DRAFT — pending legal review. This page is published for transparency but has not yet been cleared by qualified Bulgarian / EU counsel. Provisions may change. Operator review status is tracked at /admin/legal-status. For binding clarification email contact@banxs.com.

Privacy Policy

Last updated: 5 May 2026
Effective from: 5 May 2026

This Privacy Policy explains how Banxs Technologies EOOD (trading as Skybyte) processes personal data in connection with the Skybyte eSIM service, the website at skybytesim.com, the customer account area, and any related communications channel (email, WhatsApp, in-app messaging). It is provided in accordance with Articles 12, 13 and 14 of Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”), the Bulgarian Personal Data Protection Act (Закон за защита на личните данни, “ZZLD”), and Directive 2002/58/EC (the “ePrivacy Directive”) as transposed into Bulgarian law by the Electronic Communications Act.

We have written this Policy in plain English wherever possible, but the legal commitments set out below are binding. If you do not understand a section, contact us at contact@banxs.com and we will provide a clarification before you continue using the Service. By continuing to use the Service after the “Effective from” date above, you confirm that you have had a reasonable opportunity to read this Policy.

1. Who We Are (Controller Identity)

The data controller for personal data processed in connection with the Service is:

Banxs Technologies EOOD (trading as Skybyte)
Registered office: Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria
Unified Identification Code (EIK): 206285017
VAT Identification Number: BG206285017
Authorised representative: Daniela Georgieva, Manager
General contact: contact@banxs.com
Privacy / Data Protection contact: contact@banxs.com (subject line “Privacy”)

We are registered as a data controller with the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни, “CPDP”) [OPERATOR DECISION: insert CPDP registration number once issued or confirm exemption].

Skybyte has not appointed a Data Protection Officer under Article 37 GDPR because our processing does not meet the mandatory thresholds set by Article 37(1). However, we have designated a single point of contact for all privacy matters at the email address above and our authorised representative is accountable for all decisions affecting personal data.

2. Scope & Definitions

This Policy applies to personal data we process about: (a) visitors to our website, (b) registered customers (“Customers”), (c) guest checkout buyers, (d) recipients of our transactional and marketing communications, (e) people who contact our customer support, and (f) representatives of business partners and suppliers. Where we process personal data on behalf of a B2B Customer (for example, the personal data of that Customer’s end users), our role is that of a data processor and the Customer is the controller; in those cases the terms of our Data Processing Addendum apply.

For convenience, the following terms used here have the meanings set out in Article 4 GDPR: “personal data”, “processing”, “controller”, “processor”, “recipient”, “third party”, “consent”, “personal data breach”, “profiling”, and “supervisory authority”.

Material scope. This Policy covers wholly or partly automated processing of personal data carried out via the Service, the public website, our customer support channels, our notification infrastructure (email and WhatsApp), and any non-automated processing where the data forms part of, or is intended to form part of, a filing system within the meaning of Article 2(1) GDPR. It does not cover the processing of personal data by Customers themselves in respect of their own end users, by independent third-party services that you choose to integrate (such as your bank or your handset operating system vendor), or by network operators carrying traffic across their infrastructure once an eSIM is active.

Territorial scope. Skybyte is established in Bulgaria (a Member State of the European Union) and offers the Service to data subjects in the EEA and worldwide. We process personal data in accordance with the GDPR by virtue of Article 3(1) (establishment in the Union) and, where you are located in the EEA but outside Bulgaria, by virtue of Article 3(2)(a) (offering of services to data subjects in the Union). For UK residents, we apply the UK GDPR equivalent protections; for residents of jurisdictions with comparable laws (e.g. Switzerland under the revised Federal Act on Data Protection), we apply equivalent safeguards.

Languages. The authoritative version of this Policy is the English text. Translations are provided for convenience only and are not legally binding; in case of discrepancy, the English version prevails. Material updates are first published in English and then translated.

3. Personal Data We Collect

We collect only the personal data that we genuinely need to deliver the Service, to comply with our legal obligations, and to improve the customer experience in privacy-respecting ways. The categories below are exhaustive for ordinary use of the Service; if we ever expand them, we will update this Policy and (where required) request your consent before doing so.

  • Account data — full name, email address, hashed password, optional phone number in E.164 format, country, language and currency preferences, profile picture (optional), avatar emoji.
  • Order and invoice data — items purchased, billing country, currency, gross and net amounts, applicable VAT rate and amount, payment status, payment intent and transaction identifiers, statement descriptor (“SKYBYTE BANXS BG”), invoice number, invoice PDF, Customer VAT number for B2B buyers, VAT validation outcome from the EU VIES system.
  • eSIM provisioning and usage data — Integrated Circuit Card Identifier (ICCID), activation timestamp, expiry timestamp, cumulative data usage in megabytes, status (issued, active, depleted, expired), the connectivity provider that fulfilled the eSIM, and the wholesale SKU. We do not see the contents of your communications, the websites you visit, the apps you use, your real-time location, or any data carried over the network.
  • Support data — chat messages and attachments you send via support, the IP address recorded at thread creation, internal staff notes attached to your records, support ticket priority and status, and the email or WhatsApp address used for replies.
  • Technical data — IP address, derived country, browser type and language, device type, screen size, referrer URL, session tokens, security event logs, rate-limit and abuse-prevention signals, and minimal first-party analytics events (page views, navigation paths and conversion outcomes) where you have given functional/analytics consent.
  • Marketing preferences — channel opt-ins (email, WhatsApp), suppression list entries, unsubscribe events, the source of an opt-in (e.g. checkout checkbox, account settings), and the version of the marketing preference text accepted.
  • Consent records — the choices you make in our cookie consent banner, including timestamp, IP address, user-agent string, and the policy version in effect at the time, plus the explicit esim_activation_consent receipt acknowledging waiver of the EU CRD Article 16(m) right of withdrawal at the moment of eSIM activation.
  • Compliance and audit data — entries in our internal audit log capturing who did what to which record (e.g. an admin issuing a refund, a system function provisioning an eSIM, a customer downloading their data export). Sensitive metadata is scrubbed by our internal safeAuditMeta() helper before storage.

Special categories of data (Article 9 GDPR). We do not intentionally collect or process special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation). If you voluntarily share such data with us through support conversations, we will only use it to the extent necessary to resolve the underlying issue and we will delete it from our systems as soon as the interaction is closed.

Sources. The vast majority of personal data we process is collected directly from you. We also receive (a) outcome data from PayNovus AD when you make a payment (e.g. authorisation code, decline reason), (b) provisioning data from our eSIM connectivity providers (e.g. eSIM Go, Maya Mobile) when an eSIM is issued, (c) bounce, deferral and complaint signals from our email infrastructure provider, and (d) IP-based country information from our edge-network provider Cloudflare.

What we deliberately do NOT collect. Skybyte does not collect or process: (i) the contents of your communications carried over the eSIM (call audio, SMS bodies, instant-messaging payloads, IP packet payloads); (ii) your real-time location, cell-tower identifiers, or GPS coordinates; (iii) the websites you visit or apps you use; (iv) your device’s IMEI, MAC address, advertising identifiers, or any other persistent device fingerprint beyond what is strictly necessary for fraud prevention on the checkout page; (v) biometric identifiers; (vi) full payment-card numbers, security codes or magnetic-stripe data — all card data is captured directly by our payment processor in a hosted iframe and only a non-reversible token is returned to Skybyte; (vii) any data from third-party data brokers or list providers.

How long we hold each item before initial processing. We aim to act on personal data as soon as it is received, then to retain only what is necessary for the purposes set out below. Drafts (for example, a half-completed checkout form abandoned before submission) are not retained beyond the active browser session unless you have given explicit consent for cart-abandonment communications (which we do not currently offer).

4. Legal Bases for Processing

Each processing activity below is mapped to the specific lawful basis on which we rely under Article 6(1) GDPR. Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) balancing those interests against your rights and freedoms; you may request a summary at contact@banxs.com.

Activity | Data categories | Legal basis (Art. 6 GDPR)
-------- | --------------- | --------------------------
Account creation, login, password reset | Account, technical | 6(1)(b) Contract
Order processing, eSIM provisioning, top-ups | Account, order, eSIM, technical | 6(1)(b) Contract
Payment processing & 3-D Secure | Order, technical | 6(1)(b) Contract
Issuing & retaining VAT-compliant invoices | Account, order, invoice | 6(1)(c) Legal obligation (ZDDS Art. 114, 121)
Accounting record retention | Order, invoice | 6(1)(c) Legal obligation (Bulgarian Accounting Act)
AML / sanctions screening (where applicable) | Account, order, audit | 6(1)(c) Legal obligation (Bulgarian AML Act, Art. 67)
Customer support | Account, support, technical | 6(1)(b) Contract
Fraud prevention & abuse detection | Order, technical, audit | 6(1)(f) Legitimate interests
Service security & integrity (logging, rate limits, WAF) | Technical, audit | 6(1)(f) Legitimate interests
Defending or pursuing legal claims | All | 6(1)(f) Legitimate interests
Transactional notifications (order, eSIM, refund, account) | Account, order, eSIM | 6(1)(b) Contract
Marketing emails & WhatsApp messages | Account, marketing | 6(1)(a) Consent
Non-essential cookies (functional, analytics) | Technical, consent records | 6(1)(a) Consent (and ePrivacy Art. 5(3))
eSIM activation consent receipt (waiver of withdrawal right) | Consent records, eSIM | 6(1)(c) Legal obligation (EU CRD Art. 16(m))
Aggregated analytics & product improvement | Technical (pseudonymised) | 6(1)(f) Legitimate interests

Where consent is the lawful basis, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR). Withdrawal is as easy as giving consent: use the unsubscribe link in any marketing email, the “Stop” reply on WhatsApp, the cookie preferences link in the footer, or your privacy dashboard at /account/privacy.

5. Purposes of Processing

We process personal data for the specific, explicit and legitimate purposes listed in the table above. We do not further process personal data in a manner incompatible with those purposes (Article 5(1)(b) GDPR — purpose limitation). In particular:

  • We do not sell, rent or otherwise commercialise personal data to any third party.
  • We do not use personal data to train machine-learning or generative-AI models.
  • We do not engage in “dark patterns” designed to manipulate consent or deter the exercise of rights.
  • We do not combine personal data across services to build behavioural advertising profiles.

Where we propose any new processing purpose that is not compatible with the original collection purpose, we will inform you in advance and (where the new purpose requires it) request your consent before commencing.

Data minimisation. We collect only the personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) GDPR). We periodically review our forms, API surfaces and database schema to remove fields that are no longer needed. Optional fields are clearly marked as such and are never required to use the Service.

Accuracy. We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date (Article 5(1)(d) GDPR). You can update your account details at any time at /account/profile; for fields that are not editable in-product (for example, the legal name on an already-issued invoice), contact us and we will issue a corrective credit note where lawfully possible.

Integrity and confidentiality. Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (Article 5(1)(f) GDPR). See Section 9 for the specific safeguards in place.

Accountability. We are able to demonstrate compliance with the principles set out above (Article 5(2) GDPR). We maintain internal Records of Processing Activities under Article 30 GDPR, an audit log of administrative actions, retention-run audit records, and documented Legitimate Interests Assessments and Transfer Impact Assessments where relevant.

6. Recipients & Sub-processors

We share personal data only with the categories of recipient described below, and only to the extent strictly necessary for the relevant purpose. Each processor is bound by a written contract that meets the requirements of Article 28 GDPR; for sub-processors located outside the EEA we apply the safeguards described in Section 12 (International Transfers).

  • Lovable Cloud / Supabase — managed PostgreSQL database, authentication, file storage, edge functions. EEA hosting region; processor under Article 28 GDPR.
  • PayNovus AD — card payment processing, regulated as an Electronic Money Institution by the Bulgarian National Bank. Independent controller for fraud prevention, sanctions screening, payment settlement and statutory record-keeping under PSD2 and AML legislation. Bulgaria (EU).
  • eSIM connectivity providers (e.g. eSIM Go Limited, United Kingdom; Maya Mobile, Hong Kong/Singapore) — eSIM provisioning, network access. Independent controllers for the operation of mobile networks; processors for the act of provisioning the eSIM.
  • Postmark / equivalent email provider — transactional and (with consent) marketing email delivery. Standard Contractual Clauses apply to any transfer to the United States.
  • Meta Platforms Ireland Limited — WhatsApp Business messages, where you opt in to that channel. EU-resident controller; SCCs apply where data is onward-transferred outside the EEA.
  • Cloudflare, Inc. — content delivery network, DDoS protection, web application firewall, bot management. Standard Contractual Clauses apply to extra-EEA processing.
  • Bulgarian National Revenue Agency (Национална агенция за приходите) — invoices and transaction records as legally required, including SAF-T submissions where applicable.
  • Law-enforcement and supervisory authorities — only on receipt of a lawful and binding request, and only to the extent legally compelled. We assess each request for validity, proportionality and scope, and we challenge requests that exceed legal authority. Where permitted, we notify affected individuals.
  • Professional advisors — lawyers, accountants and auditors bound by professional confidentiality, where necessary to defend a legal claim, comply with audit obligations, or obtain regulated advice.
  • Successors in title — in the event of a merger, acquisition, reorganisation or sale of assets, personal data may be transferred to the successor entity, subject to advance notice and the ongoing protection of this Policy.

A live, dated list of our sub-processors — including each one’s function, country of establishment, data categories processed and transfer mechanism — is maintained at /legal/sub-processors. B2B Customers subject to our DPA can subscribe to advance change notifications at the address indicated on that page.

7. Data Retention

We retain personal data only for as long as necessary for the purposes set out above, then we delete or anonymise it. The table below summarises the retention period applicable to each category, the legal or operational basis for that period, and the point at which the clock starts to run. These periods are enforced automatically by our retention cleanup job (the retention-cleanup cron) and are auditable in our retention_runs table.

Category | Retention | Trigger | Legal / operational basis
-------- | --------- | ------- | -------------------------
Account data (active customer) | Until account deletion + 30 days | Customer-initiated deletion | Contract; grace period for restoration
Soft-deleted accounts | 90 days, then anonymised | Soft-delete timestamp | Operational reversal window
Order data & invoices | 7 years | Invoice issue date | Bulgarian VAT Act (ZDDS) Art. 121
Refund records | 10 years | Refund completion | ZDDS Art. 115 credit-note retention
Audit log | 7 years | Entry creation | Bulgarian AML Act Art. 67
Webhook events | 1 year | Receipt | Operational reconciliation only
Consent receipts (cookie & activation) | 5 years | Consent given | GDPR Art. 7(1) evidentiary burden
Marketing preferences | Until withdrawal + 1 year | Withdrawal timestamp | Suppression-list integrity
Cookie consent record (in-browser) | 12 months | Consent given | EDPB Guidelines 05/2020 on consent
Support threads (closed) | 3 years | Thread closure | Defence of claims; product improvement
Support attachments | 90 days after thread closure | Thread closure | Storage minimisation
DSAR requests | 3 years after resolution | Resolution date | Accountability (Art. 5(2) GDPR)
Provider sync log | 90 days | Sync run | Operational diagnostics
Suppression list | Indefinite (do-not-contact register) | Entry creation | PECR / GDPR Art. 21 compliance
Technical access logs (raw) | Up to 13 months | Log line emission | Security & abuse investigation

When you exercise your right to erasure under Article 17 GDPR, your active profile is anonymised — your name, phone number, profile picture, and marketing preferences are removed — but order, invoice and accounting records remain in pseudonymised form for the statutory retention period required by Bulgarian law. After that period elapses, the records are deleted permanently. We document each retention run in the retention_runs table for audit purposes.

8. Your Rights under the GDPR

You have the following rights in respect of personal data we process about you. We will respond to your request within one calendar month of receipt (extendable by a further two months for complex or numerous requests, with notice given to you within the first month — Article 12(3) GDPR).

  • Right of access (Art. 15) — obtain confirmation of whether we process personal data about you and, if so, a copy of that data together with the supplementary information specified in Article 15(1). Available on a self-service basis at /account/privacy as a structured JSON export.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data without undue delay. Edit your profile at /account/profile; for fields not editable in-product (e.g. invoice details), email contact@banxs.com.
  • Right to erasure / ‘right to be forgotten’ (Art. 17) — request deletion of your account and personal data, subject to legal retention obligations (see Section 7). Initiate from /account/privacy.
  • Right to restriction of processing (Art. 18) — limit our processing in defined circumstances (e.g. while a rectification request is being verified). Email contact@banxs.com.
  • Right to data portability (Art. 20) — receive the personal data you provided to us in a structured, commonly used and machine-readable JSON format, and have it transmitted to another controller where technically feasible. Available at /account/privacy.
  • Right to object (Art. 21) — object to processing based on legitimate interests (including any profiling). Object to direct marketing at any time, in which case we will stop processing your data for that purpose without delay.
  • Rights related to automated decision-making (Art. 22) — see Section 11.
  • Right to withdraw consent (Art. 7(3)) — withdraw at any time without affecting the lawfulness of pre-withdrawal processing.
  • Right to lodge a complaint — with the Bulgarian Commission for Personal Data Protection (www.cpdp.bg; address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia) or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).

Identity verification. To prevent unauthorised disclosure we may ask you to verify your identity before fulfilling a request — for example, by signing in to your account, or by replying from the email address registered to that account. If we cannot reasonably verify identity, we will refuse to act and explain why (Article 12(6) GDPR).

No fee. Exercising your rights is free. We may charge a reasonable fee, or refuse to act, only where requests are manifestly unfounded or excessive (Article 12(5) GDPR).

How to make a request. The fastest route for most rights is the privacy dashboard at /account/privacy. From there you can download a complete JSON export of your personal data (right of access and portability), correct profile fields (rectification), adjust marketing and cookie preferences (consent withdrawal), and initiate account deletion (erasure). For requests that cannot be self-served, email contact@banxs.com including (a) the right you wish to exercise, (b) enough information to identify yourself and the data concerned, and (c) any specific instructions (e.g. format for portability, scope of erasure).

Authorised representatives. If you instruct a third party (for example a lawyer, family member or consumer advocacy organisation) to act on your behalf, we will require evidence of the mandate before acting on the request. We may communicate directly with you to confirm the instruction.

Records of requests. We keep a record of every rights request received and the response given for three years from resolution, in order to demonstrate accountability under Article 5(2) GDPR. The record contains the request type, dates, outcome and any correspondence; it does not retain personal data beyond what is strictly necessary for that purpose.

Refusing or restricting a request. In the limited cases where we refuse, partially refuse or restrict a request (for example, where erasure conflicts with our statutory invoice retention duty under ZDDS Art. 121), we will explain in writing the reason for refusal, the parts of the request we are unable to fulfil, and your right to lodge a complaint with the supervisory authority and to seek a judicial remedy.

9. Security of Processing (Art. 32 GDPR)

Taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing, as well as the risks to your rights and freedoms, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • TLS 1.2+ encryption in transit, with HSTS, secure cookie flags, and a strict Content-Security-Policy.
  • Encryption at rest for our database and storage layers.
  • Row-Level Security on every customer-data table; least-privilege role separation between customers, support staff and administrators.
  • Centralised audit logging with PII scrubbing via safeAuditMeta().
  • Secrets stored in a managed vault; no secrets in source code or environment files committed to version control.
  • Web Application Firewall and DDoS protection at the edge (Cloudflare).
  • Per-IP and per-user rate limiting on sensitive endpoints (login, password reset, payment intent, support thread creation).
  • Automated dependency scanning and timely security patching.
  • Background checks and confidentiality undertakings for personnel with access to personal data.
  • Documented incident-response and breach-notification procedures.
  • No storage of full payment-card numbers on Skybyte servers — card data is tokenised at our PCI-DSS-compliant payment processor and Skybyte is in PCI DSS SAQ A scope only.

Operational security. Production access is gated by multi-factor authentication and is restricted to a defined number of named engineers; every administrative action against customer data is recorded in the audit log with the actor, action, entity and (PII-scrubbed) metadata. We use ephemeral credentials wherever technically possible and rotate long-lived secrets on a defined cadence and after any departure of personnel with knowledge of those secrets. Backups are encrypted, taken on a documented schedule, and tested for restorability at least annually.

Vendor due diligence. Before engaging any new processor that will handle personal data, we carry out a written due diligence assessment covering the processor’s certifications (e.g. ISO/IEC 27001, SOC 2 Type II, PCI DSS), location of data, sub-processor chain, contractual safeguards, transfer mechanism, and breach-notification commitments. The assessment is recorded and is re-reviewed at least every two years or upon a material change.

Limits of security. No system can be guaranteed absolutely secure. By using the Service you acknowledge that, despite our reasonable efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. We commit to applying the state-of-the-art standard required by Article 32 GDPR and to notifying you and the supervisory authority promptly of any notifiable breach (see Section 13).

10. Children

The Service is not directed at children under 18 and we do not knowingly collect personal data from children. We do not target advertising at children. If we become aware that we have collected personal data from a child, we will delete it without undue delay. If you believe a child has provided us with personal data, contact contact@banxs.com.

Where the Service is purchased on behalf of a minor (for example, a parent buying an eSIM for a child travelling abroad), the contracting party remains the adult Customer and Skybyte processes only that Customer’s personal data; no separate account is created for the minor and no minor-specific data is collected.

11. Automated Decision-Making & Profiling

Skybyte does not subject you to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR. Specifically:

  • Fraud prevention signals are automated, but a high-risk score never automatically declines or refunds a transaction; it is surfaced to a human for review before a final decision is taken.
  • 3-D Secure / SCA outcomes are determined by the card issuer, not by Skybyte; we relay the outcome to you and you may retry with a different card or contact your bank.
  • Routing of an eSIM order to a particular connectivity provider is automated, but it does not produce a legal effect on you and the underlying eSIM product is functionally equivalent regardless of which provider fulfils the order.

If, in the future, we introduce any feature that involves solely automated decision-making with legal or similarly significant effects (Article 22 GDPR) — for example, automatic cancellation of an order on a fraud signal without human review — we will (a) update this Policy in advance, (b) implement the safeguards required by Article 22(3) (right to obtain human intervention, to express your point of view, and to contest the decision), and (c) provide meaningful information about the logic involved and the envisaged consequences.

Profiling. “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to you, in particular to analyse or predict aspects concerning your performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Skybyte does not engage in profiling for marketing or advertising purposes. The limited automated scoring used for fraud prevention is based only on signals derived from the current transaction (IP, device consistency, velocity of attempts) and never produces an automated decision without human review.

12. International Transfers

Some of our processors are established outside the European Economic Area. Where personal data is transferred outside the EEA to a country without an adequacy decision from the European Commission, we rely on the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and, where appropriate, supplementary technical and organisational measures (encryption in transit and at rest, pseudonymisation, contractual restrictions on government access requests, transparency reports), to ensure your data receives a level of protection essentially equivalent to that guaranteed within the EEA, in line with the CJEU’s ruling in Schrems II (Case C-311/18).

Specific transfer mechanisms by destination:

  • United Kingdom — adequacy decision (European Commission Implementing Decision (EU) 2021/1772 of 28 June 2021).
  • United States — Standard Contractual Clauses; where the recipient is self-certified under the EU-US Data Privacy Framework, we also rely on adequacy (Implementing Decision (EU) 2023/1795 of 10 July 2023).
  • Other third countries — Standard Contractual Clauses (Modules 2 or 3, as applicable) plus supplementary measures.

A copy of any SCC and the relevant Transfer Impact Assessment is available on request to contact@banxs.com.

Supplementary measures applied to extra-EEA transfers. For each transfer outside the EEA we have completed a Transfer Impact Assessment in accordance with the European Data Protection Board’s Recommendations 01/2020. Where the assessment indicates that the destination country’s law may interfere with the contractual safeguards (for example, broad government access powers without effective judicial redress), we apply additional measures including: encryption in transit and at rest under keys not accessible to the importing entity wherever feasible; pseudonymisation of personal data before transfer; contractual commitments by the importer to challenge any unlawful access request and to notify Skybyte to the extent legally permitted; minimisation of the personal data transferred; and ongoing monitoring of legal developments in the destination country. If we conclude that no combination of measures provides essentially equivalent protection, we suspend or terminate the transfer.

Onward transfers. Our processors are contractually prohibited from engaging further sub-processors without our prior written authorisation, and any onward transfer outside the EEA must be covered by an equivalent transfer mechanism. The chain of sub-processors is documented at /legal/sub-processors.

Government access requests. We commit to challenging, where lawful and reasonable, any government access request that appears to exceed the requesting authority’s legal mandate, is disproportionate, or fails to meet the standards of necessity and proportionality required by Article 52 of the EU Charter of Fundamental Rights. Statistics on the volume and disposition of any such requests are published periodically.

13. Breach Notification

In the event of a personal data breach, we will assess the severity and notify the competent supervisory authority (the Bulgarian CPDP) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR — except where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay (Article 34 GDPR), describing in clear and plain language the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a single point of contact for further information.

Internally, we maintain a documented breach register listing each incident, its facts, effects and remedial actions, in accordance with Article 33(5) GDPR.

What you can do. If you suspect that your account has been compromised, change your password immediately at /reset-password, sign out of all sessions, and notify us at contact@banxs.com with the subject line “Suspected security incident”. We treat such reports as priority and a member of staff will respond within one business day. If you are a security researcher, please review our security.txt for our coordinated-disclosure preferences.

Containment and eradication. Our incident-response procedure follows the contain-eradicate-recover model: (i) immediate containment of the affected component (for example, key rotation, token invalidation, network isolation), (ii) root-cause analysis and eradication of the underlying vulnerability, (iii) restoration from known-good state with verification, and (iv) post-incident review and lessons-learned.

14. Changes, Complaints & Contact

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. The “Last updated” and “Effective from” dates at the top of the page reflect the most recent revision. For material changes that affect your rights or the purposes/legal bases of processing, we will notify you by email or in-account notification at least 30 days before the changes take effect.

For any privacy-related enquiry, to exercise a right, or to lodge a complaint with us before going to a supervisory authority, contact us at contact@banxs.com or write to: Banxs Technologies EOOD, Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria.

If you remain dissatisfied with our response, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (see Section 8) or with another competent supervisory authority.


Need a signed PDF copy? Email contact@banxs.com.