Legal · Privacy
Privacy Policy
Version 2.1 · Last updated 01 July 2026
This Privacy Policy explains how Mindszi Technologies Ltd (“Mindszi”, “we”, “us” or “our”) handles personal data. It covers the personal data we process as a controller in connection with our website, marketing and business relationships, and explains our role as a processor where we handle personal data on behalf of our business customers through the Mindszi platform.
We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (“EU GDPR”).
1. Who we are
Mindszi Technologies Ltd is a company registered in England and Wales, with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom. Our website is https://www.mindszi.com.
We have appointed a Data Protection Officer. You can contact our DPO, Michael Moorfield, by email at dpo@mindszi.com, or by writing to the registered office address above marked for the attention of the Data Protection Officer.
2. Our role: controller and processor
Data protection law distinguishes between a controller, who decides why and how personal data is processed, and a processor, who processes personal data on a controller’s behalf and on its instructions. Mindszi acts in both roles depending on the context.
2.1 Where Mindszi is the controller
We are the controller for personal data we determine the purposes and means of processing, which includes:
- visitors to our website and users of our online forms;
- business contacts at our customers, partners, suppliers and prospects;
- individuals who contact us, request information, or sign up to our communications; and
- personnel of organisations that hold a direct account with us for administering the platform.
Sections 4, 6 and 7 of this policy describe this controller processing. Where we act as controller, this Privacy Policy governs that processing.
2.2 Where Mindszi is the processor
Mindszi provides an eSIM orchestration and business support system (BSS) platform to mobile operators, connectivity brands and other business customers. When we operate the platform for a customer, we process personal data relating to that customer’s subscribers and end users on the customer’s behalf and on its instructions.
In that context the customer is the controller and Mindszi is the processor. That processing is governed by the data processing terms in our agreement with the relevant customer, not by this Privacy Policy. Section 5 sets out the categories of such data and how it is handled. If you are a subscriber or end user of one of our customers, please refer to that customer’s own privacy notice and direct any data protection requests to them in the first instance; we will support our customer in responding.
3. Key terms
| Term | Meaning |
|---|---|
| UK GDPR | The UK General Data Protection Regulation, read with the Data Protection Act 2018. |
| Personal data | Any information relating to an identified or identifiable individual. |
| Controller | The person who determines the purposes and means of processing personal data. |
| Processor | A person who processes personal data on behalf of a controller. |
| Sub-processor | A third party engaged by Mindszi to process personal data in connection with the services. |
| Services / platform | The Mindszi eSIM orchestration and BSS platform, related applications, APIs and our website. |
4. Personal data we process as controller
Depending on how you interact with us, we may process the following categories of personal data in our capacity as controller:
- Identity and contact data: name, business email address, telephone number, employer and job role.
- Account data: username and credentials for individuals who administer the platform under a direct account.
- Usage and technical data: IP address, device and browser information, and information about how you use our website, collected through cookies and similar technologies.
- Communications data: the content of enquiries, support requests and other correspondence with us.
4.1 Purposes and legal bases
We process this personal data for the following purposes and on the following legal bases under UK GDPR:
| Purpose | Legal basis |
|---|---|
| Operating, maintaining and securing our website | Legitimate interests |
| Responding to enquiries and taking steps prior to entering a contract | Performance of a contract / legitimate interests |
| Administering accounts for individuals who use the platform directly | Performance of a contract |
| Managing our relationship with customers, partners and suppliers | Legitimate interests / performance of a contract |
| Sending business communications and marketing to business contacts | Consent or legitimate interests |
| Website analytics and improving our services | Consent (for non-essential cookies) / legitimate interests |
| Meeting legal, regulatory and tax obligations | Legal obligation |
Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. Where we rely on consent, you may withdraw it at any time.
5. Personal data we process as processor
When operating the platform on behalf of a customer, we process the following categories of personal data relating to that customer’s subscribers and end users. We do so only on the customer’s documented instructions and under the data processing terms in our agreement with that customer.
| Category | Examples |
|---|---|
| Identity and contact data | Name, email address and telephone number of the customer’s subscribers or end users. |
| Subscription and SIM/eSIM identifiers | ICCID, IMSI, MSISDN, EID, profile, plan and order references. |
| Device and network data | Device identifiers, IP address, and network, location and roaming information. |
| Usage and traffic data | Call detail records (CDRs), data session records and service event logs. |
| Billing and payment data | Plan, charges and transaction references. Card payment details are handled by payment processors and are not stored by us. |
| Support data | Records of support requests and related interactions. |
The purpose of this processing is to provide, operate, secure and support the platform and the services the customer has requested, including provisioning, rating, billing, fraud prevention and customer support. Retention of this data is determined by the customer and set out in our agreement with them; for example, call detail records are typically retained for up to 24 months unless the customer specifies otherwise or a longer period is required by law.
8. International transfers
Our platform is hosted on Amazon Web Services (AWS), with the primary hosting region in the United Kingdom (London). Personal data is processed primarily within the United Kingdom.
Where personal data is transferred outside the United Kingdom, for example for resilience and disaster recovery, or to a sub-processor located abroad, we rely on a transfer mechanism recognised under UK data protection law. These include transfers to countries covered by UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures needed to protect the data. Details of the safeguards applied to a specific transfer are available on request.
9. Data retention
We keep personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting and regulatory requirements and to resolve disputes. Where we act as processor, retention periods are set by the customer and governed by our agreement with them. Where we act as controller, we apply internal retention schedules based on the type of data and the purpose of processing, and we securely delete or anonymise personal data when it is no longer required.
10. Security
We operate an information security programme and are undergoing SOC 2 examination. Our technical and organisational measures include encryption of personal data in transit and at rest, role-based and least-privilege access controls, network segregation, logging and monitoring, vulnerability and patch management, secure development practices, staff training, and due diligence over sub-processors.
No method of transmission or storage can be guaranteed to be completely secure, but we maintain measures appropriate to the risk as required by UK GDPR, and we operate an incident response process to manage and, where required, report personal data breaches.
11. Your data protection rights
Subject to certain conditions, you have the following rights under UK GDPR in relation to personal data for which we are the controller:
- to be informed about how we use your personal data;
- to access a copy of the personal data we hold about you;
- to have inaccurate or incomplete personal data corrected;
- to have your personal data erased in certain circumstances;
- to restrict or object to our processing in certain circumstances;
- to data portability for data you provided to us; and
- to withdraw consent at any time where we rely on consent.
To exercise any of these rights, please contact us at privacy@mindszi.com. We may need to verify your identity before responding, and we will respond within the time limits set by law. There is normally no charge. Where Mindszi processes your personal data as a processor on behalf of one of our customers, please direct your request to that customer as the controller; we will assist them in responding.
12. Complaints
If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:
- Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline: 0303 123 1113
- Website: ico.org.uk
If you are in the European Economic Area, you may also contact your local supervisory authority.
13. Children
Our website and services are intended for businesses and are not directed to children. We do not knowingly collect personal data relating to children under the age of 13. If you believe a child has provided us with personal data in our capacity as controller, please contact us and we will take appropriate steps to delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on our website and update the “Last updated” date above. Where changes are significant, we will provide a more prominent notice. Please review this policy periodically.
15. Contact us
For any questions about this Privacy Policy or our handling of personal data, please contact us:
- Data Protection Officer (Michael Moorfield): dpo@mindszi.com
- Privacy enquiries and rights requests: privacy@mindszi.com
- General enquiries: hello@mindszi.com
- Post: Data Protection Officer, Mindszi Technologies Ltd, 128 City Road, London, EC1V 2NX, United Kingdom