1. Who we are
Smshawk is an Android application published by Shakvaro (Chattogram, Bangladesh). Questions about this policy go to privacy@shakvaro.com. Smshawk is a cross-device SMS sync utility: it keeps the SMS arriving on the device it's installed on in sync with the other devices and endpoints the user explicitly configures (a laptop dashboard, email, Telegram, another phone, or the user's own webhook).
2. Consent before any SMS access
Before Smshawk ever accesses your SMS, the app shows an in-app disclosure that states exactly what it reads and where it will be transmitted, and asks for your explicit consent. Declining means no SMS permission is requested. You can revoke SMS permission any time from Android Settings.
3. What Smshawk collects, and what happens to it
Each row below describes a single category of data. "Transmitted" means it leaves the device. "Retained on Smshawk servers" means it is kept by Shakvaro after delivery completes.
| Data | Transmitted to | Retained on our servers |
|---|---|---|
| SMS message content (full body) | The destinations you configure (your webhook / another phone), and — for your email / Telegram destinations — the Resend / Telegram processors that deliver them. | Not retained after delivery. |
| Sender phone number | Same as message content (it is part of the synced message). | Not retained after delivery. |
| Source hash (truncated) | Backend (for delivery tracking and idempotency / de-duplication). | ~30 days. |
| Delivery status / metadata | Backend. | ~30 days. |
| Device identifiers (FCM push token, opaque device token) | Backend. | Until you revoke the device. |
| Forwarding rules (if cloud sync is enabled) | Backend, end-to-end encrypted (ciphertext only). | Until you delete them. |
| Crash reports (optional) | Sentry (PII stripped via beforeSend hook). | Per Sentry retention. |
Plain English: Smshawk transmits the full message text and sender number off the device to the destinations you configure. We don't claim "nothing leaves the device" — that would be false. What we do guarantee is that bodies aren't stored on our servers after delivery completes.
4. What Smshawk does NOT collect
- Phone book / contacts.
- Call logs.
- Location.
- Browsing history.
- Photos or files outside the SMS scope.
- No advertising SDK is integrated.
- No third-party analytics on message content.
5. Default SMS handler — Smshawk is NOT it
Smshawk is not your default SMS app by default. You keep using your normal Messages app. Smshawk reads incoming SMS via Android's standard broadcast permission.
There is an optional MMS-sync mode (off by default, user-initiated) that does make Smshawk the default SMS handler — because Android only delivers MMS messages to the default handler. You have to turn it on yourself, and you can turn it back off any time.
6. Third parties / sub-processors
These services may receive data only as needed to deliver the destinations you configure or to run the app:
- Resend — delivers user-configured email destinations. Only what's needed to send the email (target, sender, body) is forwarded. Privacy: resend.com/legal/privacy-policy
- Telegram Bot API — delivers user-configured Telegram destinations. Privacy: telegram.org/privacy
- Firebase Cloud Messaging (Google) — pushes outbound-SMS commands from the dashboard to the device. Privacy: firebase.google.com/support/privacy
- Sentry — optional crash reporting only; PII is stripped via beforeSend. Privacy: sentry.io/privacy
7. Security
- Encrypted local storage — the on-device database is encrypted with SQLCipher; device secrets use hardware-backed key storage (Google Tink AEAD).
- Authenticated sync — each phone authenticates to the backend with its own per-device token; there is no shared secret in the app.
- Signed webhooks — webhook payloads carry an HMAC-SHA256 signature so your receiver can verify they came from your device.
- End-to-end encrypted rule sync — if you enable cloud rule sync, your forwarding rules are encrypted on-device with XChaCha20-Poly1305 and Argon2id-derived keys before upload. The backend only ever sees ciphertext.
- SSRF protection — the backend pins DNS and blocks internal addresses to prevent webhook URLs from being abused.
- TLS in transit for every network call.
8. Retention
- SMS bodies: transmitted to your configured destinations; not retained on Smshawk servers after delivery.
- Forwarding metadata (source hash, status, delivery latency): ~30 days.
- Webhook delivery records: ~30 days.
- Encrypted rule blobs: until you delete them.
- Device identifiers: until you revoke the device or uninstall.
9. Your rights and controls
- Pause syncing any time by disabling rules in-app or revoking SMS permission in Android Settings.
- Remove all on-device data by uninstalling the app or clearing app storage.
- Request a copy or deletion of all server-side records by emailing privacy@shakvaro.com. We respond within 30 days.
10. Children
Smshawk is a general-audience utility, is not directed at children under 13, and does not knowingly collect data from children.
11. Not a monitoring tool
Smshawk only syncs SMS that arrive on the device it's installed on, configured by the device owner. It is not a tool to monitor anyone else's phone, and it is not stalkerware.
12. Changes
Material changes will be announced in-app and via this page at least 7 days before they take effect. The "Effective" date above will reflect the most recent update.
13. Contact
Questions about Smshawk's privacy? privacy@shakvaro.com. Smshawk is built by Shakvaro (Chattogram, Bangladesh).


