Privacy Policy

1. Who We Are

WeSIM OÜ ("WeSIM", "we", "our", "us") is a company registered in the Republic of Estonia, operating under EU digital business regulations. We provide instant eSIM data plans for travelers worldwide through our website at wesim.online.

Data Controller: WeSIM OÜ
Address: Tallinn, Estonia, European Union
Email: privacy@wesim.online

2. Data We Collect

We collect information you provide directly, data generated when you use our services, and technical data from your device.

2.1 Information You Provide

Account data: First name, last name, email address, password (hashed)
Payment data: Billing email address (card details are processed directly by Stripe — we never store full card numbers)
Communications: Messages sent to our support team
Partner data: Business name, business type, contact details for Partner Program participants

2.2 Data Generated Automatically

Order data: eSIM purchases, ICCID numbers, activation status, data usage
Technical data: IP address, browser type, device type, operating system
Usage data: Pages visited, features used, session duration

Data Type	Examples	Source
Identity	Name, email	You
Transaction	Order ID, amount, eSIM details	Generated on purchase
Technical	IP address, device, browser	Automated
Payment	Billing email, last 4 digits	Stripe
Usage	Data consumed, activation date	Airalo network

3. How We Use Your Data

We use your data only for the purposes described below:

Service delivery: Processing your eSIM orders, activating plans, sending QR codes and activation details by email
Account management: Creating and maintaining your account, authentication, password resets
Customer support: Responding to your inquiries and resolving issues
Payments: Processing transactions securely through Stripe
Partner Program: Managing partner accounts, calculating and paying commissions
Legal compliance: Meeting regulatory obligations, preventing fraud, resolving disputes
Service improvement: Analyzing usage patterns to improve our platform (anonymized/aggregated data only)

⚠️ We do not sell your personal data to third parties. We do not use your data for advertising targeting or behavioral profiling.

4. Legal Basis for Processing

Under GDPR, we process your personal data on the following legal bases:

Processing Activity	Legal Basis
Order fulfillment & eSIM delivery	Contract performance (Art. 6(1)(b))
Account creation & management	Contract performance (Art. 6(1)(b))
Payment processing	Contract performance (Art. 6(1)(b))
Customer support	Legitimate interests (Art. 6(1)(f))
Fraud prevention & security	Legitimate interests (Art. 6(1)(f))
Legal obligation compliance	Legal obligation (Art. 6(1)(c))
Service improvement analytics	Legitimate interests (Art. 6(1)(f))

5. Data Sharing & Third Parties

We share your data only with trusted partners required to deliver our services:

5.1 Airalo

We use Airalo's eSIM network to provision and activate your data plans. Airalo receives your order details (package ID, quantity) and returns eSIM credentials (ICCID, activation code). Airalo's privacy policy applies to data processed on their platform.

5.2 Stripe

All payment processing is handled by Stripe, Inc. We pass your billing email to Stripe; they process card data directly under PCI-DSS compliance. We never receive or store your full card number. See Stripe's Privacy Policy.

5.3 Hosting Provider

Our website and database are hosted on servers provided by Güzel Hosting. Your data is stored on servers located in Turkey/EU. We have a data processing agreement in place.

5.4 Legal Disclosure

We may disclose your data if required by law, court order, or to protect the rights, property, or safety of WeSIM, our users, or the public.

We do not share your data with advertising networks, data brokers, social media platforms, or any third party for marketing purposes.

6. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

Data Type	Retention Period
Account data	Until account deletion + 30 days
Order & transaction records	7 years (legal/accounting obligation)
eSIM activation data (ICCID)	2 years from activation
Support communications	2 years
Technical/server logs	90 days
Partner commission records	7 years (accounting)

When data is no longer needed, we securely delete or anonymize it.

7. Your Rights (GDPR)

As an EU resident (and users in other jurisdictions where applicable), you have the following rights:

Right of Access (Art. 15): Request a copy of the personal data we hold about you
Right to Rectification (Art. 16): Correct inaccurate or incomplete data
Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
Right to Restriction (Art. 18): Restrict how we process your data in certain circumstances
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise your rights, email us at privacy@wesim.online. We will respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate or your local supervisory authority.

8. Cookies & Tracking

We use minimal cookies and local storage to operate our service:

Name	Purpose	Duration
`wesim_token`	Authentication JWT token (localStorage)	Session / 24 hours
`wesim_user`	Cached user profile (localStorage)	Session
`wesim_saved_plans`	Locally saved plan wishlist (localStorage)	Until cleared
Stripe cookies	Payment fraud prevention (set by Stripe)	Varies

We do not use advertising cookies, tracking pixels, or analytics cookies (such as Google Analytics) that track your behavior across websites.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

HTTPS/TLS encryption for all data in transit (256-bit SSL)
Password hashing using bcrypt (passwords are never stored in plain text)
JWT authentication with expiry for session management
PCI-DSS compliant payments via Stripe (we never handle raw card data)
Access controls limiting database access to authorized systems only
Regular security reviews of our codebase and infrastructure

Despite our efforts, no system is 100% secure. In the event of a data breach that poses a high risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

10. International Transfers

WeSIM is based in Estonia (EU). Some of our service providers (such as Stripe and Airalo) may process data outside the EU/EEA. Where such transfers occur, we ensure appropriate safeguards are in place, such as:

EU Standard Contractual Clauses (SCCs)
Adequacy decisions by the European Commission
Privacy Shield successor frameworks

11. Children's Privacy

WeSIM services are not directed to children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@wesim.online and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify registered users by email for significant changes
Post a notice on our website

Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related inquiries, data subject requests, or questions about this policy:

Email: privacy@wesim.online
General support: support@wesim.online
Address: WeSIM OÜ · Tallinn, Estonia · European Union

We will respond to all privacy requests within 30 days.