Privacy Policy
Last updated: May 27, 2026
1. Introduction
ASOCIACION ESTUDIANTIL JUNIOR NEXIO (NIF G75579508) ("we", "us", or "our") operates the website simforme.com and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.
Data Controller:
ASOCIACION ESTUDIANTIL JUNIOR NEXIO
Registered address: PS/ URIBITARTE, 6, 48001 BILBAO (BIZKAIA), Spain
Tax ID (NIF): G75579508
Data Protection Contact: privacy@simforme.com
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other applicable data protection laws.
By using our Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
We collect the following types of personal information:
Account Information: When you create an account using Google Sign-In, we receive your name, email address, and profile picture from Google.
Purchase Information: When you make a purchase, we collect details necessary to process your order, including your email address and payment-related information. Payment card details are processed directly by Stripe and are never stored on our servers.
eSIM Data: We store eSIM identifiers (ICCID), activation status, and usage data to provide and manage your eSIM service.
Usage Data: We automatically collect information about how you interact with our Service, including your IP address, browser type, pages visited, and timestamps.
Communication Data: If you contact our support, we collect the content of your messages and associated metadata.
3. How We Use Your Information
We use your personal information for the following purposes:
- To provide, operate, and maintain our eSIM services
- To process your purchases and manage your orders
- To send you order confirmations, eSIM QR codes, and service notifications
- To provide customer support and respond to your inquiries
- To send you expiry warnings and low data alerts for your eSIMs
- To detect, prevent, and address fraud or technical issues
- To comply with legal obligations
- To improve our Service and develop new features
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data based on the following legal grounds:
Performance of a Contract: Processing necessary to fulfill our obligations when you purchase an eSIM or use our Service.
Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, service improvement, and security, provided these interests do not override your fundamental rights.
Legal Obligation: Processing necessary to comply with applicable laws and regulations.
Consent: Where required, we will obtain your explicit consent before processing your personal data for specific purposes, such as marketing communications. You may withdraw your consent at any time.
5. How We Share Your Information
We may share your personal information with the following third parties acting as Data Processors, Joint Controllers, or Independent Controllers. For each provider we use EU-hosted regions where available, and we rely on Standard Contractual Clauses (SCCs) and other safeguards approved by the European Commission for any transfers outside the EEA.
AirGSM Pte Ltd (Singapore, outside the EEA) — our eSIM wholesale provider. AirGSM/Airalo processes certain customer-related data on our behalf under our Partner Agreement and its Data Processing Addendum, which incorporates the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Modules 2 and 3) to safeguard the transfer to Singapore. Through our API integration we transmit a package selection and an internal order reference, and Airalo provisions and manages the eSIM accordingly.
Stripe Payments Europe, Ltd (Ireland, within the EEA) — our payment processor. Stripe processes your payment information as an Independent Data Controller under its own privacy policy.
Supabase Inc. — our database and authentication provider. Although the company is incorporated in the United States, your account data is hosted in the EU (Ireland, eu-west-1) under Supabase's data-residency configuration. Role: Data Processor. SCCs apply as the safeguard for any onward transfer outside the EEA (for example, remote support access).
Resend Inc. — our transactional email service provider (order confirmations, eSIM delivery, alerts). Although the company is incorporated in the United States, the sending infrastructure for our domain is hosted in the EU (Ireland, eu-west-1). Role: Data Processor. SCCs apply as the safeguard for any onward transfer outside the EEA.
Google LLC (United States, outside the EEA) — provider of Google Analytics 4 and Google Sign-In. Depending on the service and the applicable contractual arrangement, Google may act as a Data Processor (Analytics) or as an Independent Data Controller (Sign-In). Analytics cookies are only set with your consent (lawful basis). SCCs apply as the safeguard for transfers outside the EEA.
Meta Platforms Ireland Ltd (Ireland, within the EEA) — provider of Meta Pixel and other Business Tools used for advertising measurement. Depending on the specific integration (e.g., Meta Pixel or other Business Tools), Meta may act as a Joint Controller or as an Independent Data Controller. Cookies and tracking pixels are only set with your consent (lawful basis). Where data leaves the EEA, SCCs apply as the safeguard.
Microsoft Ireland Operations Ltd (Ireland, within the EEA) — provider of Microsoft Clarity for UX analysis and session recording. Role: Data Processor. Cookies are only set with your consent (lawful basis). Sensitive inputs (passwords, payment fields, personal identifiers) are automatically masked and are not captured in recordings. SCCs apply as the safeguard for any onward transfer outside the EEA.
Vercel Inc. (United States, outside the EEA) — our hosting and performance analytics provider. Vercel is not our long-term store of personal data (that is Supabase), but it processes operational logs (including IP addresses) and performance telemetry necessary to operate the website. Role: Data Processor. SCCs apply as the safeguard.
Notion (internal accounting): We previously used Notion as an internal accounting tool. Following a data minimisation review, customer-identifying data (such as names) is no longer transmitted to Notion; only order identifiers, amounts, and dates are mirrored for bookkeeping. Notion therefore no longer receives personal data from us and is not listed as a processor above.
We do not sell your personal information to third parties. We only share data as necessary to provide our Service.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate our Service. These include:
Essential Cookies: Required for the Service to function properly, including authentication and session management.
Analytics Cookies: Help us understand how visitors interact with our Service to improve user experience.
You can control cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of our Service.
For more information about the cookies we use, please contact us.
7. Data Retention
We retain your personal information for as long as necessary to provide our Service and fulfill the purposes described in this policy. Specifically:
- Account data: Retained while your account is active and for 3 years after account deletion
- Order and transaction data: Retained for 7 years to comply with financial and tax regulations
- eSIM data: Retained for the duration of the eSIM validity plus 1 year
- Usage logs: Retained for 90 days
When retention periods expire, we securely delete or anonymize your data.
8. International Data Transfers
Most of our core processing (database, transactional email, payments) is configured to run in the EU (Ireland) under each provider's data-residency settings where available. However, some of our service providers are established outside the EEA, and certain processing activities — including remote support access, telemetry, or specific services such as eSIM provisioning, analytics, and hosting infrastructure — may involve transfers of personal data to countries outside the EEA.
When personal data is transferred outside the EEA, we rely on the following safeguards under Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs) approved by the European Commission. SCCs are standard data protection clauses adopted by the Commission as a legal safeguard for transfers of personal data to third countries that do not benefit from an adequacy decision.
- Adequacy decisions issued by the European Commission, where applicable.
- Other lawful transfer mechanisms under applicable data protection laws.
For the specific destination countries and safeguards applicable to each of our providers, see Section 5 ("How We Share Your Information").
Consent (for example, for analytics cookies) is described in Section 4 as the lawful basis for certain processing activities. Consent itself does not legitimise an international transfer; where personal data leaves the EEA, a Chapter V GDPR mechanism such as the SCCs described above applies as the legal safeguard.
9. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights:
Right of Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may request correction of inaccurate or incomplete personal data.
Right to Erasure: You may request deletion of your personal data where there is no compelling reason for continued processing.
Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances.
Right to Data Portability: You may request a copy of your data in a structured, machine-readable format (JSON or CSV).
Right to Object: You may object to the processing of your personal data based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.
How to Exercise Your Rights (Data Subject Access Request):
- Send your request to: privacy@simforme.com
- We will respond within 30 days of receiving your request (GDPR Art. 12(3))
- We may request identity verification via your account email
- Data will be provided in electronic format (JSON or CSV)
Right to Lodge a Complaint:
You have the right to lodge a complaint with your local data protection supervisory authority:
- Spain: Agencia Española de Protección de Datos (AEPD) — https://www.aepd.es
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — https://www.bfdi.bund.de
- United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk
10. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.
If you believe we have collected information from a child under 18, please contact us immediately.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Row Level Security (RLS) on our database
- Secure authentication via OAuth 2.0 (Google Sign-In)
- Regular security reviews
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date.
We encourage you to review this policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
General inquiries: support@simforme.com
Data protection inquiries: privacy@simforme.com
If you are an EU resident, you also have the right to lodge a complaint with your local data protection supervisory authority (see Section 9 for details).