GDPR Policy

Last updated: March 2025

Introduction

Travel eSIMple ("we", "us", "our") is committed to protecting and respecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy sets out the basis on which we process any personal data we collect from you, or that you provide to us, in connection with your use of travelesimple.com.

Following the United Kingdom's departure from the European Union, the EU GDPR was incorporated into UK domestic law as the UK GDPR. This policy is therefore written in full compliance with the UK GDPR as it stands following the EU (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

Please read this policy carefully alongside our Privacy Policy and Cookie Policy to understand our practices regarding your personal data.

Data Controller Information

Travel eSIMple is the data controller responsible for your personal data. As data controller, we determine the purposes for which, and the manner in which, your personal data is processed.

Trading name: Travel eSIMple

Website: travelesimple.com

Email: contact@travelesimple.com

Jurisdiction: England and Wales, United Kingdom

We are registered with the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection matters. Our ICO registration number is available upon request.

Legal Bases for Processing

Under the UK GDPR, we are required to identify a lawful basis for each processing activity. We rely on the following legal bases:

  • Consent (Article 6(1)(a) UK GDPR): Where you have given us clear consent to process your personal data for a specific purpose, such as receiving marketing communications or placing non-essential cookies on your device.
  • Legitimate interests (Article 6(1)(f) UK GDPR): Where processing is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by your rights and interests. This includes website analytics, fraud prevention, and improving our comparison services.
  • Legal obligation (Article 6(1)(c) UK GDPR): Where processing is necessary to comply with a legal obligation we are subject to under UK law.
  • Contract (Article 6(1)(b) UK GDPR): Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.

Where we process special category data, we will additionally identify an Article 9 condition. We do not generally process special category data in the ordinary course of operating our eSIM comparison platform.

Types of Data Processed

We may collect and process the following categories of personal data:

  • Identity data: Name, username, or similar identifiers if you contact us or create an account.
  • Contact data: Email address and other contact details you provide when reaching out to us.
  • Technical data: Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
  • Usage data: Information about how you use our website, including pages viewed, eSIM plans compared, affiliate links clicked, and time spent on site.
  • Marketing and communications data: Your preferences in receiving marketing communications from us and your communication preferences.
  • Transaction referral data: Where you click through an affiliate link to an eSIM provider, we may receive confirmation data from the provider regarding completed purchases, solely for commission accounting purposes.

We do not process payment card data directly. Any purchase transactions are handled entirely by our affiliate partners (including Saily and 1Global) under their own data protection frameworks.

Data Subject Rights

Under the UK GDPR, you have a number of rights in relation to your personal data. These rights are not absolute and may be subject to exemptions in certain circumstances. Your rights are:

  • Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, together with supplementary information about how we use it. We will respond to a Subject Access Request (SAR) within one calendar month.
  • Right to rectification (Article 16): You have the right to request that we correct inaccurate personal data or complete incomplete personal data held about you, without undue delay.
  • Right to erasure (Article 17): Also known as the "right to be forgotten", you may request that we delete your personal data where there is no longer a compelling reason for us to continue processing it.
  • Right to data portability (Article 20): Where processing is based on consent or contract, and carried out by automated means, you have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format.
  • Right to object (Article 21): You have the right to object to processing based on legitimate interests. You also have an absolute right to object to processing for direct marketing purposes at any time.
  • Right to restriction (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while a complaint or objection is being resolved.
  • Rights relating to automated decision-making: You have rights in relation to any automated decision-making, including profiling, that produces legal or similarly significant effects. We do not currently engage in such processing.

International Data Transfers

Some of our third-party service providers are based outside the UK. Where we transfer personal data to countries or territories outside the UK, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR.

For transfers to countries not covered by UK adequacy regulations, we rely on one or more of the following mechanisms:

  • UK International Data Transfer Agreements (IDTAs) or addendums to the EU Standard Contractual Clauses approved by the ICO;
  • Binding corporate rules approved by the ICO; or
  • Other lawful transfer mechanisms permitted under the UK GDPR.

In particular, where data is processed by Google LLC (for analytics and advertising purposes), transfers are made in reliance on the UK-US Data Bridge (adequacy regulations) or appropriate supplementary measures. You may request details of the specific safeguards in place by contacting us at contact@travelesimple.com.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our general retention periods are as follows:

  • Website analytics data: 26 months from collection (in line with ICO guidance on analytics cookies).
  • Email enquiry correspondence: 3 years from the date of last contact.
  • Affiliate commission records: 7 years from the relevant financial year end, to comply with HMRC record-keeping requirements.
  • Cookie consent records: 3 years from the date consent was given or withdrawn.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, and the applicable legal requirements.

Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 of the UK GDPR. These measures include:

  • Encryption of data in transit using TLS (Transport Layer Security);
  • Access controls and authentication mechanisms limiting data access to authorised personnel;
  • Regular review of our information security practices and third-party processor agreements;
  • Pseudonymisation and anonymisation of data where appropriate.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and we will notify you where the breach is likely to result in a high risk to your rights and freedoms, as required by Articles 33 and 34 of the UK GDPR.

Third-Party Processors

We engage third-party data processors who process personal data on our behalf. We ensure that all processors are bound by written Data Processing Agreements in accordance with Article 28 of the UK GDPR. Our key processors include:

  • Saily (Nord Security): Our primary eSIM affiliate partner. When you click through to Saily's platform, Saily becomes an independent data controller in respect of your purchase data. Saily's own privacy policy governs data processed on their platform.
  • 1Global: An eSIM connectivity provider whose products may be featured on our comparison platform. 1Global processes data independently as a data controller when you transact with them.
  • Google LLC: We use Google Analytics 4 to understand how visitors use our website and Google Ads for advertising purposes. Google processes data as a data processor under the terms of Google's Data Processing Agreement.
  • Hosting and infrastructure providers: Our website and any associated data are hosted with reputable providers who are bound by appropriate data processing terms.

A full list of our sub-processors is available upon request. We review our processors regularly and will update this list as our supplier relationships change.

Children's Data

Our website and services are not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13 years of age. Where we rely on consent as our legal basis for processing, we comply with the UK GDPR requirement that children under 13 must have parental or guardian consent.

If we become aware that we have inadvertently collected personal data from a child under 13, we will take prompt steps to delete such data. If you believe we may have collected information from a child under 13, please contact us immediately at contact@travelesimple.com.

How to Exercise Your Rights

To exercise any of your data subject rights, please submit a written request to us by email. We will respond to all legitimate requests within one calendar month. Occasionally, where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you within the initial one-month period and explain the reason for the extension.

We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive. In such cases, we may charge a reasonable administrative fee or refuse to comply with the request, as permitted by Article 12(5) of the UK GDPR.

To protect your privacy, we may need to verify your identity before responding to your request. This is to ensure we do not disclose personal data to an unauthorised person.

Contact Our Data Protection Officer

We have appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this policy and our data protection obligations. If you have any questions, concerns, or complaints about our data protection practices, or if you wish to exercise your data subject rights, please contact our DPO:

Data Protection Officer

Travel eSIMple

Email: contact@travelesimple.com

Website: travelesimple.com

Complaints to the ICO

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Information Commissioner's Office

Website: ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF