Privacy Policy

1. What We Collect

When you use Guac, we collect:

• Account Information: Your email address when you sign up (via Google, Apple, or email authentication)
• Payment Information: Payment details processed securely by Stripe (we never store your card numbers)
• eSIM Data: Your eSIM identifiers (ICCID), usage statistics, installation status, and share tokens
• Device Information: Push notification tokens to send you important updates about your eSIM
• Usage & Log Data: IP address, device details, and request logs processed by our service providers for security, fraud prevention, and analytics
• Order History: Records of your purchases, any promo codes used, and Guac Credit earned or redeemed
• Preferences: Your display currency, locale, and favorite countries

2. How We Use Your Data

We use your information to:

• Provide and manage your eSIM service
• Process payments and prevent fraud
• Send important notifications about your eSIM (low data, expiration, etc.)
• Send transactional emails (order confirmations, payment alerts, top-up confirmations)
• Provide customer support via in-app chat
• Improve our services and fix bugs through analytics and error monitoring
• Comply with legal obligations

We do not sell your personal information to third parties. Ever.

3. Third-Party Services

We work with trusted partners to provide our service. Each handles your data according to their own privacy policies:

• Clerk - Secure authentication and account management
• Stripe - Payment processing (PCI compliant)
• eSIM Access - eSIM provisioning and data delivery
• Expo - Push notifications for our mobile app
• Convex - Secure database hosting
• Vercel Analytics - Anonymous usage analytics (page views, referrers)
• PostHog - Product analytics and session replay. We use PostHog (hosted in the EU) to understand how users interact with our app, including recording screen sessions for debugging and product improvement. Session recordings may capture screen content, taps, and navigation. Your user ID is associated with analytics events
• Sentry - Error monitoring and crash reporting. When errors occur, we send diagnostic information (including your user ID, stack traces, and relevant context such as order or eSIM identifiers) to help us fix issues quickly
• Tawk.to - Live chat customer support. When you use in-app chat, Tawk processes your IP address, device information, and chat messages
• Resend - Transactional email delivery. Resend processes your email address and order details to send confirmations and alerts. We monitor email delivery status (opens, bounces, complaints) to ensure reliable communication
• Svix - Webhook delivery for internal event processing

These providers may process IP address, device identifiers, and request logs for security and fraud prevention. We use Clerk session cookies for authentication and do not use tracking cookies. Vercel Analytics helps us understand page views and referrers and may process anonymized IP data.

4. Data Retention

We keep your data for as long as you have an account with us, plus:

• Order and payment records: Retained indefinitely in anonymized form (your user ID is removed) for tax and legal compliance
• eSIM data: Deleted when you delete your account
• Account data: Deleted promptly upon account deletion request
• Guac Credit balance: Forfeited and deleted upon account deletion
• Analytics data: Retained per our analytics providers' retention policies

5. Your Rights

For all users:

• Access your personal data
• Correct inaccurate information
• Delete your account and data
• Export your data in a portable format

For EU/EEA residents (GDPR):

• Right to data portability
• Right to restrict processing
• Right to object to processing
• Right to lodge a complaint with a supervisory authority

For California residents (CCPA):

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us at privacy@guac.online.

6. Children's Privacy

Guac is intended for users 18 and older. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

7. Security

We use safeguards designed to protect your data, including:

• Encryption in transit (TLS), and at rest where supported by our providers
• Secure authentication via Clerk
• PCI-compliant payment processing via Stripe
• Reasonable security reviews and updates
• Access controls limiting who can view your data

8. International Data Transfers

Your data may be processed in the following locations:

• United States: Convex (database), Stripe (payments), Clerk (authentication), Sentry (error monitoring)
• European Union: PostHog (analytics and session replay)
• Singapore: eSIM Access (eSIM provisioning)

If you access our service from outside these regions, your information may be transferred to and processed in those locations. We rely on our service providers\' data protection measures and contractual commitments to safeguard your data during transfers.

9. Updates to This Policy

We may update this policy from time to time. We'll notify you of significant changes via email or in-app notification. Continued use of Guac after changes constitutes acceptance of the updated policy.

10. Contact Us

Questions about your privacy? We're here to help.

• Email: privacy@guac.online
• Mailing Address: 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, USA
• Legal Entity: POLEX Zbigniew Kubinski LLC, Wyoming, USA