legal · privacy policy

Your data plan.

The long version of our trust page — what we collect, why, who sees it, and how long we keep it. Plain English, with exactly the amount of detail a privacy officer expects.

effective · April 1, 2026last updated · April 12, 2026

1. What to read first

We sell data plans, not your data. This policy explains what we collect, why, who sees it, and when we delete it. The complete list — every piece of data we store — lives on our trust page. If you want the short version, start there.

2. What we collect

Account & checkout

  • Email, name — for sign-in, receipts, delivery of your activation QR.
  • Payment token — Stripe's token, not your card number. We never see the 16-digit PAN.
  • Preferred currency & locale — so the catalog displays in the format you expect.

Plans & usage

  • ICCID and plan metadata — what plan is installed, how much data is left, validity window.
  • Usage counters from the provider — aggregated MB used; not which sites or apps.
  • Order history — so you can re-download credentials and we can issue refunds if we owe you one.

Support

  • Device model — only if you share it when asking for help.
  • Conversation transcripts — stored for 180 days to help us improve help articles and train agents.

3. Why we collect it

  • To deliver the eSIM you bought and help you install it.
  • To process payments and prevent fraud.
  • To diagnose support issues and make refund decisions.
  • To comply with tax, anti-fraud, and consumer-protection laws.
  • To improve the product in aggregate — never by profiling you as an individual.

4. Who sees it

We share data only with the narrow set of providers needed to run the service:

  • Stripe — payment processing.
  • Droam — our upstream eSIM wholesaler; receives the ICCID and plan provisioning requests, not your name or email.
  • Postmark — transactional email delivery.
  • Cloudflare — hosting, CDN, and DDoS protection.

None of these parties are permitted to use your data for marketing or resale. We're happy to share our DPAs on request.

5. How long we keep it

  • Account profile — while the account exists, plus 30 days after deletion.
  • Order & payment records — 7 years, as required by tax and accounting regulations.
  • Support conversations — 180 days.
  • Anonymized usage counters — 30 days, then aggregated and the row is dropped.

6. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data — and to object to how we process it. We honor these rights regardless of jurisdiction:

  • Export: downloadable JSON bundle from your account settings.
  • Delete: one click in your account settings; email, payment token, and support history are wiped within 72 hours.
  • Correct: edit email or name from the same page at any time.
  • Object: stop us from processing your data by closing your account; for narrower objections, email privacy@zingroam.com.

7. Security

Data in transit is TLS-encrypted; data at rest sits in Neon Postgres with encryption on. Passwords are hashed with argon2id. We run security reviews on every release and keep dependency scans in CI.

If we ever detect a breach that puts you at material risk, we'll notify affected users within 72 hours of confirming it — as required by GDPR and in line with broader industry practice.

8. Contact

Privacy questions, data requests, and complaints go to privacy@zingroam.com. If you're in the EU/EEA and aren't satisfied with our response, you can lodge a complaint with your local data protection authority.