This is an English convenience translation. The binding version is the German original, available at simrelay.com/de/byos-datenschutzerklaerung. In case of any discrepancies, the German version shall prevail.

Privacy Policy for the SIMRelay BYOS App

Last updated: 25 February 2026

This privacy policy explains what personal data we process when you use our Android app "SIMRelay BYOS" (hereinafter "App"). In particular, you will learn what data is collected, on what legal basis this occurs, what permissions the App requires, and what rights you have.

1. Controller and Contact

The controller within the meaning of the GDPR is:

SIMRelay GmbH
Lilienthalstr. 5c
12529 Schönefeld, Germany
Email: [email protected]
 

Further details about the controller can be found in our legal notice at simrelay.com/de/impressum. If a data protection officer has been appointed, their contact details are also listed there.

2. Description and Purpose of the App

SIMRelay BYOS (Bring Your Own SIM) turns an Android smartphone into an SMS relay device for the SIMRelay platform. The App receives incoming SMS messages on the device and forwards them in real time to the SIMRelay API. This allows businesses to use off-the-shelf Android smartphones as SMS gateways without having to purchase dedicated hardware.

3. Data Processed

3.1 Phone Numbers of the SIM Card(s)

The App reads the phone number(s) of the SIM card(s) inserted in the device in order to associate them with the SIMRelay platform. On dual-SIM devices, both SIM cards may be detected. This association is strictly necessary for the functionality of the service.

3.2 SMS Messages (Communication Content and Traffic Data)

The App intercepts incoming SMS messages and transmits their content as well as associated traffic data (sender number, time of receipt) to the SIMRelay API. Communication content and traffic data are subject to the secrecy of telecommunications under the German Telecommunications Digital Services Data Protection Act (TDDDG). This specific legislation takes precedence over the general provisions of the GDPR in this regard. The transmitted SMS content is stored on the SIMRelay platform within the customer account and made available to the respective customer. The customer is responsible for the management and deletion of SMS content under their own data protection obligations. We provide deletion functions within the platform for this purpose and reserve the right to introduce configurable retention policies in the future, allowing customers to control automatic deletion after a defined period.

3.3 Device and Connection Data (Heartbeat)

The App periodically sends so-called heartbeat data to the SIMRelay API in order to monitor the operational status of the relay device. This includes the connection status, a message counter, the battery level, and the signal strength. This data is used solely to ensure reliable operation and is not used for advertising purposes.

3.4 Authentication Data

Using the App requires a SIMRelay customer account to which the user must log in. The device is paired with the customer account via a PIN-based activation flow. The App stores authentication tokens in encrypted form on the device and renews them automatically upon expiry.

3.5 Device Configuration

Settings such as the selected SIM card and configuration parameters are stored locally on the device. This data does not leave the device.

4. Analytics and Crash Reporting Services

4.1 Google Firebase Analytics

We use Google Firebase Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Firebase Analytics helps us understand how the App is used so that we can improve functionality, stability, and user experience. Pseudonymised usage data is collected, including events and interactions within the App, session duration, approximate geolocation (based on IP address), technical device characteristics (model, operating system version, screen resolution), and a pseudonymous app instance ID. No complete IP addresses are permanently stored. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in improving and maintaining the stability of the App). Data transfers to Google LLC in the USA are based on an adequacy decision (EU-U.S. Data Privacy Framework) and additionally on Standard Contractual Clauses and supplementary safeguards.

4.2 Firebase Crashlytics

We use Firebase Crashlytics, a crash reporting service provided by Google Ireland Limited. Crashlytics automatically collects technical diagnostic data in the event of app crashes and errors, including device type, operating system version, the state of the App at the time of the crash, stack traces, a pseudonymous installation ID, and basic session data. This data is used exclusively to identify and fix software defects. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the technical stability and reliability of the App). The safeguards for data transfers to the USA described in section 4.1 apply.

4.3 Firebase Cloud Messaging

We use Firebase Cloud Messaging (FCM) to send push notifications to the App, for example in the event of configuration changes or technical advisories. FCM uses a device-specific token ID that does not allow conclusions to be drawn about the identity of the user. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in timely communication with the relay device).

5. App Permissions

The App requires the following Android permissions, each of which is necessary for the described functionality:

Receive and read SMS (RECEIVE_SMS, READ_SMS): To intercept and forward incoming SMS messages to the SIMRelay platform. This is the core functionality of the App.

Read phone state and phone numbers (READ_PHONE_STATE, READ_PHONE_NUMBERS): To identify the inserted SIM card(s) and their phone numbers in order to ensure correct association with the SIMRelay platform.

Internet access and network state (INTERNET, ACCESS_NETWORK_STATE): For communication with the SIMRelay API and monitoring of the network connection.

Auto-start after device reboot (RECEIVE_BOOT_COMPLETED): To automatically restart the relay service after a device reboot so that no SMS messages are missed.

Foreground service and notifications (FOREGROUND_SERVICE, POST_NOTIFICATIONS): To keep the relay service permanently active in the background and to inform the user about the operational status.

All permissions are used exclusively for the purposes described. No permissions are used for advertising or marketing purposes.

6. Purposes and Legal Bases

The data described in section 3 is processed for the following purposes and on the following legal bases:

Provision of the relay service: The processing of phone numbers, SMS content, traffic data, and authentication data is necessary for the performance of the contract (Art. 6(1)(b) GDPR). For communication content and traffic data, the provisions on the secrecy of telecommunications under the TDDDG additionally apply.

Operational monitoring and reliability: The collection of heartbeat data (battery, signal, connection status) is based on our legitimate interest in a stable and reliable service (Art. 6(1)(f) GDPR).

Analytics and bug fixing: The use of Firebase Analytics and Crashlytics is based on our legitimate interest in improving and maintaining the technical stability of the App (Art. 6(1)(f) GDPR).

Security: Measures for IT security, abuse prevention, and protection of the communication infrastructure are based on Art. 6(1)(f) GDPR.

7. Recipients of Data

In the course of operating the App, the following recipients may receive access to data insofar as this is necessary to provide the respective service:

SIMRelay platform: SMS content and traffic data are transmitted to the SIMRelay platform, where they are distributed according to the forwarding rules set up by the customer to the configured recipients (phone, app, Slack, MS Teams, webhook).

Google (Firebase): Firebase Analytics, Crashlytics, and Cloud Messaging as processors for analytics and crash data. Data processing agreements pursuant to Art. 28 GDPR are in place.

Hosting and infrastructure providers: For the operation of the SIMRelay API and associated infrastructure.

Within our company, only persons who require access for their duties receive it (need-to-know principle). Government access occurs exclusively on a legal basis.

8. International Data Transfers

Through the use of Google Firebase, data may be transferred to Google LLC in the USA. We base such transfers – where available – on the adequacy decision (EU-U.S. Data Privacy Framework) and additionally on Standard Contractual Clauses (Art. 46(2)(c) GDPR) as well as supplementary technical and organisational safeguards.

9. Retention Periods and Deletion

SMS content: Stored on the SIMRelay platform within the customer account. Deletion is the responsibility of the customer, who is provided with appropriate deletion functions within the platform. Configurable retention policies will be introduced in the future, allowing customers to control automatic deletion after a defined period. Upon deletion of the customer account, all associated SMS content is irrevocably deleted.

Traffic data: Deleted without undue delay once it is no longer required for the provision of the service.

Heartbeat data: Stored on a rolling basis; older entries are regularly overwritten.

Authentication tokens: Stored in encrypted form on the device and deleted upon logout or uninstallation of the App.

Firebase Analytics: Event data is retained for two or fourteen months depending on the configuration.

Crashlytics data: Crash reports are retained for 90 days.

10. Data Security

We implement appropriate technical and organisational measures to protect your data. These include, in particular, encrypted storage of authentication tokens on the device, end-to-end TLS encryption of communication between the App and the API, token-based authentication with automatic refresh, access restrictions based on the need-to-know principle, and regular security reviews and updates.

11. Your Rights

Under the GDPR, you have the following rights:

Right of access (Art. 15 GDPR): You may request information about the personal data we process about you.

Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.

Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.

Right to restriction of processing (Art. 18 GDPR): You may request the restriction of the processing of your data.

Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used, and machine-readable format.

Right to object (Art. 21 GDPR): You may object at any time to processing based on Art. 6(1)(f) GDPR.

Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement. For telecommunications-specific matters, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) has jurisdiction.

To exercise your rights, please contact: [email protected]

12. Obligation to Provide Data and Automated Decisions

There is no legal obligation to provide personal data. However, the data and permissions described in sections 3 and 5 are required for the use of the App and the relay service. Without these, the App cannot fulfil its function. No solely automated decision-making within the meaning of Art. 22 GDPR takes place.

13. Minors

The App is intended for businesses and their employees. It is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children.

14. Changes to This Privacy Policy

We update this privacy policy when changes in legislation, technology, or our processing activities require it. The current version is available in the App and on our website at simrelay.com/en/byos-privacy-policy.