Legal

Privacy Policy

Version: 2026-05-20

Last updated: 20 May 2026

1. Introduction

This Privacy Policy explains how Eseemo collects, uses, and protects your personal data when you visit eseemo.com, create an account, or purchase an eSIM. It is written in compliance with the EU General Data Protection Regulation (GDPR) and Kosovo's Law on Personal Data Protection (Law No. 06/L-082).

2. Who is the data controller

The data controller responsible for your personal data is:

Slash Solutions L.L.C Rruga Hyzri Talla, pn. 10000 Pristina, Republic of Kosovo

For privacy inquiries: privacy@eseemo.com

3. What we collect

We collect the minimum data necessary to provide our service.

3.1 Account data

  • Email address — at account creation. Used for account identity, order delivery, and support.
  • Password — stored hashed, never in plain text. Used for account security.
  • Account creation date and login timestamps — collected automatically for security and fraud prevention.
  • Marketing preferences — if you opt in to marketing communications at checkout or in your account settings, we record your preference and the date you opted in, and use it to send occasional product news and promotional emails. You can opt out at any time via the unsubscribe link in any email or by contacting privacy@eseemo.com.

3.2 Purchase and eSIM data

  • Order history (destinations, plans, dates, amounts) — for order management, support, and loyalty calculation.
  • eSIM details (ICCID, activation status, usage) — for delivery, support, and top-up eligibility.
  • Payment card details — handled by Paysera at checkout; we never store card numbers.
  • Cardholder name — for payment verification.
  • Payment transaction metadata — when a payment is processed, Paysera sends us a confirmation record containing your billing country, payment method type, and transaction reference. We store this record as part of the payment audit trail.
  • Tax invoices — a Kosovo-compliant invoice is generated for each completed purchase. Invoices include your account email, billing country, the plan purchased, the amount paid, and the transaction reference. Invoices are stored as PDF records for 10 years (Kosovo tax law) and emailed to you on purchase.
  • Chargeback and dispute records — if a payment is disputed through your bank or card issuer, we receive and store the dispute details: the Paysera chargeback reference, the disputed amount, any evidence submitted, and the outcome. Used for dispute resolution and fraud prevention.
  • Gift order delivery data — if you purchase an eSIM as a gift, the recipient's name and email address you provide are stored for delivery purposes and linked to the order record.

3.3 Loyalty, credits, and referral data

Full details on these programs are in our Credits, Loyalty & Referrals Terms.

  • Credit balance and transaction history — for operating the credits program.
  • Loyalty tier and earn history — for operating the loyalty program.
  • Referral relationships (who referred whom) — for operating the referral program and fraud prevention. If you refer someone, we record that relationship; if you were referred, we record who referred you.
  • Per-referral fraud signals (IP address hash, user-agent hash, payment fingerprint) — captured at the time of referral link creation and at the point of sign-up by the referred user. Stored on the referral record to detect shared devices, coordinated fraud, and self-referral abuse.
  • Promotional spend audit records — when credits or a discount code are applied to a purchase, we record the mechanism used (e.g. credit, referral discount, promo code), the amount applied, and the order it applied to. Used for accounting accuracy, fraud detection, and support queries.
  • Roam Roulette participation data (spin timestamp, prize awarded, prize value) — collected when you participate in the Roam Roulette gamification feature after a purchase. Used to operate the feature, grant prizes, and audit prize delivery. Retained for the lifetime of your account and deleted with it.

3.4 Automatically collected data

  • IP address — server logs, for security, fraud prevention, and regional pricing.
  • Browser type, device, user-agent — for compatibility, security, and fraud prevention.
  • Pages visited — for service improvement.
  • Approximate location (country-level, derived from IP) — for currency display and fraud prevention.

3.5 What we do NOT collect

We do not collect your precise/GPS location, your phone number, browsing history outside Eseemo, the contents of communications made using our eSIMs, credit card numbers (handled by Paysera), government ID documents, or biometric data.

4. Why we collect it

We use your data to: create and manage your account; process payments and provision eSIMs; deliver eSIMs and provide support; operate top-ups; operate the credits, loyalty, and referral programs (see our Credits, Loyalty & Referrals Terms); detect and prevent fraud and abuse; improve our service; and comply with legal obligations (tax, accounting, sanctions).

5. Legal basis for processing

  • Account creation and management — performance of contract.
  • Fulfilling eSIM orders and top-ups — performance of contract.
  • Payment processing — performance of contract.
  • Credits, loyalty, and referral programs — performance of contract / legitimate interest.
  • Fraud detection and prevention — legitimate interest.
  • Service improvement (analytics) — legitimate interest.
  • Legal compliance (tax, accounting, sanctions) — legal obligation.
  • Marketing emails (if you opt in) — consent.

6. Who we share data with

We share data only with parties necessary to provide our service. We do NOT sell your data.

  • Paysera (Lithuania) — payment details, email, order amount — for processing payments and refunds.
  • Wholesale eSIM providers — minimum data needed to provision an eSIM.
  • Hosting provider (Vercel, USA) — data passing through the website.
  • Database provider (Supabase) — account, order, loyalty, and referral data.
  • Authentication provider — email and account credentials, for login and security.
  • Email delivery service (Resend, USA) — email address and message content.
  • Error monitoring (Sentry, USA) — technical error data and IP address.

All providers are contractually bound to protect your data. Where located outside the EU, appropriate safeguards (typically EU Standard Contractual Clauses) are in place. We may also disclose data to legal authorities where required by law.

7. International data transfers

Some providers are located outside the European Economic Area, including the United States. Where we transfer data outside the EEA, we rely on EU Standard Contractual Clauses, adequacy decisions, or the EU-US Data Privacy Framework where applicable. You may request copies of these safeguards from privacy@eseemo.com.

8. How long we keep data

  • Order and payment records — 7 years (tax and accounting law).
  • Tax invoices — 10 years (Kosovo tax law requires invoice retention for a minimum of 10 years).
  • Account data — until account closure plus 3 years (support, fraud prevention, legal claims).
  • Credit and loyalty transaction history — 7 years (accounting; credits are a financial liability).
  • Referral relationship data — 3 years after the referral (fraud prevention, dispute resolution).
  • Fraud-signal data — 2 years (detecting repeat fraud).
  • Chargeback and dispute records — 7 years (matches order record retention; required for payment dispute evidence).
  • Consent records — 7 years from the order date (legal evidence that you were informed of and agreed to our terms and policies at the time of purchase).
  • Server access logs — 90 days (security investigation).

After the retention period, data is deleted or anonymized. Some data may be retained longer where required by law or for ongoing legal proceedings.

9. Your rights

Under GDPR you have the right to access, correct, delete, and port your data; to restrict or object to processing; and to withdraw consent. You also have the right to lodge a complaint with a supervisory authority.

Note on account deletion: When you request deletion, we delete your account and personal data, subject to legal retention requirements. Order and payment records, and credit/loyalty transaction history, are retained for 7 years for tax and accounting purposes even after account closure, then deleted. Unused credits and pending rewards are forfeited on account closure and cannot be reinstated. Referral records linking your account to others may be retained in anonymized form for fraud prevention.

To exercise your rights, email privacy@eseemo.com from your account's email address. We respond within 30 days.

You may complain to Kosovo's Information and Privacy Agency (aip.rks-gov.net) or, for EU residents, your national data protection authority.

10. Cookies and tracking

We use essential cookies (session, authentication, security, language preference) that cannot be disabled, as they are necessary for the service — including keeping you logged in. We use minimal privacy-respecting analytics with your consent. We do NOT use advertising cookies, Google Analytics, or social media tracking pixels.

11. How we protect your data

We use HTTPS encryption in transit, encrypted database storage, hashed passwords (never stored in plain text), access controls, two-factor authentication for administrative access, and regular security reviews. Card payment details are handled by our PCI-DSS-compliant payment processor; we never store card numbers.

Administrative access to customer data is restricted to authorised personnel. All administrative actions are logged, including what was changed, the administrator's identity, and their IP address at the time of the action. These logs are retained for 3 years and are used for internal accountability and breach investigation.

Data breach notification: We will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of any breach posing a risk to your rights and freedoms.

12. Children's privacy

Eseemo is intended for adults (18+). We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@eseemo.com and we will delete it.

13. Changes to this policy

We may update this Privacy Policy. Material changes will be communicated by email and by notice on the website. The "Last updated" date reflects the most recent change.

14. Contact and complaints

Privacy inquiries: privacy@eseemo.com

Slash Solutions L.L.C Attn: Privacy Rruga Hyzri Talla, pn. 10000 Pristina, Republic of Kosovo

Supervisory authority: Kosovo Information and Privacy Agency — aip.rks-gov.net. EU residents may also complain to their national data protection authority.

Back to current version