Privacy Policy.
Everything stays on your device. No cloud, no analytics, no tracking.
1. Who we are & our role
Hiras SMS ("the App", "Hiras", "we", "us") is an Android application developed and maintained by Charwin Amper, based in the Republic of the Philippines. The App is published under the Arcwhin software brand; at the time of publication, Arcwhin is a software publishing brand operated by the developer and not a separate legal entity. Throughout this policy, "we", "us", and "our" refer to the developer of the App, currently operated by an individual under the Arcwhin brand. The App turns your phone into a local, self-hosted SMS gateway, exposing a small REST API on your local network so that other apps you control can send SMS through your phone's own SIM card.
Hiras SMS is designed to operate entirely on your own Android device. The developer does not operate any cloud service that receives or processes your SMS data, there are no user accounts, and the developer has no access to the contents of your device, your messages, or your API key.
Purchases are handled by Google Play, not by us. If you buy the App, Google processes your payment under Google's Privacy Policy. We never see your card or payment details; at most we receive anonymised, aggregate sales figures from Google.
2. Information processed on your device
To do its job, the App handles the following information locally on your phone. Except where you explicitly configure it to (see §5), this information is never transmitted to us or to any third party:
- Your API key (
sk_local_…) — generated on your device on first launch and stored in Android Keystore-backed secure storage. It authenticates requests to your gateway. It leaves your phone only if you deliberately copy or share it. - Outgoing messages — the recipient number and message text you send through the API are passed to Android to be sent via your SIM. The App also keeps an on-device history of your sends (recipient number, the full message text, segment count, send status, the local-network IP address that made the request, and timestamps), limited to the most recent 1,000 messages, plus daily counts (sent, failed, segments). This history lives in app-private storage on your device and is never uploaded. You can erase it at any time with Clear History.
- Incoming messages (only if you enable webhooks) — if, and only if, you turn on the incoming-SMS webhook feature and the gateway is running, the App reads inbound SMS (sender number, message text, the receiving number, SIM slot, and time) and forwards them to the webhook URL you configured. The App keeps no inbox and stores no incoming-message archive. With no webhook configured, the App does not read your incoming SMS at all.
- SIM & phone details — your phone number, carrier name, and the list of
SIMs are read to display them in the app and to answer the authenticated
/api/host/inforequest for clients on your own network that you authorised with your key. Some carriers hide the phone number; the App shows "not available" rather than guessing. - Network details — your phone's local-network (LAN) IP address, so the App can show you the URL to reach the gateway, plus the IP and time of the most recent request (shown in the app to confirm reachability). These are held in memory only.
- App settings — such as which SIM is the default, your webhook URL and on/off state, the auto-start-on-boot preference, and whether you've seen onboarding.
3. What we do not collect
The App contains no third-party analytics, advertising, crash-reporting, or tracking software. Specifically, Hiras SMS does not:
- collect analytics, usage statistics, or telemetry;
- include advertising or advertising identifiers;
- send crash reports or diagnostics to us or any third party;
- track your location;
- read, upload, or sell your contacts;
- create a profile of you or share data with data brokers.
We have no back-end that could receive any of the above even if we wanted it — by design.
This website. The Arcwhin website uses no analytics, advertising, or tracking cookies. Its static host keeps standard server access logs (such as IP address and timestamp) for security and reliability, as any web host does. See the website privacy page.
4. How your SMS is transmitted
When you send a message, the App hands it to Android's telephony system, which sends it over your mobile carrier's network using your SIM — exactly as a normal text message. Your carrier processes the message under its own terms and privacy practices, and standard carrier charges apply. Hiras does not provide SMS credits and takes no commission.
5. Data you choose to send to third parties
Some optional features send data to destinations you choose and control:
- Your webhook endpoint. If you enable incoming-SMS webhooks, inbound message data is delivered to the URL you set. That endpoint is operated by you (or by a service you selected), and how it handles the data is your responsibility. For security, each webhook request is signed with an HMAC signature and a timestamp, and your API key itself is never included in the request.
- Your own VPN (advanced, optional). If you use a private VPN such as Tailscale, WireGuard, or ZeroTier to reach your gateway from elsewhere, that connectivity is provided by software you installed and manage. Hiras neither provides, configures, nor manages any VPN; it merely detects a private-network interface if one is present. Compatibility is not guaranteed.
6. Network & security notes
The API is served over your local network using plain HTTP (not HTTPS). This is normal for a local-network device, but it means requests between client apps and the gateway are not encrypted in transit on that network. We recommend operating Hiras on a network you trust and keeping your API key private. Access is protected by:
- API-key authentication — every sensitive request must present your
Bearerkey; - a local-network guard that accepts only private-network and loopback addresses and rejects the public internet.
If you believe your API key has been exposed, you can regenerate it in the app at any time.
7. Permissions we request & why
| Permission | Why the App needs it |
|---|---|
SEND_SMS | To send text messages through your SIM — the core function. |
RECEIVE_SMS | To read inbound SMS only when you enable webhook forwarding. It shares Android's SMS permission group with SEND_SMS, so both are granted together; with no webhook configured, the App does not read incoming SMS. |
READ_PHONE_STATE, READ_PHONE_NUMBERS | To detect your SIM(s), carrier, and phone number so the app can show them and route multi-SIM sends. |
INTERNET, ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE | To run the local network server and determine the LAN address to display. Used for local networking and for delivering webhooks you configure — not to contact us. |
FOREGROUND_SERVICE, FOREGROUND_SERVICE_SPECIAL_USE, POST_NOTIFICATIONS | To keep the gateway running with a visible, ongoing notification while it's active. |
WAKE_LOCK, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | To keep the network connection responsive with the screen off ("shelf mode"). |
RECEIVE_BOOT_COMPLETED | Only used if you turn on "start automatically after reboot"; lets the gateway resume after a restart. |
8. Storage, retention & deletion
All data described in §2 is stored on your device only. Message history is capped at the most recent 1,000 messages and rolls over automatically; daily totals are kept for statistics. You can:
- use Clear History in the app to erase stored messages;
- uninstall the App, which removes its data from your device.
Because we hold none of your data, there is nothing for us to retain or delete on your behalf.
9. Your rights
Under the Philippine Data Privacy Act (RA 10173) and comparable laws such as the GDPR, you have rights to access, correct, erase, and port your personal data. Because Hiras stores your data locally and puts you in direct control, you exercise these rights yourself on the device — you can view your history in the app, clear it, or uninstall to remove it. If you have any question about this policy, contact us (§12).
10. Your responsibilities
Hiras is a tool that you operate. When you use it to send messages to other people, you determine who is contacted and why, which makes you responsible for having a lawful basis to message them and for complying with applicable laws — including, in the Philippines, the Data Privacy Act (RA 10173), the SIM Registration Act (RA 11934), and anti-spam rules, as well as equivalent laws in your recipients' jurisdictions. Please obtain the consent you need and do not use Hiras for unsolicited or unlawful messaging. See the Terms of Use.
In data-protection terms: where you use the App to process other people's personal data, you are the Personal Information Controller under the Philippine Data Privacy Act (RA 10173) (or the equivalent role, such as "controller", under laws like the GDPR). The developer is neither a controller nor a processor of that data and has no access to it.
11. Children
Hiras SMS is a developer tool intended for adults and is not directed to children. We do not knowingly collect personal information from children — and, as noted, we do not collect personal information from anyone.
12. Changes & contact
We may update this policy as the App evolves. Material changes will be reflected by an updated "Last updated" date on this page, and — where appropriate — noted in the app. Continued use after an update means you accept the revised policy.
Questions about privacy? Contact us at arcwhin@gmail.com.
This policy is governed by the laws of the Republic of the Philippines.
Android and Google Play are trademarks of Google LLC. Tailscale, WireGuard, and ZeroTier are trademarks of their respective owners. Use of these names is for identification only and does not imply affiliation or endorsement.