1. Introduction

This Privacy Policy describes how Devotel ("we", "us", "our") collects, processes, and protects personal data when individuals and organizations use the Connectivity Management Platform (CMP), CMP White-Label, CMP Retail, Esimora (B2C App/Web), and any related services powered by our multi-provider eSIM ecosystem.

We adhere to the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.

2. Data We Collect

2.1. Account & Profile Information

• Name, email address, company information
• Role and permissions within tenant/sub-account
• Billing details (VAT number, address)*
• White-label configuration (logo, domain, theme)*

(*where applicable to WL tenants)

2.2. eSIM & Connectivity Data

To operate our services, we process the following:

• ICCID (masked when displayed to users)
• Activation status & timestamps
• Device type & OS
• Country-of-use (derived from network events)
• Usage data (MB consumed, expiry, add-ons)
• Activation logs, failover attempts

These are technically required to provision, monitor, and maintain eSIM services.

2.3. Order, Payment & Financial Data

• Order history, invoices, refunds
• Payout and settlement details for WL tenants & affiliates
• Referral activities and commission records

Payments are processed via PCI-compliant third-party payment processors. We do not store full card details.

2.4. Support & Communication Data

• Support tickets
• Email communications
• Audit logs of user actions (per GDPR requirements and fraud prevention)

2.5. Technical & Analytics Data

• IP address, device identifiers, browser data
• Event logs (activation success/failure, usage alerts)
• Security telemetry

3. How We Use Personal Data

We process data to:

• Provision eSIM profiles and manage their lifecycle
• Enable multi-provider routing and failover
• Deliver usage dashboards, analytics, and reporting
• Verify payments, issue invoices, perform settlements
• Provide customer support and fraud monitoring
• Show plan catalog according to WL tenant settings
• Comply with regulatory, tax, and security obligations

Legal Basis: Contract performance, legitimate interest, compliance with legal obligations, and explicit consent where required.

4. Data Sharing & International Transfers

We may share data with:

• eSIM providers only for activation and lifecycle operations
• Payment processors
• White-label tenants (restricted to their own tenant's data via RBAC and tenancy isolation)
• Cloud hosting providers
• Fraud prevention and analytics tools

We implement:

• Standard Contractual Clauses (SCCs)
• Data Processing Agreements (DPAs)
• Encryption in transit & at rest
• Provider state normalization & audit trails (CMP orchestration)

5. Data Retention

• Event logs & telemetry: 60 days (CMP spec)
• Billing, invoicing & payouts: 7 years (legal obligation)
• Support tickets: 2 years
• Account data: kept until deletion or termination of service

6. Rights of Data Subjects (GDPR)

Users may request:

• Access to their data
• Correction or deletion
• Restriction of processing
• Transfer of their data
• Objection to certain types of processing

Requests are handled within 30 days.

Contact: cmp@devotel.io

7. Security Measures

We apply:

• Role-based access control (RBAC) & tenant isolation
• ICCID masking for all non-admin roles
• Encrypted storage and secure key handling
• Provider-agnostic orchestration with state validation
• Anti-fraud rules & referral integrity checks
• Regular penetration tests and 24/7 monitoring

8. White-Label (WL) Tenancy

WL partners receive isolated access to their own tenant data only.

They do not access provider-level logs or other tenants' information.

Branding, domain, and catalog show/hide features do not expose any personal data.

9. Children's Privacy

Our platforms are not intended for users under 16.

10. Changes to This Policy

Updates will be published on our website with an updated "Last Updated" date.