Privacy Policy

What we collect, why, who we share it with, and the rights you have.

Effective 11 May 2026

1. About this policy

This Privacy Policy describes how esimple Pte Ltd (“esimple”, “we”) processes personal data when you visit our websites, sign in to an account, or buy and use one of our travel eSIMs. We are the data controller for the personal data described here.

esimple Pte Ltd is incorporated in Singapore. We comply with Singapore’s Personal Data Protection Act (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).

2. Data we collect

Information you give us

  • Account details: email address and (optional) name when you sign in or create an account.
  • Purchase details: buyer name, email, and phone number, and per-SIM recipient details (name, email, phone) when you send an eSIM as a gift or address SIMs to different people.
  • Payment information: card payments are processed by Stripe. We receive a token reference and the last four digits of the card; we do not store full card numbers or CVCs on our systems.
  • Support correspondence: emails or chat messages you send us.

Information we collect automatically

  • Technical and device data: IP address, approximate country derived from IP, user-agent, screen size, and similar.
  • Usage data: pages viewed, products clicked, and other events that help us understand how the Service is used and improve it. We use first-party cookies and a privacy-respecting analytics tool for this; see “Cookies” below.
  • Operational data from your eSIM: our Network Providers may report aggregate usage (data consumed, validity remaining, country of attachment) to us so we can show you remaining balance and send top-up reminders.

3. How we use your data

We use personal data to:

  • Sell, deliver, and support travel eSIMs you buy from us, including dispatching activation emails and recipient communications.
  • Authenticate you when you sign in to an account.
  • Process payments and refunds.
  • Send transactional emails (receipts, activation, top-up reminders) — you cannot opt out of these and still use the Service.
  • Provide customer support and respond to inquiries.
  • Detect and prevent fraud, abuse, and violations of our Terms.
  • Improve and operate the Service, including measuring performance and analyzing usage in aggregate.
  • Comply with legal obligations, respond to lawful requests, and enforce our agreements.

We do not sell your personal data. We do not use your data for third-party advertising profiling.

Where the GDPR applies, we rely on the following legal bases:

  • Contract: processing necessary to deliver the Service you bought.
  • Legitimate interests: protecting the Service against fraud, improving it, and securing our systems — balanced against your interests.
  • Legal obligation: compliance with tax, accounting, and regulatory requirements.
  • Consent: for any optional marketing or analytics that go beyond what is strictly necessary; you can withdraw consent at any time.

5. Who we share data with

We share personal data only with parties that help us deliver the Service or as required by law. Today these include:

  • Network Providers (KeepGo, Maya Mobile, RedTeaMobile, and similar) — we send the minimum information they need to allocate an eSIM profile, typically a transaction identifier and the plan you bought. Their privacy practices govern any data they collect directly from your device once the eSIM is active.
  • Stripe — payment processing. Stripe receives the data needed to charge your card and to perform anti-fraud checks.
  • Resend — transactional email delivery (receipts, activation, sign-in links).
  • Cloud infrastructure providers (Amazon Web Services and Cloudflare) — for hosting, content delivery, and security.
  • Customer support tools — when you contact support, your messages and the context we need to help are accessible to our support staff.
  • Professional advisers and authorities — accountants, lawyers, regulators, and law enforcement where we have a legal obligation or legitimate interest to share.

6. International transfers

We operate from Singapore, our infrastructure is primarily in the United States and globally distributed via Cloudflare, and our Network Providers operate internationally. Your personal data may be transferred to and processed in countries other than the one you live in. Where required by law, we put in place appropriate safeguards (such as the Standard Contractual Clauses) for cross-border transfers.

7. Data retention

We retain personal data for as long as needed to provide the Service and meet our legal, tax, and accounting obligations. In practice:

  • Order records (purchases, refunds, activation data): up to 7 years after purchase, to satisfy Singapore accounting law.
  • Account records: for the lifetime of the account plus 1 year of inactivity; you can request earlier deletion.
  • Support correspondence: up to 2 years from the date of last contact.
  • Server access logs and security records: typically 30–90 days.

8. Security

We protect personal data with reasonable technical and organisational measures: TLS for data in transit, encrypted storage for credentials and payment tokens, scoped access for staff, network segmentation, and regular review of our practices. No system is perfectly secure; if we ever become aware of a breach affecting your data we will notify you and the relevant authorities as required by applicable law.

9. Your rights

Depending on where you live, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectify — ask us to correct inaccurate or incomplete data.
  • Delete — ask us to delete your personal data, subject to legal retention obligations.
  • Restrict — ask us to limit how we use your data.
  • Object — object to processing we carry out on the basis of legitimate interests.
  • Portability — request a machine-readable copy of certain personal data you provided to us.
  • Withdraw consent — at any time, where processing is based on consent.
  • Lodge a complaint — with the Singapore Personal Data Protection Commission (PDPC) or your local supervisory authority.

To exercise any of these rights, email legal@esimple.ai. We’ll respond within 30 days (or as required by your local law) and may need to verify your identity first.

10. Cookies and similar tech

We use a small number of cookies and similar technologies:

  • Strictly necessary — for sign-in sessions and cart state. Without these, the Service does not work.
  • Performance — to understand how our pages perform and where they fail. These are anonymised and aggregated.

We do not use third-party advertising trackers or behavioral retargeting cookies.

11. Children

Our Service is intended for travelers aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced on the website and, where appropriate, emailed to account holders. The “Effective” date at the top tells you when the current version took effect.

13. Contact us

Privacy questions and rights requests: legal@esimple.ai
Post: esimple Pte Ltd, 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore (068914).
