Roameo

Privacy Policy

Last updated: 2026-05-21

Roameo (“we”, “our”, “us”) operates roameoesim.com and the Roameo mobile app (together, the “Service”), which sells travel eSIM data plans. This policy explains what personal information we collect, why we collect it, and the choices you have. We are a Hong Kong–based business and process personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486).

1. Information we collect

  • Account data — name, email address, and (for users who sign up with email) a salted password hash. If you sign in with Google, we receive your Google account's unique identifier, email, name, profile picture, and email-verification status.
  • Order data — the eSIM plans you buy, the date, amount, currency, and your payment status. We do not store full card numbers; payment is processed by Stripe under their own terms.
  • eSIM activation data — the activation code (QR code) and ICCID issued by our wholesale provider for plans you have purchased.
  • Technical data — IP address (used for rate limiting, fraud prevention, and locale detection), device user agent, and push-notification tokens (if you opt in).
  • Support data — messages you send to support and any attachments you provide.

2. How we use it

  • To create and authenticate your account.
  • To process payments and deliver eSIM activation codes.
  • To send transactional emails (welcome, receipts, password reset, activation, support replies).
  • To detect and prevent abuse, fraud, and security incidents.
  • To comply with legal obligations (tax, anti-money-laundering, government requests).

3. Service providers we share data with

  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • eSIM Access — our wholesale eSIM provisioning partner. They receive the eSIM SKU you purchase and a randomized order ID; they do not receive your name or email.
  • Google — when you choose “Sign in with Google”.
  • Railway — hosting infrastructure for our database and application servers.
  • Cloudflare — CDN, DNS, and DDoS protection.
  • Sentry — application error tracking (PII such as email and auth headers is scrubbed before transmission).

4. Data retention

We retain account data for as long as the account exists, and order/invoice records for at least 7 years to comply with HK tax record requirements. You can request deletion of your account at any time from your account settings, after which we will anonymise or delete personal data not needed for legal record keeping within 30 days.

5. Your rights

Under the Hong Kong PDPO (and applicable laws if you reside elsewhere), you may request access to, correction of, or erasure of your personal data. Contact [email protected] and we will respond within 40 days.

6. Children

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13.

7. International transfers

We use service providers located outside Hong Kong (United States, European Union, and other regions). By using the Service you consent to your data being transferred to and processed in those jurisdictions under safeguards comparable to those required by the PDPO.

8. Security

We protect personal data with TLS 1.2+ in transit, encryption at rest for our database, salted password hashing (bcrypt), short-lived JWT access tokens with refresh-token rotation, IP- and account-level rate limiting, and continuous error monitoring. No system is perfectly secure; please notify us at [email protected] if you believe you have found a vulnerability.

9. Changes

We may update this policy and will revise the “Last updated” date above. For material changes, we will notify registered users by email.

10. Contact

Roameo — [email protected]
