a Mossmoon account.
End-Customers of WhatsApp Lines — individuals whose WhatsApp account is linked to a line that our customer provisioned (for example, an agency's client). Their phone number, profile name, and message content flow through the line on the customer's instructions.
Message recipients and SMS senders — people who exchange messages with an End-Customer through a line, and the senders of SMS verification codes whose messages route through a rented number.

03

Our role

Whether Mossmoon is the “data controller” or “data processor” (terms used in GDPR and similar laws) depends on the data:

Data category	Mossmoon's role
Your account, login, billing, support correspondence, telemetry of how you use the Services	Controller
SMS verification codes received on numbers you rented; the phone numbers we rent on your behalf	Processor (you are the controller)
WhatsApp message content, recipient phone numbers, contact names that pass through a WhatsApp Line you provisioned	Processor (you are the controller; the End-Customer is the data subject)
Operational logs (request metadata, IP addresses, timestamps, error traces)	Controller

When we act as a processor, we only process data on documented instructions from you (the controller), as set out in these Terms, our API, and your configuration.

04

What we collect

You give us directly

Account data: email address, authentication identifiers, organization name (optional), country (optional).
Payment data: when you top up your Wallet, you submit card details directly to our payment processor. We receive only non-sensitive metadata in return (last four digits, card brand, expiry month/year, processor transaction ID).
Support correspondence: when you email us or use an in-product channel, we keep the content of those messages.
Configuration: webhook URLs, line settings, opaque identifiers you supply (e.g. agency_external_user_id).

We collect automatically when you use the Services

Usage data: API requests, endpoints called, timestamps, response codes, request volume.
Device and network data: IP address, user-agent string, basic device characteristics, and approximate location derived from IP (city/country).
Cookies and similar storage: see Cookies.

We process on your behalf

SMS verification codes and the phone numbers we rented to receive them.
WhatsApp message content, recipient phone numbers, sender phone numbers, contact names, delivery and read receipts, and the phone number of the End-Customer's WhatsApp account.

05

Why we use it

To operate the Services — authenticate requests, route SMS orders to upstream sources, keep WhatsApp Lines connected, deliver webhooks, charge your Wallet.
To bill you — apply prices, run charges through the payment processor, maintain financial records.
To support you — respond to inquiries, debug issues, communicate about your account.
To keep the Services safe — detect and prevent fraud, abuse, spam, and security incidents; enforce our acceptable-use rules; protect users.
To improve the product — analyze aggregate usage patterns and performance to make Mossmoon better.
To comply with the law — respond to legal process, prevent harm, exercise or defend legal claims.

We do not use the content of SMS codes or WhatsApp messages to train models, target advertising, or sell to anyone.

06

Legal bases (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:

Purpose	Legal basis
Providing the Services to a customer, billing, support	Performance of a contract (Art. 6(1)(b))
Security, abuse prevention, product improvement, business records	Legitimate interests (Art. 6(1)(f))
Complying with applicable law, responding to legal process	Legal obligation (Art. 6(1)(c))
Marketing emails, optional analytics cookies, anything we say is consent-based	Consent (Art. 6(1)(a)), withdrawable at any time

07

Who we share data with

We share personal data only with the categories of recipients listed below, and only as needed for the purposes listed in Why we use it.

Service providers / processors — companies that help us run the Services under written contracts that require them to protect the data and use it only on our instructions, including:
- cloud hosting and database providers (where account and operational data is stored);
- the payment processor that handles card top-ups;
- email delivery providers (transactional emails like account verification, receipts);
- error monitoring and analytics providers (to keep the Services working).
Upstream SMS providers — when you order an SMS number, the underlying rental is fulfilled by an upstream source. The minimum data required (the service name, country, sometimes the sending pattern) is shared with that source. We hide which source fulfilled a given order from you, but the source itself sees the rental.
Meta / WhatsApp — operating a WhatsApp Line necessarily exchanges data with WhatsApp's servers (phone number, connection metadata, messages in/out). WhatsApp's own privacy practices apply to that exchange.
Your end-customers' counterparts — recipients of messages you send through a line see the End-Customer's phone number and the message you sent, by the nature of messaging.
Law enforcement, regulators, courts — when we have a good-faith belief that we are legally required to disclose, or when disclosure is necessary to prevent imminent harm. Where lawful, we'll narrow the disclosure to what's required and notify affected accounts.
Corporate transactions — if Mossmoon is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to the same Privacy Policy commitments.

We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.

08

WhatsApp Lines — specifics

When you provision a WhatsApp Line for an End-Customer, we host a persistent connection to WhatsApp on their account so that inbound messages can be forwarded to your webhook and outbound messages can be sent through the API. To do that, we process:

The End-Customer's WhatsApp phone number and profile name;
Connection credentials used to keep the line authorized (handled server-side; never exposed to you or any other party);
Inbound and outbound message content, recipient phone numbers, contact names as resolved by WhatsApp, and delivery / read acknowledgments.

The End-Customer's WhatsApp remains primary on their phone. They can disconnect the Mossmoon connection at any time from WhatsApp on their phone, which permanently terminates the line.

When a line is released — by you, by the End-Customer disconnecting, or by us — we destroy the connection credentials and cease processing message content for that line. Aggregate billing and operational records (e.g. that a line existed and when it was active) are retained as described in Retention.

09

SMS numbers — specifics

When you request an SMS number, we rent a number from an upstream source on your behalf, receive any SMS that arrives on that number during the rental window, and forward the content (typically a verification code) to you via the API. We see the full text of the SMS as part of forwarding it, but we do not use that content for any purpose other than delivering it to you and detecting abuse. After the rental window ends, the number is no longer assigned to you and may be re-rented by the upstream source to someone else.

10

Cookies & similar technologies

We use a small set of cookies and similar storage in the dashboard and website. We don't use third-party advertising cookies.

Category	Purpose
Strictly necessary	Keeping you signed in, security tokens, CSRF protection. Cannot be disabled without breaking the dashboard.
Functional	Remembering preferences (theme, last-used filters).
Analytics (aggregate)	Understanding which pages and endpoints are used, to improve the product. We minimize what's collected and don't link it to advertising profiles.

11

Data retention

We keep personal data only as long as needed for the purposes we collected it for, or as required by law. Indicative periods:

Data	How long
Account record	While the account exists; then up to 90 days for closure cleanup.
Billing records (top-ups, invoices, tax records)	Up to 7 years, as required by financial / tax law.
SMS verification codes	Up to 30 days after the order, then deleted.
WhatsApp message content / metadata	Up to 30 days from the message timestamp, then deleted from primary stores. Aggregate counts retained for billing and rate-limit accounting.
WhatsApp connection credentials	Only while the line is active; destroyed on release or disconnection.
Operational logs (requests, errors, IPs)	Up to 90 days, then deleted or fully de-identified.
Support correspondence	Up to 3 years after the last interaction.
Security / abuse investigation records	As long as needed to investigate, prevent recurrence, and meet legal obligations.

You can request earlier deletion as described in Your rights, subject to retention we're legally required to maintain.

12

Security

We implement reasonable and appropriate administrative, technical, and organizational measures to protect personal data, including encryption in transit (TLS), encryption at rest where supported by our infrastructure, hashed and salted storage of API keys and credentials, role-based access for employees, and audit logging of administrative actions.

No system is perfectly secure. You play a part too: protect your account credentials, rotate API Keys if you suspect compromise, and notify us at [email protected] if you discover a vulnerability or believe an incident has occurred.

13

International data transfers

Mossmoon is operated from the United States and our service providers may process data in the United States, the European Union, the United Kingdom, and other countries. Where we transfer personal data from the EEA, UK, or Switzerland to a country that doesn't have an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK addendum where applicable), along with supplementary measures as needed.

14

Your rights

Depending on where you live, you may have rights to:

Know what personal data we hold about you and get a copy;
Correct inaccurate or incomplete data;
Delete personal data (subject to retention we're required to keep);
Restrict or object to certain processing;
Receive your data in a portable, machine-readable format and, where technically feasible, have it transmitted to another provider;
Withdraw consent where we relied on consent;
Lodge a complaint with your local data protection authority.

For data we process as a processor on a customer's behalf (WhatsApp content, SMS codes), please contact the customer first; we'll support them in responding to your request. For everything else, email [email protected]. We may need to verify your identity before acting.

15

California (CCPA / CPRA)

If you are a California resident, the categories of personal information we collect, the purposes for which we collect each category, and the categories of third parties with whom we share each category are described in What we collect, Why we use it, and Who we share with.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA / CPRA. We do not knowingly collect sensitive personal information for the purpose of inferring characteristics about a consumer.

You may exercise your rights to know, delete, correct, and limit the use of sensitive personal information by contacting [email protected]. We will not discriminate against you for exercising your rights.

16

Children

The Services are not directed to children under 18 (or the age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact [email protected] and we will delete it.

17

Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we'll update the Effective Date at the top and, where reasonable, provide additional notice (for example, an in-product banner or an email to the address on your account). Continued use of the Services after a change takes effect means you accept the updated Policy.

18

Contact

Privacy questions and security disclosures: [email protected]. General support: [email protected].