Privacy
Policy
Last updated: 29 June 2025. This policy explains how Vision Plus & Blue Mineral Ltd collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller
The data controller responsible for your personal data is:
Vision Plus & Blue Mineral Ltd
322 Grenville House, Stratford Road, Shirley, B90 3DN
Email: support@visionplus-mbb.com
Telephone: 020 8103 9044
ICO Registration number: ZA767734
You can verify our ICO registration at ico.org.uk.
Data We Collect
We collect only the personal data that is necessary to provide you with our mobile data SIM service. We do not collect data for marketing, profiling, or advertising purposes.
2.1 Data you provide directly
When you sign up for a SIM through our website, you provide:
| Category | Data items | Why we collect it |
|---|---|---|
| Identity | Full name | Required to create your account and fulfil the contract |
| Contact | Email address, phone number | Service notifications, billing communications, and account support |
| Address | Home / billing address including postcode | Required for Direct Debit setup and billing |
| SIM details | SIM card number (ICCID) | Required to activate and manage your SIM |
| Payment | Bank account / sort code (for Direct Debit) or card token (for card payment) — processed via Stripe. We never store raw card or bank account numbers. | To collect the charges due under your rolling monthly contract |
| Agreement | Record of your acceptance of our Terms & Conditions and the date/time of acceptance | To demonstrate lawful formation of the contract |
2.2 Data collected automatically
Our website hosting provider (Netlify) automatically collects standard server logs when you visit the site, including your IP address, browser type, and the pages you visit. This data is used solely to maintain the security and availability of the service and is not used for marketing or tracking purposes.
2.3 Data we do not collect
We do not collect any special category personal data (such as health, religious, or political data). We do not conduct behavioural profiling or targeted advertising. We do not collect data about children.
Legal Basis for Processing
Under Article 6 of the UK GDPR, we rely on the following lawful bases:
Article 6(1)(b) — Performance of a Contract
Processing your identity, contact, address, SIM, and payment data is necessary to enter into and perform the rolling monthly mobile data contract with you. Without this data, we cannot activate your SIM or charge for the service.
Article 6(1)(c) — Legal Obligation
We may be required to retain certain records (e.g. financial records) to comply with UK tax law and Bacs Direct Debit scheme rules.
Article 6(1)(f) — Legitimate Interests
We process server log data on the basis of our legitimate interests in maintaining the security and availability of the website. We have assessed that this processing does not override your privacy rights.
PECR — Consent (cookies)
Where we use non-essential cookies (Stripe payment cookies), we rely on your consent given via our cookie banner. Essential cookies are set under the "strictly necessary" exemption in PECR Regulation 6(4).
How We Use Your Data
We use your personal data only for the purposes listed below. We will not use your data for any purpose that is incompatible with those purposes without giving you prior notice.
- check_circle SIM activation and account management — creating your account, activating your SIM card on the network, and managing your service.
- check_circle Billing and payment collection — collecting the monthly standing charge and any usage charges via Direct Debit or card through Stripe.
- check_circle Service communications — sending you a registration confirmation email, billing notifications, and any important service updates or changes to our terms.
- check_circle Customer support — responding to your queries and resolving any issues with your account or service.
- check_circle Legal compliance and dispute resolution — retaining records as required by law or to enforce or defend our contractual rights.
- cancel We will never sell your data to third parties, share it for marketing purposes, or use it for automated decision-making that has legal or significant effects on you.
Data Processors & Third-Party Recipients
We engage the following trusted third-party processors to provide our service. Each processor is bound by a data processing agreement and may only process your data on our documented instructions.
Stripe, Inc. — Payment Processing
Privacy policy ↗Data shared: Name, address, email, bank account / card details (for payment setup).
Purpose: Processing Direct Debit mandates and card payment tokens; fraud prevention.
Location: United States (with UK GDPR-compliant data transfer mechanisms — see Section 6).
Resend — Transactional Email
Privacy policy ↗Data shared: Name and email address.
Purpose: Delivering your registration confirmation email.
Location: United States (with UK GDPR-compliant data transfer mechanisms).
Netlify, Inc. — Website Hosting
Privacy policy ↗Data shared: IP address and server log data (collected automatically).
Purpose: Hosting and delivering the website; running our serverless functions that process your sign-up form.
Location: United States (with UK GDPR-compliant data transfer mechanisms).
Mobile Network Provider — SIM Connectivity
Data shared: SIM card number (ICCID), and the minimum data required for SIM activation.
Purpose: Activating your SIM on the mobile network and providing data connectivity.
Location: United Kingdom.
We do not share your personal data with any other third parties. We do not sell personal data.
International Transfers
Some of our processors (Stripe, Resend, and Netlify) are based in the United States and may process your data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place as required by Article 46 UK GDPR. These safeguards currently include:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner (the International Data Transfer Agreement, or IDTA); or
- an adequacy decision made by the UK Secretary of State; or
- the UK–US Data Bridge framework (where applicable).
You can request a copy of the relevant safeguards by contacting us at support@visionplus-mbb.com.
Retention Periods
We keep your personal data only for as long as necessary for the purposes for which it was collected. The table below sets out our standard retention periods.
| Data category | Retention period | Reason |
|---|---|---|
| Account and contract data (name, address, SIM, contact details) | Duration of the contract + 6 years | Statute of limitations for contract claims under UK law |
| Financial / billing records | 6 years from end of the tax year to which they relate | HMRC requirement under the Taxes Management Act 1970 |
| Direct Debit mandate records | 3 years after the mandate ends | Bacs scheme rules |
| Server access logs (IP address etc.) | Up to 90 days | Security monitoring and fraud prevention |
| Support correspondence (emails, calls) | 2 years after resolution | Customer service record-keeping |
| Cookie consent records | 1 year (stored in your browser) | To avoid asking for consent on every visit |
After the applicable retention period, personal data is securely deleted or anonymised.
Your Rights Under UK GDPR
You have the following rights in relation to your personal data. You may exercise any of them free of charge by contacting us at support@visionplus-mbb.com. We will respond within one calendar month of receiving your request.
Right of Access (Article 15)
You can request a copy of the personal data we hold about you (a "Subject Access Request").
Right to Rectification (Article 16)
You can ask us to correct inaccurate personal data we hold about you, or to complete incomplete data.
Right to Erasure (Article 17)
You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
Right to Restriction (Article 18)
You can ask us to restrict processing of your data in certain circumstances, for example while a dispute about accuracy is resolved.
Right to Portability (Article 20)
Where we process your data on the basis of contract or consent and by automated means, you can ask for a machine-readable copy.
Right to Object (Article 21)
You can object to processing based on our legitimate interests. We must then stop unless we can demonstrate compelling legitimate grounds.
Rights re. Automated Decisions (Article 22)
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects. This right is therefore not engaged.
Right to Withdraw Consent
Where we rely on your consent (e.g. for non-essential cookies), you can withdraw it at any time without affecting the lawfulness of prior processing.
We will respond within one month. If your request is complex or numerous, we may extend this by a further two months, but will tell you within the first month. We will not charge a fee unless a request is manifestly unfounded, excessive, or repetitive.
Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, or disclosure. These include:
- TLS encryption for all data in transit between your browser and our website;
- CSRF token validation to protect form submissions;
- HTTPS-only access enforced at the CDN level;
- no storage of raw payment card or bank account numbers (all payment data is tokenised by Stripe);
- access controls limiting who within our organisation can access personal data; and
- use of reputable processors who maintain ISO 27001 or equivalent certifications.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and will inform you without undue delay where required by law.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.
We encourage you to review this policy periodically to stay informed about how we protect your personal data.
Contact Us & Complaints
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal data, please contact us:
Vision Plus & Blue Mineral Ltd
322 Grenville House, Stratford Road, Shirley, B90 3DN
Email: support@visionplus-mbb.com
Telephone: 020 8103 9044
Right to Complain to the ICO
If you are not satisfied with our response, or you believe we are processing your data in a way that does not comply with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO, so please do contact us in the first instance.
