Privacy Policy
Last updated: April 25, 2026
This policy describes how Vblast (“Vblast,” “we,” “us”) collects, uses, and protects information about two distinct groups of people:
- Customers — businesses and individuals who sign up for a Vblast account, create campaigns, and pay for service.
- Callers — end users who scan a Vblast-generated QR Call code and dial the resulting phone number.
What we collect from Customers
- Email address and password (via Supabase Auth)
- Organization name
- Audio files, logo images, and SMS message content you upload to your campaigns
- Payment method, billing address, and tax ID (handled and stored by Stripe; we never see your card number)
- Server logs (IP, user-agent, request timestamps) for security and abuse prevention
What we collect from Callers
Vblast collects the minimum information needed to operate the service. The data captured at each stage of a Caller’s interaction is:
- QR Call code scan: When a Caller scans a Vblast QR Call code, their browser opens our short URL. We log a SHA-256 hash of the Caller’s IP address, the timestamp, and the user-agent string. These logs are used for unique-scan counts and abuse prevention. The raw IP is never persisted, stored, or shared.
- Phone call: When a Caller dials the campaign number, Twilio (our voice provider) sends us the Caller’s phone number (E.164 format) and a call identifier. We log call duration and outcome.
- Opt-in (press 1): If the Caller presses 1, we record an opt-in: their phone number, the timestamp, and the call ID. This record is the legal evidence of express consent to the SMS they will then receive from the campaign.
- SMS opt-out: If a Caller later replies STOP (or any of the standard unsubscribe keywords) we add their phone number to our opt-out list and stop sending future messages.
Why we collect each kind of data
- Customer information — to provide and bill for the service.
- Caller IP hash + scan logs — security, fraud prevention, and aggregate analytics (e.g. how many unique scans your QR Call code received). Lawful basis under GDPR: legitimate interest (Article 6(1)(f)). Under CCPA: necessary for the operation of the service.
- Caller phone number from call alone (no press-1) — operational logging, billing, and rate-limit / abuse prevention. We do not use this number to send marketing messages.
- Caller phone number with press-1 opt-in — to send the SMS the Caller has consented to receive. Lawful basis under GDPR: explicit consent (Article 6(1)(a)). Under TCPA: express written consent.
Sharing & disclosure
We do not sell, rent, or trade personal data to anyone. We share data only with the following service providers, each of which is bound by its own privacy commitments:
- Supabase — database, authentication, file storage
- Twilio — voice and SMS infrastructure
- Stripe — payment processing
- Vercel — application hosting
- Resend (or equivalent) — transactional email
We may disclose data when legally required (subpoena, court order, fraud investigation), or to protect the rights, property, or safety of Vblast, our customers, or the public.
Customer-controlled data
Customer campaigns generate Caller-level data (call logs, opt-in records, SMS delivery status). For this data, the Customer is the data controller and Vblast is a data processor. Customers can export the full opt-in list as CSV from their dashboard at any time. Customers are responsible for complying with TCPA, CCPA, GDPR, or any other law applicable to their use of the service.
Data retention
- Customer accounts — retained as long as your account is active. On account deletion, we remove personal information within 30 days, except as required by law (e.g. tax records held for 7 years).
- Call and opt-in records — retained indefinitely while the customer’s account is active, because they serve as legal proof of consent for the SMS sent. Deleted on account closure.
- Hashed IP scan logs — retained for 24 months, after which they are aggregated and the per-event rows are deleted.
- SMS opt-out records — retained indefinitely (regulatory requirement to honor STOP across the customer’s campaigns).
Your rights
You have the following rights regarding your personal information:
- Access — request a copy of the data we hold about you
- Correction — ask us to fix inaccurate information
- Deletion — request deletion of your data (subject to legal-hold exceptions)
- Portability — receive your data in a machine-readable format
- Objection — object to certain types of processing
For California residents under CCPA: we do not sell personal information. To exercise your rights, email support@vblast.net. We respond within 30 days.
For EEA residents under GDPR: you have the right to lodge a complaint with your supervisory authority. Vblast does not actively market services to EEA residents; if you reach the service from the EEA, the same rights apply.
Cookies
Vblast uses essential cookies for authentication (a session cookie set by Supabase Auth). We do not use third-party analytics or advertising cookies. Disabling essential cookies will prevent you from signing in.
Children’s privacy
Vblast is not intended for use by anyone under 18. We do not knowingly collect data from minors. If you believe a minor has interacted with the service, contact us and we will delete the data immediately.
Security
We use TLS for all web traffic, hashed passwords (managed by Supabase Auth), database row-level security to scope each Customer’s data to their own organization, and signed Twilio + Stripe webhooks. We will notify affected Customers within 72 hours of becoming aware of a breach involving their personal data.
Changes to this policy
We may update this policy. The “Last updated” date at the top reflects the most recent change. Material changes will be communicated by email to Customer accounts.
Contact
Questions, requests, or complaints: support@vblast.net
This document describes Vblast’s practices in plain English and is not a substitute for legal advice. If you’re a Customer using Vblast in a regulated industry or jurisdiction, consult your own counsel.