Privacy Policy

ROKKODE is the operator of the Services and is generally the controller of personal data that we collect about Buyers and their authorized users for the purposes described in this Privacy Policy.

2.1 Business to business service

The Services are designed for business customers. Your end users are not our customers under this Privacy Policy.

2.2 We do not collect end user identity data for eSIM issuance

For standard procurement and fulfillment through the Services, we do not require end user personal data such as name, email address, phone number, passport number, or identity documents.

2.3 eKYC may be required for certain products or jurisdictions

Some eSIM products or jurisdictions may require identity verification. Where required, verification may be performed using an external verification provider. ROKKODE does not collect, store, or verify end user identity documents or end user identity data for eKYC purposes. Any end user information submitted for eKYC is handled by the verification provider under its own privacy policy and terms.

We collect personal data from you, from your authorized users, and automatically when you use the Services. The categories below may include business contact data.

3.1 Account and profile data

• Business name and registration details
• Company address and country
• Name, role, and business contact details of account administrators and authorized users
• Login credentials and authentication data
• Account settings and preferences

3.2 Billing and payment data

• Billing contact name and business contact details
• Billing address and tax related data, if provided
• Payment method details processed by our payment processors (for example, card transactions and bank transfer references)
• Invoices, payment status, and account balance data

Note: We typically receive limited payment information. Sensitive payment data is generally processed by payment processors, not stored by ROKKODE.

3.3 Transaction and operational data

• Orders placed, order identifiers, timestamps, and status
• Purchased product identifiers, quantities, and pricing metadata
• Delivery artifacts made available to you through the Services, such as QR codes or URLs
• Refund requests and outcomes
• Communications and support tickets related to Orders or the Services

3.4 Technical, device, and usage data

• API usage logs, request metadata, and response metadata
• IP address, device identifiers, browser type, operating system, and approximate location derived from IP address
• Security logs and audit logs
• Performance metrics and error logs

3.5 Communications

• Messages you send to us, including support requests, emails, and feedback
• Call records or meeting notes if you engage with sales or support, where permitted by law and disclosed to you

3.6 Cookies and similar technologies

We may use cookies and similar technologies in the dashboard and marketing pages to support authentication, security, preferences, analytics, and performance. See Section 9.

We use personal data for the following purposes:

• To provide and operate the Services, including account creation, authentication, order processing, delivery, refunds, and support
• To process payments, manage balances, issue invoices, and perform accounting operations
• To maintain security, prevent fraud and abuse, and enforce our terms
• To monitor performance, troubleshoot issues, and improve reliability and features
• To communicate with you about service notices, updates, security alerts, and support responses
• To comply with legal obligations and respond to lawful requests
• To perform internal business operations, such as analytics and reporting that relate to marketplace health and operations

We do not sell personal data.

Where the GDPR applies, we process personal data on the following legal bases under Article 6:

• Performance of a contract: to provide the Services, authenticate users, process Orders and payments, deliver eSIM artifacts, manage refunds, and provide support
• Legitimate interests: to secure and improve the Services, prevent fraud and abuse, ensure network and information security, measure and optimize performance, and manage business operations (we balance these interests against your rights)
• Legal obligation: to comply with applicable laws, accounting rules, and lawful requests
• Consent: where required, such as for certain non essential cookies or similar tracking technologies

If you have questions about our legitimate interests assessments, contact us using Section 13.

We may disclose personal data in the following circumstances:

6.1 Service providers

We share personal data with vendors that help us operate the Services, such as cloud hosting, logging, analytics, customer support tooling, email delivery, and security services.

6.2 Analytics

We use Google Analytics to understand how users interact with our website and dashboard and to improve performance. Google may collect information such as device and browser data, IP address, and usage events through cookies and similar technologies, subject to your cookie choices and Google terms and policies.

6.3 Payment processors and banking partners

We share billing and transaction data with payment processors and banking partners to process card payments and bank transfers and to manage invoicing and reconciliation.

6.4 Suppliers and fulfillment partners

To fulfill Orders and manage product availability, we may share limited order level information with Suppliers or upstream fulfillment partners. This typically includes Buyer business identifiers and order metadata needed for provisioning, troubleshooting, reconciliation, fraud prevention, and refund verification. It does not include end user identity data for standard procurement because we do not collect it.

6.5 eKYC providers, if required

If identity verification is required for certain products, you or your end user may be directed to a third party verification provider. The verification provider processes end user data under its own terms. ROKKODE does not receive identity documents or end user identity data for verification.

6.6 Legal and compliance

We may disclose personal data if required by law, regulation, legal process, or lawful governmental request, or to protect the rights, security, and integrity of ROKKODE, Buyers, Suppliers, and the public.

6.7 Corporate events

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of that transaction subject to appropriate safeguards.

The Services may be provided using infrastructure and vendors located in multiple countries. As a result, personal data may be transferred to and processed in countries other than where you are located.

Where the GDPR applies and personal data is transferred outside the EEA, UK, or Switzerland (as applicable), we will implement appropriate safeguards, such as:

• adequacy decisions where available
• Standard Contractual Clauses (SCCs) and, where relevant, supplementary measures
• other lawful transfer mechanisms permitted under applicable law

We retain personal data for as long as necessary to:

• provide the Services
• maintain business records for accounting and audit
• resolve disputes and enforce agreements
• comply with legal obligations

Retention periods vary by data category. For example, billing records are typically retained longer than short lived technical logs. We may anonymize or aggregate data so that it no longer identifies individuals, and retain it for analytics and reporting.

We use cookies and similar technologies for:

• Essential functions, such as login sessions and security controls
• Preferences, such as language and interface settings
• Analytics and performance measurement, including Google Analytics
• Fraud prevention and abuse detection

You can control cookies through your browser settings. If you disable certain cookies, parts of the dashboard may not function properly.

Where required by law, we will present cookie choices for non essential cookies. If you use those choices, your selection will apply to that browser or device unless you clear cookies.

We implement reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction.

No method of transmission or storage is completely secure. You are responsible for safeguarding your account credentials and API keys.

If the GDPR applies to you, you may have the right to:

• Access: obtain confirmation of whether we process personal data about you and receive a copy
• Rectification: correct inaccurate or incomplete personal data
• Erasure: request deletion of personal data in certain circumstances
• Restriction: request that we restrict processing in certain circumstances
• Objection: object to processing based on legitimate interests in certain circumstances
• Portability: receive personal data you provided to us in a structured, commonly used, machine readable format and transmit it to another controller, where applicable
• Withdraw consent: where we rely on consent, withdraw it at any time (this does not affect processing before withdrawal)
• Lodge a complaint: file a complaint with your local supervisory authority

We may need to verify your identity and authority to act for your organization. Some requests may be limited where we have lawful grounds to refuse, such as legal obligations or the need to establish, exercise, or defend legal claims.

The Services are not intended for children and are offered for business use. We do not knowingly collect personal data from children.

For privacy questions or requests, contact:

We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the dashboard, email, or other reasonable means. The updated version will be effective as of the Last updated date above.