This Privacy Policy explains how Skybyte EOOD processes personal data in connection with the Skybyte eSIM service. It is provided in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and the Bulgarian Personal Data Protection Act (ZZLD).
1. Who We Are
The data controller for personal data processed in connection with the Service is:
Skybyte EOOD
[PLACEHOLDER: REGISTERED ADDRESS], Sofia, Bulgaria
EIK: [PLACEHOLDER: EIK NUMBER] · VAT: BG[PLACEHOLDER: VAT NUMBER]
Data Protection Officer: [PLACEHOLDER: dpo@skybyte.com]
2. What Personal Data We Collect
- Account data — name, email address, hashed password, optional phone number (E.164), country, language and currency preferences, profile picture (optional).
- Order data — items purchased, billing country, currency, amounts, payment status, invoice number, VAT number (for B2B customers), VAT validation outcome from the EU VIES system.
- eSIM usage data — ICCID, activation timestamps, data consumption (in megabytes), expiry status. We do not see the content of your communications or the websites you visit.
- Support data — chat messages and attachments you send via support, the IP address at thread creation, internal staff notes attached to your records.
- Technical data — IP address, browser type and language, device type, country derived from IP, cookie identifiers (see Cookie Policy), session tokens, security event logs.
- Marketing preferences — channel opt-ins (email, WhatsApp), subscription status, suppression list entries.
- Consent records — the choices you make in our cookie consent banner, including timestamp, IP address, user-agent string, and the policy version in effect at the time.
3. How We Use Your Data
We process personal data on the following lawful bases under GDPR Article 6:
- Performance of contract — Article 6(1)(b): order processing, eSIM provisioning, top-ups, account management, customer support, refunds, fulfilment of statutory pre-contractual information duties.
- Legal obligation — Article 6(1)(c): issuing and retaining VAT-compliant invoices (Bulgarian VAT Act, Art. 114), retaining accounting records for 7 years (Art. 38), responding to lawful requests from supervisory and law-enforcement authorities, sanctions and AML screening where applicable.
- Legitimate interests — Article 6(1)(f): fraud and abuse prevention, security monitoring, service-quality measurement on an aggregated basis, defending legal claims, improving our products. We have balanced these interests against your fundamental rights and freedoms; you may object at any time (see “Your Rights” below).
- Consent — Article 6(1)(a): non-essential cookies, marketing communications, WhatsApp opt-in, optional features. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. Who We Share Data With
We share personal data with the following categories of recipients, each acting either as our data processor under a written processing agreement or, where indicated, as an independent controller:
- Lovable Cloud / Supabase — managed database, authentication, and storage. EEA hosting region.
- PayNovus AD — payment processing, regulated as an Electronic Money Institution by the Bulgarian National Bank. Independent controller for fraud prevention and payment settlement.
- eSIM connectivity providers (e.g. eSIM Go, Maya Mobile) — eSIM provisioning and underlying network access. Established in the United Kingdom and the European Union; act as independent controllers for the operation of mobile networks.
- Postmark / equivalent email provider — transactional and (with consent) marketing email delivery. Standard Contractual Clauses for any transfer to the US.
- Meta Platforms Ireland — WhatsApp Business messages, where you opt in to that channel. EU-resident controller; SCCs apply where data is onward-transferred.
- Cloudflare — content delivery, DDoS protection, WAF. Standard Contractual Clauses apply to extra-EEA processing.
- Bulgarian National Revenue Agency — invoices and transaction records as legally required.
- Law-enforcement and supervisory authorities — only on receipt of a lawful and binding request, and only to the extent legally compelled.
A live list of our sub-processors is maintained at /legal/sub-processors.
5. International Transfers
Some of our processors are established outside the European Economic Area. Where personal data is transferred outside the EEA to a country without an adequacy decision from the European Commission, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) and, where appropriate, supplementary technical and organisational measures, to ensure your data receives a level of protection essentially equivalent to that guaranteed within the EEA.
6. Retention
We retain personal data only for as long as necessary:
- Account data — until you delete your account, plus a 30-day grace period.
- Order, invoice, and accounting data — 7 years from the order date (Bulgarian VAT Act, Art. 38; Bulgarian Accounting Act).
- eSIM and top-up records — 7 years (linked to order records).
- Refund records — 7 years.
- Support threads and messages — 3 years from thread closure.
- Audit log — 7 years (combined financial and compliance retention).
- Webhook event records — 1 year (operational reconciliation only).
- Marketing data — until you withdraw consent or unsubscribe, plus 30 days for processing the withdrawal.
- Cookie / consent receipts — 5 years (legal proof of consent under GDPR Art. 7, plus a 2-year buffer).
- Technical logs — up to 13 months.
When you exercise your right to erasure, your profile is anonymised — your name, phone number, profile picture, and marketing preferences are removed — but order, invoice, and accounting records remain in pseudonymised form for the 7-year retention period required by Bulgarian law.
7. Your Rights
You have the following rights under the GDPR:
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you. Available self-service via /account/privacy.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data. Edit your profile at /account/profile.
- Right to erasure (Art. 17) — request deletion of your account and personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — limit our processing in defined circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable JSON format.
- Right to object (Art. 21) — object to processing based on legitimate interests, including profiling, and object to direct marketing at any time.
- Right not to be subject to automated decision-making (Art. 22) — Skybyte does not use solely automated decision-making producing legal or similarly significant effects.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of pre-withdrawal processing.
- Right to lodge a complaint — with the Bulgarian Commission for Personal Data Protection (www.cpdp.bg) or with the supervisory authority of your habitual residence or workplace.
To exercise any right, use the self-service tools at /account/privacy or email [PLACEHOLDER: dpo@skybyte.com]. We respond within 30 days (extendable by a further 60 days for complex requests, with notice).
8. Cookies & Tracking
We use a small number of essential cookies to operate the Service, and (with your consent) functional and analytics cookies to improve it. We do not use third-party advertising cookies. Full details are available in our Cookie Policy; you can change your choices at any time via the “Cookie preferences” link in the site footer.
9. Children
The Service is not directed at children under 18 and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it without undue delay.
10. Security
We employ appropriate technical and organisational measures to safeguard personal data, including TLS encryption in transit, encryption at rest for our database and storage layers, row-level access controls, role-based administrative access, comprehensive audit logging, and secret management via a managed vault. Payment card data is never stored on Skybyte servers and is tokenised at our PCI-DSS-compliant payment processor.
11. Breach Notification
In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify affected individuals without undue delay (Article 34 GDPR).
12. Changes to This Policy
We may update this Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. For material changes, we will notify you by email or in-account notification at least 30 days before the changes take effect.
13. Contact & DPO
For privacy-related enquiries or to exercise your rights, contact our Data Protection Officer at [PLACEHOLDER: dpo@skybyte.com], or write to Skybyte EOOD, [PLACEHOLDER: REGISTERED ADDRESS], Sofia, Bulgaria.