Privacy Policy

Zimly Ltd is the data controller responsible for your personal data. We are registered with the Information Commissioner's Office (ICO) under registration number [XXXXXXXX].

We collect the following categories of personal data:

Account Information

• Full name
• Email address
• Password (stored in hashed form)
• Account preferences (language, timezone, currency)

Payment & Billing Data

• Billing name and email
• Billing country and postal code
• Payment card type (e.g., Visa, Mastercard) — last four digits only
• Transaction history, invoice records, and refund history

eSIM & Service Data

• eSIM plan details (country, data allowance, validity, activation status)
• Data usage metrics
• Device compatibility information (brand and model selected)

Technical & Usage Data

• IP address
• Browser type and version
• Device type and operating system
• Pages visited, time spent on pages, and clickstream data
• Referral source

Communications Data

• Messages sent through our AI support assistant
• Feedback submissions (including persona and feedback type)
• Support correspondence

We process your personal data for the following purposes:

• Service delivery: To create your account, process orders, provision eSIM profiles, and manage your active plans.
• Payment processing: To process payments, issue receipts, manage refunds, and prevent fraud.
• Customer support: To respond to your queries, troubleshoot issues, and provide AI-assisted support.
• Personalisation: To provide AI-powered plan recommendations based on your search queries and preferences.
• Analytics: To understand how our service is used, generate usage statistics, and improve performance.
• Legal compliance: To comply with tax, regulatory, and legal obligations, including record-keeping requirements.
• Communications: To send order confirmations, service updates, and (where consented) marketing communications.
• Security: To detect, prevent, and investigate fraud, abuse, or security incidents.

We rely on the following legal bases under UK GDPR Article 6:

We share your data with the following categories of third parties, only to the extent necessary:

• eSIM Wholesale Providers: To provision and activate your eSIM profile. They receive minimal data necessary for activation.
• Payment Processors: To securely process card payments. They operate under PCI-DSS compliance standards.
• Google (Gemini AI): Your support chat messages and search queries are processed through Google's Gemini API to power our AI assistant and plan recommendations. Google's data processing terms apply.
• Analytics Providers: Anonymised and aggregated usage data for service improvement.
• Legal & Regulatory Bodies: Where required by law, court order, or regulatory obligation.

We do not sell your personal data to third parties. We do not share your data for third-party advertising purposes.

Your personal data may be transferred to, and processed in, countries outside the United Kingdom. This occurs when:

• Your eSIM is provisioned through Network Partners operating in other jurisdictions.
• AI services are processed through Google's infrastructure (primarily US-based).
• Payment processing involves international clearing networks.

Where transfers occur outside the UK, we ensure appropriate safeguards are in place, including:

• UK adequacy decisions (countries deemed to provide adequate protection by the UK government).
• International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs).
• Binding corporate rules where applicable.

We retain your personal data only as long as necessary for the purposes described in this policy:

When data is no longer needed, it is securely deleted or anonymised so it can no longer be associated with you.

Under the UK General Data Protection Regulation, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): Request deletion of your data where there is no compelling reason for continued processing.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to object: Object to processing based on legitimate interests, including direct marketing.
• Rights related to automated decision-making: Not to be subject to decisions based solely on automated processing that have legal or significant effects on you.

To exercise any of these rights, email privacy@zimly.co.uk or use the data controls in your Account Settings. We will respond within 30 days.

We may ask you to verify your identity before fulfilling your request. In certain cases, we may be unable to comply (e.g., where data must be retained for legal obligations).

We use cookies and similar technologies (including localStorage) to operate our website and improve your experience. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

Zimly uses artificial intelligence (Google Gemini) in two ways:

• Plan recommendations: When you search for plans, your query is sent to Google's Gemini API to generate personalised recommendations. This does not produce legally binding decisions and you are free to choose any plan.
• Support assistant: Our chat feature uses AI to answer your questions. Conversations are processed through Google's API. You can always request human support by emailing us directly.
• Feedback processing: Feedback you submit may be processed by AI to generate a personalised acknowledgement response.

No automated decisions with legal or similarly significant effects are made about you without human review.

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption in transit (TLS/SSL) and at rest for sensitive data.
• Hashed password storage — we never store passwords in plaintext.
• Access controls limiting data access to authorised personnel only.
• Regular security reviews and vulnerability assessments.
• PCI-DSS compliant payment processing through certified partners.

While we take every reasonable precaution, no system is completely secure. If you suspect a security breach involving your account, contact us immediately at support@zimly.co.uk.

Zimly's services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@zimly.co.uk and we will promptly delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or a prominent website notice at least 30 days before they take effect.

The "Effective Date" at the top of this page indicates when this version was last updated. We encourage you to review this policy periodically.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at privacy@zimly.co.uk.