What happens to your card details, the +973 number, and the Order ID.
Transport
The main site and the payment companion are served only over HTTPS with modern TLS configuration. Plain-HTTP requests are redirected to the encrypted version. Form submissions go to the same origin or to the payment companion subdomain; no third-party endpoints are involved in collecting the card data.
Card data
Card details are entered on the payment companion at pay.refillphone.org
and forwarded directly to the payment processor for authorisation. The Order ID
record on our side keeps only the last four digits of the card and the brand
(Visa or Mastercard) — never the full Primary Account Number, never the CVV,
never the expiry date in full.
Mobile number
The +973 number you enter is used to route the BHD top-up and to identify the Order ID when you contact support. It is not used for marketing or shared with third parties. The number is retained only for the period required by the refund policy, then anonymised.
Sessions and accounts
There is no account on this site. No password, no profile, no session token that can be stolen. The only persistent state on your browser is a small cookie that remembers your language preference (see the cookies policy for details).
Reporting an issue
If you spot a security issue — a suspicious page, a payment that someone made on your card without permission, or a vulnerability in the form — write to support@refillphone.org with as much detail as you can share. We respond to disclosure reports first.
What we don't claim
We do not advertise certificate numbers, audit reports or programme membership on this page. If you need to verify a specific compliance fact for procurement, write to support and we will share the relevant attestation directly with the named recipient under non-disclosure.