Privacy Policy
Last updated: June 2, 2026
1. Who We Are
ONYX LABS LIMITED, a company incorporated in Hong Kong with company number 78544157, is the data user responsible for personal data handled under this Privacy Policy unless another notice says otherwise.
Registered office: UNIT 2A, 17/F GLENEALY TOWER, NO.1 GLENEALY, CENTRAL, HONG KONG.
Privacy requests: privacy@onyxmobile.net.
Legal notices: legal@onyxmobile.net.
Support: support@onyxmobile.net.
2. Privacy-First Stance
Onyx is a privacy-first service. We protect privacy by limiting collection, limiting use, limiting disclosure, limiting retention, requiring consent for connected-app access, and avoiding data monetization.
Data minimization is one part of that stance. We collect personal data only where it is needed to provide Onyx, meet legal or provider obligations, protect accounts, prevent abuse, resolve disputes, or support recovery.
We do not sell, rent, broker, trade, or monetize personal data. We do not provide personal data to advertisers, data brokers, or investors for their independent use.
We choose less privacy-intrusive collection and processing methods where practical. If aggregated, anonymized, de-identified, or operationally scoped data can reasonably support the purpose, we prefer that over directly identifying data.
We use service providers only to operate, secure, support, or provide requested Onyx services. Those providers should receive only the minimum information needed for their specific function.
Connected apps receive personal data only through approved scopes, approved assertions, user-directed disclosure, or a legal basis that is disclosed or required by law.
3. Scope
This Privacy Policy explains how we collect, use, disclose, retain, transfer, and protect personal data when you use Onyx websites, apps, accounts, mobile service, eSIM activation, number service, wallet features, payments, card or FX features where available, Onyx ID, chat, communities, connected apps, Connect SDK integrations, support, and related services.
Some services are provided with third-party connectivity providers, telecom providers, payment providers, wallet providers, card issuers, FX providers, verification providers, cloud vendors, support vendors, security vendors, and connected apps.
Some features are available only in supported regions, on supported devices, or after additional verification.
4. Hong Kong Privacy Framework
Onyx is established in Hong Kong and this Privacy Policy is written with reference to the Personal Data (Privacy) Ordinance, including the six Data Protection Principles:
- collection must be lawful, fair, and for a purpose directly related to Onyx functions or activities, and personal data should be adequate but not excessive for that purpose;
- personal data should be accurate and retained no longer than necessary;
- personal data should be used for the purpose collected or a directly related purpose unless you consent or an exemption applies;
- personal data should be protected against unauthorized or accidental access, processing, erasure, loss, or use;
- policies and practices should be open and available;
- you have rights to request access to and correction of your personal data.
Where we collect personal data from you directly, the relevant screen, form, checkout flow, verification flow, support flow, connected-app consent flow, or other collection point should provide a Personal Information Collection Statement or equivalent collection notice on or before collection where required.
5. Providing Personal Data
Some personal data is required to provide a requested Onyx service. For example, we may need account data to create your account, device and eSIM data to activate service, payment data to process a transaction, verification data to assess eligibility, and contact data to provide support.
If you do not provide required personal data, we may be unable to provide the relevant service, activate a plan, assign a number, process a payment, verify eligibility, recover an account, respond to support, or authorize a connected app.
Other personal data may be optional. Where data is optional, the collection point should explain the effect of not providing it where that effect is not obvious.
We do not use optional personal data as a condition for unrelated necessary services unless the optional data becomes required for a specific feature you request.
6. Personal Data We Collect
We collect personal data only where needed for Onyx services, legal compliance, security, support, recovery, or product operation.
Account And Profile Data
This may include your name, email address, phone number, display name, handle, avatar, profile settings, account identifiers, linked devices, session state, recovery methods, support history, preferences, and account status.
We use account and profile data to create and secure your account, provide service, support recovery, show profile information you choose to make visible, and manage permissions.
You control profile fields and visibility where product controls are available. Public profile or community visibility should not expose verification evidence, raw KYC material, private wallet material, or unrelated payment activity.
Mobile Service And eSIM Data
This may include selected plan, coverage region, subscription state, renewal state, eSIM activation state, device type, operating system, eSIM profile identifiers, activation artifacts, roaming status, usage summaries, network registration state, support diagnostics, country or region of use, and service error information.
We collect mobile service and eSIM data only to provide connectivity, manage activation, report usage, manage renewals, troubleshoot service, prevent abuse, comply with telecom requirements, and support recovery.
We treat eSIM activation artifacts, activation codes, and operational provider references as sensitive operational data.
Location-related service data may be inferred from coverage region, roaming country, local network registration, IP address, device settings, or support diagnostics. We use this data only where needed for service, troubleshooting, abuse prevention, recovery, or compliance.
We do not use service location data to build advertising profiles or sell location information.
Number, Calling, SMS, And Communication Metadata
This may include assigned numbers, number status, voice/SMS plan, call records, SMS/MMS records, routing status, delivery status, timestamps, destination country or number, duration, rate class, wallet-rated usage, blocked-route information, and support diagnostics.
We use this data to provide number service, calling, SMS/MMS, billing, usage controls, abuse prevention, support, lawful compliance, and recovery.
Where Onyx-native messaging, calls, or media are end-to-end encrypted, content handling depends on the specific route and implementation. Fallback routes such as SMS, MMS, carrier calls, service conversations, connected-app messages, support messages, or provider-routed communications may not have the same encryption properties.
Wallet, Payment, Card, And FX Data
This may include wallet address, chain, wallet connection state, transaction intent, asset, balance summary, receive option, transaction activity, payment intent, order, subscription payment state, funding source, quote, fee, exchange rate, settlement state, chargeback or refund status, card state, card transaction metadata, issuer status, and payment eligibility.
We use payment data only to process requested transactions, check eligibility, prevent fraud, support settlement, resolve disputes, comply with law and provider requirements, provide support, and recover account access where applicable.
We do not ask you to provide private keys, seed phrases, recovery phrases, or wallet backup material to support. You should never disclose that material to us or anyone else.
If you use device biometric authentication, card wallet provisioning, passkeys, or other device-level authentication, biometric templates or device secrets are generally handled by your device, operating system, wallet provider, card issuer, or authentication provider unless a specific notice says otherwise.
Verification, KYC, And Trust Data
This may include verification status, trust state, eligibility result, provider session status, document type, document review result, proof-of-address status, age or jurisdiction eligibility, organization review status, sanctions or fraud review status, refresh requirement, expiration state, and verification audit history.
We request regulated verification only when needed for a specific action, account state, provider requirement, legal obligation, fraud review, sanctions review, or recovery step.
Verification providers may process identity documents, selfies, liveness checks, proof-of-address documents, sanctions screening, fraud checks, and organization documents. Onyx should receive only the verification results and operational status needed to provide or restrict services unless a lawful or operational need requires more.
Some verification, fraud, sanctions, abuse, eligibility, and transaction-review decisions may use automated or assisted review. Where a decision restricts a material service, the account or support flow should explain the affected action and next step where disclosure is lawful and does not compromise fraud, security, or compliance controls.
Chat, Communities, And Content
This may include profile projections, contacts, conversation identifiers, thread membership, community membership, roles, permissions, channel membership, posts, media, files, reports, moderation events, message delivery state, call events, notification settings, and block/restriction status.
Content visibility depends on your actions, the thread, route, encryption state, community permissions, moderation state, and connected-app permissions.
If you choose to sync contacts or use contact discovery, we may process contact identifiers to help find reachable users, prevent spam, and support communication features. Contact processing should be limited to the contact feature and related safety controls.
Connected App And SDK Data
This may include app identity, requested scopes, consent status, permission history, revocation records, trust assertions, verification assertions, reachability checks, message eligibility, webhook delivery state, reason codes, and developer support records.
Connected apps receive only approved scopes, approved assertions, approved profile fields, approved communication permissions, or user-directed disclosures.
Revoking a connected app should stop future access through Onyx-controlled permission systems. Revocation may not delete data the app already received before revocation; the app remains responsible for handling that data under its own obligations and any Onyx developer terms.
Website, App, Device, Cookies, And Logs
This may include IP address, device identifiers, browser type, operating system, app version, pages viewed, referral source, cookies, security events, rate-limit events, crash reports, diagnostic logs, API request logs, and abuse/fraud signals.
We use operational logs to operate, secure, debug, and support Onyx. We do not use operational logs to broker or monetize personal data.
Analytics should be limited to product reliability, security, performance, and service improvement. We do not use analytics to create third-party advertising profiles.
We avoid logging sensitive payloads where practical and restrict access to operational logs.
Support And Communications
This may include messages you send to support, screenshots, device details, account state, subscription state, activation state, transaction references, troubleshooting history, and support outcomes.
Support data is used to answer your request, troubleshoot service, protect your account, investigate abuse, comply with law, and improve support quality without unnecessary disclosure.
Do not send private keys, seed phrases, recovery phrases, one-time codes, full card numbers, raw identity documents, or other sensitive material unless an approved verification flow specifically requests it.
7. How We Collect Personal Data
We collect personal data:
- directly from you when you create an account, build a plan, check out, activate service, verify identity, contact support, join a community, connect a wallet, or authorize an app;
- automatically from your device, app, browser, account, network activity, service usage, and security events where needed to operate or protect Onyx;
- from third-party providers that support connectivity, numbers, voice, SMS, payments, wallet activity, cards, FX, verification, support, security, cloud hosting, and connected apps;
- from connected apps where you authorize app-linked access or communication.
8. How We Use Personal Data
We use personal data only for the purpose collected, a directly related purpose, a purpose you consent to, or a purpose permitted by law.
We use personal data to:
- create, authenticate, secure, and recover your account;
- provide mobile service, eSIM activation, subscriptions, usage reporting, renewals, number service, voice, SMS, and support;
- process orders, payments, refunds, wallet actions, card actions, FX conversion, transaction monitoring, and settlement;
- perform verification, KYC, sanctions screening, fraud prevention, account review, eligibility checks, and compliance obligations;
- manage Onyx ID, profile visibility, trust state, connected apps, consent, permissions, and revocations;
- provide chat, calls, communities, moderation, notifications, blocking, reporting, and safety controls;
- operate Connect SDK, developer apps, scopes, assertions, app-linked messaging, webhooks, and consent history;
- diagnose service issues, activation failures, payment issues, provider delays, fraud, abuse, security events, and account recovery;
- improve product reliability, security, usability, and support quality using the least identifiable data practical;
- comply with law, regulation, court orders, arbitration, regulator requests, provider rules, sanctions rules, tax requirements, telecom obligations, payment obligations, card-network rules, and enforcement requests;
- send service notices, security notices, legal notices, support replies, transactional messages, and permitted marketing.
We do not combine personal data across unrelated Onyx services for advertising or data brokerage.
9. Accuracy
We take reasonably practicable steps to keep personal data accurate for the purposes for which it is used.
You should keep your account information, contact details, device information, payment information, verification information, and support information accurate and current.
If you believe personal data we hold about you is inaccurate, contact privacy@onyxmobile.net or use available account controls.
10. Direct Marketing
We will use your personal data for direct marketing only where we have provided the required notice and obtained your consent or indication of no objection where required by Hong Kong law.
Direct marketing may relate to Onyx mobile service, plans, numbers, wallet features, payment features, card or FX features, chat, communities, connected apps, promotions, events, and related services.
The personal data used for direct marketing may include your name, email address, phone number, account region, selected services, preferences, and usage category.
We will provide a response channel for you to give consent or indicate no objection. We will not treat silence, inactivity, or failure to respond as consent.
You may opt out of direct marketing at any time by using the unsubscribe link, account setting, or contacting privacy@onyxmobile.net.
Opting out of marketing does not stop service, security, transactional, support, or legal notices.
We will not sell, rent, broker, trade, or provide your personal data to third parties for their own direct marketing.
11. When We Disclose Personal Data
We disclose personal data only when needed for a specific service, a user-approved permission, a legal obligation, account protection, fraud prevention, dispute resolution, or support. We do not disclose personal data for third-party advertising, data brokerage, investor reporting, or unrelated monetization.
We may disclose personal data to:
- telecom and connectivity providers only for activation, service delivery, number service, routing, roaming, usage reporting, support, compliance, abuse prevention, and recovery;
- payment, wallet, card, FX, banking, liquidity, settlement, refund, chargeback, and payment compliance providers only for requested financial actions, eligibility checks, fraud prevention, settlement, disputes, support, and compliance;
- identity verification, KYC, fraud, sanctions, risk, age, address, jurisdiction, and organization verification providers only for required regulated checks, account protection, fraud prevention, eligibility, recovery, and compliance;
- cloud hosting, database, storage, security, monitoring, notification, customer support, email, and infrastructure vendors only to operate, secure, diagnose, notify, and support Onyx;
- connected apps only with approved scopes, approved assertions, approved communication permissions, or user-directed disclosure;
- regulators, courts, law enforcement, arbitration bodies, telecom authorities, tax authorities, payment networks, sanctions authorities, card issuers, or other legally authorized parties only where required or permitted by law, legal process, provider rules, or compliance obligations;
- other users or community participants only where your profile, messages, posts, roles, or actions are visible under the relevant product settings, thread settings, community permissions, or communication feature;
- legal counsel, auditors, and insurers only when strictly necessary for legal claims, audits, insurance, security, compliance, disputes, or professional duties, and only under confidentiality or equivalent professional obligations.
If Onyx is involved in a financing, merger, acquisition, restructuring, or sale process, we will use aggregated, anonymized, or de-identified information where practical. Identifiable personal data may be disclosed only if strictly necessary, legally controlled, and subject to confidentiality and purpose limits.
We review legal and regulatory requests before disclosure where practical. We aim to disclose only the data required for the request and may object to or narrow requests that appear overbroad, unlawful, or inconsistent with user privacy where we are legally able to do so.
12. Service Providers And Data Processors
When we use a service provider or data processor, we take reasonably practicable steps, including contractual or other means, to require the provider to protect personal data, use it only for authorized purposes, restrict access, retain it only as needed, and assist with security and compliance obligations.
Provider controls may include contractual terms, confidentiality duties, access controls, security requirements, audit rights where available, incident notice obligations, deletion or return obligations, and restrictions on subcontracting where appropriate.
Service providers should not sell, rent, broker, trade, monetize, or use Onyx personal data for their own unrelated purposes.
Where a provider no longer needs personal data to provide its service, we expect the provider to delete, return, anonymize, or isolate the data according to the applicable contract, law, or provider obligation.
13. Connected Apps And Permissioned Disclosure
Connected apps do not receive unrestricted account access.
An app may receive only the scopes, profile fields, trust assertions, verification assertions, communication permissions, or community permissions that are approved through Onyx ID or otherwise permitted by law.
Connected apps should not receive raw KYC documents, unrestricted payment history, private wallet material, unrelated chat history, provider payloads, or unrelated account data.
You may review permissions, revoke them, or allow them to expire where the app and account controls support those actions.
Connected apps must not treat an Onyx permission as consent for unrelated tracking, resale, advertising, or profiling.
14. Cross-Border Transfers
Onyx operates from Hong Kong, but our users, providers, infrastructure, carriers, payment partners, verification providers, support vendors, connected apps, and business operations may be located in other countries or regions.
Your personal data may be transferred to or accessed from countries or regions outside Hong Kong only where needed to provide a requested service, support security, meet legal or provider obligations, prevent abuse, resolve disputes, or support recovery.
Where we transfer personal data outside Hong Kong, we use appropriate safeguards where practical, which may include contractual commitments, data protection clauses, technical controls, access limits, provider due diligence, and security requirements.
Some transfers are necessary to provide the service you request. For example, mobile service, roaming, number service, payments, wallet actions, card issuing, FX, verification, fraud prevention, customer support, and connected-app authorization may require international processing.
At the time of drafting, section 33 of the Personal Data (Privacy) Ordinance relating to transfer of personal data outside Hong Kong is not yet in operation. We still treat PCPD cross-border transfer guidance as an important compliance reference and use safeguards where practical.
15. Retention
We retain personal data only as long as necessary for the purpose collected or a directly related purpose, unless a longer period is required or permitted by law, regulation, provider rule, dispute, audit, security, fraud prevention, tax, telecom, payment, card-network, sanctions, or compliance need.
When identifiable personal data is no longer needed, we delete it, anonymize it, aggregate it, or retain it only in backup or legally restricted records until deletion is practical or permitted.
Retention periods may vary by category:
- account and profile data: while your account is active and for a reasonable period after closure;
- subscription, eSIM, usage, number, call, SMS, billing, and support records: as needed for service operation, disputes, accounting, telecom obligations, and provider reconciliation;
- wallet, payment, card, FX, refund, chargeback, and transaction records: as needed for settlement, audit, tax, AML, sanctions, dispute, fraud, and legal obligations;
- KYC and verification records: as required by regulated providers, law, compliance obligations, audit, fraud prevention, or eligibility review;
- chat, community, and content records: according to product settings, moderation needs, legal requirements, account state, and technical backup periods;
- logs and security events: as needed for security, debugging, fraud prevention, incident response, and compliance;
- marketing records: until you opt out or the data is no longer needed.
Backups may retain data for a limited period after deletion from active systems.
Where we keep a suppression record after you opt out of marketing, we keep only the information needed to honor the opt-out.
16. Security
We use administrative, technical, and organizational safeguards designed to protect personal data against unauthorized or accidental access, processing, erasure, loss, or use.
These safeguards may include encryption in transit, encryption at rest where appropriate, access controls, least-privilege permissions, audit logging, provider due diligence, webhook verification, secret management, monitoring, incident response, and restrictions on sensitive payload logging.
No service can guarantee absolute security. You are responsible for securing your devices, sessions, passwords, wallets, recovery material, email accounts, one-time codes, and linked accounts.
17. Data Breach Handling
If we identify a suspected data breach involving personal data, we will assess the incident, contain it, investigate impact, preserve relevant records, take remedial steps, and notify affected users, regulators, providers, or other parties where required by law or where we consider notice appropriate.
Although Hong Kong law does not generally require mandatory PCPD notification for every personal data breach at the time of drafting, we may notify the PCPD as a recommended practice where appropriate.
18. Your Rights
Subject to Hong Kong law and applicable exemptions, you may request access to personal data we hold about you and request correction of inaccurate personal data.
We may ask you to verify your identity before responding. We may refuse or limit a request where allowed by law, including where disclosure would reveal another person's data, confidential commercial information, security-sensitive information, privileged information, fraud controls, law enforcement information, or information we are not required to provide.
To make a request, contact privacy@onyxmobile.net.
We may ask you to use the data access request form specified by the Privacy Commissioner where required or appropriate.
We will respond within the time required by applicable law. Under Hong Kong law, the general response period for data access and data correction requests is 40 days after receiving the request.
We may charge a fee for complying with a data access request where permitted by law.
We do not charge a fee merely to make a correction request, although a permitted fee may apply to access copies where allowed by law.
19. Account Closure And Deletion
You may request account closure or deletion where supported.
Closing or deleting an account may not immediately delete all personal data. We may retain data where required or permitted for legal compliance, telecom obligations, payment obligations, card-network rules, AML/sanctions, tax, fraud prevention, disputes, arbitration, security, provider reconciliation, backup, or recovery.
Some services may stop working after account closure, including subscriptions, eSIM recovery, number service, wallet-linked features, card features, chat, communities, support history, connected apps, and recovery options.
20. Children
Onyx is not intended for children under 18 unless a specific service states otherwise and lawful consent requirements are satisfied.
We do not knowingly collect personal data from children under 18 for full-platform services. If you believe a child provided personal data to Onyx without authorization, contact privacy@onyxmobile.net.
21. Cookies And Similar Technologies
We may use cookies, local storage, SDKs, pixels, analytics tools, session identifiers, and similar technologies to operate the website and app, remember preferences, secure sessions, diagnose errors, measure usage, prevent fraud, and improve services.
Some cookies are necessary for the service. Others may be used for privacy-respecting analytics or marketing where permitted and where required consent or notice is provided.
We do not use cookies or similar technologies to sell personal data or build third-party advertising profiles.
You can manage cookies through your browser or device settings. Disabling cookies may affect authentication, checkout, support, or other product functions.
22. Changes To This Privacy Policy
We may update this Privacy Policy from time to time.
If changes are material, we will provide notice through the app, website, email, account notice, or another reasonable method. Continued use of Onyx after the effective date means you acknowledge the updated Privacy Policy.
23. Contact
For privacy requests, contact privacy@onyxmobile.net.
For legal notices, contact legal@onyxmobile.net.
For support, contact support@onyxmobile.net.

