Simlink Limited (esim.cc) Privacy Policy

Last Updated: 6 November 2025

1. Scope and Role

This Privacy Policy (“Policy”) applies to the personal data processing activities carried out by Simlink Limited (“Company”) in the course of providing eSIM-related products and services (“Services”) to individual and corporate users (“you”) via the esim.cc website, related mobile applications / mini-programs and customer service channels (collectively, the “Platform”). The Company acts as the party that collects personal data and determines the purposes and means of processing such personal data.

2. Legal Basis and Principles (Hong Kong PDPO)

Within the jurisdiction of Hong Kong, the Company processes your personal data in accordance with the Personal Data (Privacy) Ordinance (Cap. 486, “PDPO”) and its six Data Protection Principles (DPP1–DPP6), including:

• lawful, proper, and fair collection;
• clearly defined purposes;
• data adequacy and appropriate retention periods;
• security safeguards;
• transparent disclosure of data policies and practices; and
• mechanisms for access and correction.

Cross-border supplement: Where users in the EU, UK, Singapore, Japan and other regions are involved, the Company will take into account the mandatory local rules and international data transfer requirements applicable to those regions, and will adopt additional compliance measures on the premise that such measures do not conflict with the PDPO.

3. Categories of Data We Collect

• Account and identity data: Name, title, country/region, email address, mobile phone number, account identifiers, identity verification records (such as one-time verification codes).
• Transaction and billing data: Order records, plan/package information, payment status and transaction numbers returned by payment channels (the Company does not store complete payment credentials).
• Device and technical data: Device model, operating system, browser type, language, time zone, IP address, device identifiers, crash/diagnostic logs.
• Network and usage data: Login times, feature clicks, page views, data usage, eSIM activation and configuration status, error codes.
• Customer service and compliance data: Your communications with customer service, complaint and enquiry records, and necessary supporting documents required for compliance checks (for example, for anti-fraud/abuse purposes).
• Cookies / local storage: See Section 9 below.

Data may be collected through:

• information you proactively provide;
• automatic collection (via client, SDK or server logs); and
• obtaining the minimum necessary data lawfully and/or under contract from service providers (such as payment providers and network partners).

4. Purposes and Uses of Processing

We may process your personal data for the following purposes:

• Provision and performance of the Services: Account creation, authentication, purchase, activation/management of eSIM, data usage settlement, customer support and service notifications.
• Security and fraud prevention: Risk control and identification, anti-abuse, intrusion detection and protection against illicit activities.
• Product improvement: Fault diagnosis, performance optimization, feature iteration and statistical analysis (using de-identified or aggregated data where feasible).
• Legal obligations: Responding to regulatory requirements, handling disputes, and complying with valid orders from courts or regulatory authorities.
• Marketing (optional): Sending you updates, offers or surveys related to the Services after obtaining your consent. You may withdraw your consent at any time (see Section 10).

5. Legal Bases for Processing (Where Applicable)

Under the Hong Kong PDPO framework, the Company mainly relies on the basis of “fulfilling the lawful purposes explicitly stated and directly related to those purposes” to process personal data. For users located in the EEA/UK and other regions, we may additionally rely on legal bases under the GDPR / UK GDPR (such as performance of a contract, legitimate interests, legal obligations or consent) and adopt enhanced safeguards, provided that these do not conflict with the PDPO.

6. International Transfers and Data Location

Personal data may be accessed and processed in Hong Kong and in other jurisdictions where the Company or its service providers operate facilities. To mitigate the risks of cross-border transfers, the Company will:

• use contractual clauses (such as standard contractual clauses / data transfer agreements) or equivalent protective measures;
• implement access control, encryption and segmented storage, as well as other technical and organizational measures; and
• minimize the scope and frequency of cross-border data transfers based on necessity and proportionality.

7. Data Retention

The Company retains personal data only for the shortest period necessary to achieve the specified purposes, after which it will delete or anonymize the data in accordance with applicable laws and business needs. Different categories of data may be subject to different retention periods (for example, transaction and accounting records may need to be retained for a specified number of years as required by law).

8. Security

The Company adopts reasonable administrative, technical and physical security measures (access control, least-privilege principle, encryption in transit and at rest, log auditing, backup and recovery) to prevent unauthorized access, disclosure, alteration or destruction of personal data. Despite our reasonable efforts, no online service can guarantee absolute security.

9. Cookies and Similar Technologies

To ensure site functionality, statistical analysis, and preference recall, we use necessary Cookies and performance/analytics Cookies or local storage items. You may manage or delete Cookies via your browser or system settings; disabling necessary Cookies may affect core functionalities. We will not use information stored in Cookies for purposes unrelated to the purposes for which such information was originally collected.

10. Your Rights

Under the PDPO, you have the following rights:

• Right of access: To request confirmation as to whether we hold your personal data and to obtain a copy of such data.
• Right of correction: To request the rectification of inaccurate or incomplete personal data.
• Withdrawal of consent (where applicable): For processing based on your consent, such as marketing or specific processing activities, you may withdraw your consent at any time.
• Opt-out of direct marketing: You may at any time refuse to receive direct marketing communications.

To ensure security and compliance, we may require you to complete identity verification before handling the above requests and will respond within a reasonable timeframe. Any legal or compliance-related exceptions and limitations will be clearly explained.

11. Minors

The Platform is primarily intended for users who have full legal capacity. Users who have not reached the statutory age should use the Platform only with the consent and under the supervision of their guardians, and where necessary, rights should be exercised by the guardians on their behalf. The Company does not actively collect children’s personal data in an identifiable manner.

12. Third-Party Services and Links

The Platform may integrate third-party payment, network or analytics services and may contain links to third-party websites or applications. Third parties’ processing of personal data is governed by their respective privacy policies. Please read those policies before using such services. The Company is not responsible for the compliance or security of third parties.

13. Changes

The Company may update this Policy from time to time and publish the updated version on the Platform; the updated Policy will take effect from the date of publication. For material changes, we will provide prominent notice. Your continued use of the Platform and Services will be deemed as acceptance of the updated Policy.

14. Channels for Complaints, Enquiries and Exercising Rights

To exercise your rights described in Section 10, to make enquiries about this Policy, or to lodge privacy-related complaints, please submit your request via the “Contact Us / Customer Service” entry within the Platform. To process your request, we may require you to complete identity verification and provide necessary information.

15. Governing Law and Dispute Resolution

The formation, validity, interpretation and performance of this Policy, as well as any disputes related to the processing of personal data, shall be governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China (excluding its conflict-of-laws rules). The courts of the Hong Kong Special Administrative Region shall have exclusive jurisdiction.