Samsung, Hiya, and a Very Short Transparency Horizon

Samsung’s `Caller ID and spam protection` prompt leads into a real data-sharing arrangement. I wanted to know who gets my call data. Beyond Samsung and Hiya, the documentation gave me categories instead of names.

My Samsung Galaxy phone prompted me to enable Caller ID and spam protection. Once activated, it linked out to Hiya’s terms of service. I wanted to know what data was being shared and what, materially, I should be aware of.

Samsung’s Smart Call feature is provided by Hiya. The question is what follows from that relationship.

The Samsung-specific Hiya privacy policy describes processing of a hashed phone number, device identifiers, carrier, language, country, device model and OS version, and call event metadata. It also states that Hiya may match phone log information against calls made or received and information in its database, and retain that information for later validation.

That is enough to dispose of the idea that this is just local filtering on the handset. There is a service behind it, and that service has its own data layer.

The same policy also states that Hiya may provide Samsung with information relating to the user’s use of the service. After that, the disclosure language broadens into recipient categories:

  • affiliates or subsidiaries
  • service providers, contractors, or agents
  • business users, who may receive anonymized usage data
  • a third-party data vendor, if Hiya needs help filling in business-search information

That is where the useful names stop.

Beyond Samsung and Hiya, the service-specific materials do not name the organizations behind onward recipients. They identify categories. That may be enough for a privacy notice. It is poor disclosure for a feature embedded in the phone app and presented as a safety measure.

Samsung Smart Call and Hiya transparency map

At the front of the system there are two named parties:

  • Samsung
  • Hiya

After that, the user is left with buckets. A category may refer to one company or many. Two categories may overlap. The organizations behind them may change over time. The documentation does not say.

Sharing is not the issue on its own. The onward recipient layer is described in terms that leave the user unable to identify who is actually there.

Hiya sells business-facing products around caller reputation and branded calling. Samsung user data may or may not feed those systems. I am not claiming that it does. I am saying that if my call-related data is retained, reused, or shared beyond the immediate feature, I want to know who is involved by name, not by category, and I want a real opt-in or at least an opt-out.

GDPR Article 13 allows notices to disclose recipients or categories of recipients. That may satisfy the notice requirement. It still leaves the user unable to see who receives the data beyond Samsung and Hiya.

Formal compliance and meaningful transparency are not the same thing.

Public scrutiny of Hiya has focused more on its standalone app than on Samsung’s built-in integration. I could not find comparable reporting or technical analysis of Samsung Smart Call itself.

Samsung ships roughly one-fifth of the world’s smartphones. That scale makes the lack of deeper public scrutiny more striking. Samsung presents this as a straightforward protective feature. It looks useful, and I would like to use it. The documentation tells me enough to know that call-related data is processed and disclosed. It still does not tell me who receives that data once it moves beyond Samsung and Hiya, which means I cannot judge the trade properly. In 2026, that is a poor standard of transparency for a feature built on trust.