Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

BlueGo Solutions OÜ
Registry code: 17482859
Tartu mnt 67/1-13b, Tallinn 10115, Estonia
Contact: info@bluego.io

2. What Data We Collect

We collect the following categories of personal data:

• Identity data: first name, last name
• Contact data: email address, phone number (optional)
• Billing data: billing address, company name, VAT number (when provided)
• Transaction data: order history, payment references (card details are processed by Stripe and never stored on our servers)
• Account data: email, hashed password, session tokens
• Technical data: IP address, browser type, device type, pages visited, referring URL
• Communication data: support tickets, contact form submissions, chatbot interactions
• Flight data: flight numbers, dates, airports (when using flight protection service)

3. How We Use Your Data

We process your data for the following purposes:

• Order fulfilment: Processing purchases, delivering eSIM activation codes, generating invoices
• Account management: Creating and managing your account, authenticating access
• Customer support: Responding to enquiries, managing support tickets
• Flight protection: Submitting compensation claims on your behalf through AirHelp
• Legal compliance: Tax reporting, fraud prevention, responding to legal requests
• Service improvement: Analysing usage patterns to improve our platform (anonymised)

4. Legal Basis for Processing

We process your data under the following legal bases (Art. 6 GDPR):

• Contract performance (Art. 6(1)(b)): Processing necessary to fulfil our contract with you — delivering eSIM plans, managing your account, processing payments
• Legal obligation (Art. 6(1)(c)): Tax record-keeping, responding to lawful data requests from authorities
• Legitimate interests (Art. 6(1)(f)): Fraud prevention, security monitoring, service improvement. Our legitimate interest is balanced against your rights and does not override your fundamental freedoms
• Consent (Art. 6(1)(a)): Non-essential cookies, marketing communications (where applicable). You may withdraw consent at any time

5. Data Sharing

We share your data with the following categories of recipients only as necessary:

• Payment processor: Stripe, Inc. (USA) — processes card payments under their own privacy policy. Transfer safeguarded by EU–US Data Privacy Framework
• eSIM providers: eSIM Go, Airalo — receive minimal data required to provision your eSIM (country, plan type)
• Flight protection partner: AirHelp — receives flight details and contact information to process compensation claims
• Hosting provider: Vercel, Inc. (USA) — hosts our platform. Transfer safeguarded by Standard Contractual Clauses (SCCs)
• Email service: Our SMTP provider delivers transactional emails (invoices, support notifications)

We do not sell your personal data to third parties. We do not share your data with advertisers or marketing networks.

6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

• EU–US Data Privacy Framework (for certified US recipients)
• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions where applicable

7. Data Retention

We retain your data for the following periods:

• Account data: Until you request account deletion
• Transaction/invoice data: 7 years (Estonian Accounting Act requirement)
• Support tickets: 2 years after resolution
• Technical logs: 90 days (security and debugging)
• Marketing consent records: Until consent is withdrawn + 1 year

After the retention period expires, data is securely deleted or anonymised.

8. Cookies

Our Platform uses the following categories of cookies:

• Strictly necessary: Session cookies, authentication tokens, CSRF protection. These are essential for the Platform to function and cannot be disabled
• Functional: Language preference, currency selection. These enhance your experience but are not essential

We do not use advertising cookies, tracking pixels, or third-party analytics that profile individual users. Cookie consent is managed through our cookie banner in accordance with the ePrivacy Directive (2002/58/EC).

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Correct inaccurate data via your account settings or by contacting us
• Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations
• Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing

To exercise any of these rights, please use our email (info@bluego.io). We will respond within 30 days as required by law. You can also manage most data through your account settings at /account/profile.

10. Security

We implement appropriate technical and organisational measures to protect your data, including: encrypted password storage (bcrypt), secure HTTPS connections, session management with automatic expiry, rate limiting on authentication endpoints, and access controls for administrative systems.

11. Children's Privacy

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.

12. Supervisory Authority

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
https://www.aki.ee

You may also lodge a complaint with the data protection authority in your country of residence.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice on the Platform. The "Effective" date at the top of this page indicates when the policy was last updated.

14. Contact

For any questions regarding this Privacy Policy or your personal data:

BlueGo Solutions OÜ
Tartu mnt 67/1-13b, Tallinn 10115, Estonia
Registry: 17482859
info@bluego.io