Privacy Policy
We explain the data we actually process when you buy an eSIM, use your account, and interact with analytics or marketing measurement.
1. Data controller
Who runs the site and where we are based.
- Legal name: Byte development s.r.o.
- Company ID: 21661235
- Data box: hjhpcu9
- Registered address: Příkop 843/4, Zábrdovice, 602 00 Brno
2. What we process
Only the data the site actually needs.
- Email and order details for eSIM delivery, billing and support.
- Billing profile and company details only when the customer saves them or enters them in checkout.
- IP address, CSRF token and order code for fraud prevention and ownership verification.
- Technical identifiers required for operations, GA4/PostHog under separate project settings, and Umami/marketing identifiers only after the relevant consent.
- Browser storage used by the consent banner, cart persistence and security checks.
- Connection-quality diagnostic records after eSIM activation: reachability result, speed estimate, latency, app version, related profile/order reference, network status and provider usage delta where available. Automatic tests are off by default; they run only when you explicitly enable them or start a manual test. One test usually uses up to 1 MB and can be turned off again in app Settings.
3. Purposes and legal bases
Purpose, legal basis and retention in one table.
| Purpose | Legal basis | Retention |
|---|---|---|
| eSIM delivery and order management | GDPR Art. 6(1)(b) | 10 years for accounting records, otherwise for the order lifecycle |
| Invoicing and accounting | GDPR Art. 6(1)(c) | 10 years |
| Fraud prevention and support | GDPR Art. 6(1)(f) | As long as needed for the request and security logs |
| Automatic connection-quality diagnostics and public aggregate speed reporting | GDPR Art. 6(1)(f) | As long as needed to improve service and resolve claims; public reporting is aggregate only, without profile, order, ICCID, QR code or precise location |
| Umami/consent-managed analytics and marketing measurement | GDPR Art. 6(1)(a) (consent) | Until consent is withdrawn / according to the tool settings; GA4/PostHog according to project settings |
| Affiliate and referral attribution for partner payouts | GDPR Art. 6(1)(f) / performance of partner agreement | According to the cookie window and claim hold period; shared with ad networks only after marketing consent |
4. Processors and sharing
Who helps us run the service and accept payments.
- Stripe for payments
- Appwrite for database and account operations
- eSIM Access and MobiMatter for eSIM provisioning and provider usage status checks during diagnostics
- Appwrite Messaging with MailerSend SMTP for transactional email
- GA4 measurement and PostHog including session replay under separate project settings; Umami only after analytics consent
- Meta, Google Ads, TikTok, Microsoft Ads and Reddit for advertising pixels, server-side conversions, attribution and remarketing – only after marketing consent
- mPOHODA for invoicing and accounting records
5. Your rights
What you can request and through which channel.
- Right of access, rectification, erasure, portability, objection and restriction.
- You can also request export and deletion through the GDPR portal.
- Accounting records are anonymized on deletion but kept for the period required by law.
- You can lodge a complaint with the supervisory authority — the Czech Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz (Article 77 GDPR).
Use the GDPR portal or email support@tvojedata.cz for export or deletion requests.
6. Cookies and browser storage
Map of essential, analytics, ads and affiliate/referral cookies.
- Essential: `td_session` with Appwrite session secret for account login
- Essential: `csrf_token` for form protection and `cookie_consent` for storing your choice
- Affiliate/referral and attribution: `td_attribution` stores referral or affiliate identifiers for contractual payout attribution and ad click identifiers (e.g. gclid, UTM) for server-side purchase conversion measurement; it is a first-party cookie unavailable to third-party scripts
- Analytics: GA4 measurement and PostHog including session replay under separate project settings; Umami only after analytics consent
- Advertising cookies and conversions: client-side Meta, Google Ads, TikTok, Microsoft Ads and Reddit pixels for remarketing run only after marketing consent; server-side purchase conversion measurement (including hashed email or phone for conversion verification) runs under our legitimate interest independently of the cookie banner
- Cart state and consent choices may be stored in localStorage/cookies according to your settings
7. Contact
Last stop and service contact.
Contact: support@tvojedata.cz. GDPR requests can also be submitted through the GDPR portal.