Privacy Policy

Company: ONECONNECT LTD
Registration number: HE 457873
Jurisdiction: Cyprus
Registered office: 28 Oktovriou 243, Christiana Sea View Court, Floor 3, Flat/Office 301-302, 3035 Limassol, Cyprus
Last updated: 13 March 2026

1. Introduction

This Privacy Policy explains how ONECONNECT LTD ("OneSIM," "OneConnect," "we," "us," or "our") collects, uses, stores, shares, and protects personal data when you use our website, create an account, purchase a plan, activate a SIM or eSIM, contact support, or otherwise interact with our Services.

We act as the data controller for personal data processed in connection with our Services, except where another role is expressly stated.

2. Controller Details

Data Controller: ONECONNECT LTD
Registration number: HE 457873

Registered office:
28 Oktovriou 243
Christiana Sea View Court
Floor 3, Flat/Office 301-302
3035 Limassol
Cyprus

Privacy contact: privacy@oneconnect.world

Data Protection Officer / Privacy Contact:
ONECONNECT LTD has determined that appointment of a DPO is not mandatory for its current processing activities. Privacy and data protection inquiries may be directed to privacy@oneconnect.world.

3. Personal Data We Collect

Depending on how you use the Services, we may collect the following categories of personal data.

A. Identity and account data

Full name
Username and password credentials
Billing and account identifiers
Customer type (individual or business)

B. Contact data

Email address
Phone number
Correspondence address
Communication preferences

C. Verification and compliance data

Company verification documents where relevant to business accounts or partnerships
Limited account or transaction verification information where reasonably necessary for fraud prevention, payment-provider requirements, telecom-partner requirements, or legal compliance
Sanctions, fraud, or risk-screening results
Tax or regulatory information required for compliance

D. Transaction and billing data

Order history
Subscription status
Invoices and payment records
Billing information connected to your purchase
Where you pay by card, payment card and transaction information processed by our payment providers and billing/payment records available to us in connection with the transaction
Payment method metadata provided by payment processors
Chargeback, dispute, and refund data

E. Service and technical usage data

SIM/eSIM identifiers
Device identifiers
IP addresses
Operating system, browser, app, and device information
Activation records
Connectivity logs, session timestamps, and plan usage metrics
Network, roaming, and destination-related technical events
Approximate location derived from service use or network activity

F. Support and communications data

Support tickets
Emails, chats, and call records where permitted
Feedback, surveys, and complaint records

G. Marketing and analytics data

Website interactions
Referral source
Campaign attribution
Cookie or similar technology data, subject to applicable consent requirements

We do not intentionally collect special-category personal data unless this is strictly necessary and lawful, such as where required for compliance or dispute handling.

4. How We Collect Data

We collect personal data:

Directly from you when you sign up, place an order, provide account or billing details, submit business information where relevant, or contact us
Automatically through your use of the website or Services
From payment processors, fraud prevention providers, carriers, and business partners, including card-payment and billing information where relevant to a transaction
From public or compliance databases where lawful
From referrals or business representatives acting on your behalf

5. Purposes and Legal Bases for Processing

Where the GDPR applies, we process personal data on one or more of the following legal bases.

A. Contract performance

We process data as necessary to:

Create and manage your account
Process orders and payments
Provision SIM/eSIM services
Deliver connectivity, subscriptions, and support
Notify you about service-related matters

B. Legal obligation

We process data where required to:

Comply with tax, accounting, consumer, telecom, sanctions, anti-fraud, anti-money laundering, lawful disclosure, or other legal obligations
Respond to lawful requests from authorities
Maintain required business records

C. Legitimate interests

We process data where necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms, including to:

Secure the Services and prevent fraud or abuse
Troubleshoot, monitor, and improve performance
Manage disputes and enforce our legal rights
Conduct internal reporting, forecasting, and operational analysis
Protect our users, network partners, payment providers, and infrastructure

D. Consent

Where required, we rely on your consent for:

Certain marketing communications
Certain cookies or analytics tools
Certain device-based security or verification steps where consent is the appropriate legal basis

Fraud prevention, account protection, transaction review, and similar security measures are generally carried out on the basis of our legitimate interests and/or legal obligations where applicable.

You may withdraw consent at any time, but this does not affect processing already carried out lawfully before withdrawal.

6. Sharing of Personal Data

We may share personal data with:

Mobile network operators, roaming partners, and telecom infrastructure providers to provide connectivity
Payment processors, subscription billing providers, banks, and fraud-screening providers, including where card-payment and billing information is processed in connection with a transaction
Business verification, compliance, and fraud-screening vendors where relevant
Hosting providers, cloud infrastructure providers, data storage providers, customer support tools, CRM tools, analytics providers, and communication tools
Professional advisers, auditors, insurers, and legal counsel
Regulators, law enforcement bodies, courts, and competent authorities where required by law
Buyers, investors, or successors in connection with a merger, financing, acquisition, restructuring, or asset sale, subject to appropriate safeguards

We require service providers acting on our behalf to process personal data under appropriate contractual and security obligations where required by law.

7. International Transfers

Because OneSIM operates internationally, your personal data may be transferred to and processed in countries outside the European Economic Area, including countries in which our network partners, cloud and infrastructure providers, customer-support providers, analytics providers, fraud-prevention providers, business-verification or compliance providers where relevant, and payment processors operate.

Where required by law, we use appropriate safeguards for such transfers, such as:

Adequacy decisions
Standard contractual clauses
Other lawful transfer mechanisms recognized under applicable data protection law

Further details about relevant categories of recipients, international transfer routes, and, where applicable, our current sub-processor or recipient list may be made available in supplementary privacy materials, a vendor list, or upon request, subject to security and confidentiality considerations.

8. Data Retention

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain security and fraud records.

Our standard retention approach is as follows, unless a longer period is required or permitted by law, needed for the establishment, exercise, or defence of legal claims, or justified by fraud, abuse, or security investigations.

Account profile and contract data: for the duration of the customer relationship and for a post-termination period consistent with applicable limitation periods, contractual recordkeeping needs, and legal obligations
Billing, invoicing, payment, tax, and accounting records: for the period required by applicable tax, accounting, and audit laws
Business verification, transaction-review, and compliance records: for the period required by applicable legal, regulatory, sanctions, anti-fraud, or anti-money laundering requirements
Customer support correspondence and complaint records: typically up to 24 months after closure unless linked to an active dispute or legal obligation
Security logs, authentication logs, and fraud-prevention records: typically up to 24 months, subject to extension where reasonably necessary for security, abuse prevention, or investigations
Service usage, provisioning, and technical diagnostics records: retained for the period reasonably necessary to operate, secure, analyse, troubleshoot, bill, and support the Services, and then deleted, anonymised, or aggregated where feasible
Marketing consent and suppression records: retained for as long as needed to demonstrate compliance with consent/opt-out obligations

We may retain anonymised or aggregated information for analytics, service improvement, financial modelling, and business planning where that information no longer identifies you.

9. Automated Decision-Making and Safeguards

We may use automated tools to detect fraud, payment abuse, sanctions risks, unusual usage patterns, or security threats.

In some cases, these tools may help us decide whether to accept an order, provision a Service, require additional verification, restrict an account, or block a transaction. Where a decision producing legal effects or similarly significant effects (such as rejection of a purchase or permanent account suspension) is based solely on automated processing, we will do so only where permitted by applicable law and will provide the safeguards required by law.

Where applicable, those safeguards may include the right to request human review, express your point of view, and contest the decision. To exercise those rights, contact us at privacy@oneconnect.world.

10. Your Rights

Where the GDPR or similar laws apply, you may have the right to:

Request access to your personal data
Request rectification of inaccurate or incomplete data
Request erasure in certain circumstances
Request restriction of processing
Object to processing based on legitimate interests
Withdraw consent where processing is based on consent
Request data portability where applicable
Lodge a complaint with a supervisory authority

To exercise your rights, contact us at privacy@oneconnect.world. We may ask you to verify your identity before responding.

If you are not satisfied with our response, you may lodge a complaint with the Cyprus Commissioner for Personal Data Protection or the supervisory authority in your place of residence, work, or the place of the alleged infringement.

11. Security

We implement reasonable technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

However, no transmission or storage system is completely secure, and we cannot guarantee absolute security.

12. Children

The Services are not intended for children, and we do not knowingly collect personal data from individuals who are under the age required to lawfully use the Services. If you believe a child has provided personal data to us, contact us so that we can take appropriate action.

13. Cookies and Similar Technologies

We may use cookies, pixels, SDKs, and similar technologies to operate the website, remember preferences, measure traffic, improve user experience, and support marketing.

Strictly necessary cookies may be used without consent where permitted by law because they are required for core website functionality, security, network management, fraud prevention, or to provide a service you explicitly request.

Analytics, performance, advertising, and similar non-essential cookies or technologies will be used only with your consent where required by law. You can manage your preferences through our cookie banner or consent management tools, and you can also control cookies through your browser settings.

Further details are set out in our Cookie Policy.

14. Third-Party Links and Services

Our website or Services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of those third parties, and you should review their policies separately.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will publish the updated version and revise the "Last updated" date. Where required by law, we will provide additional notice.