Privacy Policy
Last updated: April 27, 2026ZhiEra LLC ("ZhiEra," "we," "us," "our"), a Colorado limited liability company, builds Global eSIM Access and related connectivity software (the "Services"). This policy explains what personal data we collect, why, how we share it, how long we keep it, and the rights you have over it. If anything here is unclear, write to us at business@zhiera.com — we will answer.
1. Data we collect
Account information
Your email address, a hashed password (we never store the plaintext), an optional username, and a public encryption key generated by your device for end‑to‑end‑encrypted chat. Your device's push token if you enable notifications.
Order & billing information
The eSIM packages you buy, your account balance, top‑up history, and metadata returned by Stripe (payment intent IDs, last four digits of the card, country of card issuer). Card numbers are tokenized by Stripe and never enter our infrastructure.
Connectivity & messaging
To activate an eSIM we share an upstream identifier (ICCID/LPA) and the country code with our wholesale carrier-facing partner. If you buy a virtual phone number, Twilio handles the SMS — we store the message body, sender, and recipient in our database so you can read history. Friend chat between users is end‑to‑end encrypted with X25519 + AES‑256‑GCM; the server stores only ciphertext and cannot decrypt the contents.
Network & device data
Your IP address (used to suggest relevant destinations and to throttle abuse), basic device info (iOS version, app version, language), and rate‑limit counters keyed to your email or IP.
Usage telemetry
Page‑level events such as "opened catalog," "added to cart," "completed purchase." We do not use third‑party advertising or behavioral tracking SDKs.
2. How we use it
- To deliver the Services you requested — provisioning eSIMs, processing payments, sending and receiving SMS.
- To prevent fraud, account takeover, and abuse (rate limiting, anomaly detection).
- To improve the product (debug failures, measure conversion, prioritize features).
- To meet legal obligations (tax, anti‑money‑laundering, lawful requests).
We do not sell your personal data, and we do not share it for cross-context behavioral advertising.
3. Third parties we use
| Vendor | Purpose | Region |
|---|---|---|
| Stripe | Payment processing (cards, billing) | US / global |
| Twilio | Virtual phone numbers, SMS delivery | US |
| Apple (APNs) | iOS push notifications | US |
| Wholesale eSIM platform | eSIM provisioning, activation status | HK / global |
| Unsplash | Destination photo CDN (no personal data sent) | US |
| ipwho.is | IP geolocation lookup (IP only) | EU |
4. International transfers
ZhiEra is based in the United States. By using the Services you understand that personal data may be transferred to, stored on, and processed in the United States. Where required by law (e.g., the EU GDPR), we rely on Standard Contractual Clauses with our processors to safeguard the transfer.
5. Retention
- Account, order, and ledger records: for the life of your account, plus 7 years for tax and accounting.
- SMS bodies and friend chat ciphertext: for the life of your account, or until you delete them.
- Server logs (IP, request path): 30 days.
- Encrypted database backups: 30 days, then deleted.
- On account deletion: most data is removed within 30 days; the residual record kept for accounting carries no contact handles or behavioral history.
6. Your rights
Wherever you live, you can:
- Request a copy of the data we hold about you.
- Correct inaccurate data.
- Delete your account (which removes most personal data — see Section 5).
- Withdraw consent for optional processing such as push notifications.
- Lodge a complaint with your data protection authority.
Send any request to business@zhiera.com from the email associated with your account; we respond within 30 days. EU/UK residents have additional rights under the GDPR/UK GDPR; California residents have additional rights under the CCPA/CPRA. We honor those rights without discrimination.
7. Children
The Services are not directed to children under 13. We do not knowingly collect personal data from a child under 13. If you believe a child has signed up, contact us and we will delete the account.
8. Security
Passwords are hashed with bcrypt. Sensitive fields (push tokens, secrets) are encrypted at rest. Web traffic is forced to HTTPS with HSTS. Friend chat is end‑to‑end encrypted with keys held only on your device. Backups are encrypted. Even with these measures, no online service is perfectly secure; if we discover a breach affecting your data we will notify you without undue delay.
9. Changes
We may update this policy. Material changes are announced in-app or by email at least 14 days before they take effect. The "Last updated" date at the top reflects the latest version.
10. Contact
Mail and email work; we read both.
ZhiEra LLC
Colorado, United States
business@zhiera.com