Built to UK & EU regulatory standards — and we show our work.
ARIA Mobile complies with UK GDPR, the Data Protection Act 2018, PECR and PCI DSS through our payment partners. This hub documents what we store, where we host it, who processes it on our behalf, and the rights you can exercise at any time.
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest. Secrets stored in managed key vaults — never in source code.
Least-privilege access
Row-Level Security on every customer table. Admin actions audited. SSO with MFA for the ARIA team.
Hardened infrastructure
Edge-deployed on Cloudflare with WAF, automated patching, isolated dev / staging / production environments.
Verified webhooks
Every payment & provisioning callback is HMAC-verified. Tampered or unsigned requests are rejected and logged.
24/7 monitoring & alerts
Stuck-order detection, founder alerts, automated incident notifications and uptime telemetry published on /trust.
Data residency
Customer data is hosted in EU/UK regions. International transfers use UK Addendum + EU Standard Contractual Clauses.
Data we hold
- Account: name, email, hashed credentials, marketing preferences.
- Orders: plan, price, Stripe reference, ICCID, QR delivery timestamps.
- Activation logs: provisioning attempts, error codes — used to honour our SLA.
- Consent chain: a cryptographically-linked, hash-verified record of every consent action.
Data we don't hold
- Full payment card details (handled by Stripe — PCI DSS Level 1).
- The contents of your traffic — ARIA Mobile is data-only and does not inspect packets.
- Location history beyond what's required for billing & fraud prevention.
- Marketing profiles sold to third parties — we never sell customer data.
Sub-processors
We engage trusted vendors under contract to deliver the ARIA service. We give you 30 days' notice before adding any new sub-processor with access to personal data.
| Vendor | Purpose | Region |
|---|---|---|
| eSIM Go Ltd | eSIM provisioning, QR generation, carrier integrations | United Kingdom |
| Stripe Payments UK Ltd | Card processing & subscription billing | United Kingdom / European Union |
| Supabase (Lovable Cloud) | Application database, authentication, file storage | European Union |
| Cloudflare Inc. | Edge compute, DNS and DDoS protection | Global (encrypted in transit) |
| Resend / Email provider | Transactional email (QR delivery, receipts, account) | European Union / United States (SCCs) |
Your rights (UK GDPR)
- Access — request a copy of your personal data
- Rectification — correct anything inaccurate
- Erasure — request deletion of your account & data
- Portability — receive your data in a machine-readable format
- Restriction & objection — limit how we process your data
- Withdraw consent — at any time, with no penalty
Submit a request from your account settings or email privacy@ariamobile.co.uk. We respond within 30 days.
Incident response
- Detection: automated alerts on stuck orders, webhook integrity and SSR failures.
- Containment: circuit breakers on provider integrations isolate failures quickly.
- Notification: the ICO is notified within 72 hours of a qualifying personal data breach; affected users are emailed without undue delay.
- Live status: /trust publishes uptime, success rate and webhook integrity in real time.
Talk to our Data Protection team.
Procurement, security questionnaires, DPAs and DSARs — we respond quickly and transparently.