Effective date: 17.10.2025
Service: TrackAway VPN (“Service”, “we”, “us”, “our”).
1. Purpose
This Privacy Policy explains what personal data we collect, how we use it, and your rights under applicable data protection laws (EU GDPR, UK GDPR, and Hong Kong PDPO).
2. Data We Collect (minimal)
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account access & support | Until account deletion (plus short technical retention where required for backups/archives) |
| Stripe transaction ID | Payment verification & refunds | Up to 30 days after payment |
We do not collect or store: IP addresses, connection timestamps, bandwidth, browsing or destination addresses, device identifiers, or DNS queries. We do not link payment information with usage activity.
3. Payments
Card payments are processed by Stripe; we do not store full card details and receive only a transaction reference. Depending on the flow, Stripe may act as an independent controller for payment data under its own privacy terms. For crypto payments we receive only the minimum payment confirmation necessary to activate your subscription.
4. How We Use Your Data
- Account creation, access and support
- Payment verification and refund handling (card payments)
- Compliance with lawful requests where legally required and technically possible
We do not sell or “share” personal information for cross‑context behavioral advertising.
5. Legal Bases
We process personal data only when one of the following applies: contract performance (account and payments) and legitimate interests (support, security, fraud prevention, refunds), and legal obligation where applicable.
6. Retention & Deletion
- Email is erased when you delete your account (with limited short-term technical retention for security/backups).
- Transaction IDs older than 30 days are automatically purged.
- You can request deletion at any time via [email protected].
7. Security
Our infrastructure is designed without persistent traffic logs and uses encrypted, RAM‑only or equivalent non‑persistent configurations where operationally feasible. Administrative access is restricted and audited.
8. International Data Transfers
Operational servers are located in the Netherlands, Luxembourg, and the Czech Republic. Where support staff outside the EEA/UK access account data (email), such access constitutes an international transfer. We rely on appropriate safeguards, including EU Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum, as applicable.
9. Your Rights (EEA/UK)
You may request access, rectification, erasure, restriction, portability, or object to processing. You also have the right to lodge a complaint with a supervisory authority. We aim to respond within one month (extendable where permitted). Requests: [email protected].
10. Changes
We may update this Policy; we will post revisions with a new effective date.