Privacy Policy
Last updated: 14 May 2026
1. Who we are
Lifecycle Innovations Limited (Hong Kong Company No. [HK_COMPANY_NUMBER], registered office: [HK_REGISTERED_OFFICE_ADDRESS]) operates the Mango travel eSIM service at mango.talk as a DBA (trading name).
We are the data controller for personal data collected through Mango. This policy explains what we collect, why, and what your rights are under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) and, where applicable, the EU General Data Protection Regulation (“GDPR”).
Privacy contact: privacy@mango.talk
PDPO — DPP5: Openness
2. What data we collect
We collect only what we need to provide the service. Here is every category, in plain terms:
Account data
- Email address — used to create your account and send your eSIM QR code.
- Name — used for your account profile and receipts.
- Password — we never see or store your raw password. Clerk (our auth provider) manages credential hashing.
Device and eSIM data
- EID (embedded SIM identifier) — the hardware identifier of your device's eSIM slot. Required to issue your eSIM profile.
- ICCID (SIM card identifier) — assigned when your eSIM is provisioned. Used to track activation status and usage.
- Data usage and session timestamps — how much data you consumed, when sessions started/ended, and which country you roamed in. Used for fair-use monitoring and support. Not linked to the content of your browsing.
Payment data
- What Stripe handles: your full card number, CVV, and bank details. We never see or store these.
- What we receive from Stripe: last 4 digits of card, card brand, transaction ID, and amount. Used for your receipt and for refund processing.
Support data
- Messages you send us via WhatsApp, SMS, or email — including any details you voluntarily share (e.g., device model, destination).
- We use support conversations only to resolve your issue. We do not mine them for marketing.
Analytics data (pseudonymous)
- Page views, feature interactions, and purchase funnel events — used to understand how the service is used and to improve it.
- These events are pseudonymous (no direct identifier). We do not build individual behavioral profiles.
Attribution data
- If you arrive via a marketing link, AppsFlyer logs the campaign source (e.g., “Instagram story”, “Google Ads”). No advertising ID is stored after attribution fires.
Cookies and similar technologies (web only)
- Essential cookies: Clerk session token (authentication) and Stripe fraud prevention token. These are required for the service to work.
- No advertising cookies: we do not use third-party advertising or cross-site tracking cookies.
Error and diagnostic data
- Anonymized crash reports and server-side log lines, collected via Sentry. Stack traces are scrubbed of personal data before storage.
PDPO — DPP1: Collection is limited to stated purposes
3. Why we collect it
Under PDPO DPP1, we must state the purpose of collection before or at the time of collection. Our purposes are:
- Account creation and authentication — so you can sign in and manage your plans.
- eSIM provisioning and activation — to issue your eSIM profile to your device via our carrier network.
- Payment processing and receipts — to charge you for your plan and provide a record of the transaction.
- Customer support — to respond to your questions and resolve technical issues.
- Fair-use monitoring and network integrity — to detect abuse of unlimited plans (e.g., commercial resale of data).
- Service improvement — to fix bugs and make Mango better, using anonymized usage signals.
- Marketing effectiveness — to measure which campaigns drive sign-ups at an aggregate level (AppsFlyer, pseudonymous).
- Legal and regulatory compliance — to retain billing records as required by the Hong Kong Inland Revenue Ordinance (Cap. 112) and to comply with lawful requests from authorities.
We do not use your data for behavioral advertising or sell it to any third party. [PDPO s.26; DPP3 — Use must match purpose]
4. Legal basis (for EU/UK users)
If you are in the EU, EEA, or UK, the GDPR requires us to state a legal basis for each use of your data:
- Contract performance (Art. 6(1)(b)) — provisioning your eSIM, processing payment, sending your QR code.
- Legitimate interests (Art. 6(1)(f)) — fraud detection, fair-use monitoring, anonymized analytics, error diagnostics. Our interest in running a reliable service does not override your rights.
- Legal obligation (Art. 6(1)(c)) — retaining billing records as required by applicable tax law.
- Consent (Art. 6(1)(a)) — direct marketing by email, SMS, or WhatsApp. You can withdraw consent at any time (see Section 11).
5. Who we share your data with
We do not sell your data. We share it only with service providers who need it to help us deliver Mango. Each is bound by a written data processing agreement.
- Stripe — payment processing and fraud detection. Data may reside in the EU or US.
- Clerk — authentication and session management. EU data residency available.
- Carrier / OCS — our eSIM provisioning partner. Processes your EID and ICCID to issue and activate your eSIM. Data residency varies by carrier region.
- Cloudflare — CDN, DDoS protection, edge routing, and short-term request log retention. Global infrastructure.
- Vercel — web hosting and edge functions. US + EU infrastructure.
- Sentry — error tracking and crash reporting. US-based. Stack traces are scrubbed of PII before transmission.
- Twilio — SMS and WhatsApp message delivery for support and transactional notifications. US-based.
- Resend — transactional email (QR codes, receipts). US + EU infrastructure.
- AppsFlyer — mobile attribution analytics. EU data residency, GDPR-compliant mode enabled.
6. Cross-border transfers
Mango is a global service. Your data is processed by providers in the United States, the European Union, and other countries. This means your personal data leaves Hong Kong. [PDPO s.33]
We protect cross-border transfers through:
- Data processing agreements (DPAs) with every provider listed in Section 5, incorporating standard contractual clauses where required.
- Encryption in transit — TLS 1.3 for all data moving between systems.
- Encryption at rest — databases and file stores are encrypted at rest using AES-256 or equivalent.
- Minimal transfer — only the data each provider needs for their specific function is transferred.
By creating an account and purchasing a plan, you acknowledge that your data will be transferred outside Hong Kong under these safeguards.
7. How long we keep your data
- Account and order data — retained for 24 months after your last activity. If you close your account, we delete this data within 30 days, except where we are required to keep it for legal reasons.
- Billing records — retained for 7 years to comply with Hong Kong Inland Revenue Ordinance (Cap. 112) record-keeping obligations.
- Usage telemetry (data consumed, session timestamps) — retained for 90 days.
- Error and diagnostic data — retained for 30 days.
- Support messages — retained for 12 months after the last message in a conversation, then deleted.
- Attribution data — no advertising ID is stored after attribution fires. Aggregate campaign stats are retained indefinitely but are not linked to individuals.
PDPO — DPP2: Data must not be kept longer than necessary
8. Your rights under the HK PDPO
The PDPO gives you the following rights. [PDPO DPP6; ss.18–22]
- Right of access — you may request a copy of the personal data we hold about you.
- Right of correction — if your data is inaccurate, you may request that we correct it.
- Right to withdraw consent — where we process your data based on consent (e.g., direct marketing), you may withdraw that consent at any time. Withdrawal does not affect any processing done before withdrawal.
- Right to opt out of direct marketing — under PDPO ss.35A–35M, you may ask us to stop using your personal data for direct marketing at any time (see Section 11).
To exercise any of these rights, email privacy@mango.talk. We will respond within 40 days as required by PDPO s.19. We may ask you to verify your identity before processing the request.
A fee may be charged for data access requests as permitted under PDPO s.20. We will tell you the fee before processing.
9. Your rights under GDPR (if you are in the EU or UK)
In addition to Section 8, EU and UK residents have the following rights under the GDPR: [GDPR Arts. 15–21]
- Erasure (Art. 17) — request deletion of your personal data, subject to our legal retention obligations.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Restriction of processing (Art. 18) — ask us to limit how we use your data in certain circumstances.
- Object to processing (Art. 21) — object to processing based on legitimate interests.
- Complaint to a supervisory authority (Art. 77) — you have the right to lodge a complaint with the data protection authority in your EU member state or, for UK residents, the ICO (ico.org.uk).
We aim to respond to GDPR rights requests within 30 days. Email privacy@mango.talk.
10. Cookies and tracking
We use only what is necessary for the service to function. Here is the full list:
- Clerk session cookie — keeps you signed in. Session-duration or up to 30 days if you select “remember me”. Essential — cannot be disabled without breaking sign-in.
- Stripe fraud prevention token — helps Stripe detect fraudulent payments. Essential for payment processing.
We do not use advertising cookies, social media tracking pixels, or cross-site third-party cookies.
Analytics events are collected server-side where possible to avoid placing cookies in your browser.
11. Direct marketing
[PDPO ss.35A–35M]
We will only send you marketing messages (email, SMS, or WhatsApp) if you have explicitly opted in. We will not use your data for direct marketing without your prior consent.
Every marketing message we send includes a clear, one-click opt-out link. You can also opt out at any time by:
- Clicking the unsubscribe link in any email we send.
- Replying “STOP” to any SMS or WhatsApp message we send.
- Emailing privacy@mango.talk with the subject “Unsubscribe”.
Transactional messages (e.g., your eSIM QR code, payment receipt, activation confirmation) are not marketing and are not affected by marketing opt-out.
12. Children
Mango is not directed at children under 13. Our Terms of Service require users to be at least 18 years old.
If you believe a person under 13 has created an account, contact privacy@mango.talk and we will delete the account and associated data promptly.
13. Security
[PDPO DPP4]
We use the following measures to protect your data:
- TLS 1.3 for all data in transit between your device and our systems, and between our systems and third-party providers.
- Encryption at rest for databases and file stores using AES-256 or equivalent.
- No raw password storage — Clerk manages authentication with industry-standard hashing. We never have access to your password.
- No raw payment card storage — payment data is handled entirely by Stripe. It never touches our servers.
- Access controls — production systems are accessible only to authorised personnel. Access is logged and reviewed.
- Error monitoring — Sentry is wired to catch and alert on anomalies. PII is scrubbed from error reports before transmission.
In the event of a personal data breach, we will notify affected users and the Privacy Commissioner for Personal Data (PCPD) in accordance with applicable law.
14. Changes to this policy
We may update this policy when our data practices change. For material changes — for example, adding a new category of data or a new third-party processor — we will:
- Post the revised policy at mango.talk/legal/privacy.
- Update the “Last updated” date at the top of this page.
- Notify you by email at least 30 days before the change takes effect.
Non-material changes (e.g., clarifying wording, adding links) may be made without advance notice.
15. Contact and complaints
For any question about this policy or to exercise your rights, contact us at:
Lifecycle Innovations Limited (trading as Mango)
[HK_REGISTERED_OFFICE_ADDRESS]
Hong Kong
privacy@mango.talk
Escalation — Hong Kong
If you are not satisfied with our response, you may escalate to the Privacy Commissioner for Personal Data (PCPD):
- Website: pcpd.org.hk
- Tel: +852 2827 2827
- Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Escalation — EU / UK
If you are in the EU, you may lodge a complaint with the data protection supervisory authority in your member state. If you are in the UK, contact the Information Commissioner's Office (ICO) at ico.org.uk.
Personal Information Collection Statement (PICS)
This statement is provided in accordance with PDPO DPP1(3). It is displayed at every point where we collect personal data (account registration, checkout).
- Purposes of collection: as listed in Section 3.
- Classes of transferees: as listed in Section 5.
- Is collection mandatory? Account data (email, name) is required to use the service. Device EID is required to provision your eSIM. Payment data is required to complete a purchase. Support data is voluntary.
- Consequence of not providing data: if you do not provide required data, we cannot create your account, process your payment, or provision your eSIM.
- Access and correction rights: you have the right to access and correct personal data we hold about you (PDPO DPP6).
- Access request contact: privacy@mango.talk