Privacy Policy

Overview

VeloGuardian is a network security platform that provides secure VPN, web filtering, DNS filtering, anti-malware, and botnet protection. This privacy policy explains what data we collect and how it is used across all VeloGuardian products and services.

Data Controller

The data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) is:

VeloGuardian OÜ
Sepapaja tn 6, 15551 Tallinn, Harju maakond, Estonia
Estonian Business Register: 17491150
Email: privacy@veloguardian.com

As an Estonian company operating under European Union law, VeloGuardian processes personal data in accordance with the GDPR and the Estonian Personal Data Protection Act.

Legal Basis for Processing

Under Article 6 of the GDPR, every processing activity must rest on a lawful basis. Ours are:

• Provision of the Services — performance of contract. Account creation, authentication, VPN connection establishment, and delivery of the features in your subscription plan are necessary to perform the contract you entered into when you signed up.
• Subscription and billing — performance of contract for managing your subscription, and compliance with a legal obligation for tax and accounting record-keeping under the Estonian Accounting Act. Card numbers, bank account details, and other payment-instrument data are handled directly by our payment processors and never reach VeloGuardian's systems.
• Customer support — legitimate interest in resolving your enquiries and improving the Services.
• Security and fraud prevention — legitimate interest in protecting our infrastructure and customers from abuse.
• Service-related communications (security advisories, billing, material policy changes) — performance of contract.
• Marketing communications (newsletters, promotional emails) — consent, which you can withdraw at any time via the unsubscribe link in every email.

Information We Collect

Account Data

When you log in, the app sends your username and password to VeloGuardian's secure servers to authenticate your identity. Credentials are transmitted over HTTPS and are never stored in plaintext on your device.

If you sign in with Apple (or another supported social provider), we receive your email address and, only when you choose to share it, your name. We store your name as a display name to personalise your account. Sharing your name is optional — you can sign in without it, and accounts that use an Apple private-relay email work the same way.

Security Configuration

Your security and VPN profiles are synced from our servers and stored locally on your device to establish secure connections.

Network Traffic

When connected, your internet traffic is routed through VeloGuardian's secure network. We do not log, inspect, or store the contents of your network traffic.

Threat Protection

VeloGuardian's filtering services (web, DNS, anti-malware, and botnet protection) process traffic metadata to block threats in real time. This metadata is not stored or shared.

How We Use Your Information

We use the information we collect solely to provide and maintain the VeloGuardian service:

• Authenticating your identity and managing your account
• Establishing secure VPN connections
• Applying your security profile and filtering policies
• Blocking malicious traffic in real time

Data Retention

We hold personal data only for as long as we need it. We follow a minimum-retention policy:

• Account data (email, name, hashed password, subscription status) — for as long as your account is active. After you delete your account, the account record is erased immediately and removed from rolling backups within 30 days.
• Subscription and accounting records — subscription identifiers, billing dates, and amounts required by the Estonian Accounting Act are held by our payment processors (Stripe, Apple, Google) on our behalf for the statutory 7-year period and remain accessible to us for tax-audit purposes. We do not retain a separate copy of these records on our own servers after you delete your account, and we never see or store card numbers, bank account details, or any other payment-instrument data.
• Customer support correspondence — up to 90 days after the case is closed, then permanently deleted.
• VPN traffic, DNS queries, browsing history — never logged. We do not record or store information about what you do while connected.
• Authentication tokens and security profiles — stored on your device using platform-native secure storage; cleared on logout or app uninstall.
• Security audit logs — while your account is active, we keep a minimal log of security-relevant events (registrations, logins, password changes) for fraud and abuse prevention under our legitimate interest (GDPR Art 6(1)(f)). When you delete your account, every audit-log entry that identifies you is scrubbed of your email and any other identifying fields at the moment of deletion, leaving only an anonymous event-and-timestamp record. We do not retain identifying audit logs for deleted accounts.

After applicable retention periods, data is permanently deleted or irreversibly anonymised.

Subprocessors and Third Parties

VeloGuardian does not include any third-party analytics, tracking, or advertising SDKs in its applications. We rely on a small number of carefully selected service providers ("subprocessors") to operate the Services. Each is bound by a data processing agreement requiring GDPR-equivalent protections.

Because you transact with them directly when you purchase or manage a subscription, we name our payment processors:

• Stripe Payments Europe Ltd. (Ireland) — web purchases. Governed by Stripe's privacy policy.
• Apple Inc. and Google LLC — in-app purchases on iOS, macOS, and Android, governed by the respective platform terms.

Beyond the payment layer, we use a handful of trusted vendors in the following categories:

• Subscription receipt validation — for cross-platform subscription state.
• Infrastructure and hosting — for our website, API, and VPN servers.
• Content delivery and DNS — for our website and API perimeter.
• Transactional and support email — for the email we send to you.

A current list of named subprocessors in each category is available on request to privacy@veloguardian.com.

We do not sell, rent, or trade personal data. We may disclose data only where required by a valid legal process under Estonian or EU law, and we will challenge any request that exceeds what the law permits.

International Transfers

We process personal data primarily within the European Economic Area. Where a subprocessor is established outside the EEA (notably the United States), transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary technical and organisational measures. The list above identifies which subprocessors involve transfers outside the EEA.

Cookies

Our website uses only strictly necessary cookies required for security, session management, and basic site functionality. We do not set advertising, analytics, or tracking cookies, and our applications do not embed third-party SDKs that would do so.

Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects (Article 22 GDPR).

Children's Data

Our Services are not directed at children. You must be at least 18 years old, or the age of legal majority in your country of residence, to create an account. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@veloguardian.com and we will delete it.

Data Breaches

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of it, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also inform affected users without undue delay.

Your Rights Under GDPR

As a data subject under European Union law, you have the following rights regarding your personal data:

• Right of access — obtain a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — request deletion of your personal data
• Right to restriction — limit how we process your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — at any time, where processing is based on consent

To exercise any of these rights, contact us at privacy@veloguardian.com. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the data protection authority in your EU country of residence. A directory of national authorities is maintained by the European Data Protection Board at edpb.europa.eu.

VPN Service

VeloGuardian uses the operating system's VPN service to create a secure, encrypted tunnel for your internet traffic. The app requires VPN permission from the operating system to protect your connection.

Data Sharing

VeloGuardian does not sell, share, or disclose any user data to third parties.

Governing Law

This privacy policy is governed by the laws of the Republic of Estonia and the European Union. Any disputes arising from this policy are subject to the jurisdiction of the Estonian courts, without prejudice to your statutory right as an EU consumer to bring proceedings in your country of residence.

Changes

This privacy policy may be updated from time to time. Changes will be reflected in the "Last updated" date at the top of this page.

Contact Us

If you have questions about this privacy policy, please reach out to us at privacy@veloguardian.com.