at ORA Ltd
ORA Inc. is a Gibraltar corporation (Reg. No. [●]) with its principal place of business at [Address]. We serve as the “data controller” under applicable privacy laws, meaning we decide how and why your personal data is processed.
We collect various categories of information when you use our web application. This includes account and profile data (full name, email address, telephone number, password, and optional profile picture); order and payment data (details of your eSIM plan, billing address, transaction date and method, and the last four digits of your card or transaction ID); usage and device data (device type and model, operating system, unique device ID, IP address, browser type and version, time zone, and web-app events such as page views, plan downloads, form submissions, and error reports); cookies and similar trackers (essential session cookies, analytics cookies for performance measurement, and marketing cookies for promotional tailoring—each of which you can manage via your browser settings); communications data (chat transcripts, email exchanges, support tickets, and any feedback you submit); and, where applicable, basic profile information from social-login providers.
Under GDPR and comparable regulations, we process your data primarily to perform our contract with you (delivering eSIM plans), on the basis of our legitimate interests (improving and securing our Services and issuing system updates), with your consent for marketing and non-essential cookies (which you may withdraw at any time), and where necessary to fulfill legal obligations such as tax or regulatory record-keeping.
Your information enables us to activate and manage your eSIM plan, maintain and improve our web application, handle your support requests, send you transactional notifications (e.g., confirmations and renewal reminders) and—if you’ve opted in—marketing offers, detect and prevent fraud, and perform usage analytics to refine our features and performance.
We disclose personal data only as needed to trusted third parties under strict confidentiality: payment processors (e.g., Stripe); hosting and infrastructure providers (AWS, Cloudflare); analytics platforms (Google Analytics); email and messaging services (Intercom); legal authorities when compelled by valid subpoenas or court orders; and potential acquirers in the event of a merger or sale, always subject to this Privacy Policy’s protections.
Because we operate globally, your data may be processed in Gibraltar, the UK, or other jurisdictions. Where required, we implement Standard Contractual Clauses or equivalent safeguards to ensure that transfers meet legal data-protection standards.
We keep your account and profile data for three years after your last active subscription; order and payment records for ten years to satisfy tax and accounting rules; usage and device logs for two years; support interactions for three years; and marketing opt-in records for one year after your last interaction (unless you opt out sooner). Once these periods expire, we securely delete or irreversibly anonymize your data.
Depending on where you live, you may have the right to access, correct, delete, restrict, or object to our processing of your personal data; to receive your data in a machine-readable format; and to withdraw any consent you’ve given (for marketing or cookies). To exercise these rights, please send a “Privacy Request” email to We’ll ask you to verify your identity before acting on your request.
We protect your data with industry-standard measures, including TLS encryption in transit, AES-256 encryption at rest, strict access controls following the principle of least privilege, regular security audits, vulnerability scanning, and a formal incident-response plan that includes user notification in the event of a breach.
Depending on your jurisdiction, you are responsible for contacting your local data protection regulator or supervisory authority if you wish to exercise your rights or lodge a complaint about how we process your Personal Data.
We’ll update this page with a new “Last updated” date whenever the policy changes. For significant revisions, we’ll also notify you by email or via in-app banner. Continued use after those changes means you accept the new terms.