SMS Two-Factor Authentication (2FA) Privacy Policy

Last Updated: 3/18/2026
Effective Date: 1/1/2020

1. Overview

Cordata Healthcare Innovations, Inc ("we," "us," or "our") uses SMS-based Two-Factor Authentication (2FA) to enhance the security of your account. This policy explains how we collect, use, store, and protect your mobile phone number and related data in connection with our SMS 2FA service.

2. Information We Collect

When you enroll in SMS Two-Factor Authentication, we collect:

Mobile phone number — The phone number you provide for receiving verification codes
Verification activity logs — Timestamps of when verification codes were sent and whether authentication was successful or failed

We do not collect the content of any messages beyond the verification transaction itself.

3. How We Use Your Information

Your phone number and associated data are used solely for the following purposes:

Sending one-time passcodes (OTP) to verify your identity during login
Maintaining security logs for fraud prevention and compliance purposes

We will not use your phone number for marketing, promotional, or advertising communications.

4. SMS Message Frequency & Charges

You will only receive SMS messages when a login or verification event is triggered by you or detected on your account
Message frequency varies based on your account activity
Standard message and data rates from your mobile carrier may apply
Cordata Healthcare Innovations is not responsible for charges imposed by your mobile carrier

5. Third-Party Service Providers

We use Amazon Web Services (AWS) End User Messaging and/or Twilio to transmit SMS verification codes on our behalf. AWS and/or Twilio acts as a data processor under our direction and is contractually prohibited from using your phone number for any purpose other than delivering messages on our behalf.

For more information, please review:

AWS Privacy Policy
AWS Data Processing Addendum

We do not sell, rent, or share your phone number with any other third parties.

6. Data Retention

Data Type	Retention Period
Mobile phone number	Retained while your account is active; deleted within [30/60/90] days of account closure or 2FA removal
Verification attempt logs	Retained for [90 days / 1 year] for security auditing purposes
Failed authentication records	Retained for [90 days / 1 year] for fraud prevention

After the applicable retention period, data is securely deleted or anonymized.

7. How We Protect Your Information

Encryption of phone numbers at rest and in transit
Access controls limiting who within our organization can view authentication records
AWS infrastructure security and compliance certifications (SOC 2, ISO 27001)
Regular security assessments of our authentication systems

8. Your Rights & Choices

Opt out of SMS 2FA — You may disable SMS-based two-factor authentication in your account settings at any time
Update your phone number — You may update the phone number associated with your account at any time
Request deletion — Contact us at support@cordatahealth.com
Access your data — Request a copy of authentication data associated with your account

9. Children's Privacy

Our SMS 2FA service is not directed at individuals under the age of 13. We do not knowingly collect phone numbers from children under 13. If you believe a child has provided us with their phone number, please contact us immediately at support@cordatahealth.com.

11. Changes to This Policy

We may update this policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. Continued use of SMS 2FA following notice of changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this policy or our SMS data practices, please contact us:

Cordata Healthcare Innovation, Inc.
Attn: Privacy & Security
📧 support@cordatahealth.com