Privacy Policy

1. Who we are

The data controller responsible for your personal data is:

• Kauffen Studio (sole proprietorship)
• Established in Portugal
• Contact: geral@kauffen.com

You can contact us at any time using the email above for any privacy-related question or request.

2. Information we collect

We collect the following categories of personal data:

• Account data: email address, password (hashed; we never see your plain password), and, if you sign in with Google, your Google account email and basic profile information.
• Order data: the eSIM plans you purchase, destination countries, dates, prices, and order reference numbers.
• Payment data: processed entirely by Stripe. We never store your full card number. We receive only a token, the last four digits, and the card brand to display in your order history.
• eSIM technical data: ICCID, activation code, and usage statistics returned by our network provider Celitech, used to deliver the data plan you purchased.
• Communications: emails you send to us and our replies (for support and dispute resolution).
• Technical data: IP address, browser type, device type, language preference, and basic interaction events needed to operate, secure, and improve the Service.

3. How we use your data and legal bases

We use your personal data only for the purposes described below:

• To provide the Service (deliver your eSIM, process payment, manage your account). Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
• To comply with legal obligations (issue invoices, retain accounting records, respond to lawful requests). Legal basis: legal obligation (GDPR Art. 6(1)(c)).
• To secure and improve the Service (prevent fraud, detect bugs, analyse performance). Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
• To send service emails (order confirmation, eSIM delivery, support replies, password resets). Legal basis: performance of a contract.
• To send marketing messages, if and only if you explicitly opt in. Legal basis: consent (GDPR Art. 6(1)(a)). You may withdraw consent at any time.

4. Sub-processors we share data with

We rely on a small number of trusted service providers (sub-processors) to operate the Service. They process your data only on our instructions and under written agreements that meet GDPR requirements:

• Supabase — authentication and database hosting (EU and US regions).
• Stripe — payment processing (US/EU).
• Celitech — eSIM provisioning and connectivity (US/EU).
• Resend — transactional email delivery (US/EU).
• Vercel — website and application hosting (global edge).
• Google — when you choose to sign in with your Google account, Google receives a sign-in request limited to your email and basic profile.

We do not sell your personal data to anyone, and we do not share it with third parties for their own marketing purposes.

5. International data transfers

Some of our sub-processors are located outside the European Economic Area (EEA), notably in the United States. When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or, where applicable, on adequacy decisions. Copies of the relevant safeguards are available on request.

6. Cookies and similar technologies

We use only cookies and local storage that are strictly necessary to operate the Service — for example, to keep you signed in, remember your language preference, and maintain your shopping cart. We do not use advertising cookies. If we ever introduce optional analytics cookies, we will ask for your consent first via a clear cookie banner.

7. How long we keep your data

• Account data: kept while your account is active. If you delete your account, we delete or anonymise it within 30 days, except where retention is required by law.
• Order and invoice data: kept for 10 years after the year of the transaction, as required by Portuguese tax law.
• Support communications: kept for up to 3 years after the last interaction.
• Technical logs: kept for up to 12 months for security and debugging.

8. Your rights

Under the GDPR, you have the right to:

• Access the personal data we hold about you
• Have inaccurate data corrected
• Have your data deleted (right to erasure)
• Restrict or object to certain processing
• Receive your data in a portable format
• Withdraw consent at any time, where processing is based on consent
• Lodge a complaint with the Portuguese supervisory authority (Comissão Nacional de Proteção de Dados — CNPD, www.cnpd.pt) or the authority in your country of residence.

To exercise any of these rights, email us at geral@kauffen.com. We will respond within 30 days.

9. Children's privacy

The Service is not directed at people under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

10. Security

We take reasonable technical and organisational measures to protect your data — including encrypted connections (HTTPS), hashed passwords, restricted access, and the use of reputable sub-processors. No system is perfectly secure; if we become aware of a personal data breach that affects you, we will notify you and the relevant authorities as required by law.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. For material changes, we will notify you by email or through a notice in the app before the changes take effect.

12. Contact

For any privacy-related question or to exercise your rights, contact us at: geral@kauffen.com.