Privacy Policy
Last updated: March 30, 2026
This privacy policy describes how WassaSim (hereinafter "we", "our") collects, uses and protects your personal data when you use our mobile application, website and online services (hereinafter "the Service").
WassaSim is an eSIM data marketplace for purchasing international data plans across 178 countries. The Service operates in two modes: with an account (passwordless magic link authentication) and guest checkout (no account required).
This policy complies with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act of January 6, 1978 (as amended).
1. Data controller
SASU WassaSim (being incorporated)
Contact email: contact@wassasim.com
Privacy email: privacy@wassasim.com
Website: https://wassasim.com
2. Data collected
We apply the principle of data minimization: we only collect what is strictly necessary for the operation of the Service.
Data you provide to us
- Email address — eSIM delivery, order confirmations, invoices, and authentication if you create an account
- Name — identification on invoices
- Destination country — selection of the appropriate plan
- Recipient email (if purchasing for someone else) — eSIM delivery to the recipient
Automatically collected data
- IP address — security, fraud prevention, and buyer country determination for VAT calculation (via our CDN's CF-IPCountry header, without precise geolocation)
- Technical data (device model, operating system, browser version) — technical error diagnosis
- Anonymized usage data — Service improvement (pages visited, purchase flow)
Payment data
Your banking data (card number, expiration date, CVV) is collected and processed exclusively by our payment provider, certified PCI-DSS Level 1 (the highest certification level in the payment industry). Card data flows directly from your browser or app to the provider's servers, without ever passing through our systems. WassaSim does not store, process or access any banking data.
Data we do NOT collect
- Credit card numbers or payment data
- Passwords (authentication uses magic links sent by email)
- Biometric data
- Precise geolocation data
- Social media data
- Phone numbers (unless you voluntarily provide them to support)
3. Why we use your data (legal bases)
Each data processing activity relies on a legal basis provided by the GDPR:
- Performance of a contract (Art. 6.1.b GDPR) — payment processing, eSIM provisioning, email delivery, invoice generation, refund management
- Legal obligation (Art. 6.1.c GDPR) — invoice retention (10 years, French Commercial Code Art. L123-22), VAT calculation and reporting, compliance with judicial requests
- Legitimate interest (Art. 6.1.f GDPR) — fraud prevention, Service security, technical error monitoring, Service improvement through anonymized usage analysis
We never sell, rent or share your personal data for advertising, profiling or commercial purposes. We do not send unsolicited marketing emails.
4. Subprocessors and data sharing
For the proper functioning of the Service, we use a limited number of technical providers, each bound by a GDPR-compliant Data Processing Agreement (DPA).
| Category | Role | Data location | Certifications |
|---|---|---|---|
| Hosting | Servers and database | France | ISO 27001, SOC 1 & 2 |
| Payment | Transaction processing | EU (Ireland) | PCI-DSS Level 1, SOC 2 Type II |
| CDN / Security | DDoS protection, Web Application Firewall (WAF), SSL certificates | Global (edge caches), EU config | SOC 2 Type II, ISO 27001 |
| Transactional email | eSIM delivery, invoices, confirmations | EU | SOC 2 Type II |
| Monitoring | Technical error tracking (no personal data transmitted) | EU (Frankfurt) | SOC 2 Type II |
| Analytics | Anonymized usage analytics (no personal data transmitted) | EU (Frankfurt) | — |
| eSIM providers | eSIM profile provisioning | Singapore / EU | SOC 2 Type II, PCI-DSS |
Our payment processor and eSIM providers are independently audited: both are SOC 2 Type II certified (annual independent audit covering security, availability and confidentiality) and PCI-DSS certified (Payment Card Industry Data Security Standard). These certifications cover each provider's own controls, so the chain from payment to eSIM provisioning is subject to independent audit at each provider that handles it.
We do not share any data with third parties for advertising or profiling purposes.
5. Transfers outside the European Union
The vast majority of your data is hosted in France (a certified datacenter in France) and within the European Union. Some providers partially operate outside the EU:
- Payment provider — certified under the EU-US Data Privacy Framework
- CDN / Security — Standard Contractual Clauses (SCCs) approved by the European Commission
- eSIM providers — SCCs and SOC 2 Type II certifications
These transfers are governed by the safeguards provided by the GDPR (Chapter V): adequacy decisions, Standard Contractual Clauses, and/or the EU-US Data Privacy Framework.
You may obtain a copy of the appropriate safeguards by contacting us at privacy@wassasim.com.
6. Data retention periods
Your data is retained only for as long as necessary for the purpose for which it was collected:
- Order data (email, name, country) — 3 years after last order, then anonymized
- eSIM QR codes and activation codes — 90 days after delivery, then deleted
- Billing data — 10 years (legal obligation, French Commercial Code Art. L123-22)
- Authentication tokens — 30 days (automatically renewed, revocable at any time)
- Security logs — 12 months
- Anonymized usage data — 24 months
At the end of these periods, data is deleted or irreversibly anonymized. Database access credentials are automatically rotated every month.
7. Your rights
Under the GDPR (Articles 15 to 22), you have the following rights regarding your personal data:
- Access (Art. 15) — obtain a copy of all personal data we hold about you
- Rectification (Art. 16) — correct inaccurate or incomplete data. If you have an account, you can update your information directly from your profile
- Erasure (Art. 17) — request deletion of your data when it is no longer necessary. Some data may be retained due to legal obligations (billing)
- Restriction (Art. 18) — restrict processing of your data in certain cases
- Portability (Art. 20) — receive your data in a structured, commonly used and machine-readable format (JSON). Available from your account
- Objection (Art. 21) — object to processing based on our legitimate interest
To exercise your rights, contact us at privacy@wassasim.com. We respond within one month. If your request is complex, this period may be extended by two months (we will inform you).
If our response does not satisfy you, you may file a complaint with the CNIL (French Data Protection Authority), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.
8. Security
We implement state-of-the-art technical and organizational security measures to protect your data:
Encryption
- All communications encrypted in transit (TLS 1.2+ / mandatory HTTPS)
- Sensitive data encrypted at rest in our database
- SSL certificates managed via our CDN with automatic renewal
Infrastructure
- Servers hosted in France (a certified datacenter in France), access restricted to SSH key authentication only
- Database accessible only locally (port closed to external traffic)
- Secrets and credentials managed by a digital vault — no secrets stored on disk, everything injected into memory at runtime
- Automatic monthly rotation of database credentials and API keys
Application protection
- Web Application Firewall (WAF) with custom rules against common attacks
- DDoS protection at network and application level
- Rate limiting by IP address
- CSRF protection on all sensitive actions
- Security HTTP headers (HSTS, X-Content-Type-Options, X-Frame-Options)
Authentication
- Magic link login — no passwords stored or transmitted
- Cryptographically signed access tokens (JWT HS256) with automatic expiration
- Admin access protected by strict rate limiting (5 attempts / 15 min) and anti-indexing headers
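The two mechanisms named above, an HMAC-signed token that expires on its own and a 5-attempts-per-15-minutes limit, are shown below as an added illustration. This is not WassaSim's code; the secret, the 15-minute token lifetime, the claim names and the in-memory attempt store are assumptions made for the example.

```python
"""Illustrative magic-link token (JWT HS256) and a sliding-window rate limiter.

Added example, not WassaSim's implementation. Secret, TTL, claim names and
the in-memory store are assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, secret: bytes, now: float, ttl_seconds: int = 900) -> str:
    """Build a compact JWT (header.payload.signature) signed with HMAC-SHA256.

    A magic link would carry a short-lived token like this. The 15-minute TTL
    is an assumption, not a value stated in the policy.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": email, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, now: float) -> dict:
    """Check signature and expiry; raise ValueError on any failure.

    The algorithm is pinned on the verifier side: a header claiming "none" or
    anything other than HS256 is rejected before the signature is examined,
    which closes the classic algorithm-confusion weakness in JWT handling.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def token_is_valid(token: str, secret: bytes, now: float) -> bool:
    """Boolean wrapper around verify_token for callers that only need yes/no."""
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:
        return False


class RateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per key.

    Defaults mirror the policy's stated admin limit (5 attempts / 15 min);
    keying by client IP is an assumption.
    """

    def __init__(self, limit: int = 5, window: int = 15 * 60):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        # Drop attempts that fell out of the window before counting.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # denied attempts are not recorded, so the window does not grow
        q.append(now)
        return True
```

Because HS256 is a symmetric MAC, the same secret both issues and verifies tokens; that is why keeping it in a vault and rotating it, as the Infrastructure list describes, matters as much as the signature itself.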
Supply chain trust
- Payments processed by a PCI-DSS Level 1 certified provider
- eSIM providers certified SOC 2 Type II (annual independent audit covering security, availability and confidentiality) and PCI-DSS
- Automated vulnerability scanning in our deployment pipeline (SAST, dependency auditing)
In case of a personal data breach, we notify the CNIL within 72 hours of becoming aware of it, in accordance with GDPR Article 33, and inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Article 34).
9. Cookies
WassaSim uses no advertising, profiling or third-party tracking cookies.
Only strictly essential cookies for the technical operation of the Service are used:
- Language preference (wassasim_lang cookie) — to remember your language choice
- Attack protection — security cookies managed by our CDN
These cookies are exempt from consent in accordance with Article 82 of the French Data Protection Act and CNIL recommendations (deliberation No. 2020-091). We do not use Google Analytics, Facebook Pixel or any advertising tracking tool.
10. Children
The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, contact us at privacy@wassasim.com and we will delete it.
11. Changes
We may modify this policy to reflect changes in our practices or regulations. The update date at the top of this document is authoritative. In case of substantial changes, we will notify account holders by email.
12. Contact
For any question regarding your personal data:
- Privacy: privacy@wassasim.com
- General contact: contact@wassasim.com
This policy is governed by French law. In case of dispute, the French courts shall have exclusive jurisdiction.