Nexpat Privacy Policy
Last updated: 26/02/2025
This Privacy Policy ("Policy") explains how NEXPAT LTD ("Nexpat," "we," "us," or "our") collects, uses, discloses, transfers, and stores your personal data, and describes your rights and choices. Please read it with our General Terms and, if you use our Services, our Terms of Use.
- Controller: NEXPAT LTD, 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- Privacy contact: [email protected]
- Data Protection Officer (DPO): [email protected]
- Supervisory authority: UK Information Commissioner's Office (ICO)
If your access to Nexpat is provided by a third party (e.g., your employer, a travel agency, or a marketplace partner), we may receive personal data about you from them. Their processing may differ; please also review their privacy notices.
1) Scope of this Policy
This Policy applies to:
- Nexpat apps and websites (the "Platform");
- eSIM services and telecom integrations (e.g., connectivity provisioning, ICCID activation via approved providers/aggregators);
- Identity verification (KYC/KYB) and compliance screening where required;
- Events & e-tickets features;
- AI-powered features (e.g., virtual assistant, personalization, fraud prevention, content moderation);
- Customer support, surveys, marketing communications and promotions.
Excluded: wallet/fintech features (payments, cards, financial accounts) are not processed under this Policy.
2) Personal Data We Collect & Sources
Personal data is information relating to an identified or identifiable individual.
A. Data you provide directly
- Account & profile: name, email, phone, country/region, preferred language, avatar; optional: professional role, company (for providers/partners).
- KYC/KYB (where required): identity documents and numbers, date of birth, address, selfie/biometric checks (for liveness/match), company documents and signatory authority.
- Support & communications: emails, chats, in-app messages, feedback, help tickets, attachments.
- User content: posts, photos/videos, comments, reviews/ratings, preferences; social handles you choose to share.
- Events & e-tickets: attendee details, preferences, ticket ownership and transfer metadata.
- Marketing & surveys: subscription choices, responses, testimonials.
B. Data collected automatically (when you use the Platform)
- Usage & diagnostics: pages/screens viewed, features used, session duration, referral/UTM, crash logs, performance metrics.
- Device & network: IP address, device IDs, OS, app version, browser, non-precise location from IP, time zone, language, mobile carrier.
- Precise location: only if you enable device permissions, to power location features (e.g., events near you).
- Cookies/SDKs: identifiers and telemetry for authentication, security, analytics, A/B testing, personalization, and (where permitted) marketing. See our Cookie Policy: [link].
C. Data from third parties (as permitted)
- Login providers (Apple/Google/Facebook): basic account info as authorized (e.g., name, email; Apple "Hide My Email" may mask your email).
- Identity & compliance vendors: verification results and required screening outcomes.
- Telecom & eSIM partners: activation status, ICCID/eSIM profile references, network provisioning metadata (not the content of communications).
- Distribution/marketplace partners: order/fulfillment and account linking details when you sign up or redeem via partners.
- Marketing/analytics partners: campaign performance, attribution, audience engagement.
- Public/enterprise sources (for Nexpat Business profiles): business contact, role/title, company info.
We do not collect the content of your personal communications (calls/SMS) carried over cellular networks.
3) Legal Bases (UK/EU)
We process personal data under:
- Contract: create/manage your account; provide eSIM and events & e-tickets; support; core Platform functions.
- Legitimate interests: secure and improve services; prevent fraud/abuse; product analytics; personalization; B2B relationship management; business continuity—balanced against your rights.
- Legal obligations: identity verification, audit/log retention, lawful requests, sanctions/export controls where applicable.
- Consent: certain marketing, non-essential cookies/SDKs, precise location, and (where required) biometrics. You may withdraw consent at any time (see Your Rights).
4) How We Use Personal Data
We do not perform automated decision-making producing legal or similarly significant effects without human involvement, unless required by law and with safeguards.
5) Sharing & Disclosure
We share personal data with:
We do not sell your personal information.
6) International Data Transfers
Your data may be stored and processed outside the UK/EU. Where no adequacy decision applies, we use Standard Contractual Clauses (SCCs) (and UK IDTA/Addendum where relevant) plus supplementary measures as appropriate. You may request a copy of transfer safeguards (redacted) at [email protected].
7) Data Retention
We retain personal data only as long as necessary for the purposes described or as required by law:
- Account data: for the account lifetime and a reasonable period thereafter for queries/disputes/backups.
- KYC/KYB records: per legal/regulatory requirements.
- Operational logs & security records: per security/audit schedules.
- Marketing: until you unsubscribe or withdraw consent (or earlier, per our schedule).
When no longer needed, data is deleted or irreversibly anonymized.
8) Security
We implement appropriate technical and organizational measures (access controls, encryption in transit/at rest where applicable, vulnerability management, least-privilege access, confidentiality obligations). No system is 100% secure; we continually improve our safeguards.
9) Your Rights
Subject to applicable law, you may:
- Access your personal data;
- Rectify inaccurate/incomplete data;
- Erase data in certain circumstances;
- Restrict processing;
- Object to processing based on legitimate interests and object to direct marketing at any time;
- Withdraw consent where processing relies on consent;
- Port your data in a commonly used, machine-readable format.
You can exercise many rights via in-app/account settings. Otherwise, contact [email protected]. We may need to verify your identity as permitted by law.
10) Children
Our Platform is not directed to children under 13 (or higher age where required). We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided data, contact [email protected].
11) Cookies & Similar Technologies
We use cookies, SDKs, and similar technologies for essential operations, analytics, personalization, and (where permitted) marketing. See our Cookie Policy (types, purposes, retention, choices): [link]. Manage preferences via our Consent Manager and your browser/device settings.
12) Regional Supplements
A) United Kingdom & EU/EEA (UK-GDPR/GDPR)
- Controller/DPO: NEXPAT LTD (see header). DPO: [email protected]
- Supervisory authority: You may lodge a complaint with the ICO (UK) or your local EU authority.
- International transfers: SCCs/UK IDTA/Addendum used where no adequacy decision (see Section 6).
- Biometrics for KYC: used only where required/consented and subject to strict safeguards and retention limits.
B) United States (including California CCPA/CPRA)
If you are a California resident:
- Categories collected: identifiers (name, email, phone, device IDs, IP), customer records (account details), internet/network activity (usage, logs), geolocation (IP-based; precise location only with consent), professional info (for providers), inferences (for personalization), sensitive (biometrics for KYC, government ID, account login credentials).
- Sources: you/your devices, partners/vendors, public sources.
- Purposes & disclosures: as described in Sections 4-5.
- "Sale"/"Sharing": We do not sell PI. If we engage in cross-context behavioral advertising, it is only with your consent; you can opt out via "Do Not Sell or Share My Personal Information": [link].
- Sensitive information: used only for permitted purposes (e.g., KYC, security).
- Rights: know/access, correct, delete, opt-out of sale/sharing, limit use/disclosure of sensitive PI (where applicable), and non-discrimination for exercising rights. Submit requests via [webform link] or [email protected].
C) South Africa (POPIA)
You may request access under PAIA and lodge complaints with the Information Regulator ([email protected]). We process personal information per POPIA.
D) Saudi Arabia (PDPL)
We may process/store your personal data outside KSA with appropriate safeguards. Unresolved concerns may be raised with SDAIA.
E) Philippines (DPA)
You have portability and redress rights and may lodge complaints with the National Privacy Commission.
F) Malaysia (PDPA)
A Bahasa Malaysia version will be provided where required. We maintain technical and organizational protections appropriate to PDPA.
G) Colombia (Law 1581/2012; Decree 1377/2013)
You have rights to access, update, correct, revoke consent, and request deletion, subject to legal retention. Complaints may be lodged with the Superintendence of Industry and Commerce (SIC).
Where local law requires specific disclosures beyond those above, we will provide additional country-specific notices here.
13) Social Media, UGC & Public Content
If you tag/mention Nexpat or post public reviews/UGC about Nexpat, we may view, engage with, and—where permitted—repost or feature your content (crediting your handle). Please avoid sharing sensitive data publicly.
14) Third-Party Links & Integrations
Our Platform may link to third-party sites/apps or integrate third-party SDKs. Their privacy practices are governed by their own policies.
15) Changes to this Policy
We may update this Policy. Material changes will be notified via the Platform or email. Your continued use after the effective date indicates acceptance of the updated Policy.
16) Contact Us
- Privacy & rights requests: [email protected]
- DPO: [email protected]
- Postal address: NEXPAT LTD, 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- In-app support: via the Nexpat app help center
If you are not satisfied with our response, you may have the right to lodge a complaint with the ICO (UK) or your local EU data protection authority.
17) Key Definitions
- Services: Nexpat Platform features including eSIM integrations, identity verification, events & e-tickets, AI-powered assistance, and related support.
- Controller/Processor: as defined by applicable data protection laws.
- Personal data / personal information: any information relating to an identified or identifiable individual.
- Biometrics: data from technical processing of physical/physiological/behavioral traits (e.g., face templates) used for identification.
18) Disclosures Specific to Nexpat
- Telecom & eSIM partners: We share only what's necessary to provision eSIMs (e.g., ICCID/eSIM profile references and activation metadata). We do not access or process the content of your communications.
- AI model training: We do not use identifiable personal data to train public or third-party foundation models. We may use aggregated/anonymized data to improve systems.
- Precision location: off by default; collected only if you enable it, used for features (e.g., local events) and fraud reduction.
- Biometric KYC: performed only where required by law or partner policy; stored for the minimum legally required period and then deleted or anonymized, with strict access controls.
- Provider/Business accounts: if you join Nexpat Business, we may publish business profile details you supply (e.g., brand, services, public contact fields you designate).