01Introduction
When we say "Eflexsim", "we", "our", or "us", we mean NexWeb Solutions LLC, a company registered in the United Arab Emirates at Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, UAE.
Where you have been provided with access to Eflexsim's Services by a third party (for example a travel agency or your employer), Eflexsim may receive your personal data from that third party. You should also read their privacy policy, because they may collect, handle, and process your personal data differently from how we do.
02Personal Data We Collect
Personal data is any information that relates to an identifiable individual. We collect personal data in three ways: directly from you, through your use of the Services or Platform, and from authorised third parties.
Directly from you. When you provide it to us — for example when you register for an Eflexsim account, sign up to receive communications, make a purchase, or contact us via email or chat.
Through your use of the Services or Platform. Information such as your IP address, cookie identifiers, approximate location, the device and browser you are using, and how you interact with our website or apps. Some of this information is collected by cookies and similar technologies described in our Cookie Policy.
From authorised third parties. Where you have authorised it, where it is legally permitted, or where it is necessary for us to provide the Services. For example, when you have purchased our Services through a partner, when you have authorised a third-party platform (such as Apple, Google, or Facebook) to share your personal details with us, or when we work with marketing partners.
Information we collect
When you are a customer of our Services or Platform, we collect, use, store, and share the following categories of personal data:
Account data. First name, last name, email address, postal address or location (country, region, city), and a phone number you provide at sign-up. The phone number is collected for support purposes and is not currently used for SMS verification.
Third-party log-in data. If you create an account using a third-party platform (such as Apple, Google, or Facebook), we may automatically receive log-in information from that platform. The information varies depending on what you have shared with the platform and your privacy preferences there.
Purchase and order data. Records of the eSIM packages you purchase, the destination and dates of travel they relate to, and metadata about each order (order number, status, dates, refund history).
Payment data. When you pay for a purchase, our payment processor Stripe collects your card details directly. We do not store full card numbers on our servers. We retain payment metadata such as the last four digits of your card, the card brand, and the Stripe payment intent identifier.
Usage data. Information about your browser, operating system, and IP address; information about the pages you visit, how long you spend on them, and the links you follow; and information about how you interact with our app.
Device and approximate location data. Generic information from your device such as IP address, make, model, and operating system; non-specific location based on your IP address; and, where you grant permission, more specific location data from your mobile device.
Preference data. Specific consents you have provided or declined; email and push notification preferences; cookie preferences; preferred language and currency.
Communications data. The content of communications between you and our support team, including feedback, help requests, and chat transcripts; metadata such as time, date, and how you interact with our marketing emails (open rate, click-through rate).
User-generated content. Reviews, photos, comments, or other content you upload to our Platform or share with us. Your engagement with us on social media platforms or third-party review platforms (such as Trustpilot), including comments, photos, and publicly available information about your social media account.
Special categories of personal data
These are more sensitive types of data, such as information relating to your health, religion, or ethnic origin. We do not normally collect these categories of data, but you may choose to reveal them — for example when you contact our support team or provide accessibility feedback.
03How We Use Your Personal Data
We use your personal data for the following purposes, or a combination of them:
- To perform our contract with you. Including providing the Services you purchase, processing payments, sending order confirmations and eSIM delivery information, and providing customer support.
- To pursue Eflexsim's legitimate interests. Including improving our Services and Platform, developing new features, fixing faults, enhancing security and preventing fraud, responding to your questions, personalising your experience, performing surveys and market research, sending marketing communications where consent has been provided, and operating our business (data analysis, audits, internal reporting).
- To exercise or comply with legal rights and obligations. For example, retaining transaction records to comply with tax law, responding to lawful requests from authorities, or defending legal claims.
- Where you have given consent. For example to send you marketing emails. You can withdraw your consent at any time, either through the in-app preference controls or by contacting us at legal@eflexsim.com.
Where you withdraw consent, we may continue to process your personal data if we can justify doing so on another lawful basis listed above (for example, to perform our contract with you or to comply with a legal obligation).
04Who May Have Access to Your Personal Data
Eflexsim staff. A limited number of Eflexsim staff have access to your data to help operate our business and provide support. Access is on a need-to-know basis.
External service providers (sub-processors). We rely on third parties to provide certain elements of our Services or to support the technical operation of our Platform. These include:
- Airalo (our eSIM connectivity supplier — your eSIM is provisioned by Airalo on the underlying mobile networks)
- Stripe (payment processing)
- Supabase (database, authentication, file storage)
- Vercel (web hosting)
- ZeptoMail (transactional email delivery)
- Sentry (error tracking and monitoring)
We require all sub-processors to provide appropriate contractual safeguards for the transfer and processing of personal data.
Distribution and marketing partners. Where we work with partners to sell or promote our Services, we may need to share information with them, particularly if you have purchased Services from a partner rather than from us directly.
Legal and compliance disclosures. We may disclose your personal data to comply with laws, respond to legal claims (including subpoenas and court orders) and requests from government or public authorities, cooperate with regulatory bodies, investigate or prevent fraud or misuse of our Services, or in connection with the sale, merger, or acquisition of all or part of our business.
05How Long We Keep Your Personal Data
We keep your personal data only for as long as we need it, or for as long as we are required to retain it by law. This depends on why it was collected and whether we have a continuing legal basis to retain it (for example, to perform our contract with you or to meet tax record-keeping requirements).
When we no longer have a reason to keep your data, we either delete it or anonymise it so it can no longer identify you. You can ask us to delete your personal data at any time using the controls described in the "Your Rights" section below. In some cases, we may be required by law to retain some or all of your personal data, or have compelling legitimate interests to do so, even after a deletion request.
06How We Keep Your Personal Data Secure
We have put in place security measures to prevent your personal data from being lost, used, or accessed in an unauthorised way, altered, or disclosed. These include encryption in transit and at rest, role-based access controls, audit logging, and limiting access to staff and contractors who have a business need to know.
No method of transmission over the internet or method of electronic storage is completely secure. While we use appropriate safeguards, we cannot guarantee the absolute security of your personal data.
07International Transfer of Your Personal Data
Your data may be stored and processed globally. The exact location of the data centres depends on where you are when you use the Platform, the locations of our service providers, and where Airalo provisions your eSIM. Laws and regulations in countries where processing happens may not provide the same level of protection of personal data as the regulations in your own country. Where data is transferred outside the European Economic Area (EEA) to a country for which the European Commission has not issued an adequacy decision, we use the EU Standard Contractual Clauses to provide an equivalent level of protection.
08Your Rights
Depending on your location, you may have certain rights in relation to your personal data:
- Access. Request a copy of the personal data we hold about you, and check that we are lawfully processing it.
- Correction. Request that we correct inaccurate personal data.
- Erasure. Request that we delete your personal data where there is no good reason for us to continue holding it.
- Restriction. Request that we restrict how we process your data.
- Objection. Object to processing where we are relying on a legitimate interest. You have an absolute right to object to direct marketing.
- Withdrawal of consent. Withdraw consent at any time where we are relying on consent.
- Portability. Request transfer of your personal data to a third party in a structured, commonly used, machine-readable format.
You can exercise most of these rights through your account settings on our Platform. Where a right is not available through our settings, contact us at legal@eflexsim.com and we will respond within the timeframes required by applicable law.
09Children
Our Services and Platform are not directed at children under the age of 13 and we do not knowingly collect personal data from children under 13. If you become aware that a child under 13 has provided personal data to us, please notify us at legal@eflexsim.com and we will take steps to delete it.
10Regional Notice — EU/EEA and UK
If you are located in the European Union, the European Economic Area, or the United Kingdom, additional rights apply under the GDPR and the UK GDPR. You may contact our designated point of contact at legal@eflexsim.com, and you have the right to lodge a complaint with your local data protection supervisory authority.
11Regional Notice — United States (California)
If you are a California resident, the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA) gives you specific rights, including the right to know what personal data we have collected, the right to delete personal data we have collected from you, the right to correct inaccurate personal data, the right to opt out of the sale or sharing of personal data, and the right to limit our use of sensitive personal data. You can exercise these rights by contacting us at legal@eflexsim.com.
12Contact
If you have any questions about this Privacy Policy or would like to exercise your rights, please contact us at legal@eflexsim.com.
If you need this Privacy Policy in an alternative format due to a disability, please contact us at the same address.