Privacy Policy

SimForMe ("we", "us", or "our") operates the website simforme.com and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. Data Controller: ASSOCIACION ESTUDIANTIL JUNIOR NEXIO Trade name: SimForMe Registered address: PS/ URIBITARTE, 6, 48001 BILBAO (BIZKAIA), Spain Tax ID (NIF): G75579508 Data Protection Officer (DPO): privacy@simforme.com We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other applicable data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.

We collect the following types of personal information: Account Information: When you create an account using Google Sign-In, we receive your name, email address, and profile picture from Google. Purchase Information: When you make a purchase, we collect details necessary to process your order, including your email address and payment-related information. Payment card details are processed directly by Stripe and are never stored on our servers. eSIM Data: We store eSIM identifiers (ICCID), activation status, and usage data to provide and manage your eSIM service. Usage Data: We automatically collect information about how you interact with our Service, including your IP address, browser type, pages visited, and timestamps. Communication Data: If you contact our support, we collect the content of your messages and associated metadata.

We use your personal information for the following purposes: - To provide, operate, and maintain our eSIM services - To process your purchases and manage your orders - To send you order confirmations, eSIM QR codes, and service notifications - To provide customer support and respond to your inquiries - To send you expiry warnings and low data alerts for your eSIMs - To detect, prevent, and address fraud or technical issues - To comply with legal obligations - To improve our Service and develop new features

Under the GDPR, we process your personal data based on the following legal grounds: Performance of a Contract: Processing necessary to fulfill our obligations when you purchase an eSIM or use our Service. Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, service improvement, and security, provided these interests do not override your fundamental rights. Legal Obligation: Processing necessary to comply with applicable laws and regulations. Consent: Where required, we will obtain your explicit consent before processing your personal data for specific purposes, such as marketing communications. You may withdraw your consent at any time.

We may share your personal information with the following third parties (Data Processors and Controllers): AirGSM Pte Ltd (Singapore) — our eSIM wholesale provider. We share necessary order details (email, order data) to provision and manage your eSIM. Role: Data Processor. Data is processed under Standard Contractual Clauses (SCCs). Stripe Inc. (United States) — our payment processor. Stripe processes your payment information as an Independent Data Controller in accordance with their privacy policy. Supabase Inc. (United States) — our database and authentication provider. Your account data is stored securely on Supabase infrastructure. Role: Data Processor. Data is processed under Standard Contractual Clauses (SCCs). Resend Inc. (United States) — our email service provider. We share your email address to send transactional emails (order confirmations, eSIM delivery, alerts). Role: Data Processor. Data is processed under Standard Contractual Clauses (SCCs). We do not sell your personal information to third parties. We only share data as necessary to provide our Service.

We use cookies and similar tracking technologies to operate our Service. These include: Essential Cookies: Required for the Service to function properly, including authentication and session management. Analytics Cookies: Help us understand how visitors interact with our Service to improve user experience. You can control cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of our Service. For more information about the cookies we use, please contact us.

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes described in this policy. Specifically: - Account data: Retained while your account is active and for 3 years after account deletion - Order and transaction data: Retained for 7 years to comply with financial and tax regulations - eSIM data: Retained for the duration of the eSIM validity plus 1 year - Usage logs: Retained for 90 days When retention periods expire, we securely delete or anonymize your data.

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including where our service providers operate. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including: - Standard Contractual Clauses (SCCs) approved by the European Commission - Adequacy decisions by the European Commission - Other lawful transfer mechanisms under applicable data protection laws By using our Service, you acknowledge that your data may be processed in these jurisdictions.

Under the GDPR and applicable data protection laws, you have the following rights: Right of Access: You may request a copy of the personal data we hold about you. Right to Rectification: You may request correction of inaccurate or incomplete personal data. Right to Erasure: You may request deletion of your personal data where there is no compelling reason for continued processing. Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances. Right to Data Portability: You may request a copy of your data in a structured, machine-readable format (JSON or CSV). Right to Object: You may object to the processing of your personal data based on legitimate interests. Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. How to Exercise Your Rights (Data Subject Access Request): - Send your request to: privacy@simforme.com - We will respond within 30 days of receiving your request (GDPR Art. 12(3)) - We may request identity verification via your account email - Data will be provided in electronic format (JSON or CSV) Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority: - Spain: Agencia Española de Protección de Datos (AEPD) — https://www.aepd.es - Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — https://www.bfdi.bund.de - United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us immediately.

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include: - Encryption of data in transit (TLS/SSL) and at rest - Row Level Security (RLS) on our database - Secure authentication via OAuth 2.0 (Google Sign-In) - Regular security reviews However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date. We encourage you to review this policy periodically to stay informed about how we protect your information.

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: General inquiries: support@simforme.com Data protection inquiries (DPO): privacy@simforme.com For EU residents, you also have the right to lodge a complaint with your local data protection supervisory authority (see Section 9 for details).