Privacy Policy
Last updated: May 29, 2026
POSSMS ("POSSMS," "we," "our," or "us") provides a browser extension and supporting backend that allows business operators ("you," "Subscriber," or "Sender") to send and receive SMS and MMS messages with your customers ("Recipients") through your point-of-sale and business tools. This Privacy Policy explains what information we collect, how it is used, who it is shared with, and your rights regarding that information.
POSSMS is a tool that relays messages on your behalf. You are the sender of every message, and you control the content, timing, and audience. We do not write, schedule, or send messages on our own.
1. Information We Collect
Information you provide
- Account details: business name, contact email, and the identifier of your point-of-sale account.
- Configuration: business hours, auto-reply text, and other preferences you set in the extension.
- Communications you send to us (support emails, feedback).
Information generated by your use of the Service
- Outbound and inbound SMS/MMS messages, including phone numbers, message body, attached images, timestamps, and delivery status.
- Customer phone-to-name mappings synced from your connected POS to speed up lookups in the extension.
- OAuth tokens issued by your POS provider, used to authenticate requests on your behalf.
- Operational logs (error events, request metadata) used to keep the Service running.
Information we do not collect
- We do not collect payment card data.
- We do not run third-party advertising trackers or analytics fingerprinting in the extension.
2. How We Use Information
- To operate the Service — relay your messages to and from Twilio, look up customer names, and display your conversations.
- To provide support and respond to your requests.
- To detect, investigate, and prevent abuse, fraud, or security incidents.
- To comply with legal obligations.
- To improve the Service in aggregate (for example, fixing reliability issues based on error logs).
3. Where Information Is Stored
Different categories of data live in different places:
- Your browser: Extension settings, your POS OAuth tokens, and a cache of customer phone numbers and names are stored in your browser's extension storage.
- Cloudflare Workers KV: Per-shop configuration, customer phone-name maps, and read/unread state.
- Cloudflare D1 (SQLite): Message records (phone numbers, message body, media URLs, delivery status) used to build your conversation history.
- Cloudflare R2: Image attachments you send or receive. Staging copies for Twilio delivery expire after one hour. Permanent copies kept for conversation history are deleted automatically after 90 days.
4. Sub-Processors
POSSMS uses the following third parties to operate the Service. By using POSSMS you agree to your data being processed by these providers under their respective terms:
- Twilio, Inc. — SMS/MMS delivery to and from your customers.
- Cloudflare, Inc. — Compute (Workers), storage (KV, D1, R2), and content delivery.
- Google LLC — Identity verification when you sign in with Google.
- Your point-of-sale provider — For example, Lightspeed. Your POS OAuth scopes allow us to read customer phone numbers on your behalf.
5. Data Retention
- Messages: retained until you delete the thread from the extension, after which they are hidden from the extension's view; carrier-side copies at Twilio are retained per Twilio's policies and are outside our control.
- Image attachments: deleted from R2 storage 90 days after upload via an automated cleanup job.
- Customer phone-name maps: retained while your account is active.
- OAuth tokens: retained until you disconnect or revoke them.
6. Sharing of Information
We share information only as needed to operate the Service:
- With the sub-processors listed above.
- When required by law, subpoena, or other valid legal process.
- To protect the rights, property, or safety of POSSMS, our users, or others, including enforcing this policy or our Terms of Service.
- In connection with a merger, acquisition, financing, or sale of assets, subject to the same protections set out here.
We do not sell personal information.
7. Your Rights
Depending on where you live, you may have rights to access, correct, delete, or export the personal information we hold about you, and to object to or restrict certain processing. To exercise these rights, email [email protected] from the account email on file. We will respond within a reasonable timeframe and may verify your identity before acting.
Note that Recipients (your customers) interact with POSSMS only because you send them messages. If a Recipient asks us about their data, we will refer them to you as the Sender of record, and we will assist in good faith to honor lawful deletion or access requests.
8. Recipient Opt-Out
SMS recipients can opt out at any time by replying with STOP, UNSUBSCRIBE, CANCEL, END, or QUIT. Twilio handles these opt-outs at the carrier level and blocks further messages from your number to that recipient. You are responsible for keeping your own records of consent and opt-outs in accordance with applicable law.
9. Security
We take reasonable steps to protect the data we handle. The Service uses HTTPS for all network traffic, scoped per-shop access keys, OAuth for POS integration, and signed time-limited URLs for media access. No system is perfectly secure, and we cannot guarantee against all unauthorized access. If we become aware of a security incident affecting your data, we will notify you as required by applicable law.
10. International Users
The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our sub-processors operate. By using the Service, you consent to this transfer.
11. Children
POSSMS is not intended for use by anyone under 18, and is not designed to collect information from children under 13. If you believe a child has provided information through the Service, contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be flagged on this page, and your continued use of the Service after the effective date constitutes acceptance.
13. Contact
Questions about this Privacy Policy or your data:
[email protected]
See also: Terms of Service.