Privacy Policy for Easy Gsm Pro Products
1. Who we are
This Privacy Policy describes how Luis Enrique Moya Rozas ("we", "us", "our"), an individual developer who resides in Mexico, handles personal information in connection with the Easy Gsm Pro family of products.
The Portal infrastructure is physically operated in Germany (Nuremberg) on servers provided by Hetzner Online GmbH, an EU-based hosting provider acting as our infrastructure sub-processor. This means that Portal data is stored and processed inside the European Union under EU data protection law (GDPR).
You can reach us at: luisenriquemr96@gmail.com
2. Scope of this policy
This policy covers the three Easy Gsm Pro products we publish or operate:
- The App — the "Easy Gsm Pro" mobile (Android) and desktop (Windows) application that we develop and distribute. End-users install it to connect to a CMS instance run by their chosen service provider.
- The CMS — the EasyGSM server software (a Windows executable) that we develop and license to independent service providers ("CMS operators"). The CMS runs on infrastructure chosen and managed by the CMS operator. We do not operate, host, access, or control any CMS instance.
- The Portal — our license server at https://easygsmpro.com, which we operate. It issues licenses, hosts software updates, and receives certain telemetry and backup data from licensed CMS instances (described in Section 7).
3. Our role under data protection law
- For the App: we are the publisher. The App never transmits user data to us. All personal data goes only to the CMS endpoint the end-user configures. We are not the data controller for end-user data handled by the App.
- For the CMS: we are the software vendor. Each CMS operator who licenses the CMS independently decides what data to collect, how to use it, and how long to keep it. The CMS operator is the data controller of all end-user personal data stored in their CMS instance. We have no direct access to that data.
- For the Portal: we are the operator and controller of Portal-only data (license records, machine telemetry, account info of CMS operators who buy licenses from us). To the limited extent that end-user personal data reaches the Portal through the channels described in Section 7, we act as a data processor on behalf of the CMS operator who licensed the CMS.
Built-in compliance features. Although the CMS operator is the data controller (not us), we have engineered the CMS and the App with the technical tooling necessary to discharge most controller obligations under GDPR, CCPA, LFPDPPP, LGPD and similar laws out of the box. This includes self-service endpoints for end-users to exercise their data rights (access, deletion/anonymization, restriction, portability), explicit consent capture with version tracking, age verification at registration, cookie consent banner, an admin-editable Privacy Policy and Terms-of-Service page, a tamper-evident append-only audit log for consent and erasure events, and automatic purge of orphan files on erasure. The CMS operator only needs to configure their identity, jurisdiction, and effective date — the runtime mechanisms are already provided. See Sections 4-6 of our Data Processing Agreement (Technical and Organizational Measures) for the full inventory of compliance features built into the software we license.
4. Binding acceptance (Data Processing Terms)
By installing, accessing, or using any Easy Gsm Pro product (the App, the CMS, or the Portal), you agree to be bound by this Privacy Policy. Where this Policy assigns roles between you and us (for example, "you are the data controller and we are the data processor"), those role assignments constitute the basic terms of data processing between us until and unless replaced by a separately signed Data Processing Agreement. In particular:
- CMS operators (service providers who license the CMS from us) acknowledge and accept that, when they enable backup uploads, network operation logs, or any other channel that transmits their end-users' personal data to the Portal, we act as their data processor under the terms described in this Policy and only for the purposes stated here.
- End-users (anyone who uses the App or interacts with a CMS instance) acknowledge that a copy of certain data they provided to a CMS operator may reach the Portal through the encrypted-backup and optional-logging channels described in Section 7.
- All users of any product acknowledge that this Policy is the governing privacy framework for the product and that material changes will take effect as described in Section 15.
If you do not agree with any part of this Policy, you must stop using all Easy Gsm Pro products.
5. Data the App handles
The App is designed to handle the minimum information needed to operate. The App does not collect: location, contacts, calendar, microphone, camera, biometric data, advertising identifier, the IMEI of your own phone, browsing history, installed apps, or background usage analytics.
The App handles the following data, all of which is transmitted only to the CMS server URL you choose during setup — never to us:
- Account credentials — username, password, and an optional two-factor code when you log in. The password is never stored on your device.
- Authentication token (JWT) — issued by your CMS after login and stored in Android EncryptedSharedPreferences (Keystore-backed) or, on desktop, in platform-equivalent secure storage.
- App preferences — server URL, username, locale, currency display preferences, and in-progress deposit metadata. Stored locally on your device.
- Order data you submit — IMEI of the target device (typed in manually, not read from your phone), model, serial number, custom fields, and any files you attach. Sent to the CMS to process the order.
- Payment proof image (optional) — if you make a manual deposit, you may select an image from your device gallery to upload as proof. Sent only to the CMS.
6. Data the CMS handles
When you use a service through a CMS instance operated by a third-party service provider, that CMS may store the following on the service provider's infrastructure:
- Account information you provided to the service provider (username, email, password hash, full name, phone, language and currency preferences).
- Order records (IMEIs, model, serial, custom fields, unlock codes, file uploads, IP address used when placing the order).
- Wallet balance and transaction history.
- Authentication metadata (encrypted TOTP secret if you enabled two-factor, hashed recovery codes, last login IP and timestamp).
- Telegram chat ID (only if you opted in for notifications).
- Payment proof images you uploaded for manual deposits.
This data lives inside the CMS operator's own database (a private PostgreSQL instance embedded in the CMS executable). We do not have direct access to this database in normal operation. To exercise rights of access, correction, deletion or portability over this data, contact the CMS operator who runs the instance you are using. They are required to respond as the data controller.
Payment card data (PAN, CVV, expiry, billing address) is never handled by the CMS. Deposits flow through external payment providers (such as MercadoPago, NowPayments, Binance Pay, QvaPay, sPayWay, or manual bank transfer) chosen by the CMS operator. Those providers have their own privacy policies.
7. Data the Portal receives from licensed CMS instances
A CMS instance may transmit the following to our Portal at https://easygsmpro.com:
- License heartbeats — machine identifier, hostname, public IP address, OS info, CPU count, CMS version, configured domains. Used for license validation and clone detection. Contains no end-user personal data.
- Database backups for disaster recovery — transmitted with AES-256-GCM over per-installation keys established at bootstrap (decryptable by us on receipt purely so the file can be stored). Retained as the most recent 3 versions per license on access-controlled storage.
  What is unreadable to us inside those backups: the most sensitive fields are individually encrypted or hashed at the application level before they ever enter the database, and we do not hold the per-instance keys needed to reverse that encryption. Specifically:
  - User passwords are stored as one-way bcrypt hashes — these are not reversible by anyone, including us. We can never recover an end-user's password from a backup.
  - Two-factor TOTP secrets are Fernet-encrypted using a key derived per-instance; we do not hold that key.
  - Two-factor recovery codes are bcrypt-hashed.
  - The CMS operator's payment-provider API credentials and webhook secrets are Fernet-encrypted.
  - The session JWT tokens are ephemeral and not persisted to the database at all.
- Network operation logs — off by default. The CMS operator can enable this per-instance for debugging integrations. When enabled, request and response bodies exchanged between the CMS and upstream service providers may be sent to us, including IMEIs and unlock codes. Authentication credentials inside those payloads are scrubbed automatically before transmission.
- Anti-tampering security events — when the CMS detects evidence of code tampering, it sends a short reason string (for example, code_hash_mismatch) plus its license key and machine identifier. Contains no end-user personal data.
For any of this data, the CMS operator remains the data controller and we act as their processor. If you want a backup or log entry that contains your data removed, you can either ask the CMS operator (preferred), or contact us directly at luisenriquemr96@gmail.com and we will coordinate with the operator.
8. Permissions the App requests
- Internet — required to talk to the CMS you choose.
- Read images from gallery (READ_MEDIA_IMAGES on Android 13+; READ_EXTERNAL_STORAGE on Android 12 and below) — used only when you choose to upload a payment proof image. The App never reads images on its own.
The App does not request location, contacts, microphone, camera, calendar, phone state, SMS, biometric, notifications, or any other sensitive permission.
9. Third-party services
The App does not integrate any third-party analytics, advertising, crash reporting, tracking, push notification, or social-login SDK. There is no Firebase, no Google Analytics, no Crashlytics, no Sentry, no Facebook SDK, no AdMob, no Mixpanel, no AppsFlyer, no Adjust, no OneSignal.
The only third-party network connection that the App itself may make is to fonts.googleapis.com (via the google_fonts package) when a CMS operator configures a non-bundled font. That request transmits only the font family name and does not include personal data.
When you tap an external link from inside the App (support Telegram or WhatsApp, payment-provider checkout URLs), the App opens that link in your browser or the corresponding app. Those destinations have their own privacy policies.
The CMS itself may connect to upstream service providers (such as Chimera, Octoplus, or DHRU-compatible servers) selected by the CMS operator, and to payment providers as listed in Section 6. These integrations are configured by the CMS operator, not by us.
10. How data is secured
- In transit (App ↔ CMS): HTTPS/TLS when the CMS operator configures TLS on their instance.
- In transit (CMS ↔ Portal): HTTPS plus AES-256-GCM authenticated encryption over per-installation keys for backup and log payloads.
- At rest on your device: authentication tokens are stored in EncryptedSharedPreferences (Android Keystore) or platform-equivalent secure storage on desktop.
- At rest in the CMS database: passwords are bcrypt-hashed; two-factor recovery codes are bcrypt-hashed; TOTP secrets are Fernet-encrypted; payment-provider credentials configured by the CMS operator are Fernet-encrypted. These protections are preserved inside any backup that reaches the Portal.
- At rest in the Portal: backups, logs, and license records are stored on access-controlled servers we operate at Hetzner Online GmbH (Nuremberg, Germany — ISO 27001 certified data centers). Access is restricted to operational necessity and limited to the developer's authenticated sessions.
No system is perfectly secure. We apply industry-standard safeguards but cannot guarantee absolute security.
11. Data retention
- On your device: cleared when you uninstall the App or sign out (the authentication token is wiped on sign-out).
- In the CMS: governed by the CMS operator. We do not set retention.
- In the Portal: the most recent 3 backup versions per CMS license; license heartbeats and (when enabled) operation logs are retained while the license is active and for a reasonable period thereafter for security and audit purposes.
12. Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict the processing of, or port your personal data, and to lodge a complaint with a data protection authority.
- For data inside the App or held by the CMS you use → contact the CMS operator (your service provider). They are the controller.
- For data held by us in Portal backups or logs → luisenriquemr96@gmail.com.
We respond within 30 days.
13. International data transfers
Portal data is stored in the European Union. Specifically, the Portal runs on Hetzner Online GmbH infrastructure in Nuremberg, Germany. For end-users and CMS operators located within the EU, EEA, or UK, no international transfer of Portal data takes place under GDPR Chapter V — processing happens inside the EU.
The natural person operating the Portal (Luis Enrique Moya Rozas) resides in Mexico and accesses Portal infrastructure remotely from Mexico for the sole purposes of operating, maintaining, and supporting the service. Access from Mexico is subject to appropriate technical and organizational measures (authenticated access, encrypted channels, audit logging) and is limited to operational necessity. If you consider this remote administrative access a transfer, the applicable basis is Article 49(1)(b) GDPR (necessary for the performance of a contract).
CMS instances themselves are operated independently by the service providers who licensed the CMS, on infrastructure of their choosing — they may be located anywhere in the world. By using the App with a given CMS, you accept that your data is processed in the country where that CMS is hosted, under the CMS operator's own privacy policy.
14. Children
None of our products are directed at children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us at luisenriquemr96@gmail.com.
15. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated through the App or the Portal where reasonably possible. Continued use of any of our products after the effective date of an update constitutes acceptance.
16. Contact
Luis Enrique Moya Rozas (Mexico)
Email: luisenriquemr96@gmail.com
Web: https://easygsmpro.com