eSIM Today01Data Controller
OHA Labs Limited, a company registered in England and Wales (Company No. 17183250), with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ ("we", "us", "our"), is the data controller responsible for your personal data. For any data protection enquiries, contact us at [email protected]. OHA Labs Limited is registered with the UK Information Commissioner's Office (ICO) as a data controller under registration number ZC137188. Our entry on the ICO public register is verifiable at https://ico.org.uk/ESDWebPages/Entry/ZC137188.
02Information We Collect
We collect the following categories of personal data: **Account Information:** • Email address — required for account creation and eSIM delivery • Name — optional, for personalising your account **Transaction Data:** • Order history, amounts, and currency • Payment information — processed securely by Stripe; we never store your card details • Promotional codes applied to orders **eSIM Data:** • eSIM identifiers (ICCID) and activation details • Data usage statistics • Auto top-up configuration and history **Technical Data:** • IP address and browser type — for security and fraud prevention • Session data — for maintaining your login **User-Generated Content:** • Product reviews and ratings • Contact form submissions **Client-Side Data (not sent to our servers):** • Recently viewed products — stored only in your browser's local storage
03Lawful Basis for Processing
We process your personal data on the following legal grounds under UK GDPR: **Contract (Article 6(1)(b)):** • Account data — to provide our service • Order and payment data — to complete your purchase • eSIM provisioning — to deliver the product • Transactional emails — order confirmations and delivery notifications **Legitimate Interest (Article 6(1)(f)):** • IP address and session data — security and fraud prevention • Error monitoring — maintaining service quality • Rate limiting — preventing abuse • Operational notifications — internal monitoring **Consent (Article 6(1)(a)):** • Contact form submissions — you voluntarily provide your information • Product reviews — you choose to write a review • Auto top-up — you explicitly enable this feature We process anonymised website usage data (page views, click events, conversion funnels) under legitimate interest to improve our service. This data contains no personal identifiers, no cookies, and no cross-session tracking.
04How We Use Your Information
We use your personal data to: • Process and deliver your eSIM orders • Send order confirmations, eSIM activation details, and support communications • Prevent fraud and enforce our terms of service • Improve our website and services • Comply with legal obligations
05Third-Party Services
We share data with the following trusted service providers to deliver our service: **Payment Processing:** • Stripe — processes payments securely (PCI DSS compliant). We never store your card details. **Email Delivery:** • Resend — sends transactional emails (order confirmations, eSIM delivery, account notifications) **Error Monitoring:** • Sentry — monitors application errors and performance to improve our service **Hosting & Infrastructure:** • Vercel — website hosting and content delivery • Neon — database hosting (UK, London region) • Upstash — caching and rate limiting (UK, London region) **eSIM Provisioning:** • We work with an eSIM provisioning partner to deliver your eSIM profiles. We minimise data shared with this partner — no personal information (name, email, or phone number) is transmitted. Only technical identifiers and pricing data are exchanged. **Analytics:** • PostHog (EU Cloud, Frankfurt) — Anonymised usage analytics to understand how our site is used and improve the experience. No personal data is shared. Privacy policy: posthog.com/privacy **Bot Protection:** • Cloudflare Turnstile — protects our contact form from spam (processes CAPTCHA tokens only) All service providers are contractually bound to protect your data and process it only as instructed.
06International Data Transfers
Your core data (database and cache) is stored in the United Kingdom (London). Some of our service providers are based outside the UK: • Stripe (US) — payment processing, covered by their Standard Contractual Clauses • Resend (US) — email delivery, covered by Data Processing Agreement • Sentry (US) — error monitoring, covered by Data Processing Agreement • Vercel (US/Global) — website hosting, covered by Data Processing Agreement All international transfers are protected by appropriate safeguards including UK International Data Transfer Agreements (IDTA) and EU Standard Contractual Clauses (SCCs), in compliance with UK GDPR requirements.
07Data Retention
We retain your personal data for the following periods: • Account data — for as long as your account is active • Order records — 6 years after the transaction (UK Companies Act 2006, s.386), anonymised after account deletion • eSIM records — for the contract duration plus 1 year • Contact form submissions — 2 years • Application logs — 90 days • Session data — for the duration of your login session • Magic link tokens — 10 minutes When you delete your account, your personal data is permanently deleted. Financial records (orders, top-up transactions) are retained in anonymised form as required by law.
08Cookies and Local Storage
We use PostHog for anonymised analytics in cookieless mode — no analytics cookies are set and no personal data is collected. PostHog processes only anonymous page views and interaction events to help us improve our service. We do not use advertising cookies or third-party tracking pixels. • Authentication session cookie — maintains your login (HTTP-only, secure) **Local Storage:** We store your recently viewed products in your browser's local storage for convenience. This data never leaves your device and is not sent to our servers.
09Your Rights
Under UK GDPR, you have the following rights: • **Right of Access** — You can export all your personal data in machine-readable format (JSON) from your account settings. • **Right to Rectification** — You can update your name and profile information in your account settings. • **Right to Erasure** — You can permanently delete your account from your account settings. Active eSIMs will be suspended and unused eSIMs will be cancelled. No refunds are issued for active or cancelled eSIMs upon account deletion. Order records are retained in anonymised form for legal compliance. • **Right to Restrict Processing** — You may request that we limit how we process your data. • **Right to Data Portability** — You can download your data in a structured, machine-readable format from your account settings. • **Right to Object** — You may object to processing based on legitimate interest. To exercise any right not available through your account settings, contact us at [email protected]. We will respond within one month. **Right to Complain:** You have the right to lodge a complaint with the Information Commissioner's Office (ICO): • Website: ico.org.uk • Phone: 0303 123 1113 • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
10Automated Decision-Making
We do not make any decisions based solely on automated processing that produce legal or similarly significant effects on you.
11Children's Data
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at [email protected].
12Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS), secure authentication, and access controls.
13California Residents
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). We do not sell your personal information to third parties. For any enquiries regarding your California privacy rights, please contact us at [email protected].
14Regional Privacy Rights
If you are located in certain jurisdictions, you may have additional rights: **Brazil (LGPD):** You have the right to request access, correction, deletion, and portability of your personal data. Contact us at [email protected]. **Thailand (PDPA):** You have the right to access, correct, and delete your personal data. You may also withdraw consent at any time. **Japan (APPI):** You have the right to request disclosure, correction, and deletion of your personal data held by us. In all cases, exercising your rights under UK GDPR (as described in the 'Your Rights' section above) will also fulfil these regional requirements.
15Language and Contact
This privacy policy is provided in multiple languages for your convenience. In the event of any discrepancy between the English version and any translated version, the English language version shall prevail. If you have any questions about this privacy policy, please contact us at [email protected].