Privacy policy

A phone number is personal data, and we treat it that way. This policy explains, in plain English, what we collect, why we use it, who we share it with, and the rights you have over it. The short version: personal numbers stay private, and we never sell your data.

Last updated: 30 May 2026.
  • A public lookup of a personal number reveals only that it is “verified & online” plus a risk score — never your name, address or other private details.
  • We do not sell personal data, and we do not share your lookup history with data brokers.
  • Personal verification is a one-time USD 9 fee. Business verification is an auto-renewing annual subscription of USD 29/year.
  • Any information or documents you provide for verification are encrypted, access-controlled, kept only as long as needed, and deletable on request, subject to legal-retention limits.
  • Our privacy-preserving match API returns match, no-match or not-verified only — the stored name is never returned.
  • You can access, correct, delete or object to processing of your data at any time by writing to [email protected].

1. Who we are and the scope of this policy

numbers.online is operated by Evergrow Management Pte. Ltd. (Singapore UEN 202524252D), a company incorporated in Singapore with its registered office at 51 Lorong 21 Geylang, #04-03, Space 21, Singapore 388466 (“numbers.online”, “we”, “us”, “our”). We are the operator of the numbers.online service and, for the purposes described below, the data controller responsible for your personal data.

This policy applies to everyone who interacts with us: people who run free reverse lookups, people whose numbers appear in the directory, people and businesses who verify a number, and the B2B customers who use our match and list-scrubbing services. It should be read together with our Terms of service, which govern your use of the Service. It is written to meet our obligations under Singapore's Personal Data Protection Act (the PDPA) — our home jurisdiction — as well as the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

A phone number is personal data. On its own, and especially when combined with the reports, scores and identity information attached to it, a number can identify a living individual, so we handle every number in our directory as personal data under each of those laws.

2. Our roles — controller and processor

For most of what we do, we are the controller — we decide why and how the data is processed. This covers the public directory, community-driven risk scores, identity verification (KYC and KYB), and the accounts and contact details we hold for our users.

For the personal data contained inside the lists that our B2B customers submit — the phone numbers and names sent to our identity-match API, and the call lists sent for scrubbing — we act as a processor (an intermediary). We process that data only on the customer's documented instructions, solely to return a result, and we do not retain it beyond what is needed to deliver the service. The customer remains the controller of those lists and is responsible for having a lawful basis and any required consent for every entry they send us.

3. The personal data we collect

Depending on how you use the Service, we may collect:

  • Lookup queries and IP address. The phone number you search and the IP address of your request, used to return results, to apply rate limits, and to prevent abuse. You do not need an account to run a lookup.
  • Community reports. The report text, tags or categories, the number reported, and any optional one-time-password (OTP) confirmation that the reporter controls a number. Reports help build the risk score and may be shown publicly.
  • Reporter standing and credibility. Derived signals — such as account age, corroboration with other accounts, and payment-method fingerprint — used internally to weight how much a report influences the community signal. We use this to keep reporting fair and resist abuse; it is not shown publicly, and a number's report shows at most a tag and an aggregated count, never the reporter's identity for personal reporters.
  • Verification and KYC/KYB information. When you verify a number, the details you provide — such as your legal name and, for businesses, know-your-business (KYB) details like company registration, address and tax identifiers — together with any supporting documents we ask you for, which may include a government-issued ID, a proof of address, or company registration records.
  • Business-profile data. For verified businesses, the public profile information you choose to publish, such as company or brand name, address, and business details.
  • Account and OTP data. If you create an account, your email and any contact details, plus the one-time codes used to confirm control of a number.
  • Payment metadata. When you pay the one-time verification fee, our payment provider processes your card details; we receive only metadata such as a transaction reference, amount, and status. We do not store full card numbers.
  • Device and log data. Technical information such as browser type, device and operating-system details, timestamps, and security logs.
  • Customer-submitted lists. The phone numbers, names and related fields that B2B customers send for identity matching or list scrubbing, which we process as a processor (see section 2).
  • Hashed call-attempt metadata for enrolled numbers. When a business customer enrols a number for call-provenance and uses our outbound pre-call check, we record a short-lived, one-way-hashed record of the calling and destination numbers for that call attempt (never the numbers themselves). It is used only to defend the enrolled number against reports about calls it did not place (spoofing) and to attribute calls it did place. It is held briefly (a few days), kept server-side, and is never shown to either party.

4. How we collect it

We collect personal data from several sources:

  • Directly from you when you run a lookup, file a report, verify a number, create an account, publish a business profile, or pay a fee.
  • From the subject of a number when they verify their own number or update their preferences.
  • From public and reputable third-party sources — for example, public business registries and similar openly available information used to keep the directory accurate.
  • From our B2B customers when they submit lists for matching or scrubbing, in which case the customer is responsible for the lawful basis behind that data.

5. Why we use it and our legal bases

We only use personal data for clear purposes, and under the GDPR each purpose rests on a specific legal basis:

  • Providing reverse lookups and risk scores — legitimate interests. Helping people decide whether to trust an unknown number, and preventing spam and fraud, is in the legitimate interests of our users and the public. We balance this against the rights of the people whose numbers appear, and we limit what is shown (see section 7).
  • Securing the directory and preventing abuse — legitimate interests. Rate limiting, fraud prevention, and keeping the Service available and accurate.
  • Reporter standing and credibility — legitimate interests. Computing how much weight a report carries, to keep the community signal fair and to resist coordinated or Sybil abuse.
  • Call-provenance and spoofing defence for enrolled numbers — legitimate interests. Where a business customer enrols a number, we process short-lived hashed call-attempt metadata in that customer's legitimate interest of defending their own number against reports about spoofed calls, and to attribute calls they did place. The data is minimised by hashing, kept only briefly, held server-side, and never shown to either party.
  • Marketing preferences, identity verification, and publishing a business profile — consent. We rely on your consent to verify your number, to publish a business profile, and to record your marketing contact preferences. You can withdraw consent at any time.
  • Paid verification and B2B services — contract. Processing necessary to deliver the verification or B2B service you (or our customer) have asked for.
  • Meeting our obligations — legal obligation. Where the law requires us to retain records, respond to lawful requests, or keep financial records.

Where we rely on legitimate interests, you have the right to object, and we will stop unless we have compelling legitimate grounds that override your interests (see section 14).

6. The risk score and automated processing

The risk score is an automated, advisory signal generated from community reports and usage patterns. It is informational only. It is not a solely-automated decision that produces legal or similarly significant effects within the meaning of Article 22 of the GDPR, and it must not be used as the sole basis for denying anyone a product, service, or opportunity.

If you believe a score or an underlying report is wrong, you can contest it. A number's owner can dispute a report or request a review by writing to [email protected], and we will review the reports behind the score, correct inaccuracies, and, where appropriate, ensure a human is involved in the review.

7. What we publish and what we keep private

We treat people and businesses differently, on purpose.

A verified business chooses to publish a public profile so that customers can recognise and trust it — this may include the company or brand name, address, and other business details the business decides to share.

A verified personal number is different. A public lookup of a personal number reveals only that the number is “verified & online” together with its risk score. It never reveals the owner's name, address, or any other personally identifying information. Verification makes your number more trustworthy without exposing who you are.

8. The privacy-preserving identity match

Our B2B identity-match API lets an authorised customer submit a phone number together with a full name and receive a result of match, no-match, or not-verified — nothing more. The name we hold on file is never returned, and no other personal data leaves our hands. The customer cannot use the API to enrich, enumerate, or re-identify anyone in the directory.

Match results are licensed for one-time use only. Customers may not cache, store, or build a database from results, and they must delete any match results within 30 days. The customer must hold a lawful basis and any required consent for every number-and-name pair they submit, and rate limits apply.

9. Marketing preferences and list scrubbing

Number owners can tell us whether they want to receive marketing calls. We store those preferences so that they can be honoured. Our list-scrubbing service lets call centres submit a list to be compared against do-not-contact preferences, so that contact is suppressed for people who have opted out.

We never repurpose your marketing preferences or your contact details for our own marketing. The scrubbing service is a compliance aid only: it helps a customer honour “do not contact” signals but does not by itself guarantee compliance with the TCPA, the Singapore PDPA and its Do Not Call provisions, the GDPR, or any other law. The customer remains solely responsible for its own consent, for checking the applicable do-not-call registries, for re-scrubbing regularly, and for using results only to suppress contact.

10. When and with whom we share data

We do not sell personal data, and we do not share your lookup history with data brokers. We share data only in limited, necessary circumstances:

  • Sub-processors who help us run the Service under contract and on our instructions — for example, cloud hosting providers, our payment processor, and messaging providers that send OTP and verification codes. They may process personal data only to provide their service to us.
  • Lawful disclosures where we are required to share data to comply with a valid legal request, a court order, or applicable law, or to protect our rights, users, or the public.
  • Business transfers, where data may be transferred as part of a merger, acquisition, or sale of assets, subject to this policy.

We do not sell personal data within the meaning of the CCPA/CPRA, and we do not trade your lookup history to anyone.

11. International data transfers

We operate from Singapore, and our sub-processors may be located in other countries, so your personal data may be transferred to and processed outside Singapore, the EEA, or the UK. Where we transfer personal data internationally, we put appropriate safeguards in place — such as the European Commission's Standard Contractual Clauses (and the UK Addendum where relevant), or equivalent measures — so that your data continues to be protected to the standard required by the applicable law.

12. How long we keep data

We keep personal data only for as long as we need it, and the period depends on the category:

  • Lookup logs and IP data — kept for a short period for rate-limiting, security, and abuse prevention, then deleted or aggregated.
  • Community reports — retained while they remain relevant to the risk score, subject to correction and dispute.
  • Verification and KYC/KYB documents — identity documents are retained only as long as necessary to complete and maintain the verification, plus any limited period required by law. After that, they are securely deleted or de-identified. Documents are also deletable on request, subject to legal-retention limits.
  • Business-profile and account data — kept while the profile or account is active, and for a reasonable period afterwards.
  • B2B match and scrubbing lists — processed transiently to return a result and not retained beyond what is needed to deliver the service.
  • Financial records — retained for the period required by tax and accounting law.

13. How we protect data

We use technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit and at rest, strict access controls, logging, and the principle of least privilege. Identity documents receive special handling: they are encrypted, access-restricted to the small number of staff and processes that genuinely need them, and held separately from the public directory. No method of storage or transmission is perfectly secure, but we work continuously to protect your data and to respond quickly if something goes wrong.

14. Your rights and choices

Depending on where you live, you have the right to access the personal data we hold about you, to correct it, to delete or erase it, to restrict or object to certain processing (including processing based on our legitimate interests), to receive a portable copy of data you provided, and to withdraw any consent you have given. Withdrawing consent does not affect processing that already took place.

To exercise any of these rights, write to [email protected]. We will verify your identity before acting on a request, and we aim to respond within 30 days. Exercising your rights is free, and we will never penalise you for it.

If you are not satisfied with how we have handled your data, you may complain to a regulator: the Personal Data Protection Commission (PDPC) in Singapore, your local supervisory authority in the EU/EEA or the UK's Information Commissioner's Office, or the California Attorney General.

15. Removing your number if you never signed up

You do not have to be a customer to control how your number appears. If a number that belongs to you is in the directory and you never signed up, you can ask us to remove or restrict it through our opt-out page. We will honour reasonable requests promptly. To be honest about the limits: we cannot stop other people from re-reporting a number, and removing an entry does not erase a number from public phone systems — but we can ensure that what we publish about your number reflects your wishes.

16. Children

The Service is not intended for, and is not directed at, anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it.

17. Region-specific disclosures

EEA and UK (GDPR). The legal bases for our processing are set out in section 5. You have the rights listed in section 14, including the right to object to legitimate-interest processing and the right to lodge a complaint with a supervisory authority. We rely on Standard Contractual Clauses for international transfers (section 11).

California (CCPA/CPRA). California residents have the right to know what personal information we collect and how we use it, to request access and deletion, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we will not discriminate against you for exercising your rights. You can exercise these rights through [email protected].

Singapore (PDPA). As our home jurisdiction, we comply with the PDPA's consent, purpose-limitation, access, and correction obligations, and we honour the national Do Not Call (DNC) Registry. Our marketing-preference and list-scrubbing tools are built to support — not undermine — the DNC framework.

18. Cookies and similar technologies

We use a small number of cookies and similar technologies to keep you signed in, to remember preferences, and to keep the Service secure. We do not use them to build advertising profiles or to sell your data. For details on what we set and how to control them, see our cookie notice.

19. Changes to this policy

We may update this policy from time to time to reflect changes to the Service, our practices, or the law. When we do, we will revise the “Last updated” date at the top of this page, and for material changes we will take reasonable steps to bring them to your attention. Please review this page periodically.

20. Contact us and our Data Protection Officer

If you have any questions about this policy or how we handle your data, or you want to exercise a right, please contact us:

The operator and data controller is Evergrow Management Pte. Ltd. (Singapore UEN 202524252D), with its registered office at 51 Lorong 21 Geylang, #04-03, Space 21, Singapore 388466.