Privacy Policy
Last updated: March 2026
1. Introduction
This Privacy Policy describes how SIMtrix ("we", "us", "our") collects, uses, and protects your personal data when you use our platform. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
2. Data Controller
SIMtrix acts as a data processor on behalf of our customers (data controllers) with respect to CRM data and communications content. For account management and billing data, SIMtrix acts as the data controller.
Contact: support@simtrix.app
3. Data Categories Collected
We collect and process the following categories of personal data:
Account Data: Email address, name, company name, Bitrix24 domain URL, billing address, payment information (processed by Stripe — we do not store full card numbers).
Device Data: Android device model, OS version, SIM card identifier (ICCID), phone number associated with the SIM, FCM push token.
Communication Metadata: Phone numbers of call/SMS participants, timestamps, call duration, SMS delivery status. Note: SMS content and call recordings are transmitted through our server as a relay but are not stored beyond the time technically necessary for delivery.
Usage Data: Feature usage statistics, API call logs, error logs (anonymized where possible).
Bitrix24 Integration Data: OAuth tokens (encrypted at rest with AES-256-GCM), Bitrix24 user IDs, Bitrix24 domain.
4. Purpose and Legal Basis
We process your data for:
(a) Contract performance (Art. 6(1)(b) GDPR): Providing the relay service, managing your account, processing payments.
(b) Legitimate interest (Art. 6(1)(f) GDPR): Improving the Service, preventing abuse, security monitoring, anonymous analytics.
(c) Legal obligation (Art. 6(1)(c) GDPR): Tax and accounting records, responding to legal requests.
(d) Consent (Art. 6(1)(a) GDPR): Marketing communications (opt-in only).
5. Data Security
We implement the following security measures:
- All data in transit is encrypted using TLS 1.3
- Sensitive data at rest (OAuth tokens, API keys) is encrypted using AES-256-GCM
- Database access uses Row Level Security (RLS) for tenant isolation
- Server infrastructure is hosted in Germany (EU) in ISO 27001-compliant facilities
- Regular security audits and dependency vulnerability scanning
- Access to production systems is restricted to authorized personnel with MFA
6. Data Retention
- Account data: Retained for the duration of your subscription plus 30 days after termination
- Communication metadata: 90 days (configurable per tenant)
- Call recordings: Stored until uploaded to Bitrix24, then deleted from our servers within 24 hours
- Billing records: 7 years (legal requirement)
- Server logs: 30 days
- Backups: 30 days with automatic purge
7. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ('right to be forgotten') (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
To exercise these rights, contact: support@simtrix.app
We will respond within 30 days.
8. Third-Party Services
We share data with the following third-party services, each governed by its own privacy policy:
- Bitrix24 (1C-Bitrix): CRM integration — receives call/SMS data as configured by you
- Stripe (Stripe, Inc.): Payment processing — receives billing data
- Google Firebase (Google LLC): Push notifications — receives FCM tokens
- Hetzner (Hetzner Online GmbH): Server hosting in Germany — data stored on their infrastructure
All sub-processors are GDPR-compliant and have Data Processing Agreements in place.
9. International Transfers
Your data is primarily stored and processed within the European Union (Germany). Where data is transferred to sub-processors outside the EU (e.g., Stripe, Google), such transfers are protected by Standard Contractual Clauses (SCCs) or adequacy decisions.
10. Cookies
Our web application uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email. Continued use after changes constitutes acceptance.