How we collect, use, and protect your information — including CCPA, GDPR, and 10DLC compliance.
This Privacy Policy explains how 312VOIP & Text ("we," "our," or "us") collects, uses, shares, and protects personal information when you use our SMS/MMS messaging platform at www.312voip.com and portal.312voip.com. It covers your rights under U.S. law (including California's CCPA/CPRA) and EU/EEA law (GDPR), as well as our obligations under the 10DLC messaging registration framework.
This Policy applies to:
If you are a business using our platform to message your own customers, you are a Data Controller for the personal data in your contact lists. We act as a Data Processor on your behalf. Your customers' rights should be addressed in your own privacy policy.
To comply with carrier requirements, we collect specific business data for 10DLC brand and campaign registration. See Section 4 for full details.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate the platform | Account, messaging, contact data | Contract performance |
| Process payments and manage billing | Billing, account data | Contract performance |
| 10DLC brand/campaign registration | Business info, EIN, use-case description | Legal obligation; Contract |
| Send transactional emails (password reset, billing alerts) | Email address, account data | Contract performance |
| Detect fraud, abuse, and security threats | Usage, IP, auth logs | Legitimate interest |
| Comply with legal obligations | All categories as required | Legal obligation |
| Improve platform features and performance | Aggregated/anonymized usage data | Legitimate interest |
| Respond to support requests | Account data, message context | Contract performance; Legitimate interest |
We do not use your contact lists or message content for advertising, marketing profiling, or any purpose other than providing the Service to you.
10DLC (10-Digit Long Code) registration is a U.S. carrier requirement for all business SMS sent from local phone numbers. All major carriers (AT&T, T-Mobile, Verizon, and others) require businesses to register before they can send messages at scale. Without registration, messages are filtered or blocked.
When you complete the sign-up wizard or register your brand, we submit the following information to The Campaign Registry (TCR), the central registration authority designated by the carriers:
TCR shares this data with participating carriers for vetting purposes. By registering a brand on our platform, you consent to this data submission. TCR's own privacy practices are governed by their privacy policy at campaignregistry.com.
Carriers may independently vet your business using third-party business verification services. We do not control this process. Carrier decisions to approve, limit, or reject a campaign are not within our control.
By accepting these terms, you acknowledge that carriers may inspect message samples for compliance with their policies. We do not share message content proactively, but carriers may request samples as part of 10DLC compliance audits.
TCPA and carrier guidelines require us to maintain permanent records of opt-out requests (STOP, UNSUBSCRIBE, etc.). These records are kept indefinitely to ensure opted-out phone numbers are never re-messaged. This is a legal and carrier compliance requirement that cannot be overridden.
Outbound message content is retained for 90 days for delivery confirmation and compliance purposes. Inbound message content is retained for 90 days. After 90 days, message body content is purged; delivery metadata (timestamp, status, sender, recipient) is retained for 2 years for reporting and dispute resolution.
We do not sell or rent your personal information. We share data only in the following circumstances:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Telnyx LLC | Message sender/recipient, content, delivery status | SMS/MMS delivery infrastructure |
| Stripe Inc. | Payment card data (via secure tokenization) | Payment processing and subscription management |
| The Campaign Registry (TCR) | Brand name, EIN, contact, campaign use case | Mandatory 10DLC brand & campaign registration |
| Microsoft Azure | Encrypted application data | Cloud hosting and database services |
| Google Firebase | Device tokens | Push notifications for mobile app |
| Law enforcement / courts | As required by valid legal process | Legal compliance, subpoenas, court orders |
| Business successors | All customer data | Merger, acquisition, or asset sale |
All third-party service providers are contractually required to process personal data only as instructed and to implement appropriate security measures. Where required by GDPR, we execute Data Processing Agreements (DPAs) with these parties.
We implement industry-standard technical and organizational security measures:
Despite these measures, no system can guarantee absolute security. If you suspect unauthorized access to your account, contact us immediately at security@312voip.com.
In the event of a data breach that affects your personal information, we will notify you as required by applicable law — within 72 hours for GDPR-regulated breaches (where feasible), and within the timeframes required by applicable U.S. state breach notification laws.
We use the following types of cookies:
We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies in the portal or the mobile app.
For EU/EEA visitors to our public website, we obtain consent for non-essential cookies in accordance with the ePrivacy Directive. You may withdraw consent at any time by clearing cookies or adjusting your browser settings.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & profile data | Duration of account + 30 days after deletion request | Service provision; grace period |
| Message body content | 90 days | Delivery confirmation; compliance |
| Message metadata (timestamps, status) | 2 years | Reporting; dispute resolution |
| Opt-out records | Indefinitely | TCPA & carrier compliance; legal obligation |
| Billing records & invoices | 7 years | Tax/financial legal requirements |
| Security/audit logs | 1 year | Fraud detection; security investigations |
| 10DLC registration records | Duration of registration + 3 years | Carrier compliance; legal obligation |
After the applicable retention period, data is securely deleted or anonymized. You may request earlier deletion subject to legal retention obligations (see Section 11).
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information. This section describes those rights and how to exercise them.
In the past 12 months, we have collected the following categories of personal information as defined by the CCPA:
| CCPA Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Personal information (Cal. Civ. Code § 1798.80) | Name, address, phone number, payment card info | Yes |
| Commercial information | Purchase history, billing records | Yes |
| Internet or other electronic network activity | Usage logs, browser type | Yes |
| Geolocation data | IP-derived approximate location | Limited (IP only) |
| Professional / employment information | Company name, job title | Yes |
| Inferences drawn from personal information | Account usage patterns | No |
| Sensitive personal information (EIN) | Tax Identification Number (business) | Yes — 10DLC only |
We collect personal information directly from you (account registration, form submissions), automatically from your use of the Service (logs, cookies), and from third parties (payment processors, carrier delivery status reports).
We collect personal information for the purposes described in Section 3. We do not collect personal information for the purpose of inferring characteristics about you.
We do not sell your personal information as defined by the CCPA/CPRA. We do not share personal information with third parties for cross-context behavioral advertising purposes. We share data only with service providers under written agreements that restrict their use of the data (see Section 5).
Because we do not sell or share personal information for advertising purposes, there is no opt-out required under Cal. Civ. Code § 1798.120. However, you may submit a request to confirm this at any time.
We collect your Employer Identification Number (EIN) solely for 10DLC brand registration purposes. We do not use it to infer any characteristics, and it is shared only with The Campaign Registry as required. We do not use sensitive personal information for any purpose other than the specific business purpose for which it was collected.
As a California resident, you have the following rights:
To submit a request, contact us at privacy@312voip.com with the subject line "California Privacy Request." We will verify your identity before processing the request. We respond to verified requests within 45 days (extendable by an additional 45 days with notice). You may designate an authorized agent by providing a signed power of attorney.
California Civil Code Section 1798.83 ("Shine the Light") permits California residents to request a list of third parties to whom we have disclosed personal information for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes, so no such list exists.
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to our processing of your personal data. This section describes our GDPR obligations and your rights as a data subject.
For personal data processed when you use our platform as an account holder:
Data Controller: 312VOIP & Text, 1301 S. Wolf Rd Ste 402, Prospect Heights, IL 60070, United States
Contact: privacy@312voip.com
If you are a business using our platform to send messages to your customers (EU data subjects), you are the Data Controller for those contacts' personal data. We act as your Data Processor and process that data only on your documented instructions under a Data Processing Agreement (DPA). To request a DPA, contact us at privacy@312voip.com.
| Processing Activity | Legal Basis (Art. 6 GDPR) |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — Contract performance |
| Processing payments | Art. 6(1)(b) — Contract performance |
| 10DLC brand registration (EIN, business details) | Art. 6(1)(c) — Legal obligation; Art. 6(1)(b) — Contract |
| Sending transactional emails | Art. 6(1)(b) — Contract performance |
| Security monitoring and fraud prevention | Art. 6(1)(f) — Legitimate interest |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation |
| Analytics (aggregated/anonymized) | Art. 6(1)(f) — Legitimate interest (anonymized data) |
| Marketing communications (if opted in) | Art. 6(1)(a) — Consent |
We are based in the United States. If you access our platform from the EU/EEA, your personal data will be transferred to and processed in the United States. The U.S. does not have an adequacy decision from the European Commission for all purposes.
We rely on the following transfer mechanisms to ensure adequate protection:
You may request a copy of the applicable SCCs by contacting privacy@312voip.com.
Under GDPR, you have the following rights regarding your personal data:
Submit requests to privacy@312voip.com with "GDPR Rights Request" in the subject line. We respond within 30 days, extendable by 60 days for complex requests (with notice). Identity verification is required.
If you believe we have not handled your personal data in compliance with GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. We encourage you to contact us first so we can resolve any concerns directly.
While we are not currently required to appoint a formal DPO, we have designated a privacy contact responsible for GDPR compliance matters. You may contact our privacy representative at privacy@312voip.com.
If you are an EU-based business using our platform, please note that U.S. 10DLC requirements mandate submission of your business data (including tax identification equivalents) to The Campaign Registry, a U.S.-based entity. This submission is necessary to provide the Service in the United States. By signing up, you acknowledge this transfer and submission as necessary for contract performance (Art. 6(1)(b)) and legal obligation compliance (Art. 6(1)(c)).
Regardless of your location, you may:
To submit any privacy request, email privacy@312voip.com. We will acknowledge your request within 5 business days and respond within the timeframe required by applicable law.
312VOIP & Text is a business platform intended for use by adults aged 18 and older. We do not knowingly collect personal information from children under 13 (or under 16 for EU residents). If we become aware that a child has provided personal information, we will delete it promptly. Contact us at privacy@312voip.com if you believe a child has provided us with their information.
We may update this Privacy Policy periodically. For material changes, we will:
For GDPR-regulated processing, where changes affect legal basis or significantly alter data use, we will seek fresh consent where required. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
For any privacy questions, data subject requests, or concerns: