Privacy Policy

TimeTransfers OÜ (“TimeTransfers”, “we”, “us”) is committed to processing personal data in a lawful, fair, and transparent manner in line with Regulation (EU) 2016/679 (GDPR), the Estonian Personal Data Protection Act, and the ePrivacy framework. This Privacy Policy explains what data we collect when you browse timetransfers.com, purchase a single-destination, regional, or global eSIM package, top up or manage a Pay As You Go (“PAYG”) balance, communicate with us, or use any ancillary services.

1. Data controller and contact

The controller responsible for processing is TimeTransfers OÜ, Erika tn 14-208, Tallinn, 10416, Estonia (reg. no. 14223554). For any privacy question, exercise of rights, or complaint you may contact contact@timetransfers.xyz. We respond without undue delay and always within one month, subject to lawful extensions.

2. Scope and definitions

This Policy applies to visitors, prospects, and customers using our website, checkout, support, and delivery flows for digital connectivity products, including eSIMs for a single country, multi-country regional bundles, global passes, PAYG balances, and future top-up options. “Personal data” means any information relating to an identified or identifiable natural person such as name, identifier, location, or online identifier.

3. Categories of data we process

• Account and order data: name, email, billing and delivery details, package selections (single destination, regional, global), SIM identifiers, country of residence, number of packages, payment confirmation numbers.
• Support and communication data: messages, attachments, troubleshooting notes, language preferences, consent logs.
• Payment and invoicing data: tokenized card identifiers, transaction references, currency, VAT country, and top-up history (processed via our PCI-DSS compliant partners).
• Technical and telemetry data: log files, IP address, browser or device metadata, session identifiers, cookie preferences, analytics metrics (collected only after consent).
• Regulatory and fraud-prevention data: usage records required to investigate misuse, export control flags, records of user approvals, and PAYG abuse prevention signals.

4. Legal bases for processing

Depending on the context, we rely on the following legal bases under Art. 6 GDPR:

• Contract performance – to provision eSIM profiles, deliver data packages, manage orders, and provide support.
• Legal obligations – to comply with Estonian accounting rules, tax reporting, telecom regulations, and consumer protection laws.
• Legitimate interests – to secure our systems, prevent fraud, improve services, and defend legal claims. We balance these interests against your rights.
• Consent – for non-essential cookies, optional newsletters, and marketing communications. You may withdraw consent at any time without affecting prior processing.

5. How we collect data

Data is collected (i) directly from you via forms, checkout, chat, email, or telephone; (ii) automatically through cookies or analytics after you accept tracking; and (iii) from payment processors or telecom partners strictly for delivery and compliance purposes. We do not purchase third-party marketing databases.

6. Retention

We keep personal data only for as long as necessary:

• Order and billing records: 7 years from the end of the financial year, as required by Estonian accounting law.
• Support transcripts: up to 3 years after ticket closure, unless local law requires longer storage or a dispute is ongoing.
• Inactive PAYG/eSIM identifiers: deleted or anonymized 24 months after last activity (365 days of inactivity for PAYG balances plus a 12-month audit buffer), unless mandated otherwise.
• Consent logs: maintained as long as needed to demonstrate compliance with GDPR obligations.

7. Sharing and processors

We never sell personal data. We share it only with trusted processors that support our operations under written agreements, including hosting providers, payment processors (e.g., Stripe, PayPal), telecom carriers that activate eSIM profiles, analytics vendors, couriers (when applicable), and professional advisers. Authorities may receive data if required by law or court order.

8. International transfers

When processors are located outside the European Economic Area, we implement GDPR-compliant safeguards, such as adequacy decisions (e.g., EU–US Data Privacy Framework) or Standard Contractual Clauses plus supplementary measures. Copies of these safeguards are available upon request.

9. Security

We employ industry-standard administrative, technical, and physical safeguards including strong encryption (TLS), least-privilege access, network segmentation, monitoring, and staff training. Access to personal data is restricted to personnel who need it to fulfill contractual duties.

10. Your rights

You may exercise the following GDPR rights at any time: access, rectification, erasure, restriction, data portability, objection to processing, and withdrawal of consent. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate or your local supervisory authority.

11. Marketing choices

We send service and transactional emails without prior opt-in because they are necessary for your order. Promotional updates or newsletters are sent only if you subscribed, and every message contains an unsubscribe option. We do not conduct automated decision-making that produces legal effects.

12. Cookies and tracking

Essential cookies are required to operate the site. Analytics and marketing cookies are loaded only after you grant consent via the banner or footer link. Please review the Cookie Policy for detailed information, storage periods, and management options.

13. Children

Our services are not intended for individuals under 16. If we learn that we processed data from a child without verifiable parental consent, we will delete it promptly. Parents or guardians can contact us to review or delete such information.

14. Updates to this Policy

We may amend this Privacy Policy to reflect legal requirements or product changes. The “Last updated” date at the top of the page shows the current version. Material changes will be announced on our website or via email when feasible.

15. Governing law and disputes

This Policy is governed by Estonian law. Any dispute relating to privacy matters shall be resolved before the competent courts of Estonia, without prejudice to your statutory right to lodge a complaint with your supervisory authority.