Privacy Policy
Last updated: June 1, 2025
VRNUM is built around the principle of minimal data collection. We collect only what is strictly necessary to operate the service. We never sell your data, never serve advertising, and accept only cryptocurrency payments — meaning no credit card or bank account is ever linked to your VRNUM activity.
1. Information We Collect
We collect the minimum data necessary to provide our services:
- Email Address: Required when you register an account. Used solely for authentication, account recovery, and support communications.
- Transaction Records: We store records of purchases, wallet top-ups, invoices, and renewal history to fulfil orders and resolve disputes.
- Incoming SMS Logs: SMS messages delivered to your virtual numbers are temporarily stored and displayed in your dashboard inbox. These are periodically purged from our servers.
- Marketing Attribution (Optional): If you arrive at VRNUM via a link containing UTM parameters (e.g. utm_source=google), we may record this anonymously in your account profile to understand which marketing channels are effective. This data is never shared with advertisers.
- Referrer Information: If your browser sends a referrer header when you first visit, we may store the referring domain (e.g. "google.com") alongside UTM data for internal analytics. We do not track individual browsing behaviour across sites.
2. Information We Do NOT Collect
We explicitly do not collect:
- Your real name, physical address, or government-issued identity documents (zero KYC).
- Credit card numbers, bank account details, or any traditional payment information.
- Device fingerprints or persistent advertising identifiers.
- Your precise location or IP address for tracking purposes (IP addresses may appear in server logs for security and abuse prevention, but are not linked to your account for profiling).
3. How We Use Your Information
The information we collect is used solely to:
- Create and manage your account and authenticate your login sessions.
- Provision virtual phone numbers and deliver incoming SMS to your dashboard.
- Process cryptocurrency transactions and maintain accurate financial records.
- Send transactional emails: order confirmations, number expiry warnings, and support replies. We do not send marketing emails unless you explicitly opt in.
- Detect and prevent fraudulent or abusive activity on our platform.
- Analyse aggregate usage patterns (e.g. which countries are most popular) to improve the service. This analysis is never linked to individual identities.
4. Cookies & Tracking
We use a minimal set of first-party cookies required for authentication (session cookies) and security (CSRF tokens). We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.
We use Cloudflare Turnstile on our authentication pages to detect automated bot activity. Turnstile operates as a privacy-preserving alternative to traditional CAPTCHAs and does not use persistent tracking cookies or collect personal data from your device. See Cloudflare's Privacy Policy for details.
We may load Google Analytics 4 if configured, which uses anonymised session data (page URLs, referrers, country-level location) to measure site performance. We do not enable Google Signals, cross-device tracking, or user ID linking. You can opt out via your browser's privacy settings or a standard GA4 opt-out extension.
5. Information Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share minimal data with the following service providers only to the extent necessary to operate:
- Cryptomus: Our cryptocurrency payment gateway. We share order reference IDs to verify payment status. We do not share your email or identity with Cryptomus.
- Telecom Providers (Yesim and others): We interface with licensed telecom providers to provision virtual phone numbers. Your email address and personal identity are never shared with these providers.
- Cloudflare: Our infrastructure and DDoS protection provider. Cloudflare may process network-level data (IP addresses) as part of its service. See Cloudflare's privacy policy.
- Amazon Web Services (SES): We use AWS Simple Email Service to send transactional emails. Email addresses used for sending are processed by AWS infrastructure.
We may disclose data if required to do so by law or in response to a valid legal process. We will attempt to notify affected users where legally permitted.
6. Data Security
We implement industry-standard technical and organisational security measures, including TLS encryption for all data in transit, encrypted database storage, strict access controls (only essential personnel access production data), and regular security reviews. No system is perfectly secure — if you discover a security vulnerability, please report it to [email protected].
7. Data Retention
- Account data (email, preferences): Retained for the lifetime of your account. Deleted within 30 days of an account deletion request.
- SMS logs: Purged automatically on a rolling 30-day cycle.
- Transaction records: Retained for up to 5 years to comply with financial record-keeping requirements.
- Marketing attribution (UTM/referrer): Retained for the lifetime of your account for internal analytics.
- Server logs: Retained for up to 90 days for security and abuse investigation, then deleted.
8. Your Rights
Regardless of your location, you have the following rights with respect to your personal data:
- Access: You can request a copy of the personal data we hold about your account.
- Rectification: You can update your email address or other account information at any time via your account settings.
- Erasure: You can request complete deletion of your account and all associated personal data. Note: transaction records may be retained for the legally required period.
- Objection: You can object to specific processing activities, such as marketing attribution tracking.
- Portability: You can request an export of your account data in a machine-readable format.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Children's Privacy
VRNUM is not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via an email to your registered address or a prominent notice on our website. Continued use of the service after a change constitutes acceptance of the updated policy.
11. Contact Us
For any privacy-related questions, data requests, or concerns, please contact us at [email protected]. We take privacy enquiries seriously and aim to respond within 3 business days.