Privacy Policy

1. Scope & Acceptance

This Privacy Policy ("Policy") applies to your access or use of pinnacle.sh, our APIs, SDKs, webhooks, dashboards, support channels, and any related services (collectively, the "Services"). By continuing to use the Services, you acknowledge that you do so entirely at your own risk and that Pinnacle provides no warranties, representations, or guarantees of any kind.

2. Information We Collect

We collect the following categories of data:

• Account Information. Name, email address, company name, and authentication credentials you provide during registration.
• Billing Data. Payment method details and billing address, processed by our payment processor.
• Usage & Log Data. API call logs, request metadata, IP addresses, browser type, timestamps, and system performance data automatically generated by our systems.
• User-Submitted Content. Message bodies, media files, contact lists, and any other content you deliberately transmit through the Services.
• Network Identity & Telecom Signals. Mobile phone numbers (MSISDNs), SIM-swap indicators, number portability and carrier metadata, network-derived fraud scores, and silent network-authentication responses. These are obtained from upstream mobile network operators, aggregators, and Communications Service Providers and processed only to deliver the security, anti-fraud, deliverability, and identity-verification features you request.
• Communications. Records of correspondence when you contact our support team.

You decide what to upload and remain solely responsible for the lawfulness, integrity, and confidentiality of all data you provide.

3. How We Use Information

We process data only to:

• Operate and maintain the Services you request, including the routing and delivery of SMS, MMS, RCS, and iMessage traffic.
• Monitor, debug, and improve system performance.
• Provide fraud prevention and detection (e.g., SIM-swap checks before sending high-risk OTPs or transactional messages).
• Provide user authentication and multi-factor authentication, including silent network-based number verification.
• Provide identity verification and number-quality validation to reduce impersonation risk and undelivered messages.
• Comply with applicable law, carrier rules, and lawful requests from regulators, mobile network operators, and Communications Service Providers when strictly required.

We do not sell mobile information, MSISDNs, network-derived signals, or message content. We do not share this data with third parties for advertising, profiling, or marketing purposes. Network Features data is processed solely for the real-time security and identity purposes for which you or your customer requested it.

4. Your Responsibilities & Assumed Risk

5. Security Disclaimer

Pinnacle employs commercially reasonable safeguards; however, we expressly disclaim any obligation to guarantee the absolute security of information.

6. International Transfers & Sub-processors

We engage the following categories of sub-processors to operate the Services. Data may be processed in any country where we or our sub-processors operate; transfers from the EEA, UK, or Switzerland to the United States are governed by Standard Contractual Clauses where applicable.

• Cloud infrastructure & hosting. Enterprise cloud-hosting, edge-networking, DDoS-protection, and media-storage providers (United States, with global edge points of presence).
• Database & file storage. A managed database and authenticated object-storage provider (United States).
• Messaging carriers. Mobile network operators, downstream messaging vendors, and direct carrier connections used to deliver SMS, MMS, RCS, and iMessage traffic and to provide Network Features (such as number verification, SIM-swap detection, and identity insights). Pinnacle has no control over, and assumes no liability for, the practices, accuracy, availability, or decisions of these upstream providers.
• Payments. A PCI-compliant payment processor used for billing, invoicing, and tax handling.
• Product analytics & observability. A first-party product-analytics provider for the dashboard and marketing site. Mobile-message content and Network Features data are not sent to product-analytics tooling.
• Email & transactional notifications. A transactional-email provider used for account, billing, and operational emails to Customer administrators.

An up-to-date sub-processor list is available on request at founders@pinnacle.sh. We are not responsible for the privacy or security practices of third-party networks, carriers, hosting vendors, or integrations that you choose to use directly. If you interact with third-party products outside the Services, your information is governed solely by those third parties' policies.

7. Network Features & Telecom Identity Data

Pinnacle integrates network-based identity, fraud, and authentication signals (collectively, "Network Features") provided by upstream mobile network operators, aggregators, and Communications Service Providers (each, an "Upstream Provider") to deliver fraud prevention, authentication, and identity verification within the Services. Network Features are passed through from Upstream Providers; Pinnacle does not generate the underlying telecom data and assumes no liability for its accuracy, availability, latency, or any decision made in reliance on it.

• Data processed. Mobile phone numbers (MSISDNs), SIM-swap timestamps and indicators, network and porting metadata, fraud scores, and silent-authentication responses returned by the Upstream Provider.
• Permitted purposes. Fraud prevention and detection, account-takeover protection, multi-factor authentication, identity verification, and message-deliverability validation. Network Features data is not used for advertising, profiling, or any purpose unrelated to these security and identity functions.
• Roles. Where a Pinnacle Customer initiates a Network Features call on behalf of an end user, the Customer is the controller and Pinnacle acts solely as a processor; Upstream Providers act as independent controllers or processors as required by applicable law and their own terms.
• Lawful basis. The Customer is responsible for establishing and maintaining a valid lawful basis (legitimate interest in fraud prevention, end-user consent, or another applicable basis) and for end-user notice. Pinnacle relies on the Customer's representations of compliance.
• Retention. Raw MSISDNs and network responses tied to a Network Features request are retained only for as long as needed to complete the request and produce audit logs, then minimized to a hashed reference and limited metadata. Audit metadata is retained for up to 12 months consistent with Section 8.
• End-user rights. End users may exercise access, correction, and deletion rights through the Customer that initiated the request, or by contacting Pinnacle at founders@pinnacle.sh. Requests that require action by an Upstream Provider will be forwarded; Pinnacle is not liable for an Upstream Provider's response time or determination.

8. Data Retention & Deletion

We retain your data only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods vary by data type:

• Account Information. Retained for the duration of your account and deleted within 30 days of account closure or an approved deletion request.
• Usage & Log Data. Retained for up to 12 months for operational and security purposes, then automatically purged.
• User-Submitted Content. Retained until you delete it or request its deletion. Removed from production systems within 30 days of an approved deletion request.

Requesting Deletion. You may request deletion of your personal data at any time by emailing founders@pinnacle.sh with the subject line "Data Deletion Request." We will acknowledge your request within 5 business days and complete the deletion within 30 calendar days, unless a legal obligation requires us to retain certain data. You will receive a written confirmation once deletion is complete.

9. Children's Privacy

The Services target users aged 18 and over. If you allow a minor to use the Services or submit a child's data, you assume full responsibility for complying with COPPA or similar laws.

10. No Warranties & Limitation of Liability

THE SERVICES AND ALL DATA PROCESSING ARE PROVIDED "AS IS," "AS AVAILABLE," AND "WITH ALL FAULTS." TO THE MAXIMUM EXTENT ALLOWED BY LAW:

• PINNACLE DISCLAIMS EVERY WARRANTY, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND DATA ACCURACY.
• PINNACLE'S TOTAL AGGREGATE LIABILITY FOR ANY MATTER ARISING FROM OR RELATING TO THIS POLICY OR THE SERVICES IS ZERO U.S. DOLLARS ($0).
• SOME JURISDICTIONS DO NOT ALLOW CERTAIN EXCLUSIONS. WHERE PROHIBITED, OUR LIABILITY IS LIMITED TO THE LOWEST AMOUNT PERMITTED BY LOCAL LAW.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right to Access. Request a copy of the personal data we hold about you.
• Right to Correction. Request correction of inaccurate or incomplete personal data.
• Right to Deletion. Request deletion of your personal data, subject to legal retention requirements. See Section 8 for the deletion process and timeline.
• Right to Portability. Request an export of your data in a machine-readable format.
• Right to Object. Object to processing of your data for certain purposes.
• Right to Restrict Processing. Request that we limit how we use your data while a complaint is being resolved.

To exercise any of these rights, contact us at founders@pinnacle.sh. We will respond within 30 calendar days. We may ask you to verify your identity before processing your request. We will not discriminate against you for exercising your rights.

12. Updates to This Policy

We may modify this Policy at any time by posting a revised version. Continued use after the effective date constitutes your acceptance of all changes, regardless of notice.

13. Governing Law & Dispute Resolution

This Policy is governed by Delaware law. All disputes must be resolved by binding arbitration in San Francisco, California, on an individual basis; class actions are waived.

Contact Information