Privacy Policy

1. Scope and Application

This Privacy Policy applies to personal information processed through the DataFly mobile App. The App is available to users worldwide, and we may process information about users located in different countries.

Our website is primarily informational; however, if you visit our website, we may use cookies and similar technologies (e.g., analytics tags) as described in Section 3.10.

Where third-party services are integrated into or used in connection with the App (for example, payment processors, identity providers, analytics and advertising measurement partners), those third parties may process information under their own privacy policies and terms.

2. Definitions

• Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with an individual.
• Processing means any operation or set of operations performed on Personal Information, such as collecting, storing, using, disclosing, or deleting.
• Activation Details means information required to activate an eSIM, including SM-DP+ address, activation code, and QR activation data.
• Connectivity Partners means third parties involved in provisioning and delivering cellular connectivity for eSIM plans (including providing usage information such as MB consumption).
• Service Providers means vendors and contractors that process Personal Information on our behalf and under our instruction to provide services to us (e.g., hosting, analytics, payment processing).

3. Categories of Personal Information We Collect

The categories of Personal Information we collect depend on how you use the App. You may browse certain App content without creating an account.

3.1 Account Registration Information

If you create an account, we may collect your first and last name and email address. If you sign up using email, we also collect a password (stored in a protected form). If you sign in using Apple or Google, we receive the name and email address made available by the provider and your settings.

We do not require phone-number verification and we do not collect date of birth.

3.2 Purchases, Top-Ups, and Payment Information

If you purchase an eSIM or complete a top-up, payment is processed by Stripe. We do not store full payment card numbers or sensitive card authentication data on our servers. We may store limited payment-related information such as the cardholder name and the last four (4) digits of the payment card, and records of your purchases and top-ups.

For fraud prevention and payment verification purposes, we may collect billing address information for transactions in Canada and the United States.

We do not currently issue invoices.

3.3 eSIM Activation and Provisioning Data

To provision and deliver eSIM services and to enable you to access Activation Details within the App, we collect and store Activation Details on our servers and associate them with your account and/or transaction. Activation Details may include SM-DP+ address, activation code, and QR activation data.

3.4 eSIM and Device Identifiers

For provisioning, managing, troubleshooting, security, and fraud prevention, we may collect and process identifiers and technical information such as EID, ICCID, IMSI, IMEI, device serial number, and similar device identifiers.

3.5 Data Consumption Information

We may receive data consumption information (e.g., usage measured in MB) from Connectivity Partners to display usage and support service operations, troubleshooting, and customer support.

3.6 App and Network Log Data (Including IP Address)

We may automatically collect log and usage data when you use the App, including IP address and related technical information, timestamps, and information about interactions with the App, including during checkout and payment flows.

3.7 Device Information and Advertising Identifiers

We may collect device information such as device type, operating system, and device model, as well as advertising identifiers (where available, such as IDFA on iOS), Device ID and/or Install ID, and similar identifiers. These identifiers may be used for analytics, security, fraud prevention, and advertising measurement/attribution, subject to your device settings and applicable law.

iOS App Tracking Transparency (ATT): On iOS devices, we may request permission to access the device’s advertising identifier for measurement and attribution. If you deny permission, our ability to attribute installs or activity to advertising campaigns may be limited.

3.8 Performance and Crash Data

We collect performance and crash-related information through Firebase to diagnose issues, maintain the security and integrity of the App, and improve stability. This may include crash logs, diagnostic data, device/OS details, timestamps, and app state at the time of an error.

3.9 Customer Support Communications

If you contact support through in-app live chat or our support portal (support.datafly.app), we collect the content of communications, attachments you provide, and any information you choose to share (such as name and email address).

We use a proprietary/in-house support and ticketing system, although underlying hosting and infrastructure providers may process data as part of providing technical services.

The content of your support communications (including in-app live chat and email) may be shared with third-party service providers for the purpose of processing, resolving, and improving support operations. Accordingly, you should not disclose confidential, sensitive, or highly personal information (such as government-issued ID numbers, financial account details, or passwords) through support channels unless specifically requested and necessary to resolve your inquiry.

3.10 Website Cookies and Similar Technologies

If you visit our website, we may use cookies, pixels, SDKs, and similar technologies for functionality and analytics (for example, Google Analytics and Google Tag Manager, or similar tools). These technologies may collect information such as IP address, device/browser characteristics, and information about your interactions with the website. You can usually control cookies through your browser settings; if you disable cookies, certain website features may not function as intended.

3.11 Permissions and Communications

The App does not request access to location services, camera, contacts, or Bluetooth. The App may request iOS advertising tracking permission (ATT) as described above. We do not send marketing emails. The App may send push notifications for service-related purposes, including support message replies, data usage alerts, order confirmations, and eSIM activation updates. You can disable push notifications at any time through your device settings.

4. How We Use Personal Information

We use Personal Information for the following purposes:

• To provide and operate the App, including creating and managing user accounts.
• To provision and deliver eSIM services, including displaying Activation Details and enabling top-ups.
• To process transactions and payments, maintain transaction records, and resolve payment-related issues.
• To provide customer support and respond to requests, inquiries, and disputes.
• To monitor, prevent, detect, investigate, and address fraud, unauthorized activity, security incidents, and misuse of the App.
• To conduct analytics and improve the App’s performance, reliability, and user experience (including crash and performance analysis).
• To measure the effectiveness of our advertising campaigns and perform marketing attribution (without serving third-party ads inside the App).
• To comply with applicable law and lawful requests, and to enforce our terms and policies.

4.1 Legal Bases for Processing (EEA/UK)

If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases (as applicable) to process Personal Information:

• Contract: To provide the App and eSIM services you request (including account creation, provisioning, and top-ups).
• Legitimate Interests: To secure the App, prevent fraud, improve reliability and performance, and measure the effectiveness of our advertising, where those interests are not overridden by your rights.
• Consent: For certain advertising measurement/tracking activities where required (for example, iOS ATT permission), and for certain cookies or similar technologies on the website where required.
• Legal Obligation: To comply with applicable laws and respond to lawful requests (including valid legal process such as a court order).

Where we rely on consent, you may withdraw it at any time (for example, through device settings). Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

5. How We Disclose Personal Information

We may disclose Personal Information in the following circumstances:

• Service Providers: We disclose Personal Information to Service Providers that perform services on our behalf, such as payment processing (Stripe), hosting and infrastructure, analytics and crash/performance services (Firebase), and other technical service providers.
• Advertising and Measurement Partners: We may share certain identifiers and event data with advertising and measurement partners (such as TikTok and Meta) and related tools (such as Firebase) to measure the performance of our advertising campaigns and attribute installs or purchases.
• Connectivity Partners: We disclose technical information necessary to provision and deliver the eSIM service (including identifiers and Activation Details) to Connectivity Partners involved in providing the eSIM and connectivity. We do not share information that directly identifies you (such as your name or email address) with mobile network operators for their own purposes.
• Legal and Compliance: We may disclose information to government authorities, law enforcement, or other third parties if we believe disclosure is necessary to comply with a valid legal process (for example, a court order), to protect rights and safety, or to investigate fraud or security issues.
• Business Transfers: If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, Personal Information may be transferred as part of that transaction, subject to applicable law and appropriate confidentiality protections.
• With Your Direction or Consent: We may disclose information when you instruct us to do so or consent to the disclosure.

We do not sell Personal Information. We do not disclose Personal Information to third parties for their own direct marketing purposes.

6. Advertising, Analytics, and Tracking

We use analytics and measurement tools to understand App performance and to measure the effectiveness of our advertising. The App does not display third-party ads (for example, ad networks that serve ads inside the App).

Our advertising/measurement and analytics tools may include TikTok, Meta, and Firebase. These tools may receive device identifiers (such as advertising identifiers), event information, and other technical data to support measurement and attribution.

You can control certain tracking through your device settings. On iOS, you can grant or deny App Tracking Transparency (ATT) permission. If you deny ATT, we may still process non-identifier or aggregated information for analytics and security, to the extent permitted by law.

7. Data Retention and Account Deletion

We retain Personal Information for as long as reasonably necessary to provide the App and our services, to maintain records of your transactions and account, to comply with legal obligations, to resolve disputes, and to enforce our agreements.

As part of normal operation, we may retain the following categories of information associated with your account: your orders and transaction records (which may include Activation Details and technical identifiers necessary to provide the eSIM service), your first and last name, IP address and related log data, and limited payment-related information (such as the last four digits of a card and cardholder name).

If you request account deletion through the App, we will delete the above account-related information within fourteen (14) days, unless retention is required or permitted by law (for example, for accounting, compliance, fraud prevention, or security purposes).

If you sign in to your account during the fourteen (14) day deletion period, your deletion request will be cancelled. If you still wish to delete your account, you must submit a new deletion request, and the fourteen (14) day period will start again from the date of the new request.

Even after deletion, copies of certain information may persist in backup systems for a limited period as part of routine backup and disaster recovery practices, and will be deleted or overwritten according to our backup retention schedules.

8. Security

We implement administrative, technical, and physical safeguards designed to protect Personal Information. These measures include encryption in transit using TLS, encryption at rest, access controls, and audit logging.

Activation Details are not available to employees by default. Access is highly restricted to trusted personnel and each access is logged within our systems.

9. International Data Transfers

Our primary servers are hosted in the European Union. However, Personal Information may be processed in other countries in connection with backups, technical operations, and the third-party services we use (for example, payment processing and advertising measurement providers).

Where required by applicable law, we take steps designed to ensure an adequate level of protection for cross-border transfers, such as entering into appropriate contractual safeguards.

10. Your Rights and Choices

You may access and update certain account information through the App. You may also request deletion of your account through the App, subject to Section 7.

The App does not currently provide an in-app toggle to disable analytics or advertising measurement. You may still limit certain data collection through your device settings (for example, iOS ATT permission and advertising identifier settings) and through your platform or browser controls.

If you would like to make a privacy request or exercise rights that may be available under applicable law (such as access, deletion, correction, or objection), you may contact us at [email protected]. We may need to verify your identity before fulfilling certain requests.

10.1 Additional Information for EEA/UK Users

If you are located in the EEA or the UK, you may have the right to request access to, correction of, deletion of, restriction of processing of, or portability of your Personal Information, and to object to certain processing (including processing based on legitimate interests). You also have the right to lodge a complaint with a supervisory authority in your country of residence or work.

Where we process Personal Information based on your consent, you have the right to withdraw consent at any time (for example, through device settings).

10.2 California Notice

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to request access to or deletion of certain Personal Information and the right to opt out of the “sale” or “sharing” of Personal Information as those terms are defined by California law.

We do not sell Personal Information. We use advertising measurement and attribution tools (see Section 6); under California law this may be considered “sharing.” You may limit this through device privacy controls (for example, iOS ATT) or contact us at [email protected] to opt out of sale/sharing.

11. Automated Decision-Making

Payment transactions may be subject to automated fraud and risk checks performed by our payment processor (Stripe). As a result, a payment may be declined. A declined payment does not necessarily result in an automatic account suspension. If you believe a transaction was incorrectly declined, please contact support.

12. Compliance Screening

We may have obligations to comply with applicable sanctions or other legal requirements. At this time, we do not perform automated screening of users for sanctions compliance, but we may take action where required by law.

13. Sensitive Personal Information

We do not intentionally collect sensitive personal information such as government-issued identification numbers (e.g., passport), identity photos, or biometric data. We also do not collect precise location data from your device because the App does not request location permission.

14. Children’s Privacy

The App is intended for users 18 years of age or older and is not directed to children. We do not knowingly collect Personal Information from individuals under 18. If you believe a child has provided us Personal Information, please contact us so we can take appropriate action.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the App or by other appropriate means. The “Effective Date” at the top of this Policy indicates when it was last updated.

16. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at [email protected].