🔒 Privacy Policy

1. Data We Collect

1.1. Account Data

• Email address — For authentication and communication
• Account creation date — For service management
• Referral code — If you joined via referral link

1.2. Usage Data

• Traffic volume — To enforce fair usage limits
• Connection timestamps — For troubleshooting
• Device type — For compatibility optimization

1.3. What We DON'T Collect

2. How We Use Your Data

• Provide and maintain the VPN service
• Send important service notifications
• Prevent abuse and fraud
• Improve service quality
• Process referral rewards

3. Data Storage & Security

3.1. Your data is stored on secure servers in the European Union (Germany), complying with GDPR requirements.

3.2. We use industry-standard encryption for all data transfers.

3.3. VPN servers use VLESS + Reality protocol, providing strong encryption and traffic obfuscation.

4. Third-Party Services

We use the following third-party services:

• Paddle — Payment processing (Merchant of Record)
• Hetzner Cloud — VPN server infrastructure (Germany)
• Vercel — Web application hosting
• Brevo — Email delivery service
• Cloudflare — Security and CAPTCHA

5. Lawful Basis for Processing

Under UK GDPR, we process your data based on:

• Contract — To provide the VPN service you requested (Article 6(1)(b))
• Consent — For marketing emails, with your explicit opt-in (Article 6(1)(a))
• Legitimate Interest — For fraud prevention and service improvement (Article 6(1)(f))
• Legal Obligation — To comply with applicable laws (Article 6(1)(c))

6. Your Rights Under UK GDPR

You have the right to:

• Access — Request a copy of your personal data (Article 15)
• Rectification — Correct inaccurate data (Article 16)
• Erasure — Request deletion of your data (Article 17)
• Restrict Processing — Limit how we use your data (Article 18)
• Data Portability — Receive your data in a portable format (Article 20)
• Object — Object to processing based on legitimate interests (Article 21)
• Withdraw Consent — Withdraw consent at any time for consent-based processing

6. Cookies

We use essential cookies only for authentication purposes. No tracking or advertising cookies are used.

7. Data Retention

Account data is retained while your account is active. Upon account deletion, your personal data is removed within 30 days. Anonymous aggregate statistics may be retained indefinitely.

8. International Transfers

Your data may be transferred to and processed in the European Union (Germany) where our VPN servers are located. The EU provides adequate protection under UK GDPR adequacy regulations. For transfers to other countries, we use Standard Contractual Clauses approved by the ICO.

9. Marketing Communications

We only send marketing emails if you have explicitly opted in during registration. You can withdraw your consent at any time by:

• Clicking "Unsubscribe" in any marketing email
• Visiting your account settings
• Contacting us at privacy@holdemvpn.app

10. Complaints

If you're not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):