Data Security Policy
Effective date: March 14, 2026 · Last updated: March 14, 2026
MoneyPhone takes the security of your data seriously. This policy describes the safeguards we maintain, how we respond to security incidents, and what we do to protect your voice conversations, account information, and financial activity data.
1. Security Measures We Maintain
We implement the following controls to protect user data:
- All data transmitted between the app and our servers is encrypted via HTTPS/TLS
- User passwords are hashed using industry-standard cryptographic algorithms — we never store plaintext passwords
- Database access is restricted to authenticated server processes only; no public access is permitted
- Voice recordings and voicemails are stored in access-controlled storage, accessible only to circle members and voicemail recipients
- Session tokens are signed and expire automatically after periods of inactivity
- Administrative access to production systems is restricted to authorized personnel only
- We conduct periodic reviews of our security posture and infrastructure configuration
2. What Constitutes a Data Incident
A data security incident includes any event that results in, or may result in, unauthorized access to, disclosure of, or loss of user data. This includes but is not limited to:
- Unauthorized access to user accounts or the database
- Exposure of voice recordings or messages to unintended recipients
- Loss or theft of user credentials
- Malicious code or ransomware affecting our systems
- Accidental public exposure of private user data
3. Incident Response Procedure
In the event of a confirmed or suspected data incident, we follow this response timeline:
Detect & Contain — Within hours of discovery
We identify the nature and scope of the incident, isolate affected systems to prevent further exposure, and address any active vulnerabilities.
Assess — Within 24 hours
We determine what data was affected, which users may be impacted, and the likely cause of the incident. We document all findings for internal records and regulatory purposes.
Notify Affected Users — Within 72 hours
We notify all users whose data may have been compromised. Notification includes the nature of the incident, what data was involved, steps we have taken, and recommended actions for the user (e.g. changing passwords).
Regulatory Notification — Within 72 hours where required
Where required by applicable law (including GDPR and applicable US state laws), we notify relevant data protection authorities within 72 hours of becoming aware of the incident.
Remediate & Review
We remediate the root cause, restore systems to a secure state, and conduct a post-incident review to prevent recurrence. Findings are documented and inform future security improvements.
4. User Notification
If your data is affected by a security incident, we will contact you at the email address associated with your account. Notifications will include:
- A plain-language description of what happened
- The types of data that were involved
- The steps MoneyPhone has taken or is taking to address the issue
- Recommended actions you can take to protect yourself
- A contact point for questions
5. Reporting a Security Vulnerability
If you discover a security vulnerability in MoneyPhone, please report it responsibly by emailing d0x.digital.marketing@gmail.com with the subject line "Security Report". Please include:
- A description of the vulnerability and steps to reproduce it
- The potential impact if exploited
- Any supporting evidence (screenshots, logs, etc.)
We will acknowledge all valid security reports within 48 hours and work to remediate confirmed issues promptly. We request that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.
6. Third-Party Services
MoneyPhone relies on third-party infrastructure providers (including cloud hosting and database services). These providers maintain their own security certifications and compliance programs. We contractually require our service providers to maintain appropriate data security standards.
7. Contact
For questions about this Data Security Policy or to report a security incident, contact us at:
d0x.digital.marketing@gmail.com