Privacy Policy

Effective date: 22 June 2026

MiniMoth, a product by AbhiMan Stories ("we", "us"), is a developer tool for SMS OTP authentication and session management. This policy explains what data we collect, how we use it, and how long we keep it. Our direct customers are developers ("you"), and your end-users' data is processed on your behalf.

1. Data we collect

Developer account data

  • Email address and bcrypt-hashed password
  • Project names and API keys (stored as hashes; plaintext shown only at creation)
  • Wallet balance, top-up history, and session billing records

End-user data (processed on your behalf)

  • Indian mobile phone numbers submitted via the API
  • OTP codes — stored only as SHA-256 hashes, never in plain text
  • Session records: phone number, hashed access and refresh tokens, timestamps

2. How we use this data

  • To deliver one-time passcodes by SMS to the phone number you provide
  • To create and validate user sessions on your behalf
  • To calculate and record per-session billing against your wallet
  • To send you transactional email (account creation, top-up confirmations)
  • To investigate abuse, errors, or disputes

We do not sell, rent, or share end-user phone numbers or session data with any third party for marketing or advertising purposes.

3. Third-party processors

We use third-party service providers to operate the platform — including SMS delivery, payment processing, cloud infrastructure, and transactional email. These providers process data only to the extent necessary to perform their respective functions. We do not store raw card or bank instrument data; payment instrument handling is delegated entirely to our payment processor.

4. Data retention

  • Unverified OTPs: automatically deleted within 6 hours if the OTP is never used.
  • Access tokens: expire automatically after 15 minutes.
  • Session and billing records: retained for as long as necessary to fulfil billing obligations and comply with applicable legal requirements.
  • Developer account data: retained while your account is active. Deleted upon written request to [email protected], subject to any legal hold obligations.

5. Security

OTP codes are never stored in plain text — only SHA-256 hashes. API keys and session tokens are similarly stored as hashes. Access tokens have a 15-minute TTL and are never written to permanent storage. All connections to our API are encrypted in transit via TLS.

6. Your responsibilities as a developer

You are the data controller for your end-users' data. You are responsible for obtaining any consents required under applicable law before sending OTPs to your users' phone numbers, and for maintaining an appropriate privacy policy for your own application.

7. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered developers. The effective date at the top of this page reflects the most recent revision.

8. Contact

Questions or requests regarding this policy can be sent to [email protected].