Legal

Privacy Policy

How we collect, use and protect your information.

Last updated: 19 June 2026

This Privacy Policy explains how Horizon Web Services Pvt Ltd ("SmsHorizon", "we", "us", "our") collects, uses, shares, retains and protects personal data when you visit smshorizon.in, create an account, or use our messaging services (SMS, RCS, WhatsApp Business messaging, virtual mobile numbers and APIs). We are committed to handling personal data in line with India's Digital Personal Data Protection Act, 2023 (DPDP Act), the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended (CCPA/CPRA), and the policies of the platforms we integrate with, including Meta's WhatsApp Business Platform and Google's RCS Business Messaging.

1. Who we are

We are the data controller responsible for your personal data, based at No. 254 Saradha College Road, Fairlands, Salem 636016, Tamil Nadu, India. You can reach us about this Policy through our contact page. For account data and website data, we act as a data controller. For message content and recipient data that our customers transmit through our platform, we act as a data processor on our customers' behalf (see "Our role: controller and processor").

2. Information we collect

  • Account and business information: name, business name, email address, phone number, address, GST and billing details, and login credentials.
  • Message and recipient data: the content of messages you send, recipient phone numbers, sender IDs, message templates, and delivery status. For WhatsApp, this may include WhatsApp Business account identifiers and approved templates.
  • Payment information: handled by third-party payment processors. We do not store full card numbers.
  • Technical and usage data: IP address, browser and device information, log files, API usage and cookies.
  • Communications: support tickets, sales enquiries and correspondence with us.

3. How we use your information, and our legal bases

  • To provide, maintain and secure our messaging services (performance of a contract).
  • To process payments and issue GST invoices (contract and legal obligation).
  • To respond to your support and sales queries (legitimate interests, contract).
  • To send service notifications such as downtime and policy changes (legitimate interests).
  • To comply with TRAI, DLT and other regulatory, tax and legal requirements (legal obligation).
  • To detect, prevent and investigate fraud, spam and abuse (legitimate interests).
  • To send marketing communications where you have opted in (consent, which you may withdraw at any time).

4. Our role: controller and processor

We are a data controller for the personal data of our account holders and website visitors. When our customers use our platform to send messages, we act as a data processor: we process recipient data and message content only on the documented instructions of the customer (the controller), to deliver the requested messaging service, and in accordance with applicable law and our agreement with that customer.

5. WhatsApp Business Platform and Meta Platforms

We use Meta's WhatsApp Business Platform and related Meta APIs to enable our customers to send messages to recipients who have opted in. Our access to and use of information obtained through Meta and WhatsApp complies with the WhatsApp Business Messaging Policy, the Meta Platform Terms and the Meta Developer Policies.

  • We use WhatsApp and Meta data only to provide, support and improve the messaging services our customers request.
  • We do not sell this data, and we do not use it for advertising or to build profiles unrelated to the service.
  • We do not transfer it to third parties except as needed to deliver the service (for example, to Meta and telecom infrastructure providers) or as required by law.
  • Recipient (end-user) data obtained through the WhatsApp Business Platform is processed on behalf of our business customers and handled per their instructions and applicable law.

6. Google RCS Business Messaging

We offer RCS (Rich Communication Services) business messaging. In India, RCS is delivered through the telecom operators (such as Reliance Jio and Vodafone Idea) together with Google's RCS Business Messaging platform. Our access to and use of information for RCS complies with Google's RCS Business Messaging policies and terms, and the requirements of the participating telecom operators.

  • We use RCS data only to provide, support and improve the messaging services our customers request.
  • We do not sell this data, and we do not use it for advertising or to build profiles unrelated to the service.
  • We do not transfer it to third parties except as needed to deliver the service (for example, to Google's RCS infrastructure and the telecom operators) or as required by law.
  • Recipient (end-user) data used for RCS is processed on behalf of our business customers and handled per their instructions and applicable law.

7. How we share information

We do not sell, rent or trade your personal data. We share data only with:

  • Telecom operators and messaging platforms (including Meta/WhatsApp and Google RCS) to deliver your messages.
  • Payment processors to handle billing and payments.
  • Infrastructure and sub-processors (such as hosting and security providers) who process data on our behalf under confidentiality and data-protection obligations.
  • Professional advisors (such as auditors and legal counsel) where necessary.
  • Government, regulatory or law-enforcement authorities where legally required.
  • A successor entity in the event of a merger, acquisition or asset sale, subject to this Policy.

8. International data transfers

Our primary servers are located in India. Where personal data is transferred across borders (for example, to Meta or to cloud and security providers), we rely on appropriate safeguards such as Standard Contractual Clauses or an equivalent lawful transfer mechanism.

9. Data retention

We keep personal data only for as long as necessary for the purposes described in this Policy, for the life of your account, and to meet legal, tax, regulatory and dispute-resolution obligations. Our indicative retention periods are:

  • Account and billing records: for the duration of your account and for the period required under applicable Indian tax and company law (generally up to 8 years) after account closure.
  • Message delivery logs and metadata: up to 12 months, for billing and dispute resolution, after which they are deleted or anonymised.
  • Message content: retained only as long as needed to deliver the message and resolve disputes, and not used for any other purpose.

10. Data deletion, and how to request it

You may ask us to delete your personal data at any time. To make a Data Deletion Request:

  • Submit a request through our contact page, mentioning "Data Deletion Request" in your message.
  • Include the email address or phone number associated with your account so we can verify your identity.

We will acknowledge your request and, once your identity is verified, delete or anonymise your personal data within 30 days (or sooner where required by law). We may retain the minimum information necessary to comply with legal, tax, regulatory or dispute-resolution obligations, or to prevent fraud and abuse, and will securely delete the rest. Where you sent messages through the WhatsApp Business Platform or Google RCS Business Messaging, deletion will also cover the associated data we hold, subject to Meta's and Google's requirements and applicable law. If we act as a processor for a customer, we will also act on verified deletion instructions from that customer.

11. Your privacy rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you, and receive a copy.
  • Correct inaccurate or incomplete data.
  • Delete your data ("right to erasure"), as described above.
  • Port your data to another provider where applicable.
  • Restrict or object to certain processing.
  • Withdraw consent at any time, without affecting processing already carried out.
  • Nominate another person to exercise your rights in the event of death or incapacity (DPDP Act).
  • Lodge a complaint with a supervisory authority, such as the Data Protection Board of India, an EU/UK supervisory authority, or the California Privacy Protection Agency.

We do not sell or "share" personal data for cross-context behavioural advertising, and we will not discriminate against you for exercising your rights (CCPA/CPRA). To exercise any right, contact us.

12. Cookies and tracking

Our website uses essential cookies for session management and security, and analytics cookies to understand how visitors use the site. You can control or disable cookies in your browser settings. Disabling essential cookies may affect site functionality.

13. Spam protection (Google reCAPTCHA)

Our signup and contact forms are protected by Google reCAPTCHA to detect automated abuse. When you submit these forms, limited technical information (such as your IP address, browser details and interaction signals) is shared with Google for verification. Use of reCAPTCHA is subject to the Google Privacy Policy and Terms of Service.

14. Data security

We use industry-standard encryption (HTTPS/TLS) for data in transit. Account passwords are hashed, access to customer data is restricted to authorised personnel on a need-to-know basis, and we monitor our systems for unauthorised access. In the event of a personal-data breach that is likely to result in risk to you, we will notify you and the relevant authorities as required by applicable law. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

15. Children's privacy

Our services are intended for businesses and are not directed to children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us data, please contact us so we can delete it.

16. Grievance Officer and escalations

In accordance with the DPDP Act and India's Information Technology Act and rules, you may raise a privacy grievance or escalation with our Grievance Officer through our contact page, selecting "Escalation (to management)" as the reason. Please include enough detail (and the email or phone linked to your account) for us to verify your identity and respond. We will acknowledge and address grievances within the timelines required by applicable law.

17. Changes to this policy

We may update this Policy from time to time. The "Last updated" date above reflects the latest revision. Material changes will be communicated by email or by a notice on this page.

18. Contact us

For any privacy-related questions, please use our contact page.