Privacy Policy

Version: 2.0
Last updated: 2026-05-27
Effective: on the date you first create an account, accept these Terms, or use the Service after this Version is posted.

This Privacy Policy explains what Personal Data the VPN Manager desktop application, licence server, website, and storefront (together, the "Service") collect about you, the Operator, why we collect it, how long we keep it, who we share it with, what we do not collect, and your rights. By creating an account and accepting our Terms of Service, you consent to the collection and use described here, where consent is the applicable lawful basis.

This Policy is published by VPN Manager ("we", "us", "our"), registered at [Address on file]. For privacy questions, contact support@vpnmanager.app.

Contents

1. Quick summary

1. Who we are; who is the controller

1. Account information

1. Licence and plan data

1. Payment and billing data

1. Device, network, and anti-abuse signals

1. Crash, bug, and error reports

1. Product analytics

1. Cookies, local storage, and tracking technologies

1. Consent records

1. Your End Users' Personal Data (you are the controller)

1. Children's data

1. How we use the data and our legal basis

1. Who we share data with

1. International data transfers

1. Data retention

1. Your data-protection rights and how to exercise them

1. Your rights as a California / Colorado / Virginia / Connecticut / Texas / other US-state resident

1. Security and breach notification

1. Automated decision-making and profiling

1. Changes to this Policy

1. Contact, complaints, and supervisory authorities

1. Definitions

1. Change history

1. Quick summary

• We collect what we need to run the Service: account info, licence data, payment references (Stripe), fingerprinted error reports, product analytics, device / network signals for anti-abuse, security logs, and consent records.

• We do not sell or share Personal Data for cross-context behavioural advertising.

• We do not see, route, log, or store the contents of any VPN traffic that passes through your servers — those servers are yours.

• We support all standard data-subject rights: access, rectify, erase, port, restrict, object, withdraw consent.

• Our licence server is currently hosted in the United States. Transfers from the EEA / UK / Switzerland are made under the 2021 Standard Contractual Clauses and the UK IDTA / Addendum.

2. Who we are; who is the controller

For Personal Data about you, the Operator, we are the controller. For Personal Data about your End Users, you are the controller and we are the processor (see §11).

3. Account information

When you create an account we collect:

• Your email address.

• A salted password hash (we never see or store your plaintext password).

• Account timestamps (created, last login, password-change history).

• Your licence and trial status.

• Login attempts (success / failure, time, IP address, User-Agent) for security, fraud, and brute-force protection.

4. Licence and plan data

When you start a trial or purchase a plan we collect:

• The licence code issued and its signed token.

• The plan (e.g. 10 GB, 50 GB, Unlimited) and the data cap.

• The machine ID / device fingerprint of the installation that activated the licence.

• Heartbeat / activation IP addresses and timestamps.

• Add-on entitlements (e.g. storefront, bot builder) and their expiry.

5. Payment and billing data

Card and bank-transfer payments are processed by Stripe, Inc. as an independent controller. We do not see, store, or process raw payment-card data. From Stripe we receive and retain:

• The Stripe payment reference (e.g. pi_…, ch_…, sub_…).

• The amount, currency, and date of each charge.

• The masked card brand / last-four digits where Stripe surfaces them.

• The billing email, country, and postal code (where required for tax compliance).

• Refund and chargeback events.

Stripe's own privacy notice is at https://stripe.com/privacy.

6. Device, network, and anti-abuse signals

Free trials are valuable, so we collect and compare a small set of device and network signals to detect duplicate or fraudulent trials. Where practical we store these as one-way hashes rather than raw values. The signals include:

| Signal | Example | Purpose |
| --- | --- | --- |
| Public IP at signup / activation / heartbeat | 203.0.113.42 | Detect multiple trials from one network; security throttling |
| Network identifier | Hashed Wi-Fi SSID or default-gateway info | Recognise the same network across signups |
| Hardware identifier | One-way hash of the device's MAC address or hardware ID | Recognise the same device without storing the raw value |
| Composite device fingerprint | Hash of stable device attributes (OS, locale, time zone, screen, etc.) | Tie repeated trial attempts to one machine |

We use these signals solely to enforce trial limits, prevent fraud, and protect the integrity of paid plans for honest Operators. If our checks incorrectly flag you, email support@vpnmanager.app and we will review.

7. Crash, bug, and error reports

When the desktop application encounters an error or crash, it can send a diagnostic report to our licence server at /v1/errors/capture. Each report typically contains:

• The error type, message, and stack trace.

• The application version, operating system, and platform details.

• The component or action running at the time of the error.

• A fingerprint / hash used to group identical errors so we can prioritise the most common ones.

We make reasonable efforts to avoid collecting secrets, credentials, or VPN-traffic content in error reports. If a report unintentionally includes Personal Data, we will treat it under this Policy.

8. Product analytics

The application can send product-analytics events to our licence server at /v1/events/capture. Each event typically contains:

• The event name (e.g. a feature opened, an action completed) and a timestamp.

• The application version and coarse platform information.

• A pseudonymous identifier so events from one install can be counted as one user without revealing who you are in aggregate metrics.

Analytics help us understand which features are used, measure reliability, and decide what to improve. They are on by default and can be turned off in application settings. We do not use analytics to monitor the contents of any VPN traffic.

9. Cookies, local storage, and tracking technologies

The website and the desktop application use a small number of cookies and local-storage entries:

• Strictly necessary: session, CSRF, login state.

• Functional: language, theme, last-viewed plan.

• Analytics: a first-party pseudonymous ID for the product-analytics described in §8.

We do not use third-party advertising cookies. We honour the Global Privacy Control (GPC) browser signal as a valid opt-out of any non-essential tracking.

10. Consent records

When you accept the Terms and this Policy at signup we record:

• The version of the documents you accepted.

• The timestamp.

• The IP address the acceptance came from.

This is our auditable record that you consented to the processing described here.

11. Your End Users' Personal Data (you are the controller)

If you use the Service to sell or grant VPN access to your own customers, any Personal Data you collect from them is controlled by you, not us. We process such data only as a processor on your documented instructions and only to the extent needed to provide the Service to you (for example, issuing per-customer licence tokens, supporting your storefront, or surfacing connection metadata back to you). You are responsible for your own customer-facing privacy notice, your own lawful basis, and your own response to your End Users' subject-rights requests. A data-processing agreement that meets GDPR Art. 28 is available on request at support@vpnmanager.app.

12. Children's data

The Service is intended for adults. The minimum age to register is 18 (or 16 in the EEA / UK / Switzerland with parental or guardian consent). We do not knowingly collect Personal Data from anyone under 13. If you believe a child has provided Personal Data to us, email support@vpnmanager.app and we will delete it. The UK Age-Appropriate Design Code applies to services likely to be accessed by children; we operate on the basis that our service is not, and we will not market or design it to attract children.

13. How we use the data and our legal basis

| Purpose | Categories of data used | Lawful basis (GDPR Art. 6) |
| --- | --- | --- |
| Provide the Service (accounts, licensing, plan enforcement) | Account info, licence data, device fingerprint | (b) Contract performance |
| Process payments | Payment references | (b) Contract / (c) Legal obligation for tax records |
| Detect and prevent fraud and trial abuse | Anti-abuse signals (§6) | (f) Legitimate interest in protecting the Service |
| Diagnose and fix bugs | Error reports | (f) Legitimate interest / (a) Consent if non-essential |
| Improve the product | Product analytics | (a) Consent / (f) Legitimate interest |
| Security (brute-force, abuse, intrusion detection) | Login attempts, IPs | (f) Legitimate interest / (c) Legal obligation |
| Compliance with law | All categories as required | (c) Legal obligation |
| Communicate with you | Email, account info | (b) Contract / (f) Legitimate interest / (a) Consent for marketing |
| Enforce the Terms and defend legal claims | All categories as needed | (f) Legitimate interest |

Where we rely on legitimate interest, you have a right to object (§17).

14. Who we share data with

We do not sell or rent Personal Data. We share it only with:

• Stripe, Inc. — payment processing.

• Hosting and infrastructure providers that operate our licence server and website (current location: United States; provider details available on request).

• Email delivery providers — only when we send you account or licence emails.

• Domain / TLS / CDN providers — only as needed to operate our public endpoints.

• Professional advisers (accountants, lawyers) bound by confidentiality.

• Law enforcement, regulators, or other parties where we are required by law, court order, or in defence of legal claims.

• An acquirer in a merger, acquisition, or sale of all or substantially all of our assets, subject to standard confidentiality protections and continued application of this Policy or an equivalent policy.

We require service providers acting as processors to bind themselves to confidentiality, to use the data only on our instructions, and to maintain security at least as strict as our own.

15. International data transfers

Our licence server and website are currently hosted in the United States. If you are in the EEA, the UK, or Switzerland, your Personal Data will be transferred outside your country to be processed by us and by the service providers above.

For transfers from the EEA we rely on the European Commission's 2021 Standard Contractual Clauses (Implementing Decision 2021/914), modules as applicable, together with supplementary technical and organisational measures we determine are appropriate. For transfers from the UK we use the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs. For transfers from Switzerland we use the SCCs as adapted by the FDPIC.

A copy of the executed clauses is available on request to support@vpnmanager.app.

16. Data retention

| Category | Retention |
| --- | --- |
| Account information | While the account is active; deleted (or anonymised) within 30 days of account deletion, subject to legal / accounting retention. |
| Licence and plan data | While the licence is active; up to 7 years afterwards for tax / accounting / dispute records. |
| Payment references | Up to 7 years from the date of the charge for tax and audit purposes (US / EU / UK statutory minimums). |
| Crash / error reports | Up to 90 days, then pruned on a rolling basis; aggregated counts may be kept longer. |
| Product analytics | Up to 13 months at the event level; aggregated metrics indefinitely. |
| Device / network anti-abuse signals | While needed to enforce trial limits and investigate abuse (typically 12 months), then pruned. |
| Login attempts / security logs | Up to 12 months, then pruned. |
| Consent records | While the account exists, plus a reasonable defence-of-claims period. |
| DMCA / copyright notices | While needed to operate the safe-harbour repeat-infringer policy. |

Where law requires shorter or longer retention, that law controls.

17. Your data-protection rights and how to exercise them

Subject to applicable law and reasonable identity verification, you may:

• Access the Personal Data we hold about you.

• Rectify inaccurate or incomplete data.

• Erase ("right to be forgotten") your data, subject to records we are required to keep.

• Restrict processing while a dispute about it is resolved.

• Object to processing based on legitimate interest (we will stop unless we show overriding grounds).

• Port your data in a structured, commonly-used, machine-readable format.

• Withdraw consent at any time, without affecting prior processing.

To exercise any right, email support@vpnmanager.app with the words "Privacy Request" in the subject line and tell us which right(s) you want to exercise. We will respond within 30 days under GDPR / UK GDPR (extendable by two further months for complex requests, with notice) or 45 days under US-state laws (extendable once by 45 days, with notice). There is no fee for the first request in any rolling 12-month period; manifestly unfounded or excessive requests may be charged a reasonable fee or refused.

You also have the right to lodge a complaint with a supervisory authority in the EEA / UK / Switzerland, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

18. Your rights as a California / Colorado / Virginia / Connecticut / Texas / other US-state resident

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, or any other US state with a comprehensive privacy law, you have the following rights:

• Right to know / access what categories of Personal Data we collect, the categories of sources, the business purposes, and the categories of third parties we share with.

• Right to delete Personal Data we have collected from you, subject to legal exceptions.

• Right to correct inaccurate Personal Data.

• Right to data portability.

• Right to opt out of the sale or sharing of Personal Data (we do not sell or share) and of targeted advertising (we do none).

• Right to opt out of certain profiling that produces legal or similarly significant effects (we do none).

• Right against retaliation for exercising any of these rights — we will not deny service, raise prices, or downgrade quality.

We honour the Global Privacy Control (GPC) signal as a valid opt-out request for any in-scope processing. Where state law requires opt-in consent for sensitive Personal Data (e.g. Colorado, Connecticut, Virginia), we obtain that consent before processing.

Notice of financial incentive. We do not offer any financial incentive in exchange for the collection, retention, sale, or sharing of Personal Data.

Authorised agent. A California (or other state) resident may use an authorised agent to make a request; we will verify both the agent's authority and the resident's identity before responding.

"Shine the Light" (Cal. Civ. Code §1798.83). We do not disclose Personal Data to third parties for their own direct-marketing purposes.

19. Security and breach notification

We protect data with measures including:

• Password hashing with salting (never plaintext storage).

• Encrypted transport (HTTPS / TLS) for all licence-server endpoints.

• Brute-force and rate-limit protection on authentication endpoints.

• Access controls and least-privilege internal access to production data.

• Periodic backups and integrity checks.

• A WAL-mode SQLite store with indexed hot columns and idempotent migrations.

No system is perfectly secure, but we work to keep your data safe. If we become aware of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, and we will notify affected users without undue delay where the breach is likely to result in a high risk to them. For US-state breach-notification statutes, we will notify within the timeframes those statutes require.

20. Automated decision-making and profiling

We do not subject you to any decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you. The anti-abuse signals in §6 may flag an account for human review, but a human reviews the decision before action is taken. If you believe an automated flag has affected you unfairly, email support@vpnmanager.app for review.

21. Changes to this Policy

We may update this Policy from time to time. Material changes will take effect 30 days after we post the new version on the website and email a notice to the address on your account; non-material changes may take effect immediately. We will keep prior versions available on request. Your continued use of the Service after the effective date means you accept the updated Policy. Where applicable law requires fresh consent for a new processing purpose, we will obtain it before that purpose begins.

22. Contact, complaints, and supervisory authorities

For any privacy question, request, or complaint, contact us first at:

> VPN Manager
> [Address on file]
> Email: support@vpnmanager.app (subject line: "Privacy Request")

You also have the right to lodge a complaint with the data-protection supervisory authority in your country. For example: the UK ICO (ico.org.uk), the Irish DPC (dataprotection.ie), the French CNIL (cnil.fr), the German BfDI plus the relevant Land authority, the Italian Garante (gpdp.it), the Canadian OPC (priv.gc.ca), the Brazilian ANPD (gov.br/anpd), the South African Information Regulator, the Singapore PDPC (pdpc.gov.sg), the Japanese PPC (ppc.go.jp), the Australian OAIC (oaic.gov.au), or the California Privacy Protection Agency (cppa.ca.gov).

23. Definitions

• "Personal Data" — any information relating to an identified or identifiable natural person, as defined under applicable data-protection law (GDPR Art. 4(1), CCPA §1798.140, etc.).

• "Controller" — the entity that determines the purposes and means of processing.

• "Processor" — the entity that processes Personal Data on behalf of the controller.

• "Service" — has the meaning given in the Terms of Service.

• "End User" — your customer (i.e. a person to whom you provide VPN access using the Service).

• "Sensitive Personal Data" — data that reveals racial or ethnic origin, political opinions, religion, trade-union membership, genetic data, biometric data for unique identification, health, sex life, sexual orientation, precise geolocation, citizenship / immigration status, or neural data, as those categories are defined under GDPR Art. 9 or the relevant US-state law.

• "Supervisory Authority" — a public authority responsible for monitoring the application of a data-protection law (e.g. the ICO in the UK, the CNIL in France, the CPPA in California, the ANPD in Brazil).

24. Change history

| Version | Date | Summary |
| --- | --- | --- |
| 1.0 | 2026-04-01 | Initial published Privacy Policy (preserved as the inline privacyPage in website/src/views.js). |
| 2.0 | 2026-05-27 | Restructured for multi-jurisdiction coverage; added explicit lawful-basis table, US-state privacy rights (CA / CO / VA / CT / TX and others), GPC commitment, 72-hour breach SLA, SCCs / IDTA reference, retention table, automated-decision-making clause, supervisory-authority list, controller / processor split for End User data (Art. 28 DPA on request), definitions, change history. |