What we collect
Per account:
- Email address. One per account. We accept any address that receives mail, including disposable inboxes. We send service notices and pre-action warnings to it.
- Password hash. Stored as bcrypt with cost 12. We never see or store the plaintext password.
- Account balance. Your current credit in USD.
- Sign-in timestamp. The most recent sign-in date and time. Used to display "last seen" in your settings and to detect unusual activity.
Per service you deploy:
- Product (VPS or dedicated), plan, region, OS image, and billing cycle — the configuration you picked.
- Encrypted root password. AES-256-CBC at rest, keyed off a server-only secret we don't expose. We can't decrypt it for casual lookup; the provisioner decrypts at deploy time and the value is then wiped from process memory.
- Service state (pending, active, suspended, terminated), assigned IPv4 (once allocated), creation and renewal timestamps.
Per payment:
- Order reference, requested amount, coin chosen, the deposit address generated by our payment hub, the transaction ID once it confirms, and the timestamp of confirmation.
- We do not record your sending wallet address. We do not link payments to any external identity.
What we do not collect
- No real name. Ever.
- No physical address. Billing or shipping.
- No phone number. Not for verification, not for recovery, not "in case of urgent issues."
- No government ID. No passport scans, no driver's licenses, no tax numbers.
- No browser fingerprint. We don't run fingerprint libraries on our pages.
- No analytics. No Google Analytics, no Plausible, no Matomo, no internal pixel. We don't know how many of you read this page.
- No third-party trackers. No Facebook Pixel, no Hotjar, no chat widget that phones home. The only external resources we fetch are the typefaces from Google Fonts and a crypto-icon set from a public CDN — both because they cache aggressively across the web and shaving 200ms of TLS handshake isn't worth running our own font server. If you object to that, browse over Tor; the pages render fine without them.
- No bank or card details. We don't accept those payment methods.
- No content on your server. We don't index, scan, mirror, or sample what runs there.
Server-side logs
The web server (nginx) writes an access log entry for every HTTP request — URL, status code, timestamp, user agent, and originating IP after Cloudflare unwrapping. We use these logs for one thing only: rate-limiting bots and tracing infrastructure issues. They are rotated and deleted after 7 days. They never leave the host.
Application logs (errors, warnings) are written to a separate file, also rotated after 7 days. They do not contain credentials or message contents.
We do not log inside your server. Whatever your service does, we don't see it.
Cookies
We set exactly one cookie when you sign in: PHPSESSID, an opaque session identifier. It is HttpOnly, Secure, SameSite=Lax, and lives for thirty days unless you sign out. There is no tracking cookie, no advertising cookie, no consent banner because there is nothing to consent to. If you are signed out, no cookie is set at all.
Encryption
- In transit: TLS 1.2+ on every connection, HSTS preloaded, modern cipher suites only. No HTTP fallback.
- At rest: Database disk uses LUKS full-disk encryption. Root passwords for deployed servers are additionally AES-256-CBC encrypted at the row level. Backups are encrypted before they leave the host.
- Passwords: bcrypt with cost 12. We can't recover them, only verify them.
Who we share data with
By default, no one. Not other providers, not law enforcement, not "trusted partners."
The narrow exceptions:
- Payment hub (simsms.co). When you top up, we send the requested amount and the coin to our payment hub so it can generate a deposit address and check it for confirmations. We send: the order reference, amount in USD, chosen coin. We do not send your email or account ID.
- CDNs we link to. Google Fonts and jsDelivr (for the crypto-icon set and our language-flag set) see the IPs of visitors fetching those resources. We do not exchange data with them — they just serve static files.
- Hosting/transit providers. Our datacenter providers technically have physical access to the machines. They cannot read the encrypted volumes without our keys, which are not stored on disk.
- Judicial orders. See the terms of service. We act only on enforceable orders, narrowly scoped, with advance notice to you.
How long we keep things
- Account record: for the lifetime of the account, plus 30 days after final termination so we can resolve disputes. Then deleted from the live database.
- Payment records: 13 months after confirmation for accounting purposes, then permanently dropped.
- Server records: 90 days after termination, then deleted. The associated disk volumes are wiped at termination.
- nginx access logs: 7 days, then rotated out.
- Session records: until session expiry (30 days of inactivity) or sign-out, whichever comes first.
- Backups: 14 days encrypted, then rotated out.
Your control
From your dashboard you can: change your password, view active services, view your full billing ledger, terminate any service, and sign out of the current browser. Account termination is self-service from the settings panel.
There is no "delete my data" button because there is no extra database storing your data. Terminate your services, withdraw what's left of your balance via a final top-up purchase, and you've effectively done it. The 30-day grace window exists in case you change your mind.
If your jurisdiction grants you a right of access (GDPR, CCPA, similar), the dashboard already exposes everything we hold about you. There is no off-system store to inspect.
Changes
Material changes — any change that broadens what we collect, narrows your retention windows in your disfavor, or adds a new data-sharing recipient — are announced 30 days in advance, by email and on the canary page.
Non-material changes (clarifications, typos) take effect immediately. The "effective" date at the top of this page always reflects the last update.