Privacy Policy
RedSim eSIM — Operated by Forceplay OÜ
Last updated: June 10, 2026 | Version 1.3
At RedSim eSIM, operated by Forceplay OÜ (an Estonian company), we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our eSIM services, mobile application, and website (redsim.app). This policy complies with the EU General Data Protection Regulation (GDPR).
1. Information We Collect
We collect only the minimum data necessary to deliver our services:
Account Information
- Email address — required for account creation and eSIM delivery
- Full name — required for account identification
Service & Technical Information
- Device model, operating system version, and locale — to verify eSIM compatibility and adapt the app to your device
- Data usage statistics — to monitor and optimize your active plan
- Connection logs — for troubleshooting connectivity issues
- App usage events (screens viewed, packages browsed, checkout steps) — collected via Firebase Analytics and linked to your user ID, used to improve product flow and diagnose issues
- Crash diagnostics (stack traces, device state at the time of failure) — collected via Firebase Crashlytics so we can fix bugs that affect you and other users
Advertising Identifiers & Attribution Data
When you consent to tracking (see Section 8 — App Tracking Transparency), we collect and process the following identifiers to measure the effectiveness of paid advertising and to attribute installs to specific marketing campaigns:
- IDFA (Identifier for Advertisers, iOS only): Apple-issued advertising identifier, available only when you grant App Tracking Transparency permission. It can be reset or disabled at any time from Settings → Privacy & Security → Tracking.
- IDFV (Identifier for Vendor, iOS only): Apple-issued vendor-scoped identifier, always available, unique to our app. Reset when you uninstall and reinstall.
- GAID / AAID (Google Advertising ID, Android only): Google-issued advertising identifier. It can be reset or opted out of from Settings → Google → Ads.
- Hashed user identifiers: Your account email address and internal user ID, transmitted to advertising partners only after irreversible SHA-256 hashing — partners cannot recover the plaintext value from the hash.
These identifiers are shared only with the marketing partners listed in Section 4 (Information Sharing). We never sell them, trade them, or expose them to data brokers.
Payment Information
We do NOT store credit or debit card details. All payment transactions are processed directly by our certified PCI DSS-compliant partner (Stripe). We only retain the transaction ID and amount for our records.
2. Legal Basis for Processing
We process your personal data under the following legal bases as required by GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the eSIM service you purchased — account creation, eSIM provisioning, and payment processing.
- Legal obligation (Art. 6(1)(c)): Retaining transaction records as required by Estonian and EU financial law (typically 7 years).
- Legitimate interests (Art. 6(1)(f)): Fraud prevention, service security, and product improvement — where these interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): For optional features such as analytics cookies or marketing communications. You may withdraw consent at any time.
3. How We Use Your Information
We use your data only for the following legitimate purposes:
Service Delivery
- Provision and activate eSIM profiles on your device
- Process payments securely
- Deliver eSIM installation details via email
- Provide customer and technical support
Service Improvement
- Monitor and optimize network and plan performance
- Troubleshoot connectivity issues
- Improve the mobile application and overall experience
- Meet legal and regulatory compliance requirements
Marketing & Attribution
To make our paid advertising spend efficient — and ultimately to keep package prices low for paying customers — we measure how new users discover RedSim. Specifically, we use a Mobile Measurement Partner (Singular) and Meta’s Conversions API to attribute app installs and purchases to the ad campaigns that brought them in. This involves sharing the data described in Section 1 (Advertising Identifiers, hashed user IDs, purchase amount in USD) with the partners listed in Section 4. We do not engage in cross-app behavioural profiling, retargeting based on third-party browsing history, or sale of personal data to data brokers.
We do NOT: sell your personal data to third parties, build behavioural profiles to target you with unrelated advertising, or share unhashed personal data (raw email, name) with advertising networks.
4. Information Sharing
We share personal data only to the extent strictly necessary for service delivery:
Essential Service Partners
- eSIM Network Providers: Our third-party eSIM connectivity providers, to provision your eSIM profile. Only the data technically required for activation is shared (email, name, device model).
- Payment Processor (Stripe, Inc.): To process your payment. We share transaction amount, currency, and your account email; we do not pass unnecessary personal details.
- Email Service Providers: To deliver your eSIM installation instructions and transactional notifications (order confirmations, refunds, support replies).
- Push Notification Provider (Google Firebase Cloud Messaging): To deliver push notifications to your device. The FCM token is a device-scoped identifier issued by Google; it is reset on every reinstall.
Analytics & Crash Reporting Partners
- Google — Firebase Analytics: Provides app-usage analytics linked to your user ID, used to understand how the app is used and to improve the product. We do not enable Google Signals or cross-property linking. Data is processed under Google’s standard Data Processing Terms.
- Google — Firebase Crashlytics: Captures unhandled exceptions and stack traces when the app crashes. This includes device model, OS version, and the user ID associated with the session, used purely to diagnose and fix bugs.
Marketing Attribution Partners
To measure the effectiveness of our paid advertising and prevent ad fraud, we share a limited set of attribution-relevant data with the following partners. All sharing happens either client-side (via the partner’s mobile SDK, gated by your App Tracking Transparency choice on iOS) or server-side (via a server-to-server API, with personal identifiers hashed before transmission).
- Singular Labs, Inc. (Mobile Measurement Partner): Attribution and fraud-prevention service. Receives advertising identifier (IDFA / IDFV / GAID), hashed user ID, purchase amount and currency, app version, OS version, and IP address. Used to attribute installs and purchases to the ad campaign that brought you in.
- Meta Platforms, Inc. (Facebook): Receives the same identifiers via the Facebook SDK on-device (gated by ATT) and via Meta’s Conversions API server-side. The server-side payload includes hashed email, hashed user ID, purchase amount in USD, IP address, and user-agent string; raw email is never transmitted.
Data Recipient Summary
| Recipient | Purpose | Data Shared | Region |
| --- | --- | --- | --- |
| Stripe | Payment processing | Email, amount, currency, transaction id | US / EU |
| eSIM network providers | eSIM provisioning | Email, name, device model | Global |
| Google (Firebase Analytics & Crashlytics) | Usage analytics, crash reporting, push delivery | User ID, events, device info, crash traces, FCM token | US / Global (SCCs) |
| Singular Labs | Mobile measurement (attribution + fraud) | IDFA / IDFV / GAID, hashed user ID, purchase amount, IP | US / Global (SCCs) |
| Meta Platforms | Conversion attribution & ad optimisation | Hashed email, hashed user ID, advertising id, IP, user-agent | US / Global (SCCs) |
| Apple — Sign in with Apple | Authentication | Apple-issued user identifier, name (first sign-in), real or relay email | US / EU |
| Google — Sign in with Google | Authentication | Google-issued user identifier, name, profile email | US / Global |
Legal Disclosures
- Legal authorities: Where required by applicable law or a valid court order
- Emergency situations: Where disclosure is necessary to protect life or safety
All recipients above are bound by Data Processing Agreements (DPAs) and contractual confidentiality obligations consistent with GDPR Articles 28 and 46. International transfers (US, etc.) rely on EU Standard Contractual Clauses (see Section 9).
5. Data Security
We apply industry-standard security measures to protect your data:
- TLS/SSL encryption for all data in transit
- Encrypted storage on secure cloud infrastructure
- Role-based access controls — only authorized personnel can access personal data
- Multi-factor authentication for all admin systems
- Regular security reviews and vulnerability assessments
- PCI DSS-compliant payment processing (via Stripe)
While no system is 100% secure, we follow best practices to minimize risk and respond promptly to any security incidents as required by GDPR Article 33 (72-hour breach notification).
6. Data Retention
We retain your personal data only as long as necessary:
- Account & profile data: Retained until you delete your account, then permanently removed within 30 days.
- Transaction records: 7 years from the transaction date, as required by Estonian financial law.
- Usage & connection logs: Up to 12 months for service optimization and troubleshooting.
- Support communications: Up to 24 months from the date of last contact.
- Temporary session data: Maximum 30 days.
Your right: You can request deletion of your personal data at any time — from your in-app account settings, through our self-service web form at redsim.app/legal/data-deletion (verify by email code, no app needed), or by emailing support@redsim.app. Note that some data may be retained longer where legally required (e.g. transaction records).
7. Your Privacy Rights (GDPR)
As a data subject under GDPR, you have the following rights:
Access & Portability
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
Correction & Deletion
- Right to rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data, subject to any legal retention obligations.
Control & Objection
- Right to restrict processing (Art. 18): Temporarily limit how we process your data.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): Withdraw any previously given consent at any time, without affecting the lawfulness of prior processing.
How to Delete Your Account
You can delete your account and all associated data in three ways:
- In-App: Delete your account at any time from your account settings in the app
- Web (self-service): Visit redsim.app/legal/data-deletion, verify ownership with a one-time code sent to your email, and delete your account directly — no app required
- By Email: Send a deletion request to support@redsim.app from your registered email address
Account deletion is permanent and cannot be undone. All your personal data will be permanently removed within 30 days, except for data we are legally required to retain.
Right to Lodge a Complaint
If you believe we have processed your personal data in violation of GDPR, you have the right to lodge a complaint with a supervisory authority. As we are registered in Estonia, the competent authority is:
Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
Website: www.aki.ee | Email: info@aki.ee
You may also contact the data protection authority in your country of residence.
8. Cookies, Tracking & App Tracking Transparency
Website cookies
On the redsim.app website we use a small number of cookies:
- Essential cookies: Required for core functionality (session management, security, fraud prevention). No consent required.
- Analytics cookies: Aggregated usage data to improve the service. Used only with your consent via the cookie banner.
You can change your cookie preferences at any time from the cookie tool in the website footer or from your browser settings.
App Tracking Transparency (iOS)
On iOS 14.5 and later, Apple’s App Tracking Transparency (ATT) framework requires us to ask for your permission before collecting your IDFA (Identifier for Advertisers) or sharing data that could be used to track you across other apps and websites. The first time the app needs this data we present the system ATT prompt with the question: “Allow tracking so we can show you better deals tailored to your travel destinations.”
- If you allow tracking: Your IDFA is shared with Singular and Meta (see Section 4) so they can attribute your install and purchase to the ad campaign that brought you in. This helps us reduce wasted ad spend and ultimately keep package prices lower.
- If you ask the app not to track: Your IDFA is not collected. We still measure attribution where possible using IDFV (vendor-scoped, on-device only) and SKAdNetwork (Apple’s privacy-preserving aggregate framework), but cross-app tracking does not occur.
You can change your ATT choice at any time from Settings → Privacy & Security → Tracking → RedSim.
Android Advertising ID
On Android, your Google Advertising ID (GAID) is collected by default if Google Play Services is available on your device. You can disable personalised advertising or reset your GAID at any time from Settings → Google → Ads.
No third-party advertising SDKs in the app surface
RedSim does not display in-app advertising. The advertising identifiers described above are used only to measure how new users discovered RedSim — never to deliver targeted ads inside the app.
9. International Data Transfers
As a global eSIM service, your data may be processed outside the European Economic Area (EEA). Where such transfers occur, we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs) — the primary mechanism for lawful transfers under GDPR Chapter V
- Adequacy decisions — where the European Commission has recognized the destination country as providing adequate protection
- Binding Corporate Rules (BCRs) — where applicable for intra-group transfers
Your GDPR rights (access, erasure, objection, etc.) apply regardless of where your data is processed.
10. Children's Privacy
Our services are not intended for users under 16 years of age.
We do not knowingly collect personal information from children under 16. If we become aware that a child has provided us with personal data, we will delete that information promptly. If you believe a child has registered with our service, please contact us at support@redsim.app.
11. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. When we make significant changes, we will notify you via:
- An in-app notification on your next login
- An email to your registered email address
- A prominent notice on our website
The updated policy will take effect on the date shown at the top of this page. Continued use of our services after that date constitutes acceptance of the revised policy. If you do not agree, you may delete your account before the changes take effect.
12. Sign in with Apple / Google
When you choose Sign in with Apple, Apple shares with us a stable Apple-issued identifier, your name (first sign-in only), and either your real email or a private relay address (when you choose to hide your email). When you choose Sign in with Google, Google shares your Google-issued identifier, name, profile email, and (optionally) profile photo URL. We use this information solely to authenticate you and link sessions to your account; we do not share Apple- or Google-specific identifiers with the marketing partners listed in Section 4.
13. Account Deletion & Data Retention After Closure
You can delete your account at any time — from your in-app account settings, or through our self-service web form at redsim.app/legal/data-deletion (verify by a one-time email code, no app required). Both run the identical process below:
- Personal data — name, address, profile photo, push token, advertising identifiers (IDFA / IDFV / GAID), linked Apple / Google identities — is removed; your email is replaced with a non-routable placeholder so the account cannot be re-used.
- Linked Apple or Google identities are revoked from our authentication provider, so the same Apple / Google sign-in cannot reach this account again.
- Your customUserId is unset on Singular and we stop sending events tied to your account to Meta, Singular, or Firebase Analytics.
- Financial records (orders, top-ups, refunds, wallet transactions) are kept in anonymised form for the period required by Estonian tax law and EU accounting law — typically up to 7 years. After this period they are permanently deleted.
- Any wallet balance is forfeited per the Terms of Service in effect when you accepted them.
A deleted account cannot be restored, and signing in again with the same email creates a brand-new, empty account.
14. Company Information
- Company Name: Forceplay OÜ
- Service Brand: RedSim eSIM
- Registration Country: Estonia (EU)
- Registered Address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117
- Website: redsim.app
15. Contact Us
For any privacy-related questions, data access requests, or concerns, please contact us:
- Email: support@redsim.app
- In-App: WhatsApp support is available in the app
- Response time: We aim to respond to all privacy requests within 30 days, as required by GDPR.
© 2026 Forceplay OÜ. All rights reserved. This policy is governed by the laws of Estonia and the European Union.