Privacy Policy
Last updated : 4/1/2026
1. Data Controller
Simtasy OÜ
Registry Code : 17463804
Tornimäe tn 5
Kesklinna linnaosa, Tallinn
Harju maakond, 10145
Estonia
2. Purposes and Legal Bases of Data Processing
Contract Performance
Processing of orders, eSIM activation, payment processing, and customer accounts for contract fulfillment.
Legal basis : Art. 6 Abs. 1 lit. b DSGVO
Customer Communication
Support requests, transaction emails (order confirmations, eSIM data), and technical notifications.
Legal basis : Art. 6 Abs. 1 lit. b, f DSGVO
Legal Obligations
Retention of accounting records in accordance with the Estonian Accounting Act (Raamatupidamise seadus) and EU law (7 years).
Legal basis : Art. 6 Abs. 1 lit. c DSGVO
Marketing and Advertising
Newsletter, promotional emails, and personalized ads (Google Ads, Meta Ads) only with your consent.
Legal basis : Art. 6 Abs. 1 lit. a DSGVO
Existing Customer Advertising (Art. 13(2) ePrivacy Directive)
If you provided your email address in connection with a purchase, we may use it for direct marketing of our own similar products or services (e.g. discount codes, top-up reminders, upsell offers). This is based on Art. 13(2) of the ePrivacy Directive (2002/58/EC) in conjunction with Art. 6(1)(f) GDPR (legitimate interest). You may object to this use at any time – e.g. via email to support@sim.do or using the unsubscribe link in every email.
Legal basis : Art. 6 Abs. 1 lit. f DSGVO
3. Recipients and Third-Party Services
To provide our services, we use the following service providers:
Stripe (Payment Processing)
Credit card payments, invoicing
Supabase (Database & Authentication)
Customer data storage, login management
Cloudflare Pages (Hosting & CDN)
Website delivery, DDoS protection, SSL/TLS
Resend (Email Delivery)
Transaction emails, order confirmations
eSIM Access (API & Webhooks)
eSIM provisioning, activation, status queries
4. Data Transfers to Third Countries
Some service providers (Stripe, Supabase, Cloudflare, Google, Meta) process data in the USA. Transfers are based on Standard Contractual Clauses (SCC) approved by the EU Commission and/or the EU-U.S. Data Privacy Framework.
Note : Standard Contractual Clauses and adequacy decisions ensure an adequate level of data protection according to Art. 46 and Art. 45 GDPR.
5. Retention Period and Deletion
- • Contract data: until full contract completion + statutory retention periods
- • Accounting records: 7 years (Estonian Accounting Act)
- • Marketing consents: until withdrawal or deletion request; existing customer advertising: until objection
- • Server log files: maximum 90 days
6. Data Subject Rights
You have the following rights regarding your personal data:
- • Right of Access (Art. 15 GDPR) : Right to confirmation whether and which data is being processed
- • Right to Rectification (Art. 16 GDPR) : Correction of inaccurate data
- • Right to Erasure (Art. 17 GDPR) : Deletion of your data, unless statutory retention obligations apply
- • Right to Restriction (Art. 18 GDPR) : Blocking of processing under certain conditions
- • Right to Data Portability (Art. 20 GDPR) : Receive your data in a structured, commonly used format
- • Right to Object (Art. 21 GDPR) : Object to processing based on legitimate interests
- • Right to Lodge a Complaint (Art. 77 GDPR) : Right to file a complaint with the competent supervisory authority. The responsible data protection authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI), Tatari 39, 10134 Tallinn, Estonia, info@aki.ee
7. Cookies and Tracking
Our website uses cookies. We distinguish between technically necessary cookies and those requiring your consent (Art. 5(3) ePrivacy Directive 2002/58/EC, implemented in the Estonian Electronic Communications Act).
Technically Necessary Cookies
Storage of language settings, session management, shopping cart functionality. These are required to provide the website.
Analytics (Google Analytics 4)
This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). We use "Consent Mode" so that no personal data is processed without your consent. Google Analytics uses cookies to analyze your use of the website. The information generated by the cookie about your use of this website is usually transmitted to and stored by Google on servers in the United States. We have activated IP anonymization so that your IP address is truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area beforehand. The legal basis is your consent according to Art. 6(1)(a) GDPR.
Legal basis : Art. 6 Abs. 1 lit. a DSGVO, Art. 5 Abs. 3 ePrivacy-Richtlinie
Marketing Cookies (Google Ads, Meta Ads)
Only with consent: Personalized advertising, conversion tracking.
Legal basis : Art. 6 Abs. 1 lit. a DSGVO, Art. 5 Abs. 3 ePrivacy-Richtlinie
You can adjust or withdraw your cookie settings at any time in the footer under "Cookie Settings".
8. Payment Processing (Stripe)
All payment transactions are processed through Stripe Inc. Payment data (credit card number, name, billing address) is transmitted directly to and processed by Stripe. We do not store complete credit card data.
Legal basis : Art. 6 Abs. 1 lit. b DSGVO
Stripe Inc. , 510 Townsend Street, San Francisco, CA 94103, USA
9. Contact and Communication
When you contact us via email, your information (name, email, message) will be stored to process your inquiry.
Legal basis : Art. 6 Abs. 1 lit. f DSGVO
10. Technical Security
We implement technical and organizational measures to protect your data:
- • SSL/TLS encryption for all data transmissions
- • Access controls and authentication
- • Regular security updates and monitoring
11. Changes to this Privacy Policy
We reserve the right to update this privacy policy as needed. The current version is always available on our website.