Privacy Policy
Gravity SMS is a platform (B2B SaaS), not a direct-to-consumer SMS sender. This policy describes how we handle data for our tenants (businesses) and explains how we collect, use, store, and protect your data. Tenants are responsible for their own end-users' consent and compliance.
1. What We Collect
We collect account information (name, email, organization name) from tenant signup. We store authentication data: hashed API keys and encrypted RingCentral OAuth tokens. We process SMS message data including sender number, recipient number, message body, timestamps, and delivery status. We log usage data such as API call logs, IP addresses, and timestamps. Stripe processes subscriptions and payments; we do not store full card numbers (Stripe handles PCI compliance).
2. How We Use It
We use this data to provide the SMS gateway service (send and receive messages via RingCentral), authenticate API requests, maintain RingCentral connections on behalf of tenants, monitor service health and debug issues, and communicate service updates.
3. How We Store & Protect It
Data is stored in MongoDB Atlas with encryption at rest. RingCentral OAuth tokens are encrypted with AES-256 before storage. API keys are stored as SHA-256 hashes and are not recoverable. All API traffic uses HTTPS. Data is hosted on Render (US-based infrastructure).
4. Third-Party Services
We use RingCentral for SMS delivery (you use your own account and credentials). Stripe handles subscription billing and payment processing; card data never touches our servers and Stripe is PCI-DSS compliant. MongoDB Atlas hosts our database. Render hosts our application. Redis (via Render) powers our job queue and caching. Vercel hosts our frontend. Microsoft Power Automate receives webhook callbacks when you configure them. We do not sell or share data with third parties for marketing.
5. Data Retention
Message records are retained for 90 days. Webhook event logs are retained for 30 days. Account data is retained while your account is active. On account deletion, credentials are deleted immediately and message history is deleted within 30 days.
6. Tenant Responsibilities
Tenants are responsible for their own end-users' consent and compliance. Tenants must comply with TCPA, CTIA guidelines, and applicable laws for their SMS usage. Gravity SMS is a platform; tenants own the relationship with their message recipients.
7. Your Rights
You may access your data via the API or tenant dashboard. You may request a data export or account deletion. You may disconnect RingCentral at any time.
8. Cookies
We use minimal session cookies for admin and tenant dashboard authentication. We do not use tracking cookies or analytics.
9. Changes to This Policy
We may update this policy from time to time. Changes will be posted here with an updated date. Continued use after changes constitutes acceptance.
10. Contact
For questions about this policy, contact us at support@gravitysms.com or visit gravitysms.com.