Privacy Policy
Last updated: March 2026
This privacy policy explains how Telcomia OÜ collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for processing your personal data is:
Telcomia OÜ
Registrikood: 17447975
Narva mnt 5, Tallinn 10117, Estonia
Email for privacy enquiries: support@telcomia.com
2. Data Protection Officer
Given Telcomia's current size and nature of data processing, we are not required to appoint a formal Data Protection Officer (DPO) under Article 37 of the GDPR. However, all privacy-related enquiries can be directed to support@telcomia.com and will be handled with priority.
3. Personal Data We Collect
We collect and process the following categories of personal data:
| Category | Data | Legal Basis (GDPR) | Purpose |
|---|---|---|---|
| Account | Email address, name, password (hashed) | Art. 6(1)(b) — Performance of a contract | Create and manage your account |
| Purchase | Payment data (processed by our PCI-DSS certified payment processor), purchase history, selected country | Art. 6(1)(b) — Performance of a contract | Process your order and deliver your eSIM |
| eSIM/Technical | ICCID, activation status, data usage | Art. 6(1)(b) — Performance of a contract | Provisioning and technical support |
| Browsing | IP address, user agent, pages visited, language preference | Art. 6(1)(f) — Legitimate interest | Security, service improvement |
| Communications | Support emails, messages | Art. 6(1)(b) / Art. 6(1)(f) | Customer support |
Telcomia does not collect sensitive personal data as defined in Article 9 of the GDPR (such as health data, biometric data, or political opinions).
4. Sharing with Third Parties
We share your personal data with the following categories of processors, each acting under a Data Processing Agreement (DPA):
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | United States | EU-US Data Privacy Framework (DPF) / Standard Contractual Clauses (SCCs) |
| Supabase, Inc. | Database infrastructure and authentication | United States | DPA / SCCs |
| Vercel, Inc. | Website hosting | United States | DPA / SCCs |
| Wildbit LLC (Postmark) | Transactional emails | United States | DPA / SCCs |
| Connectivity providers | eSIM provisioning (receive ICCID and provisioning data) | Various | Contractual obligations |
We do not sell your personal data to any third party.
5. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. We ensure that your data is protected when transferred internationally through the following mechanisms:
- EU-US Data Privacy Framework (DPF): For providers that have been certified under the framework adopted by the European Commission's Adequacy Decision of 10 July 2023.
- Standard Contractual Clauses (SCCs): As approved by the European Commission (Decision 2021/914), incorporated into our agreements with all US-based processors.
You may request further details about the safeguards in place by contacting support@telcomia.com.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of active account + 3 years after deletion | Tax and legal obligations |
| Purchase data | 7 years | Estonian accounting requirements |
| Browsing / Cookies | Maximum 13 months | Analytics and security |
| Support communications | 3 years | Service quality and dispute resolution |
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
| Right | GDPR Article | How to Exercise |
|---|---|---|
| Access | Art. 15 — Obtain a copy of all your personal data | Email support@telcomia.com. Response within 30 days. |
| Rectification | Art. 16 — Correct inaccurate data | Via your account dashboard or by email |
| Erasure (Right to be forgotten) | Art. 17 — Request deletion of your personal data | By email. Subject to legal retention exceptions (tax, contractual) |
| Restriction | Art. 18 — Restrict the processing of your data | By email. Data is retained but not processed. |
| Portability | Art. 20 — Receive your data in a structured, machine-readable format | By email. Delivery in JSON/CSV within 30 days. |
| Objection | Art. 21 — Object to processing based on legitimate interest | By email. Applies to data processed under Art. 6(1)(f). |
| Automated decisions | Art. 22 — Not to be subject to solely automated decisions with legal effects | Telcomia does not use automated decision-making with legal or similarly significant effects. |
8. Right to Lodge a Complaint
If you believe that we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with a supervisory authority.
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
Website: www.aki.ee
You also have the right to lodge a complaint with the data protection authority in your country of residence.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS for all communications)
- Encryption at rest for stored data
- Secure authentication mechanisms
- Access controls limiting data access to authorised personnel only
- Regular security reviews
While we strive to protect your data, no system is completely secure. If you become aware of any security vulnerability, please contact us immediately at support@telcomia.com.
10. Children and Minors
Telcomia does not direct its services to persons under the age of 18. Under Estonian law, full legal capacity to enter into contracts is acquired at the age of 18. Separately, for the processing of personal data of minors in the context of information society services, the GDPR (Article 8) establishes a minimum age of 16 in Estonia.
We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected data from a minor, we will promptly delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by posting a prominent notice on our website.
The date of the last update is indicated at the top of this page. We encourage you to review this policy periodically.