Privacy Policy — Ciphra VPN | How We Protect Your Data

Introduction

Welcome to Ciphra VPN, operated by CIPHRA SOFTWARE from Vancouver, Canada. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how Ciphra VPN ("we," "us," or "our") collects, uses, processes, and protects your information when you use our VPN service.

Ciphra VPN is a VPN service that allows users to register, manage subscriptions and access VPN servers securely. We believe in transparency and want you to understand exactly what data we collect and how we use it to provide you with the best possible service.

Information We Collect

To provide our VPN service effectively and manage your account, we collect the following limited information:

Account Information

User Token: A unique identifier assigned to your account for authentication purposes

Subscription Information

Subscription Status: Whether you have a free or paid subscription
Subscription Expiry Date: When your current subscription period ends

Limited Operational Information

Server Access Logs: Basic service logs used to ensure service quality, troubleshoot reliability issues, and prevent abuse
Connection Timestamps: When you connect and disconnect from our servers
Bandwidth Usage: Amount of data transferred to manage capacity, reliability, and subscription limits

                            Activity Data We Do Not Collect:
                            Payment Information
Your browsing history or website visits
Content of your internet traffic
DNS queries or requests
Your real IP address once connected to our VPN

                        

How We Use Your Information

We use the collected information solely for the following purposes:

Service Provision

Providing secure VPN access to our servers
Authenticating your account and managing login sessions

Subscription Management

Processing subscription upgrades, downgrades, and renewals
Enforcing subscription limits and features
Sending important account and billing notifications

Security and Compliance

Preventing fraud and unauthorized access
Monitoring for abuse and ensuring fair usage
Complying with legal obligations where required

Service Improvement

Analyzing usage patterns to improve performance
Troubleshooting technical issues
Optimizing server capacity and locations

Cookies and Telemetry

We use cookies, local storage, and similar technologies to keep the website and service working, remember language and account flow choices, understand how visitors find our pages, improve reliability, and protect the service from abuse.

What We Use

Essential storage: Authentication tokens, language preference, checkout or redemption state, and similar values needed to provide the service or complete actions you request.
First-party visitor cookie: The ciphra_vid cookie assigns a random visitor ID for website telemetry and expires after up to 365 days unless you clear it earlier.
Campaign and referral telemetry: UTM values and referrer data may be kept in local storage so we can understand which campaigns or pages led users to Ciphra VPN.
Self-hosted telemetry: We may send page visit, download click, visitor ID, UTM, referrer, and basic browser technical metadata to telemetry.ciphravpn.com for analytics, capacity planning, reliability, and abuse prevention.

                            What Telemetry Does Not Include
                            We do not use cookies or telemetry to inspect VPN traffic content, DNS queries, browsing history, or the websites you visit through the VPN.
We do not sell telemetry data.
We do not use telemetry for automated decisions with legal or similarly significant effects.

                        

Your Choices

You can block or delete cookies and local storage in your browser. Where processing is based on consent, you may withdraw consent at any time by changing browser settings or contacting us at support@ciphravpn.com. Blocking essential storage may affect login, language selection, payment, redemption, or account features.

In-App Analytics (Windows & Android Apps)

The sections above describe data handling on this website. The Ciphra VPN apps for Windows and Android additionally use a separate, anonymous analytics system that is independent of the website cookies described above. (Privacy for the iPhone, iPad, and Mac apps is described in our Apple Privacy Policy.)

What the App Collects

Only if you consent — the app asks on first launch — and via our own self-hosted analytics system, the app collects anonymized, non-personal data tied only to a randomly generated identifier, never your name or real-world identity:

app version, operating-system version, device locale, and a random, non-identifying app/device identifier;
in-app screen and dialog views, and which features you use;
subscription and payment events (plan, transaction identifier, payment method, success/failure) — never your card or banking details;
crash reports and error diagnostics;
service and server-health data (which endpoint you connect to, destination country/city, protocol, and whether a connection succeeded or failed), de-personified and not stored against your originating IP address.

What the App Does Not Do

We do not use this data to build advertising profiles or to track you across other companies' apps or websites, and we do not sell, rent, or share it with third parties.

Your Consent and Storage

No analytics data leaves your device unless you accept on first launch. You can change this choice at any time in the app under Settings → Privacy. This data is stored on our own servers — a dedicated server hosted with OVHcloud in France — and is automatically deleted after 90 days.

Legal Bases for Processing

Where the EU GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases depending on the context:

Contract: to create or authenticate your account, provide VPN access, manage subscriptions, process checkout or redemption flows, and provide support.
Legitimate interests: to keep the service secure and reliable, prevent abuse and fraud, debug errors, plan capacity, maintain aggregated analytics, and improve product performance without overriding your rights and freedoms.
Consent: for non-essential cookies, analytics, marketing communications, or other processing where consent is required by applicable law.
Legal obligation: to comply with tax, accounting, consumer protection, sanctions, security, dispute, or lawful request obligations.

If we rely on legitimate interests, you may object as described in the rights section below.

Data Subject Rights

Depending on where you live, including under GDPR and UK GDPR Articles 15 to 21, you may have the following rights:

Access (Article 15): request confirmation that we process your personal data and receive a copy of that data.
Rectification (Article 16): ask us to correct inaccurate or incomplete personal data.
Erasure (Article 17): ask us to delete personal data where the law requires or permits deletion.
Restriction (Article 18): ask us to limit processing while a request, objection, or dispute is reviewed.
Notification (Article 19): ask us to notify relevant recipients of rectification, erasure, or restriction where required.
Portability (Article 20): receive data you provided to us in a structured, commonly used, machine-readable format where applicable.
Objection (Article 21): object to processing based on legitimate interests and object at any time to direct marketing.
Withdraw consent: withdraw consent at any time where processing is based on consent, without affecting processing that was lawful before withdrawal.

To exercise these rights, contact support@ciphravpn.com. We may need to verify your request and will respond within one month where GDPR or UK GDPR applies, unless an allowed extension is needed. You may also complain to your local data protection authority.

Canada (PIPEDA & BC PIPA)

CIPHRA SOFTWARE operates from Vancouver, Canada and handles personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA). You may request access to or correction of your personal information by contacting support@ciphravpn.com, and you may raise unresolved concerns with the Office of the Privacy Commissioner of Canada. Where we send commercial electronic messages, we do so in accordance with Canada's Anti-Spam Legislation (CASL): we obtain consent where required, identify ourselves, and include an unsubscribe option in every such message.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the right to know what personal information we collect; to request access to, deletion of, or correction of that information; to opt out of any "sale" or "sharing" of personal information; and not to be discriminated against for exercising these rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. To exercise your California rights, or to opt out, contact support@ciphravpn.com or use the "Do Not Sell or Share My Personal Information" link in our footer.

Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law.

Account, Subscription, and Support Data

Active account data: kept while your account or token remains active.
Inactive account data: deleted or anonymized after 2 years of inactivity unless we must keep it longer for legal, security, accounting, or dispute reasons.
Deleted account data: deleted or anonymized within 30 days after a verified deletion request, except for records we must retain by law or for legitimate security and dispute purposes.
Subscription and transaction references: kept while needed to provide paid features and for up to 7 years where required for tax, accounting, chargeback, or compliance obligations.
Support messages: kept for up to 24 months after resolution, unless a longer period is needed to handle abuse, disputes, or legal obligations.

Operational Logs, Cookies, and Telemetry

Server access and connection logs: deleted or anonymized after 30 days.
Security and abuse-prevention logs: kept for up to 90 days, or longer if needed to investigate active abuse, fraud, attacks, or legal claims.
ciphra_vid cookie: expires after up to 365 days unless you delete it earlier.
Local storage values: kept until you clear browser storage, replace the value, or stop using the relevant account, language, checkout, redemption, or campaign flow.
Aggregated or anonymized statistics: may be kept longer because they no longer identify you.

Data Sharing and Disclosure

Your privacy is paramount to us. We do not sell or rent your personal information. We share information only when needed to operate the service, process payments through providers you choose, respond to support requests, prevent abuse, or comply with applicable legal obligations.

Browsing Activity:

We do not log your browsing history, DNS queries, traffic content, or the sites you visit. Limited operational metadata is handled according to the retention periods described above.

EU/UK Representative (Article 27)

CIPHRA SOFTWARE is operated from Vancouver, Canada. Where EU GDPR Article 27 or UK GDPR Article 27 applies because we offer services to individuals in the EEA or the United Kingdom, we will maintain an EU and/or UK representative as required.

Requests or notices intended for our Article 27 representative may be sent to support@ciphravpn.com. We will route them to the appropriate appointed representative where required and will publish representative name and address here when the appointment applies to your jurisdiction.

Representative Contact Channel

EU Representative: Contact via support@ciphravpn.com pending publication of local representative details.

UK Representative: Contact via support@ciphravpn.com pending publication of local representative details.

Encryption

At Ciphra VPN, we use industry-leading encryption standards to protect your data at every stage. All user data, including authentication tokens, device IDs, and connection logs, is encrypted both in transit and at rest using strong cryptographic protocols.

Encryption in Transit

All communications between your device and our servers are protected using TLS 1.3, ensuring that your data cannot be intercepted or tampered with during transmission.
VPN traffic is secured using strong, industry-standard encryption, which is recognized as one of the most secure encryption standards available.

Encryption at Rest

User data stored on our servers is encrypted using strong, industry-standard encryption, making it inaccessible to unauthorized parties.
Access to encrypted data is strictly limited to authorized administrators and is monitored through audit logs.

Key Management

Encryption keys are managed securely and rotated regularly to minimize risk.
We follow best practices for key storage and access control.

Your Security:

We continually review and update our encryption practices to ensure your data remains protected against evolving threats.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You

In-App Notification: Important changes will be highlighted in the application
Website Notice: Updates will be posted on our website

Your Choices

Continued use of our service after changes indicates acceptance
If you disagree with changes, you may delete your account
We'll provide at least 30 days notice for material changes

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, we're here to help.

CIPHRA SOFTWARE

Business Location: Vancouver, Canada

Email: support@ciphravpn.com

Response Time: We aim to respond within 24 hours