Vyroam
Privacy Policy

Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Nordevia AS ("Vyroam", "we", "us", "our") collects, uses, and protects your personal data when you use our service. We are committed to handling your information with care and in accordance with applicable data protection law, including the General Data Protection Regulation (GDPR).

Contents

  1. 1. Data Controller
  2. 2. Data We Collect
  3. 3. How We Use Your Data
  4. 4. Legal Basis (GDPR)
  5. 5. Third-Party Services
  6. 6. Data Retention
  7. 7. International Transfers
  8. 8. Cookies & Tracking
  9. 9. Your Rights
  10. 10. Changes to This Policy

1. Data Controller

The data controller responsible for your personal data is:

Nordevia AS

Operating as: Vyroam

Registered in Norway

Contact: support@vyroam.com

2. Data We Collect

We collect only the data we need to provide our service. This includes:

Account information

Your email address and, if you sign in with Google or Apple, your name as provided by those services. This is used to create and manage your Vyroam account.

Order data

Details of your eSIM purchases, including the destination, plan type, and the email used at checkout. We also store the technical eSIM credentials associated with your order — including the ICCID, SM-DP+ address, and activation code — so that you can access your eSIM from your account.

Payment information

Payments are processed by Stripe. We do not store your card details. We retain a reference to the transaction (such as a session identifier) for order tracking and accounting purposes.

Vyroam Wallet data

Your Travel Credit balance and the transaction history associated with your wallet, including credits earned and credits applied at checkout.

Technical and security data

Basic technical information such as your IP address, device type, and browser — used to maintain service security, detect fraud, and ensure the platform functions correctly.

3. How We Use Your Data

We use the data we collect to:

  • Process and fulfil your eSIM orders, including delivering your QR code and eSIM credentials
  • Manage your account and provide access to your order history and eSIM details
  • Apply and record Travel Credit in your Vyroam Wallet
  • Communicate with you about your orders, account, or support requests
  • Detect and prevent fraud, abuse, and security threats
  • Deliver and protect our website efficiently through infrastructure and security providers
  • Measure the performance of our advertising campaigns and understand which channels lead to purchases, where you have given consent for this
  • Comply with our legal and regulatory obligations

5. Third-Party Services

To deliver our service, we work with third-party providers across the following functions. Each provider processes data in accordance with their own terms and applicable data protection law. Where required, we have data processing agreements in place.

Authentication

We use Clerk (US-based) to manage account creation and sign-in, including via email, Google, and Apple. Clerk processes the information necessary to authenticate your identity and maintain a secure session.

Payment processing

We use Stripe (US-based) to handle payments securely. Stripe processes your card details directly and operates under their own privacy policy. We do not store your card information.

eSIM provisioning and connectivity

We work with third-party providers that support eSIM provisioning, activation, order fulfilment, and mobile connectivity. These providers operate telecommunications infrastructure on our behalf and receive the technical data necessary to deliver your eSIM plan.

Infrastructure and security

We use Cloudflare to deliver our website efficiently and protect it against security threats. When you visit Vyroam, Cloudflare may process technical information such as your IP address, request metadata, device type, and browser information. This is used to route traffic, improve site performance and reliability, and defend against fraud, abuse, bots, and attacks. This processing is carried out on the basis of our legitimate interests in operating a secure and reliable service.

Analytics and advertising

Where you have given consent, we may use the following technologies to measure the performance of our advertising and understand which campaigns lead to purchases:

  • Google Ads / Google Tag — We may use the Google Ads tag to track conversions (such as completed purchases) originating from Google advertising campaigns, and to understand overall campaign effectiveness. This may involve Google setting cookies or using similar identifiers on your device. If enabled, Google may also use this data to support audience features or remarketing. This processing is based on your consent.
  • Meta (Facebook) Pixel — We may use the Meta Pixel to measure the performance of our advertising on Meta platforms (including Facebook and Instagram) and to understand which campaigns contribute to purchases. The Pixel may use cookies, pixel tags, or similar identifiers. If enabled, Meta may also use event data to support audience features. This processing is based on your consent.

These technologies are only active where you have provided consent through our cookie settings. You can update your preferences at any time via the cookie settings available on our website.

6. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy. The following table summarises our approach by data category:

Account informationRetained while your account is active and for a reasonable period thereafter, as needed for legal, fraud-prevention, or service continuity purposes.
Order and billing recordsRetained as required by applicable accounting and legal obligations — typically 5 years under Norwegian law.
Wallet / Travel Credit historyRetained as needed to document your balance, for fraud prevention, and for accounting records.
Support communicationsRetained for a reasonable period to support follow-up, dispute resolution, and service improvement.
Technical and security logsRetained for a limited period for security monitoring and fraud detection purposes.

You can request deletion of your account and associated data at any time via support@vyroam.com. Please note that certain records may be retained where required by law.

7. International Data Transfers

Some of the third-party services we use — including Clerk, Stripe, Cloudflare, Google, and Meta — are based in the United States or operate global infrastructure. As a result, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA).

Where such transfers occur, we use appropriate safeguards as required by applicable law. These may include Standard Contractual Clauses (SCCs) as approved by the European Commission, or other valid transfer mechanisms under the GDPR.

8. Cookies & Tracking

Vyroam uses cookies and similar tracking technologies across two categories:

Strictly necessary (no consent required)

  • Authentication and session cookies — Set by Clerk to keep you signed in and manage your session securely.
  • Payment cookies — Set by Stripe as part of the secure payment process.
  • Security and infrastructure cookies — Set or used by Cloudflare and our platform to protect against bots, fraud, and abuse, and to ensure the website is delivered correctly.

Analytics and advertising (consent required)

Where you have given consent, the following technologies may be active:

  • Google Ads tag — May set cookies or use similar identifiers to measure conversions from Google advertising campaigns and understand which campaigns contributed to a purchase.
  • Meta Pixel — May use cookies or pixel tags to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram) and attribute purchases to campaigns.

These technologies are only loaded based on your consent. You can manage or withdraw your consent at any time through our cookie settings. Withdrawing consent does not affect the lawfulness of any processing that took place before you withdrew it.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access — You can request a copy of the personal data we hold about you.
  • Right to rectification — You can ask us to correct inaccurate or incomplete data.
  • Right to erasure — You can ask us to delete your personal data, subject to any legal retention obligations.
  • Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
  • Right to object — You can object to processing based on legitimate interests.
  • Right to lodge a complaint — You have the right to complain to the Norwegian Data Protection Authority (Datatilsynet) if you believe we have handled your data unlawfully.

To exercise any of these rights, please contact us at support@vyroam.com. We will respond within 30 days.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. For material changes that affect how we handle your data, we will take reasonable steps to notify you directly where required.

We encourage you to review this policy periodically to stay informed about how we protect your information.

Contact & Complaints

For any privacy-related questions, requests to exercise your rights, or concerns about how we handle your data, please contact us:

Nordevia AS — Vyroam

support@vyroam.com

You may also contact the Norwegian Data Protection Authority (Datatilsynet) directly if you wish to lodge a formal complaint: datatilsynet.no

Privacy Policy | Vyroam