GloConnect ("GloConnect," "we," "us," or "our") provides eSIM and mobile connectivity services that allow travelers and global users to access cellular data across multiple countries through digital SIM profiles. This Privacy Policy describes how we collect, use, share, and protect your personal information when you visit our website, create an account, purchase or activate an eSIM, or otherwise interact with our services (collectively, the "Services").

Because GloConnect operates internationally, this Policy is designed to comply with the principles of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Canada's PIPEDA, Brazil's LGPD, and other applicable data protection laws. Where local law provides greater protection, that law applies.

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.

1. Information We Collect

We collect information in three ways: information you provide directly, information collected automatically, and information from third parties.

1.1 Information You Provide

1. Account information: full name, email address, phone number, country of residence, and password.
2. Identity verification information: where required by local telecommunications regulations, we may collect government-issued identification details, passport number, date of birth, or nationality.
3. Payment information: billing address, payment card details, and transaction history. Card numbers are processed by our PCI-DSS compliant payment processors and are not stored on GloConnect servers.
4. Communications: messages, support tickets, survey responses, and feedback you submit to us.
5. Marketing preferences: subscription choices and consent records.

1.2 Information Collected Automatically

1. Device and technical data: device model, operating system, IMEI, EID (eSIM identifier), IP address, browser type, language preferences, and time zone.
2. Usage data: data consumption volumes, session timestamps, plan activations, top-ups, tethering activity, and feature interactions. Usage data is also processed to administer our Fair Use Policy described in our Terms and Conditions.
3. Connectivity data: country and network operator your device connects to, signal status, and connection quality indicators.
4. Cookies and similar technologies: as described in our Cookie Policy, including essential cookies, analytics cookies, and (with consent) marketing cookies.
5. Approximate location: derived from IP address and the network you connect to. We do not collect GPS-precise location unless you explicitly enable it within an app feature that requires it.

1.3 Information From Third Parties

1. Mobile network operator (MNO) partners that provide the underlying cellular service, who share activation, usage, and roaming records necessary to deliver and bill for connectivity. MNO partners typically process only minimal technical identifiers (such as IMSI, MSISDN, and IP address) and do not receive your name, email, payment details, or the content of your communications.
2. Payment processors and fraud-prevention providers that share transaction outcomes, risk scores, and chargeback data.
3. Identity verification services, where used to comply with Know Your Customer (KYC) requirements in regulated jurisdictions.
4. Authentication providers if you choose to sign in via a third-party account (such as Apple, Google, or Facebook), limited to the information you authorize them to share.
5. Marketing and analytics partners that provide aggregated audience insights.

1.4 California Sensitive Personal Information Disclosure

For users in California, we disclose that we collect the following categories of "sensitive personal information" as defined by the California Privacy Rights Act (CPRA): government-issued identifiers (such as passport numbers, where collected for KYC); account log-in credentials; precise geolocation (only where you explicitly enable it for app features that require it); and payment card information (collected and processed by our PCI-DSS compliant payment processors). We collect this information only to process transactions, comply with applicable laws, prevent fraud, and provide the Services. We do not use or disclose sensitive personal information for purposes that would require a right to limit under CPRA Section 1798.121.

2. How We Use Your Information

We process personal data for the purposes set out below. The legal bases on which we rely under GDPR/UK GDPR are noted in brackets.

1. Providing the Services: creating and managing your account, provisioning eSIM profiles, processing top-ups, and enabling roaming across partner networks [performance of a contract].
2. Billing and payments: charging for plans, issuing refunds, detecting payment fraud, and maintaining financial records [contract; legal obligation].
3. Customer support: responding to inquiries, troubleshooting connectivity issues, and managing complaints [contract; legitimate interests].
4. Fair use administration: monitoring aggregate and individual data consumption, tethering, and session patterns to enforce our Fair Use Policy, protect network integrity, and ensure equitable service for all users [contract; legitimate interests].
5. Regulatory compliance: meeting telecommunications licensing, anti-fraud, sanctions screening, tax, and lawful-interception obligations in jurisdictions where we operate [legal obligation].
6. Security and fraud prevention: detecting unauthorized account access, abuse of the Services, and protecting our network integrity [legitimate interests; legal obligation].
7. Service improvement: analyzing aggregated usage patterns, debugging, and improving Service quality [legitimate interests].
8. Marketing communications: sending you news, offers, and travel-connectivity tips, subject to your consent and opt-out preferences [consent; legitimate interests where permitted].
9. Legal claims: establishing, exercising, or defending legal claims [legitimate interests; legal obligation].

3. How We Share Your Information

We do not sell your personal information. We share data only as described below.

3.1 Mobile Network Operators and Connectivity Partners

To provide cellular service, we transmit your IMEI, EID, and identifiers required for network authentication to our MNO partners worldwide. Roaming activity is shared between operators in line with standard telecommunications protocols. Usage data may also be shared with MNO partners to administer their own fair use, network management, and regulatory obligations.

3.2 Service Providers

We engage vetted vendors to provide hosting, payment processing, customer support, analytics, fraud screening, email delivery, and identity verification. These providers are contractually bound to use your data only for the purposes we authorize and to apply appropriate security safeguards.

3.3 Legal and Regulatory Disclosures

We may disclose information when required by law, court order, regulatory authority, or lawful government request, including for national security, anti-money-laundering, sanctions enforcement, or lawful interception purposes in the country where service is rendered.

3.4 Corporate Transactions

If GloConnect is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to confidentiality protections.

3.5 With Your Consent

We may share information for any other purpose disclosed to you and to which you consent.

4. International Data Transfers

GloConnect operates globally, and your information may be processed in countries other than your country of residence, including jurisdictions whose data protection laws differ from your own. When we transfer personal data internationally we rely on appropriate safeguards, which may include:

1. European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
2. Adequacy decisions issued by relevant authorities;
3. Binding contractual commitments with our processors and MNO partners; and
4. Supplementary technical and organizational measures, including encryption in transit and at rest.

You may request a copy of the safeguards applied to transfers of your data by contacting us using the details in Section 12.

5. Data Retention

We keep personal data only for as long as needed to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention periods are:

1. Account records: for the life of your account plus up to 24 months after closure.
2. Billing and tax records: 7 years, or longer where required by local tax law.
3. Connectivity and traffic data: 6 to 24 months, depending on the data-retention obligations of the country of use.
4. Fair use monitoring data: 12 months from collection, except where retained longer for fraud investigation or legal claims.
5. Identity verification records: as required by applicable KYC and anti-money-laundering rules, typically 5 to 7 years.
6. Marketing data: until you withdraw consent or object.
7. Support communications: 3 years after the last interaction.

When personal data is no longer needed, we delete, anonymize, or aggregate it.

6. Your Rights and Choices

Depending on where you live, you may have the following rights regarding your personal information:

1. Access: request confirmation of whether we hold your data and obtain a copy.
2. Rectification: ask us to correct inaccurate or incomplete data.
3. Erasure: ask us to delete your data, subject to legal retention obligations.
4. Restriction: ask us to limit how we process your data.
5. Portability: receive your data in a structured, commonly used, machine-readable format.
6. Objection: object to processing based on our legitimate interests or for direct marketing.
7. Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.
8. Non-discrimination: you will not be denied service for exercising your privacy rights.
9. Do Not Sell or Share / Limit Use of Sensitive Personal Information: California, Colorado, Connecticut, Virginia, and other US-state residents may exercise these rights even though we do not sell personal information as that term is generally understood.
10. Lodge a complaint: with your local data protection authority. EU/EEA users may also contact the supervisory authority in their country of residence.

To exercise any right, contact us at privacy@gloconnect.com or through the privacy request form available on our website. We will respond within the time required by applicable law (typically 30 days under GDPR; 45 days under CCPA, extendable once). We may need to verify your identity before fulfilling your request.

7. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to make the Services work, remember your preferences, measure performance, and (with consent) deliver relevant marketing. You can manage your preferences through our cookie banner or your browser settings. Disabling certain cookies may affect site functionality. Full details are available in our Cookie Policy.

8. Security and Data Breach Notification

We implement reasonable technical and organizational measures designed to protect personal information against loss, misuse, unauthorized access, disclosure, alteration, and destruction. These include TLS encryption in transit, encryption at rest for sensitive fields, access controls, role-based permissions, logging, and regular security reviews.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where required by applicable law, inform affected individuals. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

9. Children's Privacy

The Services are not directed to children under 16, and we do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Automated Decision-Making

We use automated processes for fraud detection, identity verification, risk scoring, and fair use monitoring. These systems may decline transactions, throttle data speeds, or restrict account access. You may request human review of any decision that produces a significant effect on you by contacting privacy@gloconnect.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email, in-app notice, or a prominent posting on our website at least 30 days before the changes take effect, unless a shorter period is required by law. The "Last Updated" date at the top reflects the most recent revision.

12. Contact Us

For any privacy-related question, request, or concern, please contact:

GloConnect Privacy Team

Email: privacy@gloconnect.com

Postal mail: GloConnect, Attn: Privacy Officer, [Company Registered Address]

EU Representative (if applicable): [Name and Address of EU Representative]

UK Representative (if applicable): [Name and Address of UK Representative]

Data Protection Officer: dpo@gloconnect.com