Privacy Policy

Last updated: 1 May 2026

This Privacy Policy describes how Sequal (Private) Limited ("Sequal", "we", "us", or "our") collects, uses, and protects information when you use the Sequal Messaging mobile application and the related Sequal Gateway services. By installing or using the Sequal Messaging app, you agree to the practices described below.

1. Who We Are

Sequal (Private) Limited is a software company registered in Zimbabwe, operating from 70 Hillside Road, Harare. Sequal Messaging is a companion app for the Sequal Gateway bulk SMS platform, designed for businesses and authorised users to send and track SMS messages from their mobile device.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect:

  • Phone number — used to identify your account and to deliver one-time verification codes via SMS.
  • Email address — used to deliver an email verification code at registration and for account-related communication.
  • Full name (where provided) — displayed inside the app and on administrator dashboards.

2.2 Device Information

To secure your account and prevent unauthorised access, the app sends the following to our servers when you register or sign in:

  • Device model and operating system version — shown to administrators when they review your registration.
  • App version — used by our backend to enforce minimum supported versions and to surface upgrade prompts.
  • Android ID — an app-scoped device identifier (provided by the Android operating system) that lets us recognise the same physical device when you re-install the app, so you do not need to be re-approved by an administrator for a fresh install on a device you have used before. The Android ID is reset if you factory reset your device, and it cannot be used to track you across other apps from other developers.
  • IP address — recorded at the moment of registration as a security signal for administrators reviewing new device requests.

2.3 Authentication Data

  • Security PIN — you choose a 6-digit PIN at registration. We never store your PIN in plaintext. Only an Argon2id hash of your PIN is transmitted to our servers and stored.
  • Biometric (fingerprint / face) — if you enable biometric unlock, your biometric data never leaves your device. The Sequal Messaging app uses your operating system's secure biometric subsystem to unlock locally stored credentials. Sequal does not receive, store, or have access to your fingerprint or face data.
  • Authentication tokens — once you sign in, our servers issue short-lived access tokens and refresh tokens that are stored securely on your device using Android's encrypted storage. These tokens are linked to your specific device and are revoked if you sign out, re-register, or are disapproved by an administrator.

2.4 Messaging Data

When you send messages through the app, we record:

  • The recipient phone number(s) for each message you send.
  • The message content — this is required to deliver the message via our SMS provider partners and is logged for billing, audit, regulatory compliance, and customer-support purposes.
  • The delivery status returned by the underlying mobile network operator (delivered, failed, expired, etc.).
  • The provider used to route the message and the credit cost deducted from your account.

2.5 What We Do Not Collect

  • We do not read, scan, or upload SMS messages stored on your phone. The Sequal Messaging app does not request the READ_SMS permission.
  • We do not collect your phone's contact list.
  • We do not collect your location.
  • We do not access your camera, microphone, photos, or files.
  • We do not embed advertising SDKs or behavioural-tracking analytics.

3. How We Use Your Information

We use the information described above to:

  • Verify your identity at registration and at sign-in.
  • Allow administrators to approve or reject new device registrations.
  • Authenticate every API request and authorise you to send messages and view delivery reports.
  • Route your SMS messages to the correct mobile network operator and report delivery status back to you.
  • Bill your message credits and produce account statements and receipts.
  • Notify you when your account balance is low (these notifications are generated locally on your device from data already on your account).
  • Detect and respond to abuse, fraud, and security incidents.
  • Comply with applicable law and lawful requests from regulators and law-enforcement bodies.

4. Android Permissions We Request

The Sequal Messaging app requests only the permissions strictly required for its features:

  • Internet — to communicate with the Sequal Gateway API over HTTPS.
  • SMS Retriever (Google Play Services) — this is not the broad READ_SMS permission. It allows our app to receive only the specific one-time verification code message we send to you (identified by a hash unique to our app), and only at the moment you are completing registration. We cannot read any of your other SMS messages.
  • Post notifications — required on Android 13 and later in order to show local on-device notifications (e.g. low-balance alerts). You can revoke this permission at any time from your device settings.
  • Biometric / Fingerprint — required only if you choose to enable biometric unlock. Verification happens entirely on-device.

5. How We Share Your Information

We share information only as needed to provide the service, and never for advertising. The categories of recipients are:

  • Mobile network operators and SMS providers — we transmit each message you send to the network operator chosen by your routing configuration (for example Econet Wireless Zimbabwe, NetOne, or other licensed providers). The recipient phone number and message body necessarily reach those providers in order to deliver the message.
  • Email delivery infrastructure — transactional emails (such as your registration verification code) are sent through standard SMTP. Your email address is shared with that mail server only to deliver the email to you.
  • Google Play Services — the SMS Retriever feature relies on Google Play Services running locally on your device. No personal data is shared with Google by Sequal beyond what Google Play Services itself requires.
  • Authorised administrators of your organisation — if your account is part of a corporate Sequal Gateway client, your organisation's administrators can see your registered devices, your message logs, and your credit usage.
  • Regulators and law enforcement — we will disclose information when required to do so by a valid legal process, by Zimbabwean telecommunications regulation, or to protect the rights, property, or safety of Sequal, our customers, or the public.

We do not sell your personal data to anyone. We do not share your data with advertising networks, data brokers, or social media platforms.

6. Data Security

  • All communication between the app and our servers happens over HTTPS (TLS 1.2 or higher).
  • Your security PIN is stored only as an Argon2id hash with per-user salt; the original PIN cannot be recovered from this hash.
  • Authentication tokens on your device are stored using Android's hardware-backed Keystore where available, and are scoped to a single device.
  • Provider credentials and other operational secrets on our servers are encrypted at rest.
  • Refresh tokens are rotated on every use and old tokens are immediately invalidated.
  • If you uninstall the app, lose your device, or factory reset, the on-device tokens are destroyed and you will be required to register again.

7. Data Retention

  • Your account profile is retained for as long as your account is active.
  • Message logs (recipient, body, delivery status, cost) are retained while you are an active customer for billing, audit, and regulatory purposes. After account closure they are retained for the period required by applicable Zimbabwean law and then deleted or anonymised.
  • If you ask us to delete your account (see Section 8), we will delete or anonymise the data tied to your account except where we are required by law to keep it for longer.

8. Your Rights

You can:

  • Access the personal data we hold about you by contacting us at the address below.
  • Correct inaccurate personal data through your administrator or by contacting us.
  • Delete your account by emailing [email protected] from the email address on your account, or by asking your organisation's administrator to remove you. Once verified, we will delete personal data tied to your account, subject to the retention periods in Section 7.
  • Withdraw consent for biometric unlock, push notifications, or SMS Retriever at any time through your device settings; the app will fall back to your PIN.
  • Sign out remotely from your other devices through the in-app Devices screen, which immediately revokes their tokens.

9. Children's Privacy

The Sequal Messaging app is a business tool intended for authorised employees and customers of Sequal Gateway clients. It is not directed at children under the age of 13, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. International Transfers

Sequal's primary servers are located in Zimbabwe. Some sub-processors we rely on (such as Google Play Services and our email delivery infrastructure) may process data outside Zimbabwe. Where this happens, we take reasonable steps to ensure the data continues to be protected.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the "Last updated" date at the top of this page and, where appropriate, notify you in the app. Your continued use of the app after the update constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions or requests about this Privacy Policy or your data, please contact:

  • Sequal (Private) Limited
  • 70 Hillside Road, Harare, Zimbabwe
  • Email: [email protected]
  • Phone: +263 715 384 247