Privacy Policy

messages.dev is a platform for sending and receiving iMessage, RCS, and SMS at scale through a REST API and TypeScript SDK. The service is operated by [TODO: legal entity, state of incorporation, mailing address] ("messages.dev", "we", "us"). You can reach us at support@messages.dev.

This policy applies to the messages.dev marketing site, the dashboard at app.messages.dev, our documentation, and the API and SDK.

We distinguish between two groups of people:

• Customers are the developers and companies who sign up for messages.dev and operate the service.
• End usersare the people our customers exchange messages with. For end-user data processed through a customer's account, the customer is the controller and messages.dev acts as a processor on their behalf.

Account information. When you sign up we collect name, email address, and authentication identifiers through our auth provider, Clerk.

API usage and logs. Request metadata, IP addresses, timestamps, user agents, and rate-limit counters tied to your API keys.

Message content and metadata. To deliver the service we store the full text of messages sent and received through your Lines, sender and recipient phone numbers and Apple IDs, timestamps, reactions, read receipts, typing indicators, and any attachments. Attachments are stored in Vercel Blob. Message bodies are stored in plaintext at rest and are not end-to-end encrypted. Only customers who are authorized on the account can read their own data.

Webhook configuration. URLs you register to receive events, along with the signing secrets we generate for them.

Daemon telemetry. Health and status information from the Mac hardware running your daemon, including heartbeats, version numbers, and error reports.

Product analytics. We use PostHog and Vercel Analytics to understand how the marketing site and dashboard are used. This includes pageviews, session information, and basic device and browser data.

• To operate, maintain, and secure the service.
• To route messages between your Lines, your daemon, and recipients.
• To debug problems, investigate abuse, and improve reliability.
• To communicate with you about your account, billing, and product updates.
• To enforce our Terms of Service and applicable law.

We rely on a small set of third-party providers to run messages.dev. Each one is bound by their own privacy and security commitments.

• Clerk (United States): authentication and user management.
• Convex (EU-west-1): application database and serverless backend where message content and account data are stored.
• Vercel (United States): hosting for the marketing site and dashboard, and Vercel Blob storage for message attachments.
• PostHog: product analytics for the marketing site and dashboard.
• Vercel Analytics: high-level traffic metrics.

We will update this list before onboarding any new subprocessor that handles customer data.

Queued outbound messages are automatically deleted from our outbox within 24 hours of delivery or failure. Other message records are retained for as long as your account is active so that they remain available through the API, until you delete them or close your account.

When you close your account or request deletion, we remove customer data from production systems within 30 days. Backups are purged on their normal rolling schedule.

We use TLS for all network traffic between clients, our API, and your daemon. API keys are stored as one-way hashes. SSH credentials used to provision Mac hardware are encrypted with AES-256-GCM.

Message content is not end-to-end encrypted and is stored in plaintext at rest in our database. If your use case requires end-to-end encryption, messages.dev is not an appropriate platform. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

Customer data is primarily stored in the European Union through Convex (EU-west-1). Some of our subprocessors, including Clerk, Vercel, and PostHog, are based in the United States and may process data there. Where required, transfers rely on the European Commission's Standard Contractual Clauses or an equivalent mechanism.

Depending on where you live, you may have the right to access, correct, delete, export, or restrict processing of your personal information, and to object to certain processing. To exercise any of these rights, email support@messages.dev from the address on your account. We will respond within the time required by applicable law.

If you are an end user who has received or sent a message through a messages.dev customer, the customer is responsible for explaining how they use your information and for honoring your rights with respect to that information. Please contact them first. If you are unable to reach them, you can write to us at support@messages.dev and we will do our best to help.

messages.dev is a developer product and is not directed at children. We do not knowingly collect information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

We may update this policy from time to time. When we do, we will change the "Last updated" date at the top of the page. If the changes are material, we will also notify account holders by email.

Questions about this policy or how we handle your information can be sent to support@messages.dev or by mail to [TODO: mailing address].

See also our Terms of Service.