Privacy Policy
Effective Date: 2024-08-07
This Privacy Policy outlines the rules and regulations regarding the collection and use of personal data and other information when accessing, installing, or using SecureSurf Services and Websites on any device. SecureSurf is the data controller responsible for handling your personal data, and you can contact us at apps@securesurfai.com.
By visiting our Websites, submitting your personal data to us, or using our Services, you acknowledge that you have read this Privacy Policy and agree to its terms. If you do not agree, please refrain from using our Services and Websites.
During the use of our Services and Websites, we may collect personal identification information, device information, usage information, and communications data. This information is collected to provide and maintain our Services, enhance and improve our offerings, and communicate.
Additional information regarding the processing of your personal data can be found in contractual terms, supplemental privacy statements, or notices.
1. PROCESSING OF YOUR PERSONAL DATA
SecureSurf processes personal data to a limited extent in order to provide our Services, process payments, and ensure the functionality of our Websites and mobile applications. We may process the following categories of personal data:
Information for creating your Account:
- Email address: We require your email address during registration to create your SecureSurf Account, facilitate password retrieval, and enable the use of our Services.
Subscription information:
- Subscription data: When you subscribe to our Services, we process relevant subscription information such as your email address, chosen subscription plan, duration, ID, frequency, amount, currency, status, auto-renewal status, and enabled/disabled features such as multi-factor authentication (MFA).
Payment related information (if using paid Services):
- Payment data: This information is necessary for collecting payments for our Services. Our payment processing partners process basic billing information (e.g., date of purchase, payer's IP address, postal code, credit card owner's full name and information) for payment processing and refund requests. In certain cases, we also process this billing information internally (e.g., date of purchase, credit card owner's full name, partial credit card details, expiration date) for recurring payments or when payment details are provided directly to us.
- Country details: When a purchase is made, we process information about the user's country of purchase for VAT calculation purposes.
- Information for payment fraud prevention: To prevent fraudulent payments, we may verify personal data such as payer's email address and device information using fraud management tools. If a transaction is deemed high-risk, we may reject it.
- Information regarding zero authorization for billing: Zero authorization is used to confirm the validity of your payment method, ensuring a seamless continuation of your subscription. No personally identifiable information is collected apart from the validation of the payment method and the date of authorization.
- Information related to A/B price testing: Results and insights obtained from price testing may be used to optimize pricing strategies, improve service offerings, and enhance user experience. This may involve collecting data on behavior, preferences, or responses to pricing strategies.
Communication data:
- Email address: We use your email address for important updates and announcements related to your use of our Services and Websites. It is also used to respond to your inquiries and to send you offers, surveys, and other marketing content. You have the option to opt-out of receiving such communications.
- Customer support inquiries: We retain information provided by you to our customer support team to help resolve queries. This may include payment information for customer verification, country information, operating system details, and local application logs.
- Communication optimization data: We utilize various tools to optimize our email campaigns. These tools track email actions such as opening and unsubscribing. We may also gather information on the user's device operating system and country to optimize push and email notifications and set language preferences.
- Chatbot: If you contact us through our chatbot on our Websites, we may collect device information and IP address in addition to your contact details.
- Live chat widget: When contacting us via the live chat widget, we process your contact information along with device information (such as operating system and browser type) and IP address. This information is necessary for our support team to determine your country, prevent abuse, check if you're connected to our servers, and expedite query resolution.
Information collected on our applications and Websites:
- Service usage: We collect information about specific SecureSurf Services and features you use, such as SecureSurf, SecureSurfPass, SecureSurfLocker, etc.
- Access logs: Our Websites collect access logs such as IP address, browser type, and operating system to operate our Services, ensure their secure and reliable performance, and protect against DDoS attacks and hacking attempts.
- Cookies: Our Websites utilize cookies, pixels, and similar technologies. These small files are placed on your device to enhance website functionality, analyze aggregated usage statistics for performance improvement, and for advertising purposes. We also use affiliate cookies to identify customers referred to our Websites by partners for commission purposes. You can review the cookies we use in our Cookie policy.
Referrals data:
- Information for referral programs: Participation in referral programs requires referrers to provide personal data (e.g., full name, email address, phone number, relationship with the referred party) about themselves and the referred party. This allows us to reach out to the referred party and contact referrers regarding participation and rewards. Referrers are responsible for complying with privacy laws when disclosing third parties' personal data to SecureSurf. Referred parties can unsubscribe from further communication at any time. If you believe that a contact has provided us with your personal data and wish to have it removed from our database, please contact us.
Promotional games data:
- Information for participating in promotional games: When participating in promotional games such as sweepstakes, giveaways, or contests that require additional personal information, you will be asked to provide it explicitly. This may include your full name, email address, phone number, and details about the purchased subscription plan. However, you have the right to refuse providing such information and stop participating in the promotional game at any time. In certain cases, we may share this data with third parties who assist in organizing and coordinating promotional games. Please carefully review the terms and conditions of each promotional game you participate in as they may contain specific information about the processing of your personal data. If the terms and conditions of a promotional game conflict with this Privacy Policy regarding your personal data, the promotional game's terms and conditions will prevail.
Social networks data:
- Account data: We may collect and process your personal data, such as full name, social network profile name, pictures, and public comments, when managing and administering our profiles on social networks (e.g., Facebook, Instagram, Twitter, LinkedIn, YouTube). This data is provided voluntarily by you.
2. GROUNDS FOR PROCESSING OF PERSONAL DATA
We process your personal data based on the following legal grounds:
3. SHARING YOUR PERSONAL DATA
We do not share your personal data with third parties.
Your personal data may be processed in any country in which we engage service providers and partners. When you use our Services and Websites, you understand and acknowledge that your personal data may be transferred outside of the country where you reside.
- Protection of our rights: We may disclose personal data to establish or exercise our legal rights or defend against any legal claims or other complaints. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, and violations of our General Terms.
- Business transfers: In the event that we sell our business or undergo a corporate merger, acquisition, consolidation, asset sale, reorganization, or similar event, we may share your personal data. Rest assured, during such transfers, SecureSurf will maintain the confidentiality of your personal data.
- Requests for data: Any requests for user data must follow an official legal process recognized by the laws of the Republic of Panama, such as a mutual legal assistance treaty or letters rogatory. We carefully review each request to ensure compliance with our internal policies, applicable laws, and international norms. It is important to note that Panama's laws do not require us to store logs of users' online activity. As a result, we do not collect or store information about users' browsing history, traffic data, or IP addresses used to access the internet via our services. Therefore, even if we receive a properly served request, it may be impossible for us to identify a specific individual or provide any identifying information related to that person. In cases where, through an appropriate legal process, we are required to comply with a request and can identify a specific person, we will provide the limited data we process as outlined in our Privacy Policy and within the scope of the request.
- Contact information for government authorities: Should government authorities need to contact us, they can reach SecureSurf via email at inquiries@securesurfai.com.
Cross-border transfers of personal data
To enable our Services and Websites, we may need to store, access, and move personal data across borders. This could include countries where SecureSurf operates that may not provide the same level of protection for personal data as your country of residence. We carefully consider and implement appropriate safeguards to ensure your personal data is protected in accordance with our Privacy Policy. For example, if we transfer your personal data to countries outside the European Economic Area, we ensure there is an adequacy decision from the European Commission for the recipient country or we use standard contractual clauses approved by the European Commission for such transfers.
4. OPTIONS REGARDING YOUR PERSONAL DATA
It is important to be aware that various data protection laws in different jurisdictions grant privacy rights to individuals as data subjects. Subject to the applicable data protection laws, you may have the following rights:
- Deletion: You can request that we delete your personal data.
- Access: You have the right to know and access the personal data collected about you by SecureSurf.
- Rectification: If your personal data is inaccurate or incomplete, you can request for it to be rectified, corrected, updated, or supplemented by SecureSurf.
- Objection: You can object to the processing of your personal data if it is done on the basis of our legitimate interests (e.g., for marketing purposes).
- Portability: If our processing of your personal data is based on your consent and carried out by automated means, you can request us to provide you with a structured, commonly used, and machine-readable copy of your personal data, or if technically feasible, transmit it to another controller.
- Restriction: You have the right to request the restriction of the processing of your personal data when there is a legal basis for doing so.
- Withdraw Consent: If our processing is based on your consent, you have the right to withdraw that consent.
- Complaint: You can exercise your rights by directly contacting us or, if necessary, lodging a complaint with a supervisory authority.
- Rectification: If you need to make changes to your profile information such as updating your email address or adding a new username, please reach out to our support team at support@securesurfai.com.
- Access/Deletion: If you would like to delete your Account or request a copy of your personal data that we process, please contact us at privacy@securesurfai.com. Please be aware that in order to ensure the security of your Account, we will need to verify your identity before taking any further action on your request.
Furthermore, you can delete your SecureSurf Account by following the steps outlined below. Once you initiate the deletion process, our support team will promptly assist you with your request:
- SecureSurf Account via SecureSurf app on iPhone/Android: Open the SecureSurf app, log into your Account, tap on the Profile icon, select "Contact Us", choose "Request account deletion", enter "Please delete my account" as the message, and tap "SEND".
- SecureSurf Account via SecureSurf website: Open the SecureSurf website, log into your Account, click on "Help", select "Email Support", fill out the "Contact Us" form, choose "Request account deletion", enter "Please delete my account" as the message, and click "SEND".
- SecureSurf's Responsibilities upon Termination: When your Account and/or Subscription expires or is terminated, SecureSurf will immediately stop processing any information associated with you. However, please be aware that there may be instances where we retain information linked to you even after the expiration or termination of your Account and/or Subscription.
Here are the situations where we may continue to retain your information:
- 1. Interconnected Databases: Our databases for all SecureSurf products are interconnected. Therefore, if you have another existing Account associated with a different SecureSurf product, basic information like your email address may still be visible in our system even after we delete your SecureSurfPass Account. To completely delete all of your data, you will need to contact our support team to delete all Accounts connected to different SecureSurf products.
- 2. Compliance with Legal Requirements: SecureSurf may retain information associated with you, such as payment data, to fulfill our obligations as required by applicable laws, regulations, court orders, subpoenas, or other legal processes. This retention may be for archival purposes.
Please note that in all other respects, we will cease processing any of your information upon the expiration or termination of your Account and/or Subscription.
- Opt-out: If you no longer wish to receive communications from us, you have the option to unsubscribe at any time by clicking the "unsubscribe" link located at the bottom of each email or by contacting us at privacy@securesurfai.com.
- Cookie Control: You can manage the use of cookies on your device at the individual browser level. To disable cookies, please refer to your browser's instructions on how to block or clear cookies.
If you do not agree with SecureSurf processing your personal data, please refrain from using our Services and Websites. You can request us to stop processing your personal data, and in such cases, we will only process your data to the extent necessary to fulfill the discontinuation of your use of the Services (e.g., settling outstanding matters or deleting personal data associated with your email address) or to conclude any other legal relationships between you and SecureSurf (e.g., record-keeping, accounting, processing refunds). Please be aware that we or our third-party service providers may be required to retain certain personal data as mandated by law.
For any other questions, concerns, or complaints regarding our privacy practices or the processing of your personal data, please contact us using the information provided in the "Contact Us" section.
5. DATA SECURITY
We have implemented stringent measures to safeguard the personal data we collect. Our dedicated IT security team has put in place physical, technical, and organizational controls to protect your information against accidental or unlawful destruction, loss, alteration, unauthorized access, disclosure, or processing.
Here are the key security measures we have implemented:
- Physical Measures: We control access to our facilities using access cards. Our premises are equipped with security alarm systems and CCTV surveillance. Devices containing personal data are stored in locked rooms or cabinets. Access to printers is restricted through access control measures. We enforce a clean desk policy to minimize risks.
- Technical Measures: We employ a layered defense strategy that includes firewalls, anti-malware protection, and intrusion detection and prevention systems. Our infrastructure is regularly updated, and we conduct vulnerability scans to identify and address any potential weaknesses. We utilize security event and incident management solutions to analyze and investigate security alerts. Our servers undergo hardening, and automated configuration tools are employed for management. Data at rest and in transit are encrypted using up-to-date encryption protocols.
- Organizational Measures: We adhere to best practices by having information security and data processing policies in place. We undergo external audits to validate the effectiveness of our security and data processing policies. We foster a culture of continuous development and awareness among our employees regarding security and data protection. This includes regular training and other awareness activities. We continually analyze the threat landscape and our attack surface, making updates to our security measures as needed. Access to databases containing personal data is strictly based on a need-to-know basis.
While we remain vigilant and take immediate action if we detect something suspicious, it is important to note that no company can guarantee absolute security for internet communications, as no technology is entirely bulletproof. By using our Services and Websites, you acknowledge that we cannot provide a 100% guarantee of the security of personal data transmitted through the Services. Any information you provide to us through our Websites or Services is done so at your own risk. If you suspect any security concerns with your interactions with us, please inform us immediately at privacy@securesurfai.com.
6. DATA RETENTION AND DELETION
We retain your personal data for as long as necessary to provide you with our Services or as long as we have a legitimate reason to do so, in compliance with applicable laws. Specific data retention periods are outlined below:
- Customer billing information and payment details are kept by SecureSurf for a period of 10 years from the date of the last payment transaction.
- If you have subscribed to receive marketing communications from us, we will use your email address for such purposes for a period of 1 year after the termination of your Subscription or until you exercise your right to opt-out, whichever occurs first.
Once we no longer have a legal or legitimate basis to retain your personal data, we will securely dispose of it or render it de-identified through appropriate anonymization methods. Personal data stored in electronic files will be destroyed in a manner that ensures the data cannot be recovered.
7. COUNTRY-SPECIFIC PROVISIONS
For Users in the European Economic Area (EEA):
- If you are a resident of EEA countries, you have rights under the General Data Protection Regulation (GDPR). To exercise these rights, please contact us at privacy@securesurfai.com.
For Users in California:
- If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA). To exercise these rights, please contact us at privacy@securesurfai.com. Please note that SecureSurf does not sell, share, lease, or rent your personal information, as defined under the CCPA.
For Users in the Republic of Korea:
- As mentioned in Section 3 of this Privacy Policy, we may share personal data with service providers and other third parties located outside the Republic of Korea. For users in the Republic of Korea, we provide a detailed list of these third parties, along with additional privacy terms specific to Korea, in our Korean-specific Privacy Policy, which you can access here.
8. CONTACT US
If you have any questions, requests, concerns, or complaints regarding this Privacy Policy or our processing of personal data, or if you wish to exercise your rights as a data subject, please reach out to us at privacy@securesurfai.com or by sending a written request to the following address:
9. CHILDREN'S DATA
SecureSurf does not knowingly collect or solicit personal data from individuals under the age of 18. If you are under 18, please refrain from providing any personal data to SecureSurf. If we become aware that we have collected and processed personal data from a child under 18 years of age, we will promptly delete that data.
10. OTHER TERMS
Limitation of Liability: SecureSurf takes extensive measures to ensure the security of personal data through technical, physical, and organizational safeguards. However, it is important for you to exercise caution and use the Services and Websites responsibly. You are personally responsible for any violations of third-party privacy rights or any applicable laws that may arise from your use of the Services and Websites. SecureSurf cannot be held liable for the consequences of your unlawful, willful, or negligent activities, or for circumstances that were beyond reasonable control or foreseeability. For more details, please refer to the General Terms.
Updates to the Privacy Policy: We continually develop and enhance our Services and Websites by introducing new features or making changes to existing ones. As a result, it may be necessary for us to update the Privacy Policy periodically. If any amendments to the Privacy Policy significantly impact our processing activities of your personal data, we will provide advance notice of such changes by reasonable means (such as through the respective applications, our Websites, or via email). We will always indicate the date of the last update.
Unless otherwise stated by us, each updated version of the Privacy Policy becomes effective when it is published on this Website. It is important for you to regularly review this Privacy Policy to ensure that you are familiar with its current terms. By continuing to use our Services and Websites, you are deemed to accept any changes to the Privacy Policy.
GENERAL REMARKS
SecureSurf operates under a strict no-logs policy for its Services. This means that while using SecureSurf Services, your internet activity is not monitored, recorded, logged, stored, or shared with any third party. We do not retain information such as used bandwidth, traffic logs, IP addresses, or browsing data. As soon as a SecureSurf user connects to one of our VPN servers, their internet data becomes encrypted.
ADDITIONAL PERSONAL DATA PROCESSED WHEN PROVIDING SECURESURF SERVICES
In addition to the information outlined in the Privacy Policy, we process the following data when you use SecureSurf Services:
Technical information:
- Statistical server load information: We monitor server performance, including CPU usage, RAM usage, and server network usage, to recommend the most suitable servers to our users.
- Username and timestamp of the last session status: This information is used to limit the number of concurrent active user sessions and is automatically deleted within 15 minutes after a session is terminated.
- Connectivity information: To prevent abuse and address unfair chargebacks, we register whether a user has used the SecureSurf Service within the last 30 days. This information does not include personally identifiable information, except for the indication of whether the SecureSurf Service was used during the mentioned period.
- Interaction data: Advanced tools are employed to detect irregular patterns in users' activity when new sessions are initiated, in order to safeguard against abuse and detect prohibited activities like scraping. No personally identifiable information is collected, except for the indication of whether irregular patterns were detected within the user's activity.
Information collected on the SecureSurf website:
- Social media platforms and widgets: Our website may feature social media buttons (e.g., Facebook, Twitter, LinkedIn) to facilitate content sharing. These features may collect your IP address, pages visited, and may use cookies to ensure their proper functioning.
Information collected on our applications:
- In-app event information: Our application collects anonymized information about Account activity. The processed data is specific to a device and does not identify individual users. This data is necessary for: (i) assessing application functionality (e.g., successful registration or login, server connection); (ii) analyzing user interaction (e.g., usage of interface items, user interest in notifications); and (iii) identifying app performance and update issues (e.g., crash error reports). You can opt-out of the collection of in-app information at any time through the SecureSurf app settings. In-app event information includes:
- General event information: The application that sent the event, event time, categorization, and limited routing information.
- Device information: Device operating system, architecture, type, model, brand, unique device identifier, city, country, and time zone.
- Application information: Application name, version, source, enabled/disabled features, network type, public internet service provider information, current VPN connection status, A/B testing details (if applicable), user preferences.
- Account information: Status of active/inactive subscriptions for SecureSurf products, current and past active/inactive plans, trial information.
Please note that a unique device identifier randomly generated by the customer cannot be linked to their email or user ID.
- Device information: Within our application, we may collect certain device information automatically. This may include the device model, operating system version, and other similar non-identifying details. We use this information to monitor, develop, and analyze the usage of SecureSurf Services. Additionally, when utilizing the Quick Connect feature, our application may detect the city of your device (this detection is conducted locally and is not logged in our systems).
- Device identifiers: In certain cases, we may record your device's identifier for marketing or analytics purposes. These identifiers are unique to your device and are assigned by the operating system manufacturer. You can reset them at any time through your device's settings. Instructions for managing identifiers can be found in the respective policies for different devices: Advertising & Privacy on iOS devices and Managing your Google Settings on Android devices.
- Enabled features: Understanding which product features are enabled on your application allows us to provide you with more relevant information. This ensures that you do not receive in-app notifications about SecureSurf features that are already enabled.
THREAT PROTECTION FEATURE
SecureSurf offers a Threat Protection feature that blocks ads, trackers, malicious websites, and malware. The data processed for users of this feature is necessary for its provision and continuous improvement.
Statistics: We process statistics about the use of the Threat Protection feature, such as the date of the last update of the malicious items' list and the number of blocked entries. This helps us enhance user experience and the feature itself. You can opt-out of such statistical processing at any time through the SecureSurf app settings.
URL scanning: The Threat Protection feature matches URLs against known databases to block ads, trackers, phishing attempts, and malicious websites. We do not know which specific user interacted with a particular URL or website. The data processed includes the URL and its status (e.g., blocked).
Initial file scanning: During the initial scan of newly downloaded files, we process the following:
- Scan status: We process information to determine if a file is malicious and if the scanning process was performed accurately.
- URLs: We collect URL information to identify the source of downloaded files and detect malicious websites.
- Connection information: Limited data, such as country, time zone, and internet service provider name, helps us assess the quality of the connection, which is vital for the Threat Protection feature.
- Cloud-based threat detection: Only available to users who have enabled it, this feature uploads files to the cloud for deep scanning to detect malware. Only executable files are uploaded, and we cannot associate any file with a specific user. Scanned files are stored for service improvement purposes.
- Vulnerable app detection: This feature informs users of potential app vulnerabilities without gathering personal data. Analyzed data is anonymous and unrelated to specific users, focusing on service quality and trends. This feature utilizes the National Vulnerability Database (NVD) API without endorsement or certification.
OTHER SERVICES/FEATURES BY SECURESURF
Meshnet: This feature enables point-to-point connections and routing of online traffic through user devices. The following information is processed: connection and permission details, device OS version, hashed device ID, and user email address. For file sharing, we also process anonymized data on file transfers, sizes, and document types (extensions).
Dedicated IP service: When purchasing a dedicated IP address, your email and account information will be linked to that specific IP address. Please note that once your subscription period ends, the IP address may be reused for other users.
Smart DNS: The Smart DNS service replaces the DNS address from your internet service provider. Your IP address needs to be stored on our systems while the Smart DNS service is activated. No new IP address is provided.
Dark Web Monitor feature: When enabled, this feature scans the web for any appearance of your email address in detected personal data breaches. For this, we share hashed email addresses with our third-party service provider. Your email address is not used or stored by the third party other than to assist you in monitoring data breaches. Generated results are erased once the feature is disabled.