YoungPG Virtual

Privacy Policy

Last updated: May 26, 2026

This Policy explains what data YoungPG Virtual collects, why we collect it, who we share it with, and how long we keep it. It applies to the website and the API.

1. What we collect

  • Account data: email, username, password hash (we never see your plaintext password), date of registration, last login.
  • Wallet activity: deposits, debits, refunds, balance history. This is the audit ledger and we keep it indefinitely for accounting reasons.
  • Rental metadata: which service / country you rented, the phone number assigned, the SMS code received, and the upstream provider used. Kept for 12 months; the SMS body and code are encrypted at rest.
  • Technical data: IP address, user agent, request timestamps for security (rate-limit and abuse detection). Auto-purged after 60 days for API requests and 30 days for login attempts.
  • Payment data: we DO NOT store full card numbers or bank credentials. Payment-gateway transaction IDs and amounts are kept for reconciliation.

2. Why we collect it

  • To provide the Service (you can’t rent a number without an account and a balance).
  • To comply with anti-fraud, anti-money-laundering, and tax obligations.
  • To investigate and respond to security incidents.
  • To answer support requests.

We do not sell, rent, or trade your personal data with anyone.

3. Who we share it with

  • Upstream telecommunications partners. They see the service code and country you requested in order to allocate a number; they do NOT see your account email, name, or any other personal data.
  • Payment processors (Korapay, Cryptomus). They see only what they need to process the payment.
  • Law enforcement, on a valid legal request from competent authorities.

4. Security

Passwords are hashed with bcrypt (cost 12). API keys are stored as SHA-256 hashes — we cannot reveal them to you again after issue. Sensitive fields (recovery codes, third-party credentials) are encrypted at rest using AES-256-GCM with per-record nonces. All outbound API calls use TLS 1.2+ with strict certificate verification.

5. Your rights

You can, at any time, request:

  • a copy of the data we hold about you;
  • correction of inaccurate data;
  • deletion of your account and personal data (subject to the audit-ledger retention obligations above);
  • export of your wallet ledger and rental history as CSV.

Email privacy@youngpgvirtual.com with the request. We aim to respond within 14 days.

6. Cookies

We use a single first-party session cookie (ypv_sess) to keep you signed in. It is HttpOnly, Secure, SameSite=Lax. We do not run third-party analytics or advertising trackers.

7. Changes

We may update this Policy. Material changes are announced by email to the address on file at least 14 days in advance. Continued use after the effective date constitutes acceptance.

8. Contact

Questions, requests, or complaints: privacy@youngpgvirtual.com.