Privacy Policy

Black Fin LTD, registration number HE471760, VAT 60153090W, registered office Homer Buildings, 20 Homer Avenue, 1097 Nicosia, Cyprus.

Contact for privacy matters: hello@esimcruise.com.

• Identity and contact data: e-mail address (required to deliver the eSIM QR code).
• Order data: chosen plan, price, currency, order timestamp, order reference, partner/agent attribution parameters where present.
• Payment data: handled by Stripe directly. We receive only a payment token, the card brand, last four digits and country, and the transaction status.
• eSIM provisioning data exchanged with GigSky: ICCID of the eSIM profile, plan identifier, activation and usage status.
• Technical data: IP address, browser user-agent, device type, language, timestamps, essential cookies and, where applicable, analytics cookies.
• Support correspondence: any information you send us by e-mail.

• Performance of the contract (Art. 6(1)(b) GDPR): processing your order, delivering the QR code, providing customer support.
• Compliance with a legal obligation (Art. 6(1)(c) GDPR): bookkeeping, invoicing, VAT and tax obligations under Cyprus and EU law.
• Legitimate interest (Art. 6(1)(f) GDPR): fraud prevention, security of the website, statistical analysis to improve the Service.
• Consent (Art. 6(1)(a) GDPR): non-essential cookies and any direct marketing, where applicable. You may withdraw consent at any time.

We share personal data only with the recipients strictly necessary to operate the Service:

• Stripe Payments Europe, Limited (Ireland) — payment processing.
• GigSky, Inc. (United States) — eSIM provisioning, activation and network access.
• Supabase, Inc. — managed cloud database and authentication infrastructure used to host order records.
• Hosting and content delivery providers used to operate esimcruise.com.
• E-mail delivery provider used to send transactional e-mails (order confirmation, QR code).
• Professional advisors (accountants, lawyers) and competent authorities where required by law.

Some of our processors are established outside the European Economic Area (notably GigSky, Inc. in the United States). Such transfers are framed by the European Commission Standard Contractual Clauses (SCCs) and, where applicable, by additional safeguards in line with Schrems II case law.

You may obtain a copy of the safeguards in place by contacting hello@esimcruise.com.

• Order, invoice and accounting records: 7 years from the end of the relevant accounting year (Cyprus tax law).
• Customer support correspondence: up to 3 years after the last contact.
• Server and security logs: up to 12 months.
• Marketing data (if any): until you withdraw consent or object.

Under the GDPR you have the right to: access your personal data (Art. 15), rectify it (Art. 16), request its erasure (Art. 17), restrict its processing (Art. 18), receive it in a portable format (Art. 20), object to processing based on legitimate interest (Art. 21), and withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, write to hello@esimcruise.com. We will reply within one (1) month, possibly extended by two further months for complex requests.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Cyprus supervisory authority:

Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, 1, Iasonos Street, 2nd Floor, 1082 Nicosia, Cyprus — https://www.dataprotection.gov.cy.

You may also lodge a complaint with the data protection authority of your country of residence within the European Union.

We use strictly necessary cookies to operate the website (session, language preference, security). Where we use analytics or marketing cookies, we collect your prior consent and you can withdraw it at any time through the cookie settings of your browser.

We use industry-standard technical and organisational measures: TLS encryption in transit, encryption at rest at our cloud providers, access controls, row-level security in the database, and least-privilege principles. No system is fully secure: should a breach occur, we will notify the supervisory authority and, where required, affected users in line with Articles 33–34 GDPR.

The Service is not intended for persons under 18 and we do not knowingly collect personal data from minors.

We may update this Privacy Policy from time to time. The current version, with its "Last updated" date, is always available on this page.

For any question about this Privacy Policy or our data processing practices, write to hello@esimcruise.com.