Hosting Telecom ("we", "us", "our") operates the HTC Net Messenger mobile application. This policy explains what information we collect, how we use it, and your rights under applicable data protection law, including the UK General Data Protection Regulation (UK GDPR).
1. Information We Collect
Account information. When you register, we collect the following:
- Your phone number, used as the primary identifier for your account and stored on our servers to enable account lookup and contact discovery. Other users who have your phone number in their address book find you through a Contact Discovery Service that runs inside a secure hardware enclave; the raw phone numbers that contacts submit for lookup are not visible to us as server operators.
- An optional username you set, so others can message you without knowing your phone number.
- A password you set, stored only as a cryptographic hash — we do not retain or have the ability to recover the plaintext password.
- An optional email address, if you enable two-factor authentication or recovery.
Phone-number verification. During registration and when you re-register on a new device, we pass your phone number to an SMS verification provider (Twilio, acting as our data processor) so it can deliver a one-time verification code. We do not retain the SMS message body. See our SMS Consent Policy for the verification workflow in full.
Messages and calls. HTC Net Messenger uses end-to-end encryption. Message content, attachments (including voluntarily shared location coordinates, photos, voice notes, and files), and call media are encrypted on your device before transmission using the Signal Protocol. Our servers carry only ciphertext; we cannot read or access the plaintext content of your messages or calls, or the content of any attachment you share.
Encryption keys. Your device generates and stores private encryption keys locally. Only public key material is uploaded to our servers to enable the Signal Protocol key exchange. We never receive your private keys.
Push notification tokens. We receive push-notification tokens from the operating-system push services you use (Apple Push Notification service and VoIP PushKit on iOS; Firebase Cloud Messaging on Android; or, on devices without Play Services, a persistent WebSocket connection to our servers). These tokens are used solely to wake your device for new messages and incoming calls. They are rotated by the OS and do not encode your identity.
Technical data. Our servers may log the IP address and timestamp of your connections to us, aggregate counts (for example, number of registered devices or TURN bandwidth used for calls), and other basic connection metadata strictly necessary for security, abuse prevention, and capacity planning. We do not log the content of your messages, the content of your address book, or your location. For most messages, our Sealed Sender implementation additionally conceals the sender identifier from our servers on the delivery path. See Section 6 of our Terms of Service for the scope of metadata we may use when reviewing reported content.
2. SMS Communications
What we send. When you register for HTC Net Messenger or recover your account, we send one-time SMS verification codes (OTP) to the phone number you provide. These messages are sent exclusively for identity verification purposes.
Consent. By entering your phone number in the HTC Net Messenger application and initiating registration, you expressly consent to receive SMS text messages containing verification codes from HTC Net Messenger, operated by Hosting Telecom. For full details, see our SMS Consent Policy.
Message frequency. Typically 1–3 messages per registration or recovery attempt. Each message contains a 6-digit code valid for 10 minutes.
No marketing. We do not send promotional, marketing, or any non-verification SMS messages. Your phone number is never shared with third parties for messaging purposes.
Message and data rates. Standard message and data rates may apply depending on your mobile carrier and plan.
Opt-out. You may opt out of receiving SMS messages at any time by replying STOP to any verification message or by not completing the registration process.
3. Information We Do Not Collect
Subject to the permissions you grant on your device and the features you choose to use, and as the Service is currently provided:
- We do not upload your address book to our servers and do not retain the contacts you submit for contact discovery beyond the duration of the lookup. Contact matching runs inside a secure hardware enclave that hides the submitted phone numbers from our server operators.
- We do not track your device geolocation. Location is read from the device only when you choose to share a point in a chat, and is transmitted only as end-to-end encrypted content (see Section 4).
- We do not integrate third-party analytics, advertising, behavioural tracking, attribution, or cross-app identification SDKs into the App. The only Google libraries we use are Firebase Cloud Messaging (for Android push delivery) and Google Maps (for on-device map rendering when you use the location-sharing feature).
- We do not sell, rent, or share your personal information with third parties for their own marketing, advertising, or profiling purposes.
- We do not scan or inspect the plaintext content of your messages, calls, attachments, or shared location data on our servers. The Signal Protocol prevents us from doing so.
These statements describe the Service as offered on the date at the top of this policy. If our practices change, we will update this policy and, where required by law, seek your consent before introducing a material new use of your data.
4. Device Permissions
HTC Net Messenger may request the following device permissions. Each is used only for the stated purpose, is requested at the moment the feature is used, and can be revoked at any time in your device Settings.
- Notifications — to alert you of new messages and incoming calls.
- Microphone — for voice and video calls.
- Camera — for video calls and for scanning QR codes during device linking and chat transfer.
- Biometrics (Face ID / Touch ID on iOS, biometric prompt on Android) — optional App lock, if you enable it. Biometric data is processed entirely on-device by the secure hardware of your phone (Apple Secure Enclave or Android TEE / StrongBox) and is never sent to us.
- Photo Library (write-only on iOS, equivalent scoped access on Android) — to save photos from chats to your device library. We request write-only scope where possible; we do not read your photo library.
- Location — optional, requested only at the moment you choose to share your location in a chat. When granted, the App reads your current coordinates once, generates a static map snapshot on-device, and sends both as an end-to-end encrypted message attachment. We do not receive your coordinates in clear form, do not track your location over time, and do not log or store location data on our servers. The map snapshot is rendered on your device using the Google Maps SDK; the SDK may fetch map tiles from Google while you view a map, which is governed by Google's Maps / Play Services privacy terms.
- Contacts — optional, used only to check which of your contacts are also using HTC Net Messenger. We use the Contact Discovery Service, which sends cryptographic hashes of phone numbers to a secure hardware enclave on our server; the enclave returns which ones are registered. We do not upload your address book in plaintext and do not retain the contacts submitted for lookup.
- Local Network — for direct peer-to-peer chat transfer between your devices on the same Wi-Fi network.
5. How We Use Your Information
- To operate the messaging service: deliver messages, route calls, and synchronise encryption keys.
- To authenticate your identity and protect your account.
- To send SMS verification codes during registration and account recovery.
- To deliver push notifications.
- To maintain security and prevent abuse of our infrastructure.
6. Data Storage and Security
Messages and call signalling are stored on our servers only in their end-to-end encrypted form. Pending messages are held until they are delivered to the recipient's device, or for the limited retention period described in Section 7 if a recipient is offline, after which they are deleted. We cannot read the plaintext of any pending or delivered message, call, or attachment, and we do not scan or inspect stored ciphertext.
We employ commercially reasonable security measures, including Transport Layer Security (TLS) for data in transit, certificate pinning in the App, and encryption of data at rest on our servers. Private encryption keys, message history, and local backups are stored on your device; we never receive them.
If you delete the App, the local data on that device is removed. Any encrypted server-side data associated with your account (pending messages, account metadata) is retained only for the limited periods described in Section 7, after which it is deleted in accordance with this policy.
No system is completely secure. While we take technical and organisational measures consistent with industry practice to protect your data, we cannot and do not guarantee absolute security of information stored on or transmitted through the Service. You transmit data through the App at your own risk. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) and affected users where and as required by the UK General Data Protection Regulation and other applicable law.
7. Data Retention
We retain account information for as long as your account is active. Server-side encrypted message data is retained only until delivery or for a reasonable period to support delivery to offline devices, after which it is deleted. Server logs are retained for no longer than 90 days, except where a longer retention period is required by law or necessary to investigate security incidents or abuse.
7a. Law Enforcement and Legal Requests
We may receive requests from law enforcement, courts, regulators, or other governmental authorities for information about users. Because message and call content is end-to-end encrypted, we do not have the technical ability to provide plaintext content of communications in response to any such request. We will respond to valid legal process addressed to Hosting Telecom in the United Kingdom by providing only the limited categories of information that are lawfully within our possession (such as account registration metadata retained under Section 7). Where permitted by law, we will notify affected users of requests for their data. We reserve the right to challenge requests we consider overbroad, unlawful, or inconsistent with applicable data protection law.
8. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Object to or restrict processing of your data.
- Data portability — receive your data in a structured format.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, contact us at the address below.
9. Children's Privacy
HTC Net Messenger is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes through the application or by updating the date at the top of this page. Continued use of HTC Net Messenger after changes constitutes acceptance of the revised policy.
11. Contact Us
If you have questions about this policy or wish to exercise your data rights, please contact us using our contact form. Select the Privacy & security category so your request reaches the right team.
We will respond to verified data subject requests within the timeframes required by the UK General Data Protection Regulation. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.