Privacy Policy

We explain the data we actually process when you buy an eSIM, use your account, and interact with analytics or marketing measurement.

1. Data controller

Who runs the site and where we are based.

Legal name

Byte development s.r.o.

Company ID

21661235

Data box

hjhpcu9

Registered address

Příkop 843/4, Zábrdovice, 602 00 Brno

2. What we process

Only the data the site actually needs.

  • Email and order details for eSIM delivery, billing and support.
  • Billing profile and company details only when the customer saves them or enters them in checkout.
  • IP address, CSRF token and order code for fraud prevention and ownership verification.
  • Technical identifiers required for operations, GA4/PostHog under separate project settings, and Umami/marketing identifiers only after the relevant consent.
  • Browser storage used by the consent banner, cart persistence and security checks.
  • Connection-quality diagnostic records after eSIM activation: reachability result, speed estimate, latency, app version, related profile/order reference, network status and provider usage delta where available. Automatic tests are off by default; they run only when you explicitly enable them or start a manual test. One test usually uses up to 1 MB and can be turned off again in app Settings.

3. Purposes and legal bases

Purpose, legal basis and retention in one table.

| Purpose | Legal basis | Retention |
| --- | --- | --- |
| eSIM delivery and order management | GDPR Art. 6(1)(b) | 10 years for accounting records, otherwise for the order lifecycle |
| Invoicing and accounting | GDPR Art. 6(1)(c) | 10 years |
| Fraud prevention and support | GDPR Art. 6(1)(f) | As long as needed for the request and security logs |
| Automatic connection-quality diagnostics and public aggregate speed reporting | GDPR Art. 6(1)(f) | As long as needed to improve service and resolve claims; public reporting is aggregate only, without profile, order, ICCID, QR code or precise location |
| Umami/consent-managed analytics and marketing measurement | GDPR Art. 6(1)(a) (consent) | Until consent is withdrawn / according to the tool settings; GA4/PostHog according to project settings |
| Affiliate and referral attribution for partner payouts | GDPR Art. 6(1)(f) / performance of partner agreement | According to the cookie window and claim hold period; shared with ad networks only after marketing consent |

4. Processors and sharing

Who helps us run the service and accept payments.

  • Stripe for payments
  • Appwrite for database and account operations
  • eSIM Access and MobiMatter for eSIM provisioning and provider usage status checks during diagnostics
  • Appwrite Messaging with MailerSend SMTP for transactional email
  • GA4 measurement and PostHog including session replay under separate project settings; Umami only after analytics consent
  • Meta, Google Ads, TikTok, Microsoft Ads and Reddit for advertising pixels, server-side conversions, attribution and remarketing – only after marketing consent
  • mPOHODA for invoicing and accounting records

5. Your rights

What you can request and through which channel.

  • Right of access, rectification, erasure, portability, objection and restriction.
  • You can also request export and deletion through the GDPR portal.
  • Accounting records are anonymized on deletion but kept for the period required by law.
  • You can lodge a complaint with the supervisory authority — the Czech Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz (Article 77 GDPR).

Use the GDPR portal or email support@tvojedata.cz for export or deletion requests.

6. Cookies and browser storage

Map of essential, analytics, ads and affiliate/referral cookies.

  • Essential: `td_session` with Appwrite session secret for account login
  • Essential: `csrf_token` for form protection and `cookie_consent` for storing your choice
  • Affiliate/referral and attribution: `td_attribution` stores referral or affiliate identifiers for contractual payout attribution and ad click identifiers (e.g. gclid, UTM) for server-side purchase conversion measurement; it is a first-party cookie unavailable to third-party scripts
  • Analytics: GA4 measurement and PostHog including session replay under separate project settings; Umami only after analytics consent
  • Advertising cookies and conversions: client-side Meta, Google Ads, TikTok, Microsoft Ads and Reddit pixels for remarketing run only after marketing consent; server-side purchase conversion measurement (including hashed email or phone for conversion verification) runs under our legitimate interest independently of the cookie banner
  • Cart state and consent choices may be stored in localStorage/cookies according to your settings

7. Contact

Last stop and service contact.

Contact: support@tvojedata.cz. GDPR requests can also be submitted through the GDPR portal.
