Legal · Privacy

Privacy Policy

Version 2.1 · Last updated 01 July 2026

This Privacy Policy explains how Mindszi Technologies Ltd (“Mindszi”, “we”, “us” or “our”) handles personal data. It covers the personal data we process as a controller in connection with our website, marketing and business relationships, and explains our role as a processor where we handle personal data on behalf of our business customers through the Mindszi platform.

We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (“EU GDPR”).

1. Who we are

Mindszi Technologies Ltd is a company registered in England and Wales, with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom. Our website is https://www.mindszi.com.

We have appointed a Data Protection Officer. You can contact our DPO, Michael Moorfield, by email at dpo@mindszi.com, or by writing to the registered office address above marked for the attention of the Data Protection Officer.

2. Our role: controller and processor

Data protection law distinguishes between a controller, who decides why and how personal data is processed, and a processor, who processes personal data on a controller’s behalf and on its instructions. Mindszi acts in both roles depending on the context.

2.1 Where Mindszi is the controller

We are the controller for personal data we determine the purposes and means of processing, which includes:

  • visitors to our website and users of our online forms;
  • business contacts at our customers, partners, suppliers and prospects;
  • individuals who contact us, request information, or sign up to our communications; and
  • personnel of organisations that hold a direct account with us for administering the platform.

Sections 4, 6 and 7 of this policy describe this controller processing. Where we act as controller, this Privacy Policy governs that processing.

2.2 Where Mindszi is the processor

Mindszi provides an eSIM orchestration and business support system (BSS) platform to mobile operators, connectivity brands and other business customers. When we operate the platform for a customer, we process personal data relating to that customer’s subscribers and end users on the customer’s behalf and on its instructions.

In that context the customer is the controller and Mindszi is the processor. That processing is governed by the data processing terms in our agreement with the relevant customer, not by this Privacy Policy. Section 5 sets out the categories of such data and how it is handled. If you are a subscriber or end user of one of our customers, please refer to that customer’s own privacy notice and direct any data protection requests to them in the first instance; we will support our customer in responding.

3. Key terms

TermMeaning
UK GDPRThe UK General Data Protection Regulation, read with the Data Protection Act 2018.
Personal dataAny information relating to an identified or identifiable individual.
ControllerThe person who determines the purposes and means of processing personal data.
ProcessorA person who processes personal data on behalf of a controller.
Sub-processorA third party engaged by Mindszi to process personal data in connection with the services.
Services / platformThe Mindszi eSIM orchestration and BSS platform, related applications, APIs and our website.

4. Personal data we process as controller

Depending on how you interact with us, we may process the following categories of personal data in our capacity as controller:

  • Identity and contact data: name, business email address, telephone number, employer and job role.
  • Account data: username and credentials for individuals who administer the platform under a direct account.
  • Usage and technical data: IP address, device and browser information, and information about how you use our website, collected through cookies and similar technologies.
  • Communications data: the content of enquiries, support requests and other correspondence with us.

4.1 Purposes and legal bases

We process this personal data for the following purposes and on the following legal bases under UK GDPR:

PurposeLegal basis
Operating, maintaining and securing our websiteLegitimate interests
Responding to enquiries and taking steps prior to entering a contractPerformance of a contract / legitimate interests
Administering accounts for individuals who use the platform directlyPerformance of a contract
Managing our relationship with customers, partners and suppliersLegitimate interests / performance of a contract
Sending business communications and marketing to business contactsConsent or legitimate interests
Website analytics and improving our servicesConsent (for non-essential cookies) / legitimate interests
Meeting legal, regulatory and tax obligationsLegal obligation

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. Where we rely on consent, you may withdraw it at any time.

5. Personal data we process as processor

When operating the platform on behalf of a customer, we process the following categories of personal data relating to that customer’s subscribers and end users. We do so only on the customer’s documented instructions and under the data processing terms in our agreement with that customer.

CategoryExamples
Identity and contact dataName, email address and telephone number of the customer’s subscribers or end users.
Subscription and SIM/eSIM identifiersICCID, IMSI, MSISDN, EID, profile, plan and order references.
Device and network dataDevice identifiers, IP address, and network, location and roaming information.
Usage and traffic dataCall detail records (CDRs), data session records and service event logs.
Billing and payment dataPlan, charges and transaction references. Card payment details are handled by payment processors and are not stored by us.
Support dataRecords of support requests and related interactions.

The purpose of this processing is to provide, operate, secure and support the platform and the services the customer has requested, including provisioning, rating, billing, fraud prevention and customer support. Retention of this data is determined by the customer and set out in our agreement with them; for example, call detail records are typically retained for up to 24 months unless the customer specifies otherwise or a longer period is required by law.

6. Cookies and website analytics

Our website uses cookies and similar technologies. We use strictly necessary cookies to operate the website and keep it secure, and, with your consent, functional and analytics cookies to remember your preferences and understand how the website is used. You can manage non-essential cookies through our cookie banner and through your browser settings; blocking some cookies may affect how the website works.

We use Google Analytics to understand website traffic and usage. Google Analytics sets cookies and processes usage data such as IP address and pages visited. We do not use it to serve advertising. You can opt out using the Google Analytics opt-out browser add-on, and you can review Google’s practices in the Google Privacy Policy.

7. Sharing and sub-processors

We share personal data only where necessary and with appropriate safeguards. Recipients may include:

  • sub-processors and service providers who support the platform and our business, such as cloud hosting, connectivity and network partners, payment processors, communications tools and analytics providers;
  • professional advisers, auditors and regulators where required;
  • a purchaser or successor in the context of a business sale, merger or reorganisation; and
  • public authorities where we are legally required to disclose personal data.

Where we act as processor, we engage sub-processors under written terms that impose data protection obligations consistent with those in our customer agreements. We maintain an up-to-date list of sub-processors, which we make available to customers. Where required by the relevant agreement, we give customers advance notice of any intended addition or replacement of a sub-processor so that they may object.

8. International transfers

Our platform is hosted on Amazon Web Services (AWS), with the primary hosting region in the United Kingdom (London). Personal data is processed primarily within the United Kingdom.

Where personal data is transferred outside the United Kingdom, for example for resilience and disaster recovery, or to a sub-processor located abroad, we rely on a transfer mechanism recognised under UK data protection law. These include transfers to countries covered by UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures needed to protect the data. Details of the safeguards applied to a specific transfer are available on request.

9. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting and regulatory requirements and to resolve disputes. Where we act as processor, retention periods are set by the customer and governed by our agreement with them. Where we act as controller, we apply internal retention schedules based on the type of data and the purpose of processing, and we securely delete or anonymise personal data when it is no longer required.

10. Security

We operate an information security programme and are undergoing SOC 2 examination. Our technical and organisational measures include encryption of personal data in transit and at rest, role-based and least-privilege access controls, network segregation, logging and monitoring, vulnerability and patch management, secure development practices, staff training, and due diligence over sub-processors.

No method of transmission or storage can be guaranteed to be completely secure, but we maintain measures appropriate to the risk as required by UK GDPR, and we operate an incident response process to manage and, where required, report personal data breaches.

11. Your data protection rights

Subject to certain conditions, you have the following rights under UK GDPR in relation to personal data for which we are the controller:

  • to be informed about how we use your personal data;
  • to access a copy of the personal data we hold about you;
  • to have inaccurate or incomplete personal data corrected;
  • to have your personal data erased in certain circumstances;
  • to restrict or object to our processing in certain circumstances;
  • to data portability for data you provided to us; and
  • to withdraw consent at any time where we rely on consent.

To exercise any of these rights, please contact us at privacy@mindszi.com. We may need to verify your identity before responding, and we will respond within the time limits set by law. There is normally no charge. Where Mindszi processes your personal data as a processor on behalf of one of our customers, please direct your request to that customer as the controller; we will assist them in responding.

12. Complaints

If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

  • Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Helpline: 0303 123 1113
  • Website: ico.org.uk

If you are in the European Economic Area, you may also contact your local supervisory authority.

13. Children

Our website and services are intended for businesses and are not directed to children. We do not knowingly collect personal data relating to children under the age of 13. If you believe a child has provided us with personal data in our capacity as controller, please contact us and we will take appropriate steps to delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the “Last updated” date above. Where changes are significant, we will provide a more prominent notice. Please review this policy periodically.

15. Contact us

For any questions about this Privacy Policy or our handling of personal data, please contact us:

  • Data Protection Officer (Michael Moorfield): dpo@mindszi.com
  • Privacy enquiries and rights requests: privacy@mindszi.com
  • General enquiries: hello@mindszi.com
  • Post: Data Protection Officer, Mindszi Technologies Ltd, 128 City Road, London, EC1V 2NX, United Kingdom