SIMtrix
S
SIMtrix
EntrarTestar grátis

Privacy Policy — SIMtrix

Version 1.0 · Effective: March 16, 2026 · Last Updated: March 16, 2026

PRIVACY POLICY - SIMTRIX

Version: 1.0
Effective Date: March 16, 2026
Last Updated: March 16, 2026

1. DATA CONTROLLER

The Data Controller under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: "GDPR") is:

ANTENA sp. z o.o.
ul. Działdowska 16
81-208 Gdynia
Poland

2. INTRODUCTION

This Privacy Policy describes how SIMtrix (hereinafter: "we", "us", "our"), the operator of the service available at https://simtrix.app (hereinafter: "Service"), processes personal data of users (hereinafter: "you", "User", "Data Subject").

2.1 What is SIMtrix?

SIMtrix is a modern SaaS (Software as a Service) platform that acts as a technical bridge connecting a physical SIM card in an Android phone to the Bitrix24 CRM system. The platform enables:

  • Making and receiving phone calls from Bitrix24 through a real SIM card (no VoIP)
  • Sending and receiving SMS messages from Bitrix24
  • Two-way communication with logging of interactions in Bitrix24
  • Recording phone calls (optional)
  • Integration with a mobile application on Android

2.2 "Bridge not Storage" Principle

Key Data Protection Principle in SIMtrix: We are not a data storage service provider. SIMtrix acts solely as a technical bridge (bridge) between:

  • Android mobile application (containing the SIM card)
  • Bitrix24 CRM system (proper place for business data storage)
  • Telecommunications systems (network operators)

SMS content and call recordings are transmitted through our infrastructure temporarily and in transit. We do not store them as long-term archives. After transmission to Bitrix24, responsibility for storing and protecting this data transfers to the client (see section 5 below).

3. WHAT DATA DO WE PROCESS?

3.1 Customer Account Data (Tenant)

We process the following data at the registration and account management stage:

  • Company/organization name
  • Bitrix24 domain
  • Contact email (administrator)
  • Phone number (optional)
  • Country/location
  • Billing data (if applicable)

Legal Basis: Performance of contract for SaaS services (Art. 6 (1) (b) GDPR)

Purpose: Service delivery, account management, billing, customer support

3.2 Bitrix24 User Data (Synchronization)

Upon request of the SIMtrix account administrator, we synchronize data of users assigned to handle calls and SMS:

  • First and last name
  • Internal number in Bitrix24
  • Unique user identifier (User ID)
  • Business email
  • Information about assigned SIM card

Legal Basis: Performance of contract (Art. 6 (1) (b) GDPR) + legitimate interest (Art. 6 (1) (f) GDPR) — proper system functioning

Purpose: Mapping Bitrix24 users to Android devices with SIM cards; tracking who made/received calls

3.3 Android Device Data

The SIMtrix mobile application collects and transmits the following device metadata to the server:

  • Device name
  • Device model
  • Android operating system version
  • IMEI number and SIM identifier (ICCID)
  • Mobile network operator
  • Firebase Cloud Messaging (FCM) token — for push notifications
  • Unique device identifier (UUID)

Legal Basis: Performance of contract (Art. 6 (1) (b) GDPR)

Purpose: Device registration and identification; connection configuration; real-time push notifications

3.4 Communication Metadata (Calls and SMS)

The most important category of data. We process:

3.4.1 Phone Call Metadata:

  • Phone number of sender (or originating device)
  • Phone number of recipient (destination number)
  • Date and time of call start
  • Date and time of call end
  • Call duration (in seconds)
  • Call status: answered, missed, rejected, failed
  • Type: incoming or outgoing call
  • Recording indicator (if enabled)

3.4.2 SMS Metadata:

  • Sender phone number
  • Recipient phone number
  • Date and time of sending
  • Date and time of delivery
  • Status: sent, delivered, failed, pending
  • Number of SMS in message (if multi-part)
  • Type: incoming or outgoing SMS

3.4.3 SMS Content and Call Recordings:

IMPORTANT: SMS content and call recordings are processed as transit data (temporary), not as data stored by SIMtrix:

  • SMS Content: Processed in transit in encrypted format (AES-256), transmitted directly to Bitrix24 and to SIM card. After transmission to Bitrix24, deleted from our servers within 7 days (via automatic cleanup).
  • Call Recordings: Transmitted to server temporarily, encrypted (TLS), transmitted to Bitrix24, deleted from our servers within 24 hours (automatic deletion).

After the retention period, communication metadata without content is stored for maximum 90 days (configurable by administrator).

Legal Basis: Performance of contract (Art. 6 (1) (b) GDPR)

Purpose: Service delivery of call and SMS transmission; logging history in Bitrix24; usage analytics; technical support and diagnostics

3.5 Technical Data and Server Logs

We process standard technical data:

  • IP addresses (of request sources)
  • Browser user-agent
  • Session cookies and authentication tokens
  • API access logs
  • Error and event logs
  • Time stamps
  • Performance and throughput data

Legal Basis: Legitimate interest (Art. 6 (1) (f) GDPR) — security, diagnostics, abuse prevention

Purpose: Security monitoring; error diagnostics; preventing unauthorized access; performance optimization; legal compliance

3.6 Billing Data

  • Payer data (name, address, NIP/VAT ID)
  • Credit card data — processed exclusively by Paddle.com Market Limited (our Merchant of Record), we do not have access
  • Invoice and transaction history
  • Subscription information (plan, start date, renewal date)

Legal Basis: Legal obligation (Art. 6 (1) (c) GDPR) — tax and accounting law

Purpose: Invoicing; subscription management; tax compliance

Data CategoryPurpose of ProcessingLegal Basis
Account dataService delivery, account management, billingArt. 6 (1) (b) GDPR (contract performance)
Bitrix24 user dataUser mapping; interaction trackingArt. 6 (1) (b) GDPR
Device dataDevice registration; push notificationsArt. 6 (1) (b) GDPR
Communication metadataService delivery; logging in Bitrix24Art. 6 (1) (b) GDPR
SMS content and recordingsTransmission to Bitrix24; temporary storageArt. 6 (1) (b) GDPR
Technical data/logsSecurity; diagnostics; abuse preventionArt. 6 (1) (f) GDPR (legitimate interest)
Billing dataInvoicing; tax requirementsArt. 6 (1) (c) GDPR (legal obligation)
Marketing (if applicable)Sending information about new features, promotionsArt. 6 (1) (a) GDPR (consent)

4.2 Detailed Processing Purposes

Service Delivery

The primary purpose of data processing is to fulfill the contract — enabling Clients to use the SIMtrix platform to make/receive calls and SMS through Bitrix24.

Security and Abuse Prevention

We process technical data and logs to:

  • Protect against unauthorized access
  • Detect and prevent fraud
  • Monitor anomalies in usage
  • Respond to security incidents
  • Tax law requirements (retention of billing documents)
  • GDPR requirements (documentation, audit trail)
  • Telecommunications requirements (if applicable)

Service Improvement (optional)

Anonymized analytics data (number of calls, SMS, average call duration) may be processed to optimize the platform — exclusively in anonymized form, without possibility of identifying the data subject.

5. DUAL ROLE: CONTROLLER AND PROCESSOR

5.1 SIMtrix as Data Controller (Administrator)

SIMtrix is an independent controller for:

  • Customer account data (company name, email, billing data)
  • Android device data
  • Technical data and server logs
  • Data concerning subscription and payments

In this role, we make decisions about what data we collect, for what purpose, how long we keep it, and what protective measures we apply.

5.2 SIMtrix as Data Processor (Sub-contractor)

SIMtrix acts as Data Processor for:

  • Phone numbers of contacts from client's Bitrix24 CRM (transmitted by application)
  • SMS content (transmission to Bitrix24)
  • Call recordings (transmission and temporary storage)
  • Any other personal data that the client transmits through the platform

In this role:

  • We act only on client's instructions (SIMtrix account administrator)
  • We do not independently decide on processing purposes and means
  • Client retains full control and responsibility as Controller
  • We are linked by a Data Processing Agreement (DPA)

5.3 Important Consequences of Dual Role

For SIMtrix Clients:

  • You are responsible for the legality of data processing by SIMtrix (as Processor)
  • You must ensure a legal basis for transmitting your contact data to us
  • In case of questions from data protection authorities regarding SMS/call data transmitted through SIMtrix, you as Controller must demonstrate GDPR compliance

For SIMtrix:

  • We are not responsible for whether Clients have the right to transmit specific data to us
  • However, we set conditions (see DPA section)
  • We have the right to refuse service if we suspect violations

5.4 Prohibition on Processing Special Category Data

The SIMtrix Service is NOT intended for processing special category data within the meaning of Article 9 of GDPR, including data concerning:

  • Health, medical information, or biometric data
  • Religious or philosophical beliefs
  • Sexual orientation
  • Trade union membership
  • Political opinions
  • Racial or ethnic origin

The Client undertakes not to intentionally use the Service for the collection, transmission, or processing of such data. If special category data appears in the content of communications (SMS, call recording), the Client, as the data controller, bears sole responsibility for its lawful processing. SIMtrix processes communication content exclusively in transit and does not classify or analyze its contents.

5.5 Client Responsibility for Data Transfer to Bitrix24

The Client is solely responsible for:

  • Choosing the data storage region in Bitrix24 and its compliance with GDPR requirements for cross-border data transfers
  • Ensuring an appropriate legal basis for the transfer of personal data of contacts from CRM to SIMtrix and back to Bitrix24
  • Ensuring that the Bitrix24 configuration complies with data protection regulations applicable in the Client's jurisdiction

SIMtrix bears no liability for the location of data within Bitrix24's infrastructure or for legal consequences arising from the Client's chosen data storage region.

6. "BRIDGE NOT STORAGE" POLICY — IN DETAIL

6.1 What SIMtrix is NOT

SIMtrix is NOT:

  • A provider of SMS storage/archival services
  • A provider of call recording storage services
  • A central repository for business communication history
  • A backup system for SMS/call data

6.2 What SIMtrix IS

SIMtrix is a system for:

  • Routing calls and SMS
  • Mapping Android devices to Bitrix24 users
  • Logging metadata (who, with whom, when) in Bitrix24
  • Reliable and secure bridge between SIM card and CRM

6.3 SMS Content Data Flow

Bitrix24 (client initiates SMS sending)
    ↓
SIMtrix API (receives content encrypted via TLS)
    ↓
AES-256 encryption in transit
    ↓
Android application (receives, sends via SIM card)
    ↓
SMS reaches recipient
    ↓
Response arrives at SIM card
    ↓
Android application transmits to SIMtrix
    ↓
SIMtrix transmits to Bitrix24 (TLS encryption)
    ↓
Bitrix24 logs SMS and its content in CRM
    ↓
[After 7 days] SIMtrix AUTOMATICALLY DELETES SMS content

6.4 Call Recording Data Flow

Call occurs on SIM card (Bitrix24 ↔ Android ↔ Network)
    ↓
Android application (if recording enabled) registers call
    ↓
After call ends: audio file transmitted (TLS) to SIMtrix
    ↓
SIMtrix transmits recording to Bitrix24
    ↓
Bitrix24 logs file in CRM
    ↓
[After 24 hours] SIMtrix AUTOMATICALLY DELETES recording from its servers

6.5 Storage Responsibility

ElementStored byPeriodResponsible for Security
SMS ContentBitrix24 (client)Depends on client policyClient (Controller)
Call RecordingsBitrix24 (client)Depends on client policyClient (Controller)
Metadata (number, time)SIMtrix90 days (max)SIMtrix
Server logsSIMtrix30 daysSIMtrix

7. DATA RETENTION PERIODS (RETENTION POLICY)

7.1 Customer Account Data

  • Period: Duration of contract + 30 days after contract termination/account deletion
  • After 30 days: Full anonymization or deletion
  • Reason: Enable complaint handling, service resumption, archive requirements

7.2 Bitrix24 User Data

  • Period: As long as user is assigned to service; + 30 days after removal from system
  • After 30 days: Deletion
  • Reason: Proper user mapping; tracking incoming calls

7.3 SMS Content

  • Period: 7 days from receipt by Bitrix24
  • Mechanism: Automatic deletion (batch job daily at 2:00 AM UTC)
  • Exception: If SMS contains SENSITIVE personal data (medical data, banking details, passwords) — we will attempt earlier deletion upon request
  • Reason: Data minimization; reducing breach risk; "bridge not storage"

7.4 Call Recordings

  • Period: 24 hours from transmission to Bitrix24
  • Mechanism: Automatic deletion (daily at 4:00 AM UTC)
  • Exception: Can be stored longer ONLY if client explicitly moves them to Bitrix24 Storage (then Bitrix24 responsible, not SIMtrix)
  • Reason: Risk minimization; bandwidth and space savings; "bridge not storage"

7.5 Communication Metadata (without content)

  • Period: Default 90 days, configurable by account administrator (5, 30, 60, 90, 180 days)
  • Retained data: Phone number, date, time, status, call duration — without content
  • After expiration: Anonymization (retain only aggregated statistics)
  • Reason: Diagnostics; complaint handling; analytics

7.6 Technical Data (Server Logs)

  • Period: 30 days
  • After expiration: Deletion
  • Reason: Security monitoring; anomaly detection
  • Exception: In case of security incident — retention may be extended to 90 days for investigation

7.7 Billing Data

  • Period: 5 years from invoice date (EU tax law requirement)
  • After expiration: Deletion or anonymization
  • Reason: Legal requirements; audit, tax control
  • Stored by: Both SIMtrix and Paddle.com Market Limited

8. SUB-PROCESSORS AND DATA TRANSFERS

8.1 Processors (Sub-processors)

We process data with the involvement of the following third parties:

8.1.1 OVH SAS

  • Role: Infrastructure provider (VPS hosting, managed by Provider)
  • Location: Server in Germany (EEA); OVH headquarters: France (EEA)
  • Data: All SIMtrix data stored on OVH servers in Germany
  • Agreement: OVH General Terms of Service + DPA
  • Guarantees: OVH commits to implementing appropriate safeguards (encryption, restricted access, backup)

8.1.2 Google LLC — Firebase Cloud Messaging (FCM)

  • Role: Push notification provider
  • Location: United States (with EU option)
  • Data: FCM tokens of Android devices; user identifiers; notification types
  • Agreement: Google Cloud Terms of Service + DPA
  • Guarantees: Google commits to data protection; SCCC (Standard Contractual Clauses) for US transfers
  • Control: Option to disable FCM (notifications will be delayed in-app)

8.1.3 Paddle.com Market Limited

  • Role: Merchant of Record; payment service provider
  • Location: United Kingdom
  • Data: Payer data, credit card data (we have NO access), transaction history
  • Agreement: Paddle Terms of Service + Payment Processing Agreement
  • Guarantees: Paddle stores data in PCI DSS compliance; We do not store card numbers
  • Control: Paddle manages all transactions independently

8.1.4 Bitrix24 (Client — Controller)

  • Role: CRM system — target repository for SMS data, calls, metadata
  • Location: Depends on client's chosen data center (EU/RU/US)
  • Data: All SMS data, calls, phone numbers, interaction logs
  • Agreement: Client manages DPA with Bitrix24 independently
  • Guarantees: SIMtrix transmits data via secure channel (TLS); after receipt by Bitrix24, SIMtrix not responsible for further storage
  • Important: Client as Controller is responsible for Bitrix24's GDPR compliance

8.2 Data Transfers Outside the EU

Transfers to USA (Google FCM)

  • FCM token transfers to Google LLC may occur to USA
  • Basis: Standard Contractual Clauses (SCC) — Art. 46 GDPR
  • Google has Privacy Shield certification (legacy) and SCC commitment
  • Right to Opt-out: Option to disable FCM by client (no impact on functionality, only delayed notifications)

Transfers to Germany (OVH)

  • All servers in EU (Germany) — no transfer outside EU

9. DATA SECURITY

9.1 General Security Standards

SIMtrix implements a multi-layered approach to data security:

9.2 Encryption

In Transit

  • Standard: TLS 1.3 minimum for all HTTPS connections
  • Certificates: X.509, automatically renewed by Caddy
  • Android Application ↔ Server: TLS 1.3 mandatory; Certificate pinning on app
  • Server ↔ Bitrix24: TLS 1.3; certificate verification
  • Server ↔ OVH: Internal private network, access restricted

At Rest

  • SMS content in transit: AES-256-GCM encryption at application level
  • Databases: Postgres volume encryption (encryption at rest)
  • Call recordings: AES-256 encryption before transmission to S3/storage

9.3 Access Control

  • Row-Level Security (RLS): Postgres RLS for multi-tenant isolation — each client sees only their data
  • API Authentication: JWT tokens, 15-minute TTL (Time To Live)
  • Refresh tokens: 30-day TTL with revocation capability
  • API Keys: For Android app — automatically changed every 90 days
  • Admin Panel: Access protected by password + optional 2FA

9.4 Logging and Monitoring

  • Audit logs: All data processing operations logged (who, what, when)
  • Security events: Failed logins, permission changes, sensitive API access
  • Alerting: Automatic alerts on anomalies (e.g., brute-force attempts)
  • Log retention: 30 days for access logs, 90 days for security events

9.5 Identification and Authentication

  • Passwords: SHA-256 hashing + salt (bcrypt in implementation)
  • Multi-Factor Authentication (MFA): Available on request for admin accounts
  • Session management: Session timeout after 24 hours of inactivity
  • IP whitelisting: Available for dedicated accounts

9.6 Vulnerability Management

  • Scanning: Regular vulnerability scanning (OWASP Top 10)
  • Dependabot: Automatic library updates (npm, Python, Maven)
  • Security audits: Quarterly code and infrastructure review
  • Bug bounty: Bug bounty program to be announced (details on website)

9.7 Security Incidents

  • Response plan: "Incident Response Plan" document maintained internally
  • PUODO notification: Within 72 hours of breach discovery (Art. 33 GDPR)
  • Individual notification: In case of breach posing high risk (Art. 34 GDPR)
  • Documentation: All incidents documented

10. DATA SUBJECT RIGHTS (NATURAL PERSONS)

Each data subject (natural person) has the right to:

10.1 Right of Access (Art. 15 GDPR)

You can request access to personal data we process. We will respond within 30 days in readable format (e.g., CSV, PDF).

10.2 Right to Rectification (Art. 16 GDPR)

If data is inaccurate or incomplete, you can request rectification. We will correct data within 10 days.

10.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)

You can request erasure of your personal data, with certain exceptions:

  • Data required to complete service
  • Data required by law
  • Data necessary for legal claim defense

In most cases, we will delete data within 30 days.

10.4 Right to Restrict Processing (Art. 18 GDPR)

You can request restriction of data processing (e.g., "do not delete but do not analyze") — data will be stored but not actively processed.

10.5 Right to Data Portability (Art. 20 GDPR)

You can request a copy of your data in structured format (JSON, CSV) for transfer to another service.

10.6 Right to Object (Art. 21 GDPR)

You can object to processing of your data based on legitimate interest. We must then demonstrate that our interests prevail.

If you have given consent to processing (e.g., for newsletter), you can withdraw it at any time. Withdrawal does not affect the legality of processing before withdrawal.

10.8 Right to Lodge a Complaint with Supervisory Authority

If you believe we violate GDPR, you have the right to file a complaint with:

President of the Personal Data Protection Office (UODO)
ul. Stawki 2
00-193 Warsaw
Poland

Email: skargi@uodo.gov.pl
Phone: +48 22 531 03 00
Website: https://uodo.gov.pl

Or with the data protection authority in your country.

10.9 Procedure for Exercising Rights

To exercise the above rights, please send a written request to:

support@simtrix.app

In your request, please:

  • Clearly specify which right you wish to exercise
  • Include a copy of identity document (for verification)
  • Provide specific details (e.g., which data, what period)

We will respond within 30 days (may extend to 60 days in complex cases).

11. CHILDREN'S DATA (Art. 8 GDPR)

SIMtrix is intended exclusively for adults and business organizations.

  • Users must be older than 16 years old (or older in some countries)
  • We do not knowingly collect children's data
  • If we discover a child is using the service, we will immediately delete their account
  • Organizations may collect data of their employees; the organization is responsible for GDPR compliance

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 Session Cookies

The web application (https://simtrix.app) uses session cookies necessary for operation:

  • Session ID: Logged-in user session identifier
  • Auth token: JWT authentication token
  • UI Preferences: Language, theme (dark/light)

These cookies do NOT require additional consent (implied consent, Art. 82 e-Privacy Directive).

12.2 Analytical Cookies

We currently do not use Google Analytics cookies or similar tracking services. If we add them in the future, we will request explicit consent.

Browsers allow cookie management:

  • Can be disabled in browser settings
  • You can choose which cookies to accept
  • Withdrawing consent: cookies will be deleted (but session will be interrupted)

12.4 Tracking Pixels

SIMtrix does not use tracking pixels or similar technologies to track user behavior across third-party websites.

13. CHANGES TO THIS PRIVACY POLICY

13.1 Change Procedure

We may change this Privacy Policy at any time. Significant changes will:

  • Be published at https://simtrix.app/privacy (at least 30 days before taking effect)
  • Be communicated to clients' emails (if change affects their data)
  • Require acceptance of new policy upon next login

13.2 Service Continuation

Continued use of SIMtrix after changes means acceptance of the new Privacy Policy.

14. CONTACT

14.1 Privacy Inquiries

If you have questions, comments, or wish to exercise rights concerning personal data:

Email: support@simtrix.app
Address: ANTENA sp. z o.o., ul. Działdowska 16, 81-208 Gdynia, Poland

We will respond within 10 business days.

14.2 General Customer Support

For general service questions:

Email: support@simtrix.app
Website: https://simtrix.app

15. DEFINITIONS

  • Data Controller: Person/organization deciding on purposes and means of data processing (Art. 4 p. 7 GDPR)
  • Data Processing: Any operation on data (collection, storage, analysis, deletion) (Art. 4 p. 2 GDPR)
  • Data Processor: Person/organization processing data on Controller's instruction (Art. 4 p. 8 GDPR)
  • Data Subject: Natural person whose data is processed (Art. 4 p. 1 GDPR)
  • Personal Data: Information concerning an identified or identifiable natural person (Art. 4 p. 1 GDPR)
  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
  • UODO: President of the Personal Data Protection Office (supervisory authority in Poland)
  • DPA: Data Processing Agreement — agreement on data processing between Controller and Processor
  • AES-256 Encryption: Advanced Encryption Standard with 256-bit key length
  • TLS 1.3: Transport Layer Security protocol version 1.3
  • FCM: Firebase Cloud Messaging — Google push notification service
  • GDPR: (English acronym for RODO)

16. ADDITIONAL INFORMATION

16.1 GDPR Compliance

SIMtrix is fully compliant with GDPR requirements regarding personal data processing. Security audits are conducted regularly.

16.2 Data Processing Agreement (DPA)

All SIMtrix clients are subject to a Data Processing Agreement (available upon request at support@simtrix.app). DPA specifies:

  • Roles (Controller vs Processor)
  • Security obligations
  • Incident procedures
  • Access and audit rights
  • Sub-processor agreement

16.3 Impact Assessment (DPIA)

SIMtrix has conducted a Data Protection Impact Assessment (DPIA) for main processing activities (available in document 00-RISK-ASSESSMENT-SIMtrix.md).

End of Privacy Policy

Data Protection Contact: support@simtrix.app