Celvo
Legal

Privacy Policy

Effective Date: 02.06.2026 · Last Updated: 02.06.2026

1. Introduction

This Privacy Policy explains how Mtislab LLC (“Celvo”, “we”, “our”, or “us”) collects, uses, shares and protects personal data of individuals who use the Celvo mobile application, the website at celvoapp.com and our eSIM data services (collectively, the “Service”).

We take your privacy seriously. This Policy is designed to comply with:

  • The EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR;
  • The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”);
  • The Law of Georgia on Personal Data Protection; and
  • Other applicable privacy laws.

2. Data Controller

The data controller responsible for your personal data is:

Mtislab LLC
A limited liability company organized under the laws of Georgia
Identification Number: 448430911
Registered Office: Georgia, Batumi, 12th St., N1

  • Email (all data-protection inquiries, including DPO / EU privacy contact): info@mtislab.com

3. Information We Collect

We collect the following categories of personal data.

3.1 Identity and Authentication Data

  • Full name
  • Email address
  • Authentication identifierswe do not store account passwords. Authentication is performed through email-based one-time codes (magic links / OTP) and/or third-party identity providers (such as Apple Sign-In and Google Sign-In). We retain only the session tokens or provider-issued identifiers necessary to keep you signed in.
  • Optional profile information you choose to provide

3.2 Technical and Network Data

  • Device model, manufacturer and unique device identifiers
  • Operating system and version
  • Application version and configuration
  • eSIM identifiers: ICCID (Integrated Circuit Card Identifier) and EID (eUICC Identifier)
  • IP address and approximate location derived from it
  • Network attachment events and serving Network Partner
  • Real-time data consumption metrics (volume of data used, session timestamps)
  • Diagnostic logs, crash reports and performance data

3.3 Transaction and Payment Data

  • Purchase history (Data Packages bought, dates, amounts, currencies)
  • Billing country and, where required by law, tax identifiers
  • We do not store full payment card numbers, CVV codes or bank account details. All payments are processed by certified third-party payment processors — primarily Bank of Georgia (BOG) as our acquiring bank, together with Apple Pay and Google Pay — which handle and store card data in accordance with PCI-DSS standards. We only receive a transaction confirmation and a tokenized reference.

3.4 Communications Data

  • Messages you send to our customer support (in-app chat, email)
  • Feedback, ratings and survey responses

3.5 Usage Data

  • Pages and screens viewed within the application
  • Features used, buttons clicked and navigation paths
  • Referral source and marketing campaign identifiers
  • Cookies and similar technologies (see Section 11)

4. How We Collect Your Information

We collect personal data:

  • Directly from you, when you register, make a purchase, contact support or otherwise interact with the Service;
  • Automatically, through the application and our servers when you use the Service (e.g., diagnostic and consumption telemetry);
  • From third parties, such as payment processors (transaction confirmations) and Network Partners (provisioning status, data usage reports).

5. Legal Bases for Processing (GDPR)

If you are in the European Economic Area, the United Kingdom or another jurisdiction with similar requirements, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) — to create your account, deliver Data Packages, provision eSIM profiles, process payments and provide support.
  • Legitimate interests (Art. 6(1)(f) GDPR) — to operate, secure, improve and analyze the Service, prevent fraud and abuse, and communicate with you about your account.
  • Consent (Art. 6(1)(a) GDPR) — for optional marketing communications and certain analytics or advertising cookies. You may withdraw your consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, anti-money-laundering and other legal duties under Georgian and other applicable law.

6. How We Use Your Information

We use personal data to:

  • Create and manage your account;
  • Process purchases and deliver eSIM Data Packages;
  • Provision eSIM profiles with Network Partners and monitor data consumption;
  • Provide customer support and respond to your inquiries;
  • Send transactional communications (purchase receipts, account notifications, service alerts);
  • Detect, prevent and investigate fraud, abuse and security incidents;
  • Comply with legal obligations and respond to lawful requests from authorities;
  • Improve the Service through analytics, A/B testing and bug fixing;
  • With your consent, send marketing communications about new features, destinations or offers.

7. How We Share Your Information

We share personal data only as described below.

7.1 Network Partners (Telecommunications Operators)

To provision and deliver your eSIM Data Package, we share certain technical identifiers (such as ICCID, EID, device model and country of use) with the upstream Network Partner serving the destination country. This sharing is strictly necessary to perform the contract with you. Network Partners process this data under their own privacy practices and applicable telecommunications law.

7.2 Payment Processors

Payment information you provide is transmitted directly to and processed by our payment processors — primarily Bank of Georgia (BOG) as the acquiring bank, together with Apple Pay and Google Pay. We receive a tokenized confirmation but do not access raw card data.

7.3 Analytics and Performance Providers

We use industry-standard tools, including Google Analytics and Firebase, to understand how the Service is used, monitor crashes and improve performance. These tools may collect device identifiers, IP addresses and usage events. Where required by law, analytics that are not strictly necessary are deployed only with your consent.

7.4 Service Providers

We engage trusted vendors for hosting, email delivery, customer-support tooling, identity verification and similar functions. These vendors process personal data on our behalf, under written agreements that require appropriate confidentiality and security.

7.5 Legal and Safety Disclosures

We may disclose personal data when we believe in good faith that doing so is necessary to:

  • Comply with applicable law, regulation, legal process or governmental request;
  • Enforce our Terms of Service;
  • Protect the rights, property or safety of Celvo, our users or others;
  • Detect, prevent or address fraud, security or technical issues.

7.6 Corporate Transactions

If we are involved in a merger, acquisition, financing or sale of assets, personal data may be transferred as part of that transaction, subject to standard confidentiality protections.

We do not sell your personal information. We do not “sell” or “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

8. International Data Transfers

Celvo is established in Georgia, and the Service is offered globally. Personal data may be processed in Georgia, in the European Economic Area and in other countries where our service providers operate.

Where personal data is transferred from the EEA, the UK or other jurisdictions with cross-border transfer rules, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and supplementary measures, where required.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Account data: for the duration of your account and for a reasonable period thereafter;
  • Transaction records: for the period required by applicable tax, accounting and consumer-protection laws (typically up to 6 years in Georgia, longer where required);
  • Technical and consumption data: for as long as needed to operate, secure and improve the Service and resolve disputes;
  • Support communications: for a reasonable period to provide continuity of support and defend against claims.

When the retention period expires, we delete or anonymize the data so it can no longer be associated with you.

10. Data Security

We implement administrative, technical and physical safeguards designed to protect personal data, including:

  • Encryption of data in transit (TLS) and at rest where appropriate;
  • Access controls, role-based permissions and authentication requirements for our staff;
  • Hashing of account passwords;
  • Regular vulnerability assessments and security monitoring;
  • Vendor due diligence for all data processors.

No system is perfectly secure, however. You are responsible for keeping your account credentials confidential and notifying us promptly if you suspect unauthorized access.

11. Cookies and Similar Technologies

The Site uses cookies and similar technologies (e.g., local storage, SDKs within the application) for purposes such as authentication, preferences, analytics and performance. You can manage non-essential cookies through the in-app / Site consent banner and through your browser or device settings.

12. Your Rights Under the GDPR / UK GDPR

If you are in the EEA, the UK or a jurisdiction with similar law, you have the following rights:

  • Access — request a copy of your personal data;
  • Rectification — request that we correct inaccurate or incomplete data;
  • Erasure (“Right to be Forgotten”) — request that we delete your data, subject to legal retention requirements;
  • Restriction — request that we restrict processing in certain circumstances;
  • Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller;
  • Objection — object to processing based on legitimate interests, and to processing for direct marketing;
  • Withdrawal of Consent — where processing is based on consent, withdraw your consent at any time;
  • Lodge a Complaint — with your local supervisory authority (your national data-protection authority, or the Personal Data Protection Service of Georgia for users in Georgia).

You can exercise these rights by contacting info@mtislab.com or by using the in-app account settings, including the Delete Account function. We will respond within the timeframes required by applicable law (generally within one month under the GDPR).

13. Your Rights Under the CCPA / CPRA (California Residents)

If you are a California resident, you have the right to:

  • Know what categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purposes of collection, and the categories of third parties with whom we share it;
  • Delete personal information we have collected from you, subject to certain exceptions;
  • Correct inaccurate personal information;
  • Limit the use and disclosure of sensitive personal information;
  • Opt out of the “sale” or “sharing” of personal information (as defined under California law). As noted above, we do not sell or share personal information in that sense, but you may submit a request to confirm;
  • Non-discrimination — we will not discriminate against you for exercising your rights.

You may exercise these rights by emailing info@mtislab.com or using the in-app settings. We may need to verify your identity before responding. You may also designate an authorized agent to make a request on your behalf.

14. Your Rights Under Georgian Law

If you are a resident of Georgia, the Law of Georgia on Personal Data Protection grants you rights of access, rectification, blocking, deletion and destruction of personal data, as well as the right to be informed about the processing of your data.

You may lodge a complaint with the Personal Data Protection Service of Georgia (www.personaldata.ge).

15. Children’s Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If we learn that we have collected such data, we will promptly delete it. If you believe a child has provided us with personal data, please contact info@mtislab.com.

16. Account Deletion

You may delete your account at any time through the in-app Delete Account function or by contacting info@mtislab.com. Upon a verified deletion request:

  • Your account and associated profile data will be deleted or anonymized within a reasonable period (typically 30 days);
  • Data we are required to retain for legal, tax, accounting, fraud-prevention or dispute-resolution purposes will be retained only for the period and to the extent required;
  • Pseudonymized or aggregated data that no longer identifies you may continue to be used for analytics and Service improvement.

Deletion of your account does not entitle you to a refund of unused or activated Data Packages, except as set out in the Terms of Service.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the application, by email or by posting a notice on the Site at least 14 days before they take effect. The “Last Updated” date at the top reflects the latest version.

18. Contact Us

For questions, requests or complaints relating to this Privacy Policy or our processing of your personal data, please contact:

Mtislab LLC
Georgia, Batumi, 12th St., N1
Identification Number: 448430911

Privacy Policy · Celvo