This page is maintained by VERO ESIMS to answer common security and privacy questions about our travel eSIM service. It describes practices we have in place today and is not an independent certification.
Customer accounts are protected by email/password and Google sign-in. Sessions use short-lived access tokens with automatic refresh. Account data is scoped per user through row-level access policies in our database, and privileged operations are gated by server-side role checks.
The site runs on Lovable Cloud, which provides our managed database, authentication and edge runtime. Traffic is served over HTTPS with TLS in transit. Application and database access is restricted to the VERO ESIMS team and the platform provider acting as our processor.
We collect the minimum needed to deliver your eSIM: account email and name, the plan and destination you bought, eSIM identifiers and activation/usage status returned by our network partner, and basic device/usage telemetry. Full detail is in our Privacy Notice.
Order and tax records are kept for up to 7 years to meet legal and accounting obligations. Account data is retained while your account is active and for up to 24 months of inactivity, after which it is deleted or anonymised. Support tickets are kept for up to 3 years. You can request deletion at any time.
To exercise data access, correction, deletion, portability or objection rights, email privacy@vero.travel. We respond within one month.
To report a suspected vulnerability or security concern, email security@vero.travel with steps to reproduce. Please give us a reasonable time to investigate before any public disclosure. We do not currently run a paid bug bounty.
VERO ESIMS is responsible for application security, access controls and our handling of your data. Our platform provider is responsible for the underlying cloud infrastructure. You are responsible for keeping your account credentials and the device holding your eSIM secure.