Phone maker BLU has reached a settlement with the Federal Trade Commission (FTC) over accusations that it allowed a Chinese third-party service to harvest its user data.

Back in 2016, security firm Kryptowire reported that BLU was one of several budget Android handset manufacturers running software from Shanghai Adups Technology Company.

The FTC’s press release states that BLU had a contract with Adups to issue security and operating system updates to its devices. But the phones were sending a massive amount of user data—much more than was claimed—back to Adups. Kryptowire said the info was used to help manufacturers and carriers track customer behavior and for ad purposes.

Some of the data harvested included the complete content of text messages, real-time location data, call and text logs with phone numbers, contact lists, and lists of apps used and installed on BLU handsets.

Following the Kryptowire revelations, BLU issued a statement to its customers assuring them that Adups was no longer collecting masses of data, but the FTC alleges that it “continued to allow ADUPS to operate on its older devices without adequate oversight.”

Under the proposed settlement, BLU and its co-owner and president Samuel Ohev-Zion must “implement and maintain a comprehensive security program” that prevents similar security risks in current and future devices, while also refraining from “misrepresenting the extent to which they protect the privacy and security of personal information.” Additionally, BLU will be subject to third-party assessments of its security program every two years for the next twenty years. It appears that the company escaped any financial penalties.