Privacy Policy
Effective 2026-07-08 · ARENAMEDIA SP. Z O.O. (Poland, EU) — GDPR-compliant
1. What we collect
- Account: email address, password hash (bcrypt), wallet balance, timestamps.
- Payment: Stripe processes cards. We store the Stripe session ID for reconciliation but never see card numbers.
- Orders: service, country, phone number rented, SMS code received (retained for 30 days for support purposes).
- Technical: IP address (transactional logs), rate-limit counters, session cookie.
2. What we don't collect
- No name, address, phone number, or government ID (we do not require KYC).
- No third-party tracking, no advertising cookies, no ad targeting.
- No content of the SMSes sent to your rented number is analysed or sold.
3. Legal basis (GDPR Art. 6)
Contract performance (billing, order processing) and legitimate interest (fraud prevention, service integrity).
4. Retention
- Account data: kept while your account exists. Delete via email request to hello@1mail.lt.
- Payment records: 7 years (EU accounting law).
- Order + SMS code data: 30 days, then permanently deleted.
- Logs: 14 days, then rotated.
5. Sharing
We share the minimum required data with: Stripe (payment processing), our upstream SMS provider (order fulfilment). We do not sell or rent your data.
6. Your rights (GDPR)
You may request access, correction, deletion, portability, or objection to processing. Email hello@1mail.lt — we respond within 30 days.
7. Security
Passwords hashed with bcrypt (cost 10). Session cookies HttpOnly, Secure, SameSite=Lax. TLS via Let's Encrypt on all endpoints. Rate limits protect against abuse.
8. International transfers
Our servers are in Germany (Hetzner). Some upstream services (SMS provider, Stripe) may transfer data to countries with adequate protection under EU rules.
9. Contact / DPO
hello@1mail.lt — ARENAMEDIA SP. Z O.O., KRS 0001069191, Poland.