1. Who We Are
Simourgh Plus ("Simourgh", "we", "us", "our") operates as an independent digital-services brand providing a marketplace at simourgh.plus where users purchase digital goods, software licenses, subscription accounts, gift cards, in-game currency top-ups, and VPN access tailored to Iranian users abroad. This Privacy Policy explains how we collect, use, store, share, and protect personal information in connection with our services. By using the Site, you agree to this Policy.
2. Data We Collect
We collect only the data we reasonably need to deliver your order and operate the marketplace. Specifically:
a. Account data
- Email address (required) — used as your primary login identifier and for order/delivery notifications.
- Display name (optional) — shown in your dashboard and on support tickets.
- Password hash — passwords are stored only as bcrypt hashes; we never see or store your plain password.
- Google OAuth identifier — if you sign in with Google, we receive your Google account email, name, and the `sub` (stable user ID) token from Google. We do not receive your Google password or access any Google services on your behalf beyond sign-in.
b. Profile & service data
- Telegram ID, username, and verified phone number — optional; captured only if you link a Telegram account via our bot @simourghplus_bot for expedited support and delivery notifications.
- KYC verification status — a boolean tier (Basic / Full) required only for services that involve restricted Iranian banking or government portals. We do not store copies of ID documents on our servers; KYC is performed via our identity partner and we keep only a status flag.
- Wallet balance (USD) — store credit held in your account; a ledger of deposits, purchases, refunds, and referrals is kept against your user record.
- Locale and currency preference — language (`fa`/`en`) and display country for pricing.
c. Transaction & payment data
- Order records — service purchased, plan/variation, price in USD, local currency equivalent at time of purchase, quantity, coupon code, referral attribution.
- Payment metadata — payment method (Cryptomus / Stripe / SwapWallet / Wallet), provider reference IDs, status, payment amount, network fees. We do not store full credit-card numbers. Card payments are processed on Stripe's hosted checkout and Stripe is the controller of the card data; we only receive a confirmation token and last-4 digits.
- Crypto transaction hashes — for Cryptomus payments we store the on-chain TX hash for reconciliation and fraud investigation.
- Delivered digital assets — VPN configuration URLs (VLESS), account credentials, gift-card codes, license keys, OTP codes, eSIM QR payloads, or in-game top-up confirmations are stored encrypted at rest and revealed to you on demand in your dashboard.
d. Technical data
- IP address and approximate geolocation — logged at login, at checkout, and on sensitive actions for fraud prevention; resolved to country/region, not pinpoint location.
- User-agent string, browser language, screen size — for rendering, responsive design, and anomaly detection.
- VPN bandwidth counters — for iran-vpn plans that are metered by GB, we store a per-plan running total of bytes uploaded and downloaded. We do not log the content, destinations, or timing of your VPN traffic. See Section 11 for details.
- Server logs — standard web-server access logs (timestamp, path, status code, response time) retained for a limited window for security and debugging.
3. Why We Collect It
- Service delivery — to provision VPN configs, deliver license keys and account credentials, top-up in-game balances, and route gift-card codes to you.
- Payment processing and reconciliation — to accept payments, detect failed transactions, process refunds, and close out accounting.
- Fraud and abuse prevention — to detect stolen-card chargebacks, account takeover attempts, multi-account abuse of free-tier features, and coupon fraud.
- KYC for restricted services — Iranian banking and government portals require identity verification before we grant access via our infrastructure.
- Support — to investigate tickets, recover account access, and replace defective codes.
- Legal compliance — to comply with tax-reporting obligations and respond to lawful requests.
- Analytics (aggregate) — to understand which services are used, improve navigation, and plan capacity.
4. Lawful Basis
We rely on the following legal grounds under GDPR-style frameworks:
- Performance of a contract — delivering the service you purchased.
- Legitimate interests — fraud prevention, network security, and product improvement, weighed against your interests and rights.
- Consent — for optional features such as marketing emails, Telegram linking, and non-essential analytics cookies; revocable at any time from your account settings.
- Legal obligation — where applicable law compels disclosure or retention.
5. Third-Party Processors
We share the minimum data required with the following processors. Each operates under its own privacy policy.
- Cryptomus — crypto payment processing (USDT, USDC, BTC, ETH, TRX). Receives: order ID, amount, currency, return URL. Privacy policy.
- Stripe — card payments via Stripe Checkout (hosted by Stripe). Receives: order ID, amount, customer email, billing address you enter on Stripe's page. Privacy policy.
- SwapWallet — Iranian Rial payment gateway. Receives: order ID, amount, payer phone number if provided.
- Google LLC — Google OAuth (sign-in-with-Google) and Google Analytics (aggregate usage). Google Analytics IP anonymization is applied. Privacy policy.
- Cloudflare, Inc. — CDN, DDoS protection, WAF, and DNS. Sees all inbound HTTPS traffic. Privacy policy.
- Transactional email providers — for password resets, order confirmations, and ticket replies. Message contents and recipient address are transmitted.
- Telegram — if you link your Telegram account, our bot communicates with Telegram's Bot API. Privacy policy.
- Cloud hosting — AWS (Frankfurt, EU), DigitalOcean, and our Iran-side bridge nodes host the application and VPN infrastructure.
We do not sell or rent your personal information to advertising networks.
6. Cookies & Tracking
We set a small number of first-party cookies:
- simourgh_session — essential; authenticates your logged-in session.
- XSRF-TOKEN — essential; prevents cross-site request forgery.
- locale — remembers your language (`fa` or `en`).
- currency_country — remembers your display-currency preference.
- remember_me — optional; issued only if you check "Remember me" at login.
Third-party cookies are set by Google Analytics (_ga, _ga_*) and by Stripe/Cryptomus when their payment widgets load. You can opt out of Google Analytics via the Google Analytics Opt-out Browser Add-on or by blocking third-party cookies in your browser. Disabling essential cookies will break login.
7. Data Retention
- Active accounts: data is retained for as long as your account exists.
- Closed accounts: account identifiers, order history, and financial records are retained for up to 3 years after account closure to satisfy tax, accounting, and anti-fraud obligations. All other profile data is deleted on request within 30 days of account closure.
- Delivered credentials (gift-card codes, license keys, account credentials) are retained for up to 1 year after purchase so that you can retrieve them from your dashboard, after which we may purge them from our encrypted vault.
- Server access logs: 30 days.
- Backups: encrypted backups older than 90 days are rotated out.
8. Your Rights
Regardless of where you reside, we extend the following rights to all users:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to update inaccurate data; most profile fields can be self-served from your dashboard.
- Deletion — request deletion of your account and personal data, subject to the retention windows in Section 7.
- Export (portability) — request a machine-readable export of your order history and profile.
- Objection & restriction — object to processing based on legitimate interests, or ask us to restrict processing while a dispute is resolved.
- Withdraw consent — revoke consent for optional processing at any time.
To exercise any right, open a ticket at /user/tickets or email [email protected]. We respond within 30 days. We may ask you to verify ownership of the email address on the account.
9. Children
Our services are not directed to children. You must be at least 18 years old (or the age of majority in your jurisdiction) to create an account or make a purchase. Under Iranian civil law and our own policy, purchases by minors are void. If we learn that a minor has created an account, we will promptly deactivate it and refund any deposited funds through the same payment channel where possible.
10. International Data Transfers
Our primary application servers are located in AWS EU Frankfurt (Germany) and DigitalOcean data centers. Our Iran-side bridge and VPN exit nodes operate inside Iran solely for the purpose of delivering the access services you purchase. Depending on where you connect from, your data may be transferred across these regions. Where applicable, we rely on standard contractual clauses or equivalent safeguards with our processors.
11. VPN-Specific Privacy Terms
We do not log the content, destinations, timing, or DNS queries of your VPN traffic. Our iran-vpn service exists to help users reach Iranian banking, government, and domestic e-commerce sites from abroad. Our servers forward your traffic without recording what you do.
- Bandwidth counters: for plans metered by GB, our Xray manager records only the total bytes uploaded and downloaded per configuration, so we can enforce the plan's GB cap. This counter is a pair of integers; it contains no destination information.
- Plan expiry: we record the expiration timestamp of each plan and delete the configuration after expiry.
- Fraud signals: if the same configuration is used simultaneously from more than a reasonable number of devices (indicating resale), we may log the anomaly and suspend the config, per Section 11 of our Terms.
- No content logs: we do not run packet capture, deep-packet-inspection, or per-connection logging on our VPN infrastructure.
12. Security
- All traffic to simourgh.plus is served over HTTPS with TLS 1.3 where the client supports it.
- Passwords are stored as bcrypt hashes with Laravel's default work factor.
- Two-factor authentication (2FA) via TOTP is available in your account settings and is strongly recommended.
- Cloudflare WAF and rate-limiting protect against brute-force and scraping attacks.
- Delivered credentials and VPN configurations are encrypted at rest.
- Access to production databases is limited to a small engineering team and is audit-logged.
No system is perfectly secure; if you believe your account has been compromised, change your password, revoke active sessions from your dashboard, and open a support ticket immediately.
13. Changes to This Policy
We may update this Policy from time to time. Material changes (e.g., adding a new processor, changing the retention window, broadening the data we collect) will be announced at the top of this page and by email to the address on your account at least 30 days before taking effect. Non-material clarifications may be published without prior notice. The "Last updated" date above always reflects the current revision.
14. Contact
For privacy questions, data-subject requests, or complaints:
- Support tickets (fastest): simourgh.plus/user/tickets
- Email: [email protected]
- Telegram: @simourghplus_bot
Simourgh Plus operates as an independent digital-services brand. Because we serve users globally and are not bound to a single jurisdiction, privacy complaints are handled through our internal support channel. If you are not satisfied with our response, you may pursue alternative dispute resolution at your own cost.