This Cookie Policy describes the cookies and similar technologies that Banxs Technologies EOOD (trading as Skybyte, EIK 206285017, VAT BG206285017, registered office Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria) uses on the Skybyte website and customer area at skybytesim.com, the legal basis on which we set each one, and how you can control them. It supplements — and should be read together with — our Privacy Policy, which sets out the wider framework for our processing of personal data.
We take a deliberately minimalist approach to cookies. We use the smallest set of identifiers necessary to operate the Service securely, plus a small number of optional functional and analytics cookies that are only set after you give consent through our cookie banner. We do not use third-party advertising trackers, cross-site behavioural advertising cookies, social-media share trackers, or fingerprinting libraries.
1. What Are Cookies & Similar Technologies
A “cookie” is a small text file that a website asks your browser to store on your device. When you return to the website, your browser sends the cookie back, allowing the site to recognise your browser and remember information about your visit. Cookies are governed in the European Union by Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive), as transposed into Bulgarian law by the Electronic Communications Act, and — where they involve processing of personal data — by Regulation (EU) 2016/679 (the GDPR).
Article 5(3) of the ePrivacy Directive permits the storage of, or access to, information on a user’s terminal equipment only if (a) the user has given specific, informed consent, or (b) the storage/access is strictly necessary for the provision of an information-society service explicitly requested by the user. We classify each cookie below against one of those two limbs.
“Similar technologies” means client-side storage mechanisms functionally equivalent to cookies, including:
- Local Storage and Session Storage (Web Storage API) — key/value storage scoped to an origin, persistent (Local) or per-tab (Session). We use Local Storage to remember your currency and theme preferences and to cache your cookie-consent choice in a way that does not require a network round-trip on every page load.
- IndexedDB — a structured client-side database. We do not currently use IndexedDB.
- Service Workers and the Cache Storage API — used by our installable web app (PWA) to cache static assets for offline availability of marketing pages. No personal data is stored in the cache.
- Pixel tags / web beacons — tiny image references in HTML emails used to confirm whether an email was opened. We use them only in transactional and (where consented) marketing emails delivered through our email infrastructure provider.
For brevity, references to “cookies” in the rest of this Policy include all of the technologies listed above.
2. How Skybyte Uses Cookies
Skybyte uses cookies for four families of purpose, each subject to a distinct legal basis:
- Essential — strictly necessary for the Service to function (authentication, session continuity, CSRF protection, recording your cookie-consent choice, edge-network DDoS protection). These are exempt from the consent requirement under the second limb of ePrivacy Article 5(3) and cannot be disabled in our preferences centre because doing so would render core features inoperable. The lawful basis for any associated processing of personal data is GDPR Article 6(1)(b) (performance of contract) or 6(1)(f) (legitimate interest in the security and integrity of the Service).
- Functional — improve usability by remembering your choices (display currency, language). Off by default; require your consent under ePrivacy Article 5(3) and GDPR Article 6(1)(a).
- Analytics — help us understand how the Service is used, on an aggregated and pseudonymised basis, so that we can improve it. We rely on first-party, privacy-preserving analytics with no cross-site tracking, no IP-address persistence, and no fingerprinting. Off by default; require your consent.
- Marketing — currently none. Skybyte does not run third-party advertising trackers, retargeting pixels, or cross-site behavioural advertising. The “Marketing” consent control is presented in our preferences centre for forward compatibility and transparency only; toggling it on today has no effect because no cookies in this category are deployed.
We never bundle non-essential cookies into the “essential” category to bypass consent. We never use a pre-ticked checkbox, a “dark pattern”, or an unbalanced cookie banner that makes rejection harder than acceptance. The “Reject all” option in our banner is presented with equal visual prominence to “Accept all”, in line with European Data Protection Board Guidelines 03/2022 on deceptive design patterns and Guidelines 05/2020 on consent.
Lifecycle of a cookie on Skybyte. When you arrive on the site for the first time, only strictly necessary cookies are set (the authentication tokens are absent because you have not yet signed in; the Cloudflare bot-management cookie is set at the edge; the consent record is empty). The cookie banner is rendered. If you choose “Accept all”, your selection is recorded as a consent receipt and the functional and analytics categories are activated immediately. If you choose “Reject all”, your selection is recorded with the same evidentiary completeness, and no non-essential cookie is set on this or any subsequent visit until you change your mind. If you choose “Customise”, the preferences dialog opens with all non-essential toggles in the off position; you must take an affirmative action to enable any category.
Server-side state vs. client-side cookies. Most of your account state (orders, eSIMs, support threads, notification preferences) lives on Skybyte’s servers and is keyed off your authenticated session, not off cookies. Cookies are used as the minimum-necessary mechanism to (a) authenticate that session, (b) remember a small number of presentation-layer preferences, and (c) allow our edge network to protect the Service from abuse. We do not replicate server-side personal data into cookies.
No covert identifiers. We do not use ETag-based tracking, canvas or WebGL fingerprinting, audio fingerprinting, font enumeration, or any other technique designed to reconstruct an identifier when cookies are unavailable. We do not chain first-party cookies to third-party identifiers via CNAME cloaking or server-side bridges.
3. Detailed Cookie Inventory
The table below lists every cookie and equivalent storage item set on your device by the Service. For each item we disclose: the technical name, the party that sets it (first-party means Skybyte itself; third-party means an external provider acting at our request), the category, the lifetime, the legal basis, and the purpose.
| Name | Provider | Category | Type | Lifetime | Legal basis | Purpose |
|---|---|---|---|---|---|---|
| sb-access-token | First-party (Skybyte / Lovable Cloud) | Essential | HTTP cookie | 1 hour (rotates) | ePrivacy Art. 5(3) strictly necessary; GDPR Art. 6(1)(b) | Authenticates an active session. |
| sb-refresh-token | First-party (Skybyte / Lovable Cloud) | Essential | HTTP cookie (HttpOnly, Secure) | 7 days | ePrivacy Art. 5(3) strictly necessary; GDPR Art. 6(1)(b) | Refreshes the access token without requiring re-login. |
| skybyte_guest_session | First-party (Skybyte) | Essential (guests) | HTTP cookie | 30 days | ePrivacy Art. 5(3) strictly necessary; GDPR Art. 6(1)(f) | Resumes guest support thread without forcing account creation. |
| skybyte_cookie_consent | First-party (Skybyte) | Essential | Local Storage | 12 months | ePrivacy Art. 5(3) strictly necessary; GDPR Art. 6(1)(c) (Art. 7 evidentiary) | Stores your cookie-consent choices and policy version so we do not re-prompt at every visit. |
| skybyte_currency | First-party (Skybyte) | Functional | Local Storage | 1 year | GDPR Art. 6(1)(a) consent | Remembers your display currency (EUR / USD / GBP). |
| skybyte_theme | First-party (Skybyte) | Functional | Local Storage | 1 year | GDPR Art. 6(1)(a) consent | Remembers your light/dark theme choice. |
| skybyte_analytics_id | First-party (Skybyte) | Analytics | Local Storage (random pseudonymous ID) | 12 months | GDPR Art. 6(1)(a) consent | Aggregated, privacy-preserving analytics. No cross-site tracking; truncated IP; no fingerprinting. |
| __cf_bm | Third-party (Cloudflare, Inc.) | Essential | HTTP cookie | 30 minutes (rolling) | ePrivacy Art. 5(3) strictly necessary; GDPR Art. 6(1)(f) | Cloudflare bot management — distinguishes humans from bots to protect the Service. |
| cf_clearance | Third-party (Cloudflare, Inc.) | Essential | HTTP cookie | 30 days | ePrivacy Art. 5(3) strictly necessary; GDPR Art. 6(1)(f) | Cloudflare DDoS / bot challenge clearance. |
| __Host-paynovus-csrf | Third-party (PayNovus AD) | Essential (checkout only) | HTTP cookie (HttpOnly, Secure) | Session | ePrivacy Art. 5(3) strictly necessary; GDPR Art. 6(1)(b) | CSRF protection inside the PayNovus hosted card-fields iframe. Set only on the checkout page. |
The list above is current as of the “Last updated” date at the top of this page. We review the inventory at least every six months and on each material change to the Service. If we add or replace a cookie, we update the list and — for any non-essential addition — invite you to renew your consent before the new cookie is set. Cookie names beginning with __Host- or __Secure- use the additional security restrictions defined by RFC 6265bis.
4. Consent Management
On your first visit (and after any material change to this Policy or to our cookie inventory), Skybyte presents a cookie banner offering three equally prominent choices: Accept all, Reject all, and Customise. Until you make a choice, no non-essential cookie is set; only the strictly necessary cookies described above are loaded.
Choosing Customise opens a granular preferences dialog allowing you to opt in or out of each non-essential category independently (Functional, Analytics, Marketing). Within each category, we explain what is stored, by whom, for how long and why, with a link to the relevant row of the table above. Toggles default to off; you must take an affirmative action to enable a category, in line with GDPR Article 4(11) and Recital 32 (no pre-ticked boxes; clear affirmative action).
Your choice is recorded as a consent receipt in our consent_receipts table, capturing: the categories you accepted or rejected, the consent method (banner click or preferences dialog), the policy version in effect at the time, the timestamp, your IP address (for evidentiary purposes only), and your user-agent string. Consent receipts are retained for 5 years in order to discharge our evidentiary burden under GDPR Article 7(1) and the accountability principle of Article 5(2). For unauthenticated visitors, the receipt is associated with an anonymous session identifier rather than a user account.
Consent is granular, freely given, specific, informed, and unambiguous — and as easy to withdraw as it is to give (Article 7(3) GDPR). You can re-open the preferences dialog at any time using the “Cookie preferences” link in the site footer or the button below; on signed-in accounts you can also manage consent at /account/privacy. Withdrawal takes effect immediately and we delete the corresponding cookies on your next page load.
Consent is sought again automatically (i) on every material change to this Cookie Policy or the inventory, (ii) on the introduction of a new processing purpose within an existing category, (iii) on the introduction of a new third-party processor that sets cookies, and (iv) at the latest on the 12-month anniversary of your most recent consent, in line with the EDPB’s recommended “consent freshness” window.
Proof of consent and proof of refusal. Both consent and refusal generate a record of equal evidentiary value. This matters because under Article 7(1) GDPR the controller bears the burden of demonstrating consent, and under Article 21 the burden of honouring an objection. By recording refusals as well as acceptances, we can demonstrate to ourselves, to you, and to a supervisory authority that the Service has respected your stated choice on every subsequent visit. The record is keyed off a server-generated session identifier for unauthenticated visitors and off the user account for signed-in customers.
Banner accessibility. The cookie banner is accessible by keyboard, traps focus while open, exposes ARIA roles to assistive technologies, and meets WCAG 2.1 AA contrast requirements. Buttons carry meaningful labels (no “OK” ambiguity) and the dialog can be dismissed only by an explicit choice — closing the browser tab or scrolling the page does not imply consent. We track the time-to-decision aggregately to detect and remediate any pattern that could be interpreted as making rejection harder than acceptance.
Cross-device and cross-browser. Consent is stored in the browser local storage of the device used to give it; it does not synchronise across browsers or devices automatically. Signed-in customers can additionally store an account-level cookie preference set at /account/privacy, which is re-applied to any new browser when they sign in.
5. Third-Party Cookies
Most cookies set by the Service are first-party cookies set directly by Skybyte. The only third parties that set cookies on your device through the Service are Cloudflare, Inc. (for edge-network security and bot management — strictly necessary for the Service to remain available) and PayNovus AD (for CSRF protection inside the hosted card-fields iframe on the checkout page only — strictly necessary to complete a payment you have requested).
Skybyte currently sets no third-party marketing cookies: no Meta Pixel, no Google Ads tag, no LinkedIn Insight Tag, no TikTok Pixel, no Twitter/X conversion tag, no Pinterest tag, no Reddit pixel, no advertising-network retargeting tracker, and no social-media share-button tracker. We have no plans to introduce any of the foregoing without first updating this Policy and re-soliciting consent.
If you have given consent for our first-party analytics, the data collected is processed by Skybyte alone and is not shared with any advertising network. We use only event-level data (page URL, referrer, coarse country derived from a truncated IP, browser family, screen size bucket) and we do not link analytics events to your account profile or to any persistent cross-site identifier.
Each third-party processor that sets cookies is bound by the same data- protection commitments described in our Privacy Policy and listed at /legal/sub-processors.
Why these third parties are unavoidable for the strictly- necessary tier. Cloudflare sits in front of every request to the Service to absorb denial-of-service traffic and to filter malicious bots; without it the Service would be unavailable to legitimate users during routine attack volumes seen on the public internet. PayNovus operates the regulated payment flow; the CSRF cookie inside its hosted card-fields iframe is set by PayNovus itself and is required by the iframe’s own security model. We have evaluated alternatives in both cases and have concluded that equivalently effective protection cannot currently be achieved without these third-party cookies.
What changes if a third party adds a cookie. If Cloudflare or PayNovus introduces a new cookie, or repurposes an existing one, we update the inventory in Section 3 and re-prompt for consent if the new cookie falls outside the strictly-necessary category. Their published privacy notices are linked from the sub-processor list and we monitor changes during our routine vendor reviews.
6. Do Not Track & Global Privacy Control
Skybyte honours user-agent privacy signals where they exist. When your browser transmits the DNT: 1 header (the so-called “Do Not Track” signal) or the Sec-GPC: 1 header (the Global Privacy Control signal described in the W3C Community Group draft), we treat the request as a standing objection to non-essential cookies and to the processing of personal data for marketing purposes:
- We do not set Functional, Analytics or Marketing cookies on a visit that carries either signal, regardless of the choices in our preferences dialog.
- We do not include open-tracking pixels in marketing emails sent to recipients whose most recent visit carried either signal.
- We continue to set the strictly-necessary cookies described in Section 3, because they are required for the Service to function and are exempt from the consent requirement under ePrivacy Article 5(3).
We treat the GPC signal as a valid expression of opt-out under Article 21 GDPR; you do not need to take any further action to make it effective. If you later want to opt back in, you can do so at any time from the preferences dialog (your browser’s GPC setting will then override the dialog on subsequent visits).
7. Managing & Withdrawing Your Choices
You can change your cookie choices at any time using the “Cookie preferences” link in the site footer, your account privacy dashboard, or the button below. Changes take effect on your next page load and we delete cookies in any category you have opted out of.
Effect of withdrawal. Withdrawing consent for a functional cookie means we forget the relevant preference (your chosen currency, theme, etc.) and the Service reverts to defaults on the next visit. Withdrawing consent for analytics cookies stops the collection of any further analytics events tied to your device and deletes the pseudonymous identifier locally; previously aggregated and anonymised metrics derived from earlier consented visits remain in our reporting because they are no longer personal data within the meaning of Article 4(1) GDPR. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).
Mobile and PWA contexts. If you have installed Skybyte as a Progressive Web App (PWA), the same cookie and storage rules apply inside the installed app surface. Uninstalling the PWA, or clearing site data from your browser settings, will remove all first-party cookies and Local Storage entries, including your consent record — on next launch the cookie banner will reappear.
Browser-level signals we honour. In addition to the DNT and Global Privacy Control signals described in Section 6, we respect the Sec-Fetch-Site and SameSitecookie attributes (all our first-party cookies use SameSite=Lax at minimum, and authentication cookies use SameSite=Strict; payment-flow cookies use SameSite=None; Secure only where required by the third-party iframe context). We do not bypass browser anti-tracking protections such as Apple’s Intelligent Tracking Prevention, Firefox’s Enhanced Tracking Protection or the Brave Shields.
How we test our cookies. Before each release we verify the cookie inventory against this Policy using an automated scan of the rendered pages with no consent given (essential only should be present), with consent partially given (the additional allowed categories should appear), and with consent withdrawn (only essential cookies should remain). Any deviation is treated as a release-blocking defect.
Children. The Service is not directed at children under 18 (see our Privacy Policy, Section 10). We therefore do not knowingly set non-essential cookies on devices used by children. If you are a parent or guardian and believe a child has used the Service, you may exercise the rights described in our Privacy Policy on the child’s behalf.
Cross-references. For the wider framework that governs all of our processing of personal data — including legal basis, data sharing, retention, international transfers, your GDPR rights, and our breach-notification commitments — please see the Privacy Policy. For the live list of third-party processors that may receive personal data through cookie interactions, see /legal/sub-processors.
Changes to this Policy. We may update this Cookie Policy from time to time to reflect changes in the cookies we use, changes in applicable law, or changes in regulatory guidance. We will indicate the date of the most recent revision in the “Last updated” field at the top of this page. For material changes (a new third-party processor setting cookies, a new processing purpose, or a substantively different consent mechanism), we will re-prompt for consent and, where appropriate, give you advance notice in-product or by email.
Glossary. “First-party cookie” — set directly by Skybyte under the skybytesim.com domain or a Skybyte sub-domain. “Third-party cookie” — set by an external provider acting at our request, under that provider’s own domain. “Session cookie” — deleted automatically when you close your browser. “Persistent cookie” — remains on your device until its declared expiry date or until you delete it. “HttpOnly” — the cookie is not accessible to JavaScript, reducing exposure to cross-site scripting. “Secure” — the cookie is only sent over HTTPS. “SameSite” — controls whether the browser sends the cookie on cross-site requests (Strict, Lax, None).
You can also manage cookies at the browser level — most browsers allow you to view, block or delete cookies, and to refuse third-party cookies. Doing so will affect the strictly necessary cookies as well as the optional ones; that may break essential functionality, including signing in and managing your eSIMs. The following links describe how to manage cookies in popular browsers (we provide them for convenience and take no responsibility for their content):
When this Policy changes materially, we will ask you to renew your consent before any non-essential cookie is set under the new version. The “Last updated” date at the top of this page reflects the current version. For questions about cookies that are not answered here, see our Privacy Policy or contact us at contact@banxs.com.
The data controller for cookies set on this site is Banxs Technologies EOOD (trading as Skybyte), Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria, EIK 206285017, VAT BG206285017. To lodge a complaint, contact the Bulgarian Commission for Personal Data Protection (www.cpdp.bg) or the supervisory authority of your habitual residence.
This Cookie Policy is published in addition to, and not instead of, the disclosures we make at the moment of cookie deployment via the consent banner. Where any inconsistency arises between this Policy and the banner text, the disclosure most favourable to the user applies. Nothing in this Policy limits any non-waivable consumer right granted to you by mandatory law in your country of residence.