Scope, operator, and privacy roles
MegaSMS is a business messaging product operated by Franklin Business Management (“Franklin”, “we”, “us”, or “our”). This Policy applies when you visit MegaSMS, register an account, use the vendor or administrator portal, use the API, buy messaging units, request support, or otherwise interact with the service.
For account, security, billing, support, and platform-administration data, Franklin generally determines why and how data is processed and therefore acts as a data controller under applicable law.
When a vendor uploads contacts or submits recipient phone numbers and message content, the vendor normally determines the purpose and recipients. The vendor is responsible for its relationship with those individuals, while Franklin generally processes that data to provide MegaSMS on the vendor’s instructions. Legal roles may vary according to the facts and applicable law.
Personal data we collect
Account and business information
- Names, business or organization name, email, phone number, address, region, role, and account status.
- Sender-ID applications, verification details, correspondence, and documents a vendor voluntarily supplies.
Messaging and contact data
- Recipient phone numbers, contact names and attributes, contact groups, sender IDs, message content, campaign details, schedules, delivery status, timestamps, segments, and costs.
- Customer reference identifiers and other information submitted through the API.
Billing and support data
- SMS purchases, quota requests, payment references, proof-of-payment uploads, invoices, and transaction status. Payment providers may collect additional financial data under their own notices.
- Support tickets, replies, attachments, and service communications.
Security and technical data
- IP addresses, device/browser information, login attempts, session identifiers, last-login records, audit logs, and security events.
- API-token name, prefix, permissions, expiry, last-used time, and revocation status. MegaSMS stores a one-way hash rather than the full token after creation.
How we use personal data
- Register, review, activate, administer, and secure vendor and user accounts.
- Route SMS messages and provide campaigns, contacts, sender IDs, delivery reporting, and API functions.
- Calculate segments, maintain balances, process purchases, issue invoices, and investigate billing issues.
- Authenticate users and API clients; prevent fraud, spam, abuse, unauthorized access, and security incidents.
- Provide support, operational notices, password recovery, and service communications.
- Maintain audit records, comply with lawful regulatory or court requirements, enforce the Terms of Use, and defend legal claims.
- Improve reliability, usability, capacity planning, and platform performance using appropriately limited data.
We do not sell personal data. We do not use vendor recipient lists to market Franklin’s unrelated products to those recipients.
Legal grounds for processing
We process personal data only where permitted under the Personal Data Protection Act, 2022 and applicable regulations. Depending on the activity, the basis may include consent, taking steps at your request or performing a contract, compliance with a legal obligation, protection of lawful interests with appropriate safeguards, or another basis recognized by Tanzanian law.
Vendors must establish their own lawful basis before uploading contacts or sending messages. MegaSMS account approval does not amount to approval of a vendor’s recipient list, campaign, or legal basis.
When data may be shared
We may disclose the minimum data reasonably necessary to:
- Licensed SMS gateways, mobile network operators, aggregators, and delivery-report providers that transmit messages.
- Payment processors, banks, and billing providers involved in a requested transaction.
- Hosting, security, backup, email, support, and professional-service providers acting under appropriate obligations.
- TCRA, the Personal Data Protection Commission, law-enforcement agencies, courts, tax authorities, or other competent bodies where disclosure is lawfully required.
- A successor involved in a genuine merger, restructuring, financing, or transfer of business, subject to applicable safeguards.
Message content and recipient data may necessarily pass through communications providers to complete delivery. Such providers may have independent legal duties.
Security and incident handling
We use administrative, technical, and physical safeguards appropriate to the nature and risk of the data. Measures include role-based access, password hashing, CSRF protection, scoped and revocable API tokens, logging, vendor isolation, and restricted access to application secrets.
No internet service is risk-free. Vendors must protect their credentials, use HTTPS in production, limit API-token permissions, rotate exposed tokens, restrict internal access to recipient data, and promptly notify MegaSMS of suspected compromise. Where a personal-data breach triggers legal notification duties, Franklin will follow the applicable Act, regulations, and directions of the Commission.
Retention and deletion
We retain personal data only for as long as reasonably necessary for the stated purposes, account operation, message and delivery records, billing, fraud prevention, dispute resolution, legal obligations, and enforcement. Different categories may require different periods.
When data is no longer required, we take reasonable steps to delete, anonymize, or securely restrict it, subject to backups and records that must be preserved by law. Vendors are responsible for deleting contacts and message data they no longer have a lawful reason to retain.
Rights of data subjects
Subject to the Personal Data Protection Act, 2022, applicable exceptions, and verification of identity, individuals may have rights concerning notice, access, correction, objection or restriction, erasure, withdrawal of consent, and complaint about processing.
If your request concerns a message sent by a MegaSMS vendor, contact that vendor first because it selected the recipient and message purpose. We will reasonably assist vendors with valid data-subject requests where we act as their processor. We may request information needed to verify identity and locate the relevant records.
Transfers outside Tanzania
If a service provider or communications route requires personal data to be processed outside Tanzania, Franklin and the vendor must comply with the Act’s cross-border transfer requirements, including applicable adequacy, authorization, contractual, consent, or other safeguards. Vendors must not configure integrations that unlawfully export personal data.
Children
MegaSMS is a business service and is not intended for persons who cannot lawfully enter a business agreement. Vendors must apply any heightened legal requirements before processing children’s data or directing messages to children.
Changes to this Policy
We may update this Policy when the service, providers, or law changes. The current effective date will appear above. Material changes may also be communicated through the portal or another appropriate channel. Continued use does not remove any consent requirement imposed by law.
Contact and complaints
Send privacy requests to Franklin Business Management through the MegaSMS support portal or the official business contact details published by Franklin. Include enough information to identify the account or message, but never send your password or complete API token.
If a concern is not resolved, an individual may contact or lodge a complaint with Tanzania’s Personal Data Protection Commission (PDPC) using its official procedures.
Tanzanian legal framework and sources
This draft was prepared with reference to:
- Personal Data Protection Act, 2022 — PDPC Acts repository
- Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023, and Complaints Settlement Procedures Regulations, 2023 — PDPC
- Electronic and Postal Communications legislation — TCRA repository
- Electronic communications regulations and regulatory instruments — TCRA repository
This page summarizes operational obligations and is not a substitute for the Acts, regulations, regulator directions, or advice from a qualified Tanzanian advocate.