Privacy Policy
At IbiPoint, we believe respect starts with transparency. Different countries have different privacy laws — so we adapt. Whether you’re visiting from the EU, the UK, or anywhere else, your privacy choices matter, and we honor them.
That’s why you’ll see our consent banner when you visit the IbiPoint eSIM Shop. In regions with strict privacy laws (like the EU and UK), the site waits until you choose whether analytics and advertising cookies may run. In other regions, the banner appears for transparency, but browsing continues normally.
We try to keep things human and simple — but below you’ll find all the details required by law.
Who We Are
IbiPoint eSIM Shop
Operated by IbiPoint Ltd
128 City Road, London EC1V 2NX, United Kingdom
Email: [email protected]
Support: support.ibipoint.com
IbiPoint Ltd is the data controller for the personal data processed through our websites (ibipoint.com, ibipoint.es, worldwideesim.com, worldwide-esim.com, worldwide-sim.com, easy-esim.com, esim-global.vip, hel-kom.de) and our mobile apps (iOS and Android).
EU / EEA representative (GDPR Art. 27)
For data protection inquiries from the EU / EEA, our designated representative can be contacted at:
IbiPoint Ltd
Carrer de can Custera 380
07817 Sant Jordi de ses Salines / Ibiza / Spain
Email: [email protected]
What This Policy Covers
This Privacy Policy applies to all data collected through:
- Our websites and sub-domains (ibipoint.com, ibipoint.es, worldwideesim.com, worldwide-esim.com, worldwide-sim.com, easy-esim.com, esim-global.vip, hel-kom.de)
- Our mobile apps for iOS (Apple App Store) and Android (Google Play Store)
- All services available through the above, including eSIM purchases, eSIM top-ups, and customer support
Our mobile apps display the IbiPoint eSIM Shop within an in-app browser. By default, the apps do not set analytics or marketing cookies — consent is denied unless you actively grant it through the consent banner within the app.
Data We Collect & Why
1. Essential data (always collected)
- Order and account data: name, email address, billing address, eSIM order details, top-up order details
- Technical data: IP address (for fraud prevention and security), country code, browser type, device type, session identifiers
- Payment confirmation: transaction result (success/failure) from Stripe — we never see or store your full card number
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)); legitimate interest in fraud prevention and platform security (Art. 6(1)(f)); compliance with legal obligations (Art. 6(1)(c)).
2. Analytics (with consent)
If you allow, we use Google Analytics 4 (GA4) to understand how people use the shop and improve the experience. GA4 does not store full IP addresses. We may also use an in-house analytics tool (IbiPoint Live Visitor Monitor) that tracks anonymous session activity without storing IP addresses or personal data. This tool is consent-gated and will only run if you grant analytics consent.
Legal basis: Your consent (GDPR Art. 6(1)(a)).
3. Advertising (with consent)
If you allow, we use Google Ads to measure ad performance and show relevant ads to people interested in our products. We implement Google Consent Mode v2, which distinguishes between:
- Ad storage & user data: whether Google may store advertising cookies and use your data for ad measurement
- Ad personalisation: whether your data may be used for remarketing and personalised ad targeting
We do not sell your personal data — ever. Google may use pseudonymous identifiers for ad performance measurement only if you consent.
Legal basis: Your consent (GDPR Art. 6(1)(a)).
4. Payments
All payments are processed by Stripe. Stripe supports a wide range of payment methods including credit and debit cards, Apple Pay, Google Pay, PayPal, Alipay, Amazon Pay, and others. Stripe acts as an independent data controller for payment data it processes and is subject to its own privacy obligations under PCI-DSS, GDPR, and applicable financial regulations.
We receive from Stripe only the transaction result (success or failure), a truncated card reference (last four digits), and information needed to fulfil your order. We never see or store your full card number, CVV, or other sensitive payment credentials.
5. Fraud protection
To protect our customers and payment system, we use multiple layers of fraud prevention:
- Stripe Radar: Stripe’s machine-learning fraud detection analyses transaction patterns to block fraudulent payments.
- Cloudflare Turnstile: During checkout, we use Cloudflare Turnstile to verify that the transaction is initiated by a real person, not a bot. Turnstile runs only on checkout pages and is classified as essential for payment security. It does not require separate consent.
- Secure Device Signature (SDS): Our in-house fraud detection system collects technical signals from your device during checkout (such as screen resolution, browser type, timezone, and graphics capabilities) and converts them into a unique one-way hash. Only this hash is stored — not the underlying data. The hash is used solely for fraud detection and is deleted within 30 days of your order being fulfilled.
- IP-based security: We process IP addresses for rate limiting and security purposes. If our system detects patterns consistent with fraudulent activity (such as repeated failed payment attempts), access may be temporarily restricted. This processing involves automated decision-making that may affect your ability to complete a purchase. You have the right to contest such decisions — see “Your Rights” below.
Legal basis:
- EU / EEA / UK: Legitimate interest in fraud prevention (GDPR Art. 6(1)(f)). For automated decisions that significantly affect you, we rely on Art. 22(2)(b) (necessity for contract performance) and provide you with the right to obtain human review.
- California / US: Business purpose under CCPA — we do not sell this data.
- Brazil: Legitimate interest under LGPD (Art. 7, X).
- Japan: Necessary for the protection of life, body, or property under APPI.
- Australia: Permitted under the Australian Privacy Act for fraud prevention.
- Other regions: Fraud prevention as permitted by applicable law.
For questions or to contest an automated decision, contact [email protected].
6. Communications
We send transactional emails related to your orders (confirmation, invoice, eSIM delivery, service status, payment failure notifications). These are necessary for performing our contract with you and do not require marketing consent.
Service status emails may include a brief invitation to top up your eSIM or leave a review. These are considered part of the transaction and fall within legitimate communication about your purchased service.
If you subscribe to marketing emails (optional, opt-in only), we process your email address to send promotional content. You can unsubscribe at any time.
Legal basis (transactional): Performance of a contract (GDPR Art. 6(1)(b)).
Legal basis (marketing): Your consent (GDPR Art. 6(1)(a)); or, for existing customers receiving related product communications, legitimate interest (Art. 6(1)(f)) in accordance with the “soft opt-in” exception under ePrivacy rules.
International Visitors
We use Cloudflare as our CDN and security provider. Cloudflare sends your browser’s country code to our server. This helps us:
- Display the correct language and currency
- Apply the correct privacy mode for your region
Privacy modes:
- Hard Block (EU / EEA / UK): You must accept or refuse non-essential cookies before they are set.
- Soft Mode (rest of world): The site remains usable while you decide. Non-essential cookies are not set until you consent.
The country code lookup does not share personal data with third parties.
How Long We Keep Data
| Data type | Retention period |
|---|---|
| Orders & invoices | 6–10 years (legal & tax requirements) |
| Fraud detection hashes (SDS) | Deleted within 30 days of order fulfilment |
| Security logs (including IP data) | Up to 90 days; personal data anonymised within 30 days |
| Support messages | Until issue resolved + up to 12 months |
| Analytics & ads data | Up to 26 months (GA4 default) |
| Consent records | 12 months (compliance proof) |
| Marketing email preferences | Until you unsubscribe + up to 30 days |
Order-level fraud metadata (such as dispute flags or chargeback records) is retained alongside the order for the same legal retention period (6–10 years) as required for compliance and dispute resolution.
Your Rights
EU / EEA / UK (GDPR & UK GDPR)
- Access, correct, or delete your personal data
- Restrict or object to processing
- Withdraw consent for analytics, advertising, or marketing at any time
- Data portability — receive your data in a structured, machine-readable format
- Object to automated decision-making, including profiling, and request human review
- Lodge a complaint with your national data protection authority or the UK Information Commissioner’s Office (ICO)
California / US residents (CCPA / CPRA)
- Know what personal information we collect and why
- Request deletion of your personal information (where applicable)
- Opt out of the “sale” or “sharing” of personal data — we do not sell personal data
- Non-discrimination for exercising your rights
- Limit the use of sensitive personal information
You can exercise your rights via Manage Cookies in the footer or by emailing us.
Canada (PIPEDA)
- Access your personal information held by us
- Request correction of inaccurate information
- Withdraw consent (subject to legal or contractual restrictions)
- Complain to the Office of the Privacy Commissioner of Canada
Australia (Privacy Act)
- Access your personal information
- Request correction of inaccurate, out-of-date, or incomplete data
- Complain to the Office of the Australian Information Commissioner (OAIC)
Japan (APPI)
- Request disclosure of your personal information
- Request correction, addition, or deletion
- Request cessation of use or provision to third parties
- We notify you of cross-border data transfers to countries that may not have equivalent data protection standards
China (PIPL)
- Right to know and decide about the processing of your personal information
- Right to restrict or refuse processing (except as required by law)
- Right to access, copy, correct, and delete your personal information
- Cross-border data transfers are conducted in accordance with applicable Chinese law
Brazil (LGPD)
- Confirm the existence of processing
- Access, correct, anonymise, block, or delete unnecessary data
- Data portability
- Revoke consent at any time
- Complain to the ANPD (Autoridade Nacional de Proteção de Dados)
All other regions
Regardless of where you are located, you may contact us at any time to request access to, correction of, or deletion of your personal data. We will respond in accordance with applicable law.
To exercise any of your rights, contact us at [email protected]. We aim to respond within 30 days (or sooner where required by law).
Service Providers & Data Transfers
We work with the following third-party service providers who may process data on our behalf or as independent controllers:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Payment data, transaction details | US / EU |
| Cloudflare | CDN, security, Turnstile | IP address, country code, security tokens | Global |
| Google (GA4) | Analytics (consent-gated) | Pseudonymous usage data | US / EU |
| Google (Ads) | Advertising (consent-gated) | Pseudonymous ad identifiers | US / EU |
These providers may process data outside your country of residence. We rely on contractual safeguards, including data processing terms incorporated in our service provider agreements and, where applicable, standard contractual clauses (SCCs) or equivalent transfer mechanisms recognised by relevant authorities.
All traffic between your browser and our servers is encrypted via HTTPS.
Children’s Privacy
Our Services are not directed to children under 16 (or under the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Anti-Money-Laundering (AML) Policy
IbiPoint Ltd fully supports the prevention of money laundering and illegal activities. All payments are processed by Stripe, a regulated payment provider that performs identity verification and transaction screening. Our products are prepaid digital eSIMs that cannot be redeemed for cash, so the risk is minimal by design.
We cooperate with authorities and comply with international AML and KYC standards. If additional verification is required, we will contact you directly and treat your data confidentially.
For full details, you can download our signed AML Policy document here:
IbiPoint AML Policy (PDF)
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make significant changes, we will clearly announce them on our website. We encourage you to review this page periodically.
Imprint / Legal Notice
IbiPoint Ltd
128 City Road, London EC1V 2NX, United Kingdom
Email: [email protected]
Websites:
ibipoint.com · ibipoint.es · worldwideesim.com · worldwide-esim.com · worldwide-sim.com · easy-esim.com · esim-global.vip · hel-kom.de
Company Registration: 16730748
UTR: 1675904775
VAT:
Responsible for content (per §18 Abs. 2 MStV, Germany): IbiPoint Ltd, 128 City Road, London EC1V 2NX
Last updated: February 2026
