Privacy Policy - Graba SIM

This Privacy Policy explains how Graba Mobile Ltd ("Graba SIM", "we", "us") collects, uses, discloses and protects your personal data when you interact with our websites, apps and connectivity services.

Who We Are
Controller: Graba Mobile
Data-Protection Lead: [email protected]

The Data We Collect

Category	Examples	Source
Account data	Name, email, password (hashed), country, preferred currency	Directly from you
Transaction data	Order number, plan code, amount, currency, payment status	From you and payment processor
eSIM profile data	ICCID, EID, activation code, QR-code URL, usage statistics, status events	From our eSIM Access API partner
Device & log data	IP address, device type/OS, browser, time zones, diagnostic logs, crash reports	Automated
Marketing preferences	Newsletter opt-in/out, cookies, tracking pixels	Directly from you
Support data	Tickets, chat transcripts, screenshots you provide	Directly from you

We do not intentionally collect special-category (sensitive) data nor data of children under 16.

Purpose & Lawful Basis

Purpose	Lawful basis (UK GDPR Art. 6)
Account creation & plan delivery	Contract performance
Payment processing & fraud prevention	Contract performance; Legitimate interest
Network provisioning & real-time usage notifications	Contract performance
Customer support & troubleshooting	Contract performance; Legitimate interest
Service improvement & analytics	Legitimate interest
Marketing emails & push notifications	Consent
Compliance with legal obligations (e.g. HMRC, telecoms regulations, law-enforcement requests)	Legal obligation

Sharing Your Data
We share data only where necessary and under written agreements:
- Payment processors (PCI-DSS compliant)
- eSIM profile supplier (eSIM Access) and local carrier partners for network onboarding
- Cloud hosting, email and customer-support platforms
- Professional advisers (lawyers, accountants, auditors)
- Authorities where required by law or enforceable request
We never sell your personal data.
International Transfers
Some partners operate outside the UK/EEA. Where we transfer data internationally, we rely on:
- Adequacy decisions (e.g. UK–US Data Bridge)
- Standard Contractual Clauses (SCCs) or UK Addendum
Copies of safeguards can be requested via [email protected].
Retention
Account & transaction records – 6 years after your last purchase (statutory limitation).
Diagnostic & analytics logs – up to 24 months.
Marketing opt-out records – indefinitely to honour suppression.
We securely delete or anonymise data when retention ends.
Security
We employ industry-standard measures: TLS encryption, firewalls, strict access controls, regular penetration tests and 24 / 7 monitoring. No system is 100 % secure; you are responsible for keeping your credentials confidential.
Your Rights
Under UK GDPR/UK DPA 2018 you can:
- Access, rectify or erase your data
- Restrict or object to processing
- Port data to another provider
- Withdraw consent at any time (marketing)
- Lodge a complaint with the UK Information Commissioner (ico.org.uk)
Contact [email protected] to exercise your rights. We aim to respond within one calendar month.
Marketing & Cookies
We send newsletter or promotional messages only with your explicit consent. You may unsubscribe at any time via the link in each email or through your account settings.
Cookies and similar technologies are used to remember preferences, perform analytics and deliver personalised ads. For details, please see our separate Cookie Notice.
Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects.
Children
Our Services are not directed to persons under 16. If we learn that a child has provided personal data we will delete it promptly.
Changes to this Policy
Updates will be posted on our website and, where appropriate, notified by email. The effective date is at the top of the document.
Contact
Questions or concerns? Email [email protected].

Graba SIM Privacy Policy