1. Introduction
1.1 This Privacy Policy explains how CoinFortCap OÜ (registry code 14898743) processes personal data when you visit https://esim2get.com (the Website), create an account (if available), place an order, receive eSIM installation details, use customer support, or otherwise interact with our services.

1.2 We process personal data as a data controller in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR): https://eur-lex.europa.eu/eli/reg/2016/679/oj

1.3 This Privacy Policy is intended to meet the transparency requirements of Articles 12 to 14 GDPR and is written in a formal legal style. Where mandatory law requires, your statutory rights prevail over contractual terms or policy wording.

2. Controller and Contact Details
2.1 The data controller is CoinFortCap OÜ, Harju maakond, Tallinn, Kesklinna linnaosa, Vesivärava tn 50-301, 10152, Estonia.

2.2 You may contact us regarding data protection matters at info@esim2get.com.

2.3 We may appoint a data protection officer or other designated contact person where required by law. If appointed, the relevant contact details will be published on the Website.

3. Scope of Processing and Roles of Other Parties
3.1 This Privacy Policy applies to processing we control as a controller.

3.2 Payment service providers used to process card or alternative payments may process certain payment-related personal data as independent controllers or as our processors, depending on the provider and the service structure. Where they act as independent controllers, their privacy notices apply to their processing activities.

3.3 Our technical eSIM provisioning partner and related telecommunications or roaming partners may process certain data to create and provision your eSIM profile and to enable connectivity. They act as our processors or independent controllers depending on the service and legal requirements applicable to electronic communications and telecommunications operations.

4. Categories of Personal Data We Process
4.1 We may process the following categories of personal data, depending on how you use the Website and services.

4.2 Identification and contact data.

4.2.1 Name (if provided).

4.2.2 Email address.

4.2.3 Country of residence (if provided or inferred from order context).

4.3 Account and authentication data (if account functionality is available).

4.3.1 Account identifier and login-related metadata.

4.3.2 Passwords are processed only in hashed form where applicable.

4.4 Order and contract data.

4.4.1 Order number, plan selection, country or region, data allowance, validity period, and order status.

4.4.2 Delivery records for installation details and supply timestamps.

4.5 eSIM provisioning and service data.

4.5.1 Installation details such as QR code payload, SM-DP+ address, and activation code, and associated provisioning identifiers.

4.5.2 Technical status information related to provisioning, activation, and data package assignment.

4.5.3 Limited usage indicators where available to us, such as activation status or remaining allowance, and not the content of communications.

4.6 Payment and transaction data.

4.6.1 Transaction identifiers, payment status, payment method type, currency, amount, and fraud screening outcomes.

4.6.2 We do not normally receive or store full payment card numbers, and such data is handled by payment service providers.

4.7 Communications and support data.

4.7.1 Messages you send to us, including emails and support requests.

4.7.2 Attachments you provide, such as screenshots or error logs.

4.8 Technical, device, and log data.

4.8.1 IP address, device type, browser type, operating system version, language settings, referral source, timestamps, and diagnostic logs.

4.8.2 Cookie identifiers and similar tracking identifiers where you consent to non-essential cookies or where strictly necessary for service operation.

4.9 Legal and compliance data.

4.9.1 Records necessary to comply with legal obligations, respond to lawful requests, or establish, exercise, or defend legal claims.

5. Purposes and Legal Bases for Processing
5.1 We process personal data only where a legal basis under Article 6 GDPR applies, and for specified, explicit, and legitimate purposes.

5.2 Contract performance and pre-contract steps, Article 6(1)(b) GDPR.

5.2.1 To provide the Website functionality necessary to place orders.

5.2.2 To conclude and perform the contract, including provisioning eSIMs, providing installation details, assigning data packages, and providing service-related support.

5.2.3 To manage order history, confirmations, and communications related to contract performance.

5.3 Legal obligations, Article 6(1)(c) GDPR.

5.3.1 To comply with applicable accounting and tax obligations, including record keeping and audit requirements.

5.3.2 To comply with consumer protection, dispute handling, and other regulatory obligations applicable to our activities.

5.4 Legitimate interests, Article 6(1)(f) GDPR.

5.4.1 To secure the Website and prevent fraud, abuse, and misuse, including monitoring suspicious transactions and protecting accounts and orders.

5.4.2 To maintain and improve service quality, reliability, and troubleshooting capability.

5.4.3 To establish, exercise, or defend legal claims, and manage disputes.

5.4.4 Where we rely on legitimate interests, we assess necessity and balance our interests against your fundamental rights and freedoms.

5.5 Consent, Article 6(1)(a) GDPR.

5.5.1 To place non-essential cookies or similar technologies, where required by applicable law.

5.5.2 To send marketing communications where consent is required by applicable law and you have provided such consent.

5.5.3 Where processing is based on consent, you may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

6. Recipients and Disclosures
6.1 We may disclose personal data to the following categories of recipients, subject to appropriate safeguards.

6.2 Service providers acting as processors under Article 28 GDPR.

6.2.1 Hosting and infrastructure providers.

6.2.2 Email and customer support tools.

6.2.3 Technical service providers supporting Website operations and security.

6.2.4 Analytics providers, where used, subject to your cookie preferences and applicable legal requirements.

6.3 Payment service providers and related financial institutions.

6.3.1 Payment service providers process payments, chargebacks, and fraud checks.

6.3.2 Depending on the provider, they may act as independent controllers for parts of the processing.

6.4 eSIM provisioning and connectivity partners.

6.4.1 Our eSIM provisioning partner processes the data necessary to create and manage your eSIM and to assign data packages.

6.4.2 Telecommunications and roaming partners may process technical identifiers and provisioning data necessary to deliver connectivity.

6.5 Public authorities and legal recipients.

6.5.1 We may disclose personal data where required by law, court order, or lawful request.

6.5.2 We may disclose data to professional advisers such as lawyers, auditors, and consultants, subject to confidentiality obligations.

6.6 We do not sell personal data.

7. International Transfers of Personal Data
7.1 We are established in Estonia and generally store and process personal data within the European Economic Area.

7.2 However, personal data may be transferred outside the European Economic Area where this is necessary for service provision, including where our payment service providers, fraud prevention services, hosting providers, or support tools are located outside the European Economic Area, or where they use sub-processors outside the European Economic Area.

7.3 Where personal data is transferred to a country outside the European Economic Area that is not subject to an adequacy decision under Article 45 GDPR, we implement appropriate safeguards under Article 46 GDPR, which may include the European Commission Standard Contractual Clauses.

7.4 The European Commission Standard Contractual Clauses are available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and Commission Implementing Decision (EU) 2021/914 is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj/eng

7.5 Where required, we carry out transfer risk assessments and implement supplementary measures appropriate to the transfer context.

7.6 You may request further information about applicable safeguards for international transfers by contacting us at info@esim2get.com.

8. Data Retention
8.1 We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.2 Contract and order records are retained for the duration necessary to provide the service and manage customer support, dispute resolution, and legal claims.

8.3 Accounting, invoice, contract, and other business documents necessary for reconstructing business transactions are retained in accordance with Estonian accounting law, including retention obligations of seven years from the end of the relevant financial year, as set out in the Accounting Act: https://www.riigiteataja.ee/en/eli/ee/530102013006/consolide/current

8.4 Where we retain data for compliance or legal claims, retention periods are determined by applicable limitation periods and regulatory requirements.

8.5 Upon expiration of applicable retention periods, personal data is deleted or anonymised, unless further retention is required by law.

9. Your Rights Under GDPR
9.1 Subject to conditions and limitations under GDPR and applicable Estonian law, you have the following rights.

9.2 Right of access, Article 15 GDPR, to obtain confirmation and information about processing and a copy of personal data.

9.3 Right to rectification, Article 16 GDPR, to correct inaccurate personal data and complete incomplete data.

9.4 Right to erasure, Article 17 GDPR, where applicable, including where data is no longer necessary or processing is unlawful.

9.5 Right to restriction of processing, Article 18 GDPR, where applicable.

9.6 Right to data portability, Article 20 GDPR, where processing is based on consent or contract and carried out by automated means.

9.7 Right to object, Article 21 GDPR, where processing is based on legitimate interests, including objection to direct marketing.

9.8 Right to withdraw consent, Article 7(3) GDPR, where processing is based on consent.

9.9 To exercise your rights, contact us at info@esim2get.com. We may request reasonable verification to confirm your identity and protect your data.

10. Security Measures
10.1 We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

10.2 Measures may include access controls, encryption in transit where supported, secure credential storage, logging and monitoring, and least-privilege practices.

10.3 No method of transmission or storage is completely secure. You should also take appropriate steps to protect your account access and devices.

11. Cookies and Similar Technologies
11.1 The Website may use cookies and similar technologies for necessary functionality, security, and performance.

11.2 Where required by applicable law, we request your consent for non-essential cookies and provide options to manage your preferences through cookie controls on the Website.

11.3 You can also manage cookies through your browser settings, subject to the risk that blocking certain cookies may impair Website functionality.

12. Children’s Data
12.1 Our services are not intended for children. We do not knowingly collect personal data from children.

12.2 If you believe a child has provided personal data to us, contact us at info@esim2get.com and we will take appropriate steps.

13. Automated Decision-Making
13.1 We may use automated checks for fraud prevention and security, including screening transactions and account activity.

13.2 Where such processing produces legal effects or similarly significant effects for you, we provide the safeguards required by Article 22 GDPR, including the right to obtain human intervention, to express your point of view, and to contest the decision, where applicable.

14. Third-Party Links
14.1 The Website may include links to third-party websites or services. We are not responsible for the privacy practices of third parties, and their privacy notices apply.

15. Complaints to a Supervisory Authority
15.1 You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

15.2 In Estonia, the supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): https://www.aki.ee

16. Changes to This Privacy Policy
16.1 We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or operational needs.

16.2 The version published on the Website at the time of your use applies, unless mandatory law requires otherwise.