01Introduction
When we say "Eflexsim", "we", "our", or "us", we mean Top Explore Pte Limited, a company registered in Hong Kong with its registered office at Room A, 12/F, ZJ 300, 300 Lockhart Road, Wan Chai, Hong Kong. Top Explore Pte Limited is the controller of your personal data.
Eflexsim is operated from Hong Kong, where the Personal Data (Privacy) Ordinance (PDPO) applies. Because we offer our Services to travelers worldwide, including in the European Economic Area (EEA) and the United Kingdom, we also comply with the EU General Data Protection Regulation (GDPR) and the UK GDPR in respect of those visitors, in addition to the PDPO.
Where you have been provided with access to Eflexsim's Services by a third party (for example a travel agency or your employer), Eflexsim may receive your personal data from that third party. You should also read their privacy policy, because they may collect, handle, and process your personal data differently from how we do.
02Personal Data We Collect
Personal data is any information that relates to an identifiable individual. We collect personal data in three ways: directly from you, through your use of the Services or Platform, and from authorised third parties.
Directly from you — when you register for an Eflexsim account, sign up to receive communications, make a purchase, or contact us via email or chat.
Through your use of the Services or Platform — information such as your IP address, cookie and similar identifiers, approximate location, the device and browser you are using, and how you interact with our website or apps. Some of this information is collected by cookies and similar technologies described in our Cookie Policy.
From authorised third parties — where you have authorised it, where it is legally permitted, or where it is necessary to provide the Services. For example, when you have purchased through a partner, when you have authorised a third-party platform (such as Apple, Google, or Facebook) to share your details with us, or when we work with marketing partners.
Categories of personal data
- Account data. First name, last name, email address, postal address or location (country, region, city), and a phone number you provide at sign-up. The phone number is collected for support purposes and is not currently used for SMS verification.
- Third-party log-in data. If you create an account using a third-party platform (such as Apple, Google, or Facebook), we may receive log-in information from that platform, depending on what you have shared and your privacy preferences there.
- Purchase and order data. Records of the eSIM packages you purchase, the destination and dates of travel they relate to, and metadata about each order (order number, status, dates, refund history).
- Payment data. When you pay, our payment processor collects your card details directly. We do not store full card numbers on our servers. We retain payment metadata such as the last four digits of your card, the card brand, and the payment-intent identifier.
- Usage data. Information about your browser, operating system, and IP address; the pages you visit, time spent, and links followed; and how you interact with our app.
- Device and approximate location data. Generic device information (IP address, make, model, operating system); non-specific location based on your IP address; and, where you grant permission, more specific location data from your mobile device.
- Preference data. Consents you have provided or declined; email and push notification preferences; cookie preferences; preferred language and currency.
- Communications data. The content of communications with our support team, including feedback, help requests, and chat transcripts (including via our live-chat provider); and metadata such as time, date, and how you interact with our marketing emails (open and click-through rates).
- User-generated content. Reviews, photos, comments, or content you upload or share with us, and your public engagement with us on social media or review platforms (such as Trustpilot).
Special categories of personal data
These are more sensitive types of data, such as information relating to your health, religion, or ethnic origin. We do not normally collect these categories, but you may choose to reveal them — for example when you contact our support team or provide accessibility feedback. We do not use such information except to respond to your request.
03How We Use Your Personal Data and Our Legal Bases
We use your personal data for the following purposes. For visitors protected by the GDPR/UK GDPR, the legal basis for each is shown.
- To perform our contract with you (Article 6(1)(b)). Providing the Services you purchase, processing payments, provisioning and delivering your eSIM, sending order confirmations and delivery information, and providing customer support.
- To pursue our legitimate interests (Article 6(1)(f)). Improving our Services and Platform, developing features, fixing faults, enhancing security and preventing fraud, responding to your questions, operating our business (analysis, audits, internal reporting), and — where permitted — limited marketing to existing customers. Where we rely on legitimate interests, we balance them against your rights, and you may object (see "Your Rights").
- Where you have given consent (Article 6(1)(a)). For example, to send you marketing communications, and to set non-essential cookies and similar technologies (analytics and marketing) as described in our Cookie Policy. You can withdraw consent at any time through the in-app preference controls, the cookie preference centre, or by contacting privacy@eflexsim.com.
- To comply with legal obligations (Article 6(1)(c)). For example, retaining transaction records for tax law, responding to lawful requests from authorities, and defending legal claims.
Where you withdraw consent, we may continue to process your personal data if we can justify doing so on another lawful basis (for example, to perform our contract with you or to comply with a legal obligation).
Automated processing. Our payment processors use automated tools to assess transactions for fraud and risk. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human involvement. If you believe a transaction was wrongly declined, contact support@eflexsim.com.
04Who May Have Access to Your Personal Data
Eflexsim staff. A limited number of staff have access on a need-to-know basis to operate our business and provide support.
External service providers (sub-processors). We rely on third parties to provide our Services and operate our Platform. These currently include:
- Airalo — eSIM connectivity supplier; your eSIM is provisioned by Airalo on the underlying networks.
- Our third-party payment provider — payment processing.
- Supabase — database, authentication, file storage.
- Vercel — web hosting and cookieless web analytics.
- ZeptoMail — transactional email delivery.
- Sentry — error tracking and monitoring.
- Google (Google Analytics / Google Tag Manager) — website analytics and tag management (loaded subject to your consent).
- Meta Platforms (Meta/Facebook Pixel) — advertising measurement (loaded subject to your consent).
- Tawk.to — live chat and customer support messaging. Tawk.to sets cookies to maintain your chat session; the chat widget loads on our website (except the checkout page).
We require all sub-processors to provide appropriate contractual safeguards for the transfer and processing of personal data. An up-to-date list is available on request.
Distribution and marketing partners. Where we work with partners to sell or promote our Services, we may share information with them, particularly if you purchased through a partner.
Legal and compliance disclosures. We may disclose personal data to comply with laws, respond to legal claims (including subpoenas and court orders) and requests from authorities, cooperate with regulators, investigate or prevent fraud, or in connection with a sale, merger, or acquisition of our business.
05How Long We Keep Your Personal Data
We keep your personal data only for as long as we need it, or as required by law. Retention depends on why it was collected and whether we have a continuing legal basis (for example, performing our contract or meeting tax record-keeping requirements). When we no longer have a reason to keep your data, we delete or anonymise it. You can ask us to delete your data at any time (see "Your Rights"); in some cases we may be required by law, or have compelling legitimate grounds, to retain some of it.
06How We Keep Your Personal Data Secure
We have put in place security measures including encryption in transit and at rest, role-based access controls, audit logging, and limiting access to staff and contractors with a business need to know. No method of transmission or storage is completely secure, and while we use appropriate safeguards we cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to affect you, we will notify you and the relevant authorities as required by applicable law.
To protect our checkout and accounts from automated abuse and fraud, we use Cloudflare Turnstile. Turnstile runs invisibly in the background and analyses signals about your device and browser to confirm you are a genuine visitor rather than an automated bot; it normally requires no action from you. Your use of Turnstile is subject to Cloudflare's Turnstile Privacy Addendum (https://www.cloudflare.com/turnstile-privacy-policy/) and Cloudflare's Privacy Policy.
07International Transfer of Your Personal Data
We operate from Hong Kong and use service providers located in the United States and other countries. Your data may therefore be stored and processed outside your home country, including outside the EEA and the UK. Laws in those countries may not provide the same level of protection.
Where personal data of EEA or UK individuals is transferred to a country without an adequacy decision, we rely on appropriate safeguards:
- Some of our US providers (including Vercel and Google) are certified under the EU-U.S. Data Privacy Framework and its UK Extension, which provides a recognised basis for transferring EEA/UK personal data to the United States.
- For providers not covered by that framework (such as our payment provider), we use the EU Standard Contractual Clauses for EEA transfers and the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU clauses for UK transfers, together with appropriate technical and organisational measures.
You may contact privacy@eflexsim.com for more information about the safeguards we use.
08Your Rights
Depending on your location, you may have the following rights:
- Access — request a copy of the personal data we hold and check that we process it lawfully.
- Correction — request that we correct inaccurate data.
- Erasure — request deletion where there is no good reason for us to continue holding it.
- Restriction — request that we restrict processing.
- Objection — object to processing based on legitimate interests; you have an absolute right to object to direct marketing.
- Withdrawal of consent — withdraw consent at any time where we rely on it.
- Portability — receive your data in a structured, commonly used, machine-readable format, or have it transferred to another controller.
You can exercise most of these rights through your account settings. Otherwise, contact privacy@eflexsim.com. For individuals protected by the GDPR/UK GDPR, we will respond within one month, extendable by a further two months for complex requests, as permitted by law.
09Children
Our Services and Platform are not directed at children under 16, and we do not knowingly collect their personal data, nor permit purchases by them. If you believe a child has provided personal data to us, please notify privacy@eflexsim.com and we will take steps to delete it.
10Regional Notice — EU/EEA and UK
If you are located in the EU, the EEA, or the UK, additional rights apply under the GDPR and the UK GDPR, including those listed in "Your Rights". You have the right to lodge a complaint with your local data protection supervisory authority (in the UK, the Information Commissioner's Office).
EU and UK representatives. As a controller established outside the EEA and the UK that offers services to individuals there, we are in the process of appointing representatives under Article 27 GDPR / UK GDPR. Once appointed, their names and contact addresses will be published here, and you will be able to contact the relevant representative regarding the processing of your personal data. In the meantime, you can reach us about any data-protection matter at privacy@eflexsim.com.
11Regional Notice — United States (California)
If you are a California resident, the CCPA (as amended by the CPRA) gives you rights including the right to know what personal data we have collected, to delete it, to correct it, to opt out of the "sale" or "sharing" of personal data, and to limit our use of sensitive personal data. Where we use advertising technologies such as the Meta Pixel, certain data practices may constitute "sharing" under the CPRA; you can exercise your opt-out and other rights by contacting privacy@eflexsim.com or using the cookie preference controls on our site.
12Changes and Contact
We may update this Privacy Policy from time to time; the "Last updated" date will reflect changes. If you have questions or wish to exercise your rights, contact privacy@eflexsim.com. If you need this policy in an alternative format due to a disability, please contact us at the same address.