Legal
Privacy Policy
Last updated: June 2026
This Privacy Policy explains how NXTL, MB (“NXTL”, “we”, “us”) processes personal data when you use nxtlsim.com, your customer account, our eSIM services, and the NXTL eSIM mobile application (together, the “Services”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data controller
The data controller responsible for your personal data is NXTL, MB, company code 306225619, registered at Perkūnkiemio g. 13-91, LT-12114 Vilnius, Lithuania. For privacy-related questions or to exercise your rights, contact [email protected].
2. Scope
This Policy applies to:
- visitors and customers of nxtlsim.com;
- registered NXTL account holders;
- users of the NXTL eSIM mobile app for Android and iOS;
- individuals who contact support, request refunds, or submit privacy requests.
Our Terms and Conditions govern the contractual use of the Services. Payment partners, mobile network operators, and other suppliers may also process data under their own policies when providing their services to us.
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, email address, account ID, billing details, referral link usage, currency preference, nickname | You, checkout, account settings |
| Authentication | Magic-link tokens, session identifiers, app login tokens (JWT), login timestamps | Generated when you sign in |
| eSIM & service usage | eSIM identifiers (ICCID), package/tier selection, balance, usage records, suspension/resume events, country/network context | Service provisioning & telecom partners |
| Orders & payments | Order history, amounts, currency, payment status, transaction references | Checkout; payment processors (we do not store full card numbers) |
| Mobile app & push alerts | Expo push token, device platform (Android/iOS), device model name, notification preference settings, app open/activity events | NXTL eSIM app when you enable notifications or use the app |
| Support & compliance | Support messages, refund requests, KYC/verification documents where required, fraud-prevention signals | You; automated checks where permitted |
| Technical & cookies | IP address, browser/app user agent, cookie identifiers, session data — see our Cookie Policy | Website and webviews |
Providing account and order data is necessary to create an account, deliver eSIM services, and process payments. If you do not provide required data, we may be unable to provide some or all Services.
4. Purposes and legal bases (GDPR Article 6)
- Contract performance — to create and manage your account, deliver eSIM profiles, top up balance, provide customer dashboard features, and fulfil orders.
- Legitimate interests — to secure the Services, prevent fraud and abuse, improve reliability, send service-related notifications you enable, and maintain internal analytics in proportionate form.
- Legal obligation — to meet accounting, tax, telecom, anti-fraud, and regulatory requirements, and to respond to lawful requests from authorities.
- Consent — for optional push notifications, optional marketing where offered, and non-essential cookies where required. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
5. Push notifications (mobile app)
If you enable push notifications in the NXTL eSIM app, we store your device push token and preferences (such as low-balance alerts, eSIM status alerts, and optional engagement reminders). Notifications are delivered through Expo and, on Android, Firebase Cloud Messaging (Google). You can disable notifications in the app, in device settings, or by logging out (which removes registered push tokens from our systems). We do not use push tokens for unrelated advertising.
6. Recipients and processors
We share personal data only where necessary with:
- payment service providers and fraud-prevention partners;
- telecom suppliers, eSIM platforms, and mobile network operators;
- hosting, email, customer-support, and infrastructure providers;
- push notification delivery providers (Expo, Google FCM / Apple APNs as applicable);
- professional advisers, auditors, and insurers where required;
- public authorities when required by law.
We require processors to protect personal data under appropriate contractual safeguards. We do not sell personal data and we do not sell KYC documents for marketing purposes.
7. International transfers
Some partners may process data outside the European Economic Area (EEA). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms under GDPR Chapter V.
8. Retention
We retain personal data only as long as necessary for the purposes described above, including:
- account and service data — for the life of your account and a reasonable period afterwards;
- order and billing records — as required by accounting and tax law (typically up to 10 years where applicable);
- push tokens — until you disable notifications, log out, uninstall, or we detect an invalid token;
- support and privacy request records — as needed to handle your request and demonstrate compliance;
- security logs — for a limited period proportionate to security needs.
When data is no longer required, we delete or anonymise it unless further retention is required by law.
9. Your rights
Depending on applicable law, you may have the right to:
- access your personal data and receive a copy;
- rectify inaccurate data;
- erase data (“right to be forgotten”) in certain circumstances;
- restrict processing in certain circumstances;
- data portability for data you provided, where applicable;
- object to processing based on legitimate interests or for direct marketing;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority — in Lithuania, the State Data Protection Inspectorate (VDAI): vdai.lrv.lt.
To exercise your rights, see our Account & Data Rights page or email [email protected]. We may need to verify your identity before responding.
10. Automated decision-making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. We may use automated fraud checks or service safeguards with human review where appropriate.
11. Children
The Services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will take appropriate steps to delete it.
12. Security
We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where supported, and limited access on a need-to-know basis. No method of transmission or storage is completely secure; please use strong account security practices.
13. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will change when we do. Material changes may also be communicated through the website, app, or email where appropriate. Continued use of the Services after changes take effect constitutes acknowledgement of the updated Policy, without prejudice to your statutory rights.
NXTL, MB
Company code: 306225619
Perkūnkiemio g. 13-91, LT-12114 Vilnius, Lithuania
Website: nxtlsim.com
Privacy: [email protected]
Support: [email protected]