Privacy policy

We only collect data you give us directly or that's strictly needed to run the site:

• Account & order data: name, email, shipping address, phone number (optional), order history.
• Payment data: handled by Stripe — we never see your card number, only the last four digits and a payment ID.
• Affiliate data: if you join the affiliate program — name, email, payout details, your custom codes, the orders that used them.
• Technical data: IP address, browser type, pages visited, referring URL — used for security, fraud prevention, and aggregate site analytics.

We do not collect or store eSIM profile contents. Profiles live on your card; we never have a copy.

Strictly to operate the service:

• Process orders and ship cards to the right address
• Process payments and handle refunds
• Reply to support requests
• Pay affiliate commissions and track redemptions
• Detect and prevent fraud
• Comply with UK accounting and customs rules

We do not sell or rent your data, and we do not use it for behavioural advertising.

We rely on:

• Contractual necessity — for order processing, payments, and shipping.
• Legitimate interest — for fraud prevention, basic analytics, and replying to support.
• Consent — for any marketing email; you can opt out at any time.
• Legal obligation — for tax records and customs declarations.

If you're outside the UK, equivalent local data-protection rules apply via the Standard Contractual Clauses we use with our processors.

Only the processors we need to operate the service:

• Stripe — payments
• Royal Mail, DHL, EMS — shipping label generation and tracking
• Resend / Postmark — transactional email (order confirmations, support replies)
• Cloudflare — DNS, edge caching, DDoS protection
• Sentry — error tracking (no PII in payloads)

Each processor signs a Data Processing Agreement with us. None of them have a right to use your data for their own purposes.

Order data is retained for 7 years to satisfy UK accounting law (Companies Act 2006). After that, it's deleted or fully anonymised.

Account data not tied to an order can be deleted on request at any time. Affiliate referral data is retained as long as your affiliate account is active, plus 7 years for accounting.

Under UK GDPR you can:

• Ask for a copy of the data we hold about you (Subject Access Request)
• Ask us to correct inaccurate data
• Ask us to delete your data, subject to the 7-year accounting retention
• Ask us to stop processing your data for marketing
• Lodge a complaint with the ICO (https://ico.org.uk)

To exercise any of these, email service@9esim.com from the address on file. We respond within 30 days.

We use only strictly necessary cookies — for the cart, the locale picker, and the affiliate code state. We do not run third-party tracking scripts and do not display a cookie consent banner because none is required for strictly necessary cookies under UK law.

If we add analytics in the future (e.g. Plausible, which is privacy-friendly and EU-hosted), it will be IP-anonymised and disclosed here before deployment.

We update this page when our processors or practices change. The 'last updated' date at the top reflects the latest revision. Material changes that affect existing customers are also emailed.