1. Who We Are

This Privacy Policy (“Policy”) applies to the services available on globfone.com, its related subdomains (including subdomains like premium.globfone.com), and the Globfone mobile applications (together: “Globfone“, “Service“). Globfone is operated by i-Trends Sp. z o.o., a company established in Poland, with its registered office at ul. Druskiennicka 27, 81-533 Gdynia, Poland (“Administrator”, “we”, “us”).

We act as the data controller for personal data processed in connection with the Service, unless stated otherwise in this Policy (for example, where a partner acts as an independent controller or a processor on our behalf).

We are committed to processing personal data in a fair, transparent and secure manner and in accordance with applicable data protection rules, in particular the GDPR (Regulation (EU) 2016/679).

2. Scope of this Policy

This Policy explains:

• what personal data we collect when you use Globfone (Website, subdomains, and mobile apps),
• for what purposes and on what legal bases we process this data,
• who we share data with, including processors and other third parties,
• how long we keep data,
• your rights under GDPR, CCPA and other applicable laws,
• how to contact us regarding privacy matters.

By using our Website or Services you acknowledge that you have read this Policy and the Terms of Use, including information about cookies, and that you agree to comply with them. If you do not agree with this Policy, please do not use the Service.

3. Key Definitions

• User – any person using the Globfone Services (via Website, subdomain or Application).
• Services – communication and related services we provide, including sending SMS, VoIP calls, video calls, file transfers, free and Premium services.
• Website – the service available at https://globfone.com and related subdomains, including premium.globfone.com and auth.globfone.com.
• Application – the mobile apps “Globfone” or similar, which act mainly as a shortcut/hosted shell for the mobile versions of the Websites and do not contain separate core logic.
• End User / Recipient – the recipient of an SMS, call or other communication (e.g. owner of a phone number in GSM/PSTN networks).
• Personal Data – any information relating to an identified or identifiable natural person (e.g. name, email, IP, phone number, identifiers).
• Data Controller – the entity determining the purposes and means of processing personal data (i-Trends Sp. z o.o. for Globfone).
• Data Processor – an entity processing personal data on behalf of the Controller (e.g. hosting provider, payment processor, VoIP or SMS gateway).
• Cookies – small text files stored on your device to support the operation of the Website and for analytics/advertising, as described in the Cookies section.

4. Categories of Data, Purposes and Legal Bases

The type and scope of data we process depends on how you use the Service (web, Premium, mobile app, free SMS, VoIP etc.). Below we summarise the main processing activities.

4.1. Account Creation, Authentication and Profile Data

What data we process

• Account registration and login:
  • email address,
  • first name, last name (if provided),
  • user identifier in the identity system ,
  • password or other authentication credentials (stored and managed in the identity provider),
  • technical tokens (access/refresh tokens) stored as httpOnly cookies on our domains for authentication and security.
• Extended user profile – in our user database we may store:
  • UUID linked to your identity provider ID,
  • email (unique),
  • profile type (individual / business),
  • company name (for business profiles),
  • first name, last name,
  • postal address (street, city, postal code, country),
  • tax number (e.g. VAT ID, NIP),
  • preferred language, time zone,
  • account balance.

Purposes

• creating and managing a User Account, including authentication via OAuth2/OpenID Connect,
• providing access to free and Premium Services, including web and mobile versions,
• billing, invoicing and payment settlement (especially for business users and Premium accounts),
• configuring VoIP/SIP accounts and link them to your profile,
• personalisation of interface (language, time zone),
• support, complaint handling and communication about your account or services.

Legal bases

• performance of a contract or steps prior to entering into a contract – Art. 6(1)(b) GDPR (e.g. creating and managing your account, providing services),
• legal obligations – Art. 6(1)(c) GDPR (e.g. tax and accounting obligations related to invoices),
• legitimate interests – Art. 6(1)(f) GDPR (e.g. securing access to the Service, preventing abuse, service improvement).

4.2. Communications and VoIP Services

What data we process

• Free and Premium calls (VoIP):
  • SIP login and password generated for you,
  • internal VoIP identifiers (e.g. Server VoIP user ID, tariff/group ID),
  • assigned caller ID number in international format, and display name (if used),
  • call metadata: dialled number, date and time, call duration, call status, technical parameters required to route the call.
• Free calls from browser (webphone):
  • SIP login/password used by the browser client,
  • caller ID and number from your profile.
• Chat, video, file transfer:
  • user identifier/contact name,
  • connection metadata (time, basic technical info),
  • file metadata (size, type) and file content during transfer.

Purposes

• setting up and operating VoIP/SIP accounts (including accounts managed via a third-party VoIP switch such as Mizu),
• establishing, routing and terminating calls and other communications,
• managing service limits (for Free vs Premium accounts),
• ensuring quality of service, troubleshooting and complaint resolution,
• fulfilling legal requirements applicable to telecom-type services, including retention of certain traffic data where required by law.

Legal bases

• performance of a contract – Art. 6(1)(b) GDPR (provision of communication services),
• legal obligations – Art. 6(1)(c) GDPR (where telecom or tax law requires certain data retention),
• legitimate interests – Art. 6(1)(f) GDPR (ensuring service continuity, security and fraud prevention).

4.3. Free SMS with Advertising

What data we process

• Sender information (linked to your User account or session),
• recipient phone number and country/prefix,
• message content, including advertising text automatically appended by the system,
• meta-data: sending time, cost, free SMS balance, IP address, provider ID, gateway response, delivery status, any error codes.

For delivery we send the recipient’s number and the full SMS content to an external SMS gateway (provider).

Purposes

• providing a free SMS service funded by advertising,
• ensuring messages are delivered to eligible destinations only, governed by country/prefix rules,
• preventing abuse (spam, fraud, excessive usage) and managing limits,
• billing and settlement with our SMS providers, and internal reporting.

Legal bases

• performance of a contract – Art. 6(1)(b) GDPR (sending SMS requested by the User),
• legitimate interests – Art. 6(1)(f) GDPR (financing free services with ads, anti-fraud, service quality).

4.4. Contacts / Address Book and Third-Party Numbers

What data we process

• Server-based contacts (within the Service):
  • contact name (up to a limited number of characters),
  • phone number (normalised numeric format),
  • link to your User Account.
• Mobile app device contacts (if you grant permission):
  • access to your address book to allow you to pick recipients directly from contacts.

For device contacts in the mobile Applications, we may process data only locally on your device to enable selection of a recipient; we do not copy or store your address book on our servers, unless explicitly stated and agreed within the app.

Purposes

• making it easier for you to send SMS or calls to frequently used numbers,
• organising contacts inside the Service for your convenience.

Legal bases

• consent – Art. 6(1)(a) GDPR (for accessing the address book on your device or adding third-party data),
• legitimate interests – Art. 6(1)(f) GDPR (providing convenience features such as in-service contact lists).

Where you enter third-party data (e.g. contacts) into the Service, you are responsible for ensuring that you are allowed to provide that data to us (for example, that the contact has consented to communications). In this context, we typically act as a processor handling such data on your behalf.

4.5. Caller ID Verification

What data we process

• phone number that you want to use as caller ID,
• temporary verification code sent via SMS or call,
• verification status (verified/unverified), default flag,
• link to your User Account.

Purposes

• verifying that you control the phone number used as a sender/caller ID,
• preventing spoofing and abuse,
• using the verified number as caller ID for Free SMS and VoIP calls.

Legal bases

• performance of a contract – Art. 6(1)(b) GDPR (using the Service with a verified caller ID),
• legitimate interests – Art. 6(1)(f) GDPR (preventing fraud and identity misuse).

4.6. Payments and Premium Services

What data we process

• for Premium subscriptions and top-ups through Stripe:
  • Stripe customer ID linked to your Account,
  • basic payment method information accessible to us (card brand, last four digits, expiration month/year),
  • transaction data: amount, currency, type of operation (top-up, refund), payment status (Stripe status and our internal status), payment intent/check-out session IDs, description of transaction.
• for other paid services:
  • transaction ID and payer’s details (e.g. email),
  • purchased product details, payment amount, currency, date.

We do not store full card numbers, CVC codes or magnetic stripe data. Such data is processed exclusively by Stripe or other PCI-DSS-compliant payment processors during the payment process.

Purposes

• processing payments for Premium Services and top-ups,
• saving payment methods (via Stripe setup sessions) for future charges if you choose so,
• handling refunds, chargebacks and complaints,
• fulfilling accounting and tax obligations,
• monitoring payment success/failure and preventing payment fraud.

Legal bases

• performance of a contract – Art. 6(1)(b) GDPR (payment and subscription management),
• legal obligations – Art. 6(1)(c) GDPR (tax/accounting recordkeeping),
• legitimate interests – Art. 6(1)(f) GDPR (fraud prevention, dispute handling).

4.7. Free Recharge and Promotional Credits

What data we process

• User Account identifier,
• IP address and request meta-data,
• information about requested and granted free recharge (amount, limits, status),
• attempt logs (including repeated attempts) stored for audit and anti-fraud purposes.

Purposes

• providing promotional free credits or top-ups when available,
• monitoring usage to prevent abuse of promotions,
• security and auditability of free recharge decisions.

Legal bases

• performance of a contract – Art. 6(1)(b) GDPR (where free recharge is part of the Service offering),
• legitimate interests – Art. 6(1)(f) GDPR (protecting the Service from abuse).

4.8. Technical Data, Logs, Rate Limiting and Blacklists

What data we process

• IP addresses (including from HTTP requests and trusted proxy headers),
• user identifiers and request IDs,
• browser / application user agent, operating system, device information,
• server and application logs (errors, warnings, actions such as “SMS sent”, “call attempted”, transactions created),
• blacklists:
  • normalised values such as IP addresses, phone numbers, email addresses or other identifiers,
  • hash of the value, human-readable display value, scope (e.g. global, free SMS only), status, validity period,
  • reason, source (manual/automatic), meta-data, ID of admin who created/modified the entry.

Purposes

• monitoring and protecting the security and stability of the Service,
• detecting and preventing abuse, spam and attacks (e.g. DDoS, brute force, mass messaging),
• enforcing rate limits and usage policies,
• internal diagnostics and technical support,
• keeping an audit trail required by law or good security practice.

Legal bases

• legitimate interests – Art. 6(1)(f) GDPR (security of networks and information, fraud prevention, service quality),
• legal obligations – Art. 6(1)(c) GDPR (where specific laws require security logging).

4.9. Countries, Geo-Restrictions and Pricing

What data we process

• country and phone prefix derived from numbers you dial or send SMS to,
• approximate location inferred from IP address (country/region level),
• internal configuration of supported countries and flags for free/premium calls and SMS.

Purposes

• determining whether certain services (e.g. free calls/SMS) are available for a given country,
• calculating prices and costs,
• complying with local legal or contractual restrictions (e.g. blocking certain destinations),
• selecting appropriate language and localised content, where applicable.:contentReference[oaicite:35]{index=35}

Legal bases

• performance of a contract – Art. 6(1)(b) GDPR (correct routing and pricing),
• legitimate interests – Art. 6(1)(f) GDPR (service optimisation, compliance with regional requirements).

4.10. Profile Credibility and Limiting Features (Profiling)

What data we process

• status of your email verification,
• status of caller ID verification (verified number),
• status of payment verification (existence of a valid payment method or successful transaction),
• a simple score or level assigned to your Account (e.g. 0-3) indicating profile credibility.

Purposes

• assessing the basic trust level of an Account,
• deciding whether certain features are available or under which limits (e.g. raising limits after successful verification),
• preventing abuse of free services and protecting other Users and Recipients from spam or fraudulent behaviour.

Legal bases

• legitimate interests – Art. 6(1)(f) GDPR (fraud prevention, safe operation of the Service).

This activity constitutes profiling within the meaning of GDPR. In general it does not result in decisions producing legal or similarly significant effects, but it may limit access to certain high-risk features or higher limits. You have the right to object to such profiling and to request human review of decisions based on it (see section “Automated Decision-Making and Profiling”).

4.11. Emails, Notifications and Monitoring

What data we process

• email address and/or phone number for notifications,
• content of system or support emails,
• meta-data of messages (message ID, timestamp, delivery status),
• for admin/monitoring alerts: internal contact data of our administrators (phone, email),
• basic data in audit logs: type of alert, channel (SMS/email), target, affected service or container, error counts, etc.

Purposes

• sending operational messages about your Account, payments, security alerts (e.g. password reset, verification emails),
• service updates and critical notifications,
• internal monitoring of the health and stability of our systems (including SMS or email alerts to admins when errors occur).

Legal bases

• performance of a contract – Art. 6(1)(b) GDPR (necessary service communication),
• legitimate interests – Art. 6(1)(f) GDPR (system monitoring and security).

4.12. Analytics, Cookies and Advertising

What data we process

• cookie identifiers and similar technologies,
• IP address, browser type, operating system, device identifiers,
• information about how you interact with the Website or Application (pages visited, clicks, forms, session duration),
• approximate location inferred from IP (country/region),
• advertising identifiers and information on interactions with ads (in the app and on the Website), where applicable.

We use, among others:

• Analytics tools such as Google Analytics to measure traffic and performance,
• Advertising networks such as Google AdMob in the mobile Application to display ads that help finance free services.

Purposes

• ensuring the Website and App work correctly and remembering your choices (e.g. language),
• analysing usage and improving our Services,
• displaying advertising and measuring its effectiveness (in the app and on the Website),
• security (e.g. detection of fraudulent or abnormal traffic).

Legal bases

• legitimate interests – Art. 6(1)(f) GDPR (analytics, service improvement, security),
• consent – Art. 6(1)(a) GDPR (for non-essential cookies and personalised advertising where required by law).

You can manage cookie settings in your browser or device. Disabling certain cookies may impact the functionality of the Service. More details are in section “Cookies and Similar Technologies”.

5. Recipients of Personal Data

We only share personal data with third parties where necessary for the purposes listed above or where required by law. Main categories of recipients include:

• Hosting and infrastructure providers – for servers, databases and storage located mainly in the EU (e.g. OVH) under data processing agreements.
• Identity and authentication provider – our own identity server at auth.globfone.com which we manage on dedicated infrastructure within the EU.
• VoIP and telecom partners – such as Mizu VoIP Switch and other interconnected operators that receive data necessary to route calls and SMS (phone numbers, call/SMS metadata).
• SMS gateway providers – external gateways used to deliver SMS, which process recipient numbers and message content solely to deliver messages.
• Payment operators – Stripe, PayPal and similar services processing payments.
• Analytics and advertising providers – e.g. Google Analytics, Google AdMob, Google Adsense and similar tools used for analytics and displaying ads.
• Email/SMS service providers – for sending transactional emails and system notifications.
• Security and CDN providers – such as Cloudflare, which process certain technical data to improve performance and protect the Service.
• Professional advisors – such as lawyers or auditors, where needed to defend or exercise legal claims.
• Public authorities – courts, law enforcement, regulators and other authorities, where disclosure is required by law or necessary for the protection of our rights or the rights of others.

6. International Data Transfers

Your data may be processed on servers or by partners located outside your country, including outside the EU/EEA (for example, when SMS are routed to operators in other countries, or when using services from global providers like Google or Stripe).

Where we transfer data outside the EU/EEA, we use appropriate safeguards such as:

• transfers to countries recognised by the European Commission as providing an adequate level of protection,
• standard contractual clauses approved by the European Commission,
• where applicable, transfers to entities certified under recognised frameworks (e.g. EU-US Data Privacy Framework for relevant US companies).

We require our partners to process personal data only for the purposes of providing contracted services, to implement appropriate security measures and to delete data in accordance with applicable retention rules.

7. Automated Decision-Making and Profiling

7.1. Automated SMS Content Moderation (AI)

To protect Recipients and our Service from spam, fraud and illegal or harmful content, we use automated systems, including machine learning models, to analyse SMS content before sending.

• Purpose: detect and block messages that may be spam, fraudulent, illegal, offensive, sexually explicit, degrading, threatening or containing prohibited/malicious URLs, and ensure compliance with the Terms of Use.
• How it works: the system automatically classifies messages and may decide to block sending in certain cases. This decision is automated within the meaning of Art. 22 GDPR.
• Storage: content of messages classified as prohibited is not stored longer than necessary for moderation; we keep only limited metadata (e.g. information that a message was blocked, time, sender/recipient numbers) for security and anti-abuse analysis.
• Right to human review: if your message was blocked and you believe this is incorrect, you can request human review by contacting us at support @ globfone.com.

8. Data Retention

We keep personal data only as long as necessary for the purposes for which it was collected, or as long as required by law. Typical retention periods are:

• SMS content: stored up to 18 months┬áto ensure delivery, troubleshoot issues and handle complaints, unless a longer period is required by law. After this period, content is securely deleted (e.g. overwritten).
• Communication metadata (calls, SMS, technical logs): stored generally up to 6 years to ensure service provision, security, settlement and legal compliance (e.g. telecom, tax and limitation periods).
• Authentication and security logs: stored for a period necessary to ensure security and investigate incidents (for example several months) and then deleted or anonymised. Some aggregated or anonymised data may be kept longer for statistics and security trend analysis.
• Account data: stored while your Account is active and for up to 6 years after deletion or last use where necessary to comply with legal obligations (e.g. accounting) or defend/establish legal claims.
• Payment and billing information: stored for the period required by tax and accounting laws (often at least 5-6 years from the end of the year in which the transaction took place).
• Complaint and support data: stored until the complaint is resolved and thereafter for the applicable limitation period for claims.
• Blacklists: data in blacklists (IPs, phone numbers, emails) may be stored for longer than standard account data, for as long as necessary to protect the Service from abuse and repeated attacks. Where possible, we use hashing and partial anonymisation while keeping a readable version for authorised admins only.
• Analytics data: stored in anonymised or aggregated form for up to 36 months, then deleted or further anonymised.:contentReference[oaicite:72]{index=72}

In particular, certain transmission and connection data may be retained for the periods required by applicable telecommunications and tax laws and for the time necessary to investigate and respond to abuse, fraud or legal claims, even after an account has been deleted. When data is no longer needed, we delete it or irreversibly anonymise it. In certain cases, even after Account deletion, we may retain limited data where required by law or necessary to defend against legal claims (see “Exceptions to the Right to Erasure”).

9. Your Rights

Under GDPR, you have in particular the following rights regarding your personal data:

• Right of access – to obtain confirmation whether we process your personal data and, if so, to receive a copy and information about that processing (Art. 15 GDPR).
• Right to rectification – to have inaccurate or incomplete data corrected or completed (Art. 16 GDPR).
• Right to erasure (“right to be forgotten”) – to request deletion of data in cases foreseen by Art. 17 GDPR (e.g. data is no longer needed, processing is unlawful, or consent is withdrawn where consent was the legal basis).
• Right to restriction – to request that we limit processing in certain situations (Art. 18 GDPR).
• Right to data portability – to receive the personal data you provided to us in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible (Art. 20 GDPR).
• Right to object – to object at any time, on grounds relating to your particular situation, to processing based on our legitimate interests (Art. 21 GDPR), including profiling. We will stop processing unless we demonstrate compelling legitimate grounds overriding your interests and rights, or the processing is needed to establish or defend legal claims.
• Right to withdraw consent – where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR).
• Right to lodge a complaint – you may lodge a complaint with the competent supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement. In Poland, the authority is the President of the Personal Data Protection Office (UODO).

To exercise any of these rights, you can contact us at support @ globfone.com or by postal mail to our registered address. We will respond without undue delay, and in any event within one month, unless the request is particularly complex (in such case, we may extend this period by up to two additional months, informing you about the reasons).

Exceptions to the Right to Erasure

In some cases we may refuse or limit erasure of data, for example where processing is necessary:

• to comply with a legal obligation requiring processing under EU or Member State law (Art. 17(3)(b) GDPR) – in particular, as a company registered in Poland and providing telecommunication-like services, we are subject to legal duties (e.g. under the Polish Telecommunications Act) to retain certain transmission data for evidentiary purposes, to combat network abuse and to cooperate with competent authorities. These obligations apply irrespective of the user’s nationality;
• for the establishment, exercise or defence of legal claims (Art. 17(3)(e) GDPR) – for example, where data is linked to potential misuse, harassment, fraud or other illicit activities, and may be required as evidence in court or administrative proceedings;
• for purposes based on our legitimate interests (Art. 6(1)(f) GDPR), such as ensuring the security and integrity of our services, preventing fraud and abuse, and protecting our platform and its users. In this context, the retention of connection and access logs is considered a necessary and proportionate measure to detect, investigate and mitigate suspicious or abusive behaviour;
• for security reasons – for example, maintaining IP addresses, phone numbers or other identifiers on blacklists to prevent repeated attacks or abuse of our free and Premium services.

This means that in some cases we are legally prohibited from erasing data that is essential for the purposes stated above. Any data retained will be used exclusively for these specified, legitimate and legally mandated purposes and will not be kept longer than necessary.

10. Account Deletion

After logging into your User Profile, User may request deletion of Globfone Account by using the “Delete Account” option available in the account profile page. This action initiates the automated process of anonymising and deleting your personal data, subject to the exceptions and retention periods described in this Privacy Policy (e.g. data required for legal compliance or necessary to establish or defend legal claims).

11. Additional Information for California Residents (CCPA)

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) and similar laws, including:i

• the right to know what categories of personal data we collect, the purposes of processing and the categories of third parties with whom data is shared,
• the right to request deletion of your personal data (subject to legal exceptions),
• the right to request information about data sold or disclosed for business purposes (Globfone does not sell personal data to third parties),
• the right not to be discriminated against for exercising your privacy rights.

You can exercise these rights by contacting us at support @ globfone.com. We will verify your identity and respond according to applicable law.

12. Cookies and Similar Technologies

We use cookies and similar technologies on the Website for the purposes described in section 4.12: to ensure core functionality, remember your settings, analyse traffic, improve the Service and display advertising. Cookies may be set by us (first-party cookies) or by third-party providers (e.g. Google).

You can manage cookies via your browser settings (including blocking or deleting them). You can also use tools offered by some providers (e.g. Google Analytics opt-out browser add-on) to limit tracking. Disabling certain cookies may affect your ability to use some features of the Service.

13. Security

We apply technical and organisational measures to protect personal data against unauthorised access, loss, alteration or destruction. These include, for example:

• encryption of data in transit (e.g. TLS) and in some cases at rest,
• strict access controls and authentication for staff and systems,
• segregation of environments,
• regular security audits and monitoring of logs for suspicious activity,
• backup and recovery procedures,
• data protection and confidentiality clauses in agreements with processors.

Despite our efforts, no method of transmission or storage is completely secure, and we cannot guarantee absolute security of data transmitted over the internet. We encourage you to use strong passwords, keep them confidential and log out after using shared devices.

14. Children’s Privacy

The Service is not directed to children under 13 years of age (or higher minimum age required by local law, e.g. 16 in some EU countries for consent-based processing). We do not knowingly collect personal data from children under the relevant age. If we become aware that such data has been collected without appropriate consent, we will delete it. If you believe that we may have collected data from a child, please contact us at support @ globfone.com.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our Services, technology or legal requirements. Updated versions will be published on the Website and, where appropriate, within the Application. We encourage you to review the Policy regularly. If changes are material, we may also notify you via email or within the Service. Continued use of the Service after changes take effect means that you accept the updated Policy.

16. Contact

If you have any questions, concerns or requests regarding this Policy or your personal data, you can contact us at: support @ globfone.com

• Postal address: i-Trends Sp. z o.o., ul. Druskiennicka 27, 81-533 Gdynia, Poland.

In matters not regulated by this Policy, the provisions of Polish law and applicable EU law, in particular GDPR, shall apply.