Last updated: April 7, 2026
1. Introduction
Welcome to Siru ("Company", "we", "our", "us"). We are a company registered in the Netherlands and committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch data protection law.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and what rights you have over it. It applies to all visitors and users of our website and services.
Data Controller:
Siru
Lucellestraat 72-1
1055 JC Amsterdam
Netherlands
Email: kassim@siru.world
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use our website or services.
2. Information We Collect
We collect information that you provide directly to us and information that is automatically collected when you use our services.
- Personal Information: When you register for an account, make a purchase, or contact us, we collect information such as your name, email address, and billing information (including payment card details processed by our payment provider).
- Usage Data: We automatically collect certain technical information when you visit our website, including your IP address, browser type and version, operating system, pages visited, time and date of your visit, time spent on pages, referring and exit URLs, and other diagnostic data.
- Cookies and Tracking Technologies: We use cookies, web beacons, pixels, and similar tracking technologies to enhance your experience, analyze usage patterns, and deliver relevant content. Please see Section 6 for full details on our cookie practices and your choices.
3. Lawful Basis for Processing
Under the GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:
- Consent (Article 6(1)(a) GDPR): We rely on your freely given, specific, informed, and unambiguous consent for analytics tracking (e.g., Google Analytics, Microsoft Clarity), marketing cookies, and sending you our newsletter. You may withdraw your consent at any time — see Section 9 for how.
- Contract Performance (Article 6(1)(b) GDPR): Processing is necessary for the performance of a contract with you. This covers processing your order, handling payment, and delivering your eSIM.
- Legitimate Interests (Article 6(1)(f) GDPR): We process certain data on the basis of our legitimate interests, including fraud prevention, security monitoring, and improving the reliability of our services. We have conducted a balancing test and determined that our interests do not override your rights and freedoms.
4. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve our services and platform.
- To process transactions, send order confirmations, and deliver eSIMs.
- To communicate with you about your account, purchases, and support requests.
- To send newsletters or promotional messages where you have consented.
- To analyze usage patterns and optimize our website and user experience.
- To prevent fraud, abuse, and other harmful activity, and to ensure the security of our services.
- To comply with legal obligations applicable to us as a Dutch company.
We do not sell your personal information to third parties.
5. Data Processors
We engage the following third-party service providers ("data processors") who process personal data on our behalf. Each processor is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards:
- Stripe (United States) — Payment processing. Stripe processes your billing details to complete transactions. Stripe is PCI-DSS compliant. See stripe.com/privacy.
- Supabase (United States) — Database and authentication infrastructure. Supabase stores your account data and order history. See supabase.com/privacy.
- Google Analytics (United States) — Website analytics. Google Analytics collects anonymized usage data to help us understand how visitors use our site. See policies.google.com/privacy.
- Microsoft Clarity (United States) — Behavioral analytics (heatmaps, session recordings). Clarity helps us identify usability issues. See Microsoft Privacy Statement.
- Vercel (United States) — Website hosting and edge analytics. Vercel hosts our application and provides request-level analytics. See vercel.com/legal/privacy-policy.
- Tawk.to (United States) — Live chat support. Tawk.to processes chat conversation data when you use the support widget. See tawk.to/privacy-policy.
6. Cookies and Tracking Technologies
We use a consent management banner to request your permission before placing non-essential cookies. You can change your preferences at any time by clicking the "Cookie Settings" link in the footer of our website.
We use the following categories of cookies and tracking technologies:
- Necessary: These cookies are essential for the website to function and cannot be disabled. They include your theme preference (light/dark mode), your shopping cart contents, and your authentication session token.
- Analytics (requires consent): Used to measure and analyze how visitors interact with our website. We use Google Analytics, Microsoft Clarity, and Vercel Analytics for this purpose. These services may set their own cookies or use pixel-based tracking.
- Marketing (requires consent): Tawk.to live chat sets cookies to maintain chat session state and may record conversation data for quality and support purposes.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:
- Order and transaction records: 7 years from the date of the transaction, in compliance with Dutch tax law (Belastingdienst record-keeping requirements).
- Account data: Retained for the duration of your account. Upon a verified deletion request, we will delete or anonymize your account data within 30 days, except where retention is required by law.
- Newsletter subscribers: Retained until you unsubscribe. Each marketing email contains a one-click unsubscribe link.
- Abandoned cart data: Retained for 30 days, after which it is automatically deleted.
- Analytics data: Retained according to each analytics provider's default data retention settings. For Google Analytics this is typically 14 months. You may also consult each provider's privacy policy for details.
8. International Data Transfers
As we are a Dutch company, your personal data is processed within the European Economic Area (EEA) where possible. However, several of our data processors (listed in Section 5) are based in the United States, which means your data may be transferred to and processed in a country outside the EEA.
Where such transfers occur, we ensure they are subject to appropriate safeguards as required by Chapter V of the GDPR. In particular, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission to provide an adequate level of protection for your personal data transferred to the United States.
You may request a copy of the relevant transfer safeguards by contacting us at kassim@siru.world.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights with respect to your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of it.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data we hold about you.
- Right to Erasure / 'Right to be Forgotten' (Article 17): You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where the processing is unlawful.
- Right to Data Portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
- Right to Restriction of Processing (Article 18): You may request that we restrict processing of your data in certain circumstances, for example while a dispute about accuracy is resolved.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including profiling. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal. You can manage cookie consent via our consent banner and opt out of newsletters via the unsubscribe link in any email.
- Right to Lodge a Complaint: If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag
Website: autoriteitpersoonsgegevens.nl
To exercise any of these rights, please contact us at kassim@siru.world. We will respond to your request within one month, as required by the GDPR (Article 12). We may need to verify your identity before processing your request.
10. Children's Privacy
Our services are not directed at children under the age of 16. In line with the GDPR standard (Article 8) and Dutch law, we do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at kassim@siru.world and we will take prompt steps to delete such data.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you by email or via a prominent notice on our website prior to the changes taking effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related inquiries within 30 days.
13. EU Regional Addendum
This addendum provides additional information for individuals in the European Union and European Economic Area, pursuant to the GDPR (Regulation (EU) 2016/679).
Supervisory Authority: As a company established in the Netherlands, our lead supervisory authority for GDPR purposes is the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority.
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
2594 AV Den Haag
Netherlands
Website: autoriteitpersoonsgegevens.nl
Telephone: +31 (0)70 888 85 00
Legal Framework: Our data processing activities are governed by:
- Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)
- Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) — the Dutch implementation act
- ePrivacy Directive (2002/58/EC) and its Dutch implementation (Telecommunicatiewet, Article 11.7a) regarding cookies and electronic communications
Cross-Border Transfers: Transfers of personal data to third countries (including the United States) are made on the basis of Standard Contractual Clauses (SCCs) as approved by the European Commission under Article 46(2)(c) GDPR. Copies of applicable SCCs are available upon request.
Automated Decision-Making: We do not make any decisions about you that are based solely on automated processing (including profiling) and that produce legal or similarly significant effects (Article 22 GDPR).