This Privacy Policy explains how Colitu Networks OÜ, operating the Colitu VPN brand, collects, uses, stores, protects, and discloses personal data when you use our websites, applications, VPN services, account dashboard, payment flows, support channels, and related services.
Colitu Networks OÜ is an Estonian private limited company registered in Estonia.
Company details:
Legal name: Colitu Networks OÜ
Brand: Colitu VPN
Registry number: 16948217
VAT number: EE102748391
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
Country: Estonia
Founded: 2024
Data controller: Colitu Networks OÜ
Privacy contact: privacy@colitu.xyz
Legal contact: legal@colitu.xyz
Support contact: support@colitu.xyz
Abuse contact: abuse@colitu.xyz
1. Scope of this Policy
This Policy applies to:
- the Colitu VPN website;
- Colitu VPN desktop and mobile applications;
- Colitu VPN account registration and login;
- subscription, billing, and checkout flows;
- customer support communications;
- service diagnostics, security, and abuse-prevention systems;
- any other product or service that links to this Policy.
This Policy does not apply to third-party websites, applications, payment processors, identity providers, app stores, or services that we do not control.
2. Our privacy commitment
Colitu VPN is designed to protect privacy and security. We aim to collect only the data that is necessary to provide, secure, operate, improve, and bill for the service.
We do not sell your personal data.
We do not use your VPN activity for advertising.
We do not log the content of your VPN traffic.
We do not monitor the websites you visit through the VPN.
We do not keep records of your browsing history through the VPN.
We do not keep records of the content of your communications through the VPN.
We do not keep records of DNS queries in a way that identifies your browsing activity, unless a specific technical configuration requires temporary security processing as described in this Policy.
3. Important distinction: account data vs VPN activity data
Some data is required to run a paid VPN service. This includes account, payment, subscription, device, support, security, and operational data.
This is different from VPN activity data.
Account and service data may include your email address, account ID, subscription status, payment status, invoice metadata, device count, support messages, login events, and limited technical diagnostics.
VPN activity data would include browsing history, traffic content, websites visited, files downloaded, communications content, or a record of what you do online through the VPN. Colitu VPN does not intentionally collect or store this type of activity data.
4. Personal data we may collect
We may collect the following categories of data:
A. Account data:
- email address;
- display name or full name if provided;
- hashed password if you create a password-based account;
- Google account identifier and email address if you use Google sign-in;
- account creation date;
- account status;
- subscription status;
- device allocation and device limit information;
- account preferences;
- language and region preferences.
B. Authentication and security data:
- login timestamps;
- authentication method;
- password reset events;
- session identifiers;
- anti-abuse and fraud-prevention signals;
- approximate IP address used to access the account dashboard or API;
- device/browser information used for account security;
- failed login attempts;
- security event logs.
C. Billing and payment data: payments may be processed by third-party payment providers. We do not store full card numbers unless explicitly stated by a payment provider integration that securely supports tokenized storage. We may receive and store payment status, subscription plan, billing period, currency, invoice ID, payment provider customer ID, transaction reference, VAT/tax information where required, billing country, refund status, or chargeback status.
D. VPN service data: to operate the VPN service, we may process limited technical data such as server selected, approximate connection region, device authorization status, subscription entitlement, temporary connection metadata required to establish or maintain the VPN session, bandwidth or service capacity metrics in aggregated or non-identifying form, and error codes or technical diagnostics needed to keep the service reliable. We do not use this data to build a browsing profile.
E. Device data: because each subscription currently includes 1 device unless otherwise stated, we may process a device identifier generated by the app or account system, device name if you provide it, platform type such as Windows, macOS, Linux, Android, or iOS, app version, activation status, last account-level device check-in time, and device limit status.
Future feature note: additional device add-ons may be introduced later through the account panel for an extra fee. Until that feature is released, the default device limit remains the one shown at checkout and in the account dashboard.
F. Support data: if you contact us, we may process your email address, your name if provided, support messages, attachments you submit, diagnostic information you choose to share, ticket status, and support history.
G. Website and cookie data: we may collect pages visited on our website, approximate region, browser type, device type, referrer, cookie identifiers, analytics events if analytics are enabled, and consent preferences. Where required by law, non-essential cookies or similar technologies should only be used after consent.
H. Communications data: we may process transactional emails, service notices, security notices, billing notices, support replies, and product update messages where permitted by law.
5. Data we do not collect as VPN activity logs
When you use Colitu VPN, we do not intentionally collect or store:
- browsing history;
- websites visited through the VPN;
- content of VPN traffic;
- content of communications;
- files transferred through the VPN;
- search queries made through third-party websites;
- long-term DNS query logs tied to your identity;
- activity profiles based on VPN usage.
6. Legal bases for processing
Where the GDPR applies, we rely on the following legal bases:
A. Contract: we process account, subscription, device, authentication, and service data to provide the VPN service you requested.
B. Legitimate interests: we process limited data for security, fraud prevention, abuse prevention, service reliability, debugging, product improvement, and enforcement of our Terms.
C. Legal obligation: we may process and retain data where required for tax, accounting, corporate, regulatory, legal, or compliance obligations.
D. Consent: we rely on consent for optional cookies, optional marketing communications, and certain optional diagnostics where required.
E. Vital or public interest: these bases are rarely used, but may apply in exceptional situations where legally recognized.
7. How we use data
We use data to:
- create and manage accounts;
- authenticate users;
- provide VPN access;
- enforce device limits;
- process payments and invoices;
- provide customer support;
- detect fraud, spam, abuse, and security threats;
- troubleshoot apps and infrastructure;
- maintain service reliability;
- send transactional notices;
- comply with legal obligations;
- respond to lawful requests;
- improve website and app experience;
- localize content and language preferences.
8. Google sign-in
If you choose to register or log in using Google, we may receive basic information from Google, such as your email address, name, profile identifier, and authentication token or confirmation needed to verify your identity.
Google sign-in must create or authenticate the user account through the Colitu API. The database of record for user accounts must remain in the API/database layer, not in the frontend.
Users must be able to use Google sign-in for both registration and login if the backend supports it.
9. Payments and third-party processors
Payment information may be processed by external payment providers. These providers may act as independent controllers or processors depending on the integration and applicable law.
We may share only the information necessary to process payments, confirm subscription status, issue invoices, prevent fraud, process refunds or chargebacks, and comply with tax and accounting rules.
Do not store full card numbers in the Colitu database unless a compliant, tokenized, PCI-safe payment integration explicitly requires it and legal/security review approves it.
10. Sharing of data
We may share data with:
- hosting and infrastructure providers;
- payment processors;
- authentication providers such as Google;
- email delivery providers;
- analytics providers if enabled;
- customer support tools;
- professional advisors;
- law enforcement, courts, regulators, or public authorities where legally required;
- anti-abuse or security providers where necessary.
We do not sell personal data.
11. Legal requests
Because Colitu Networks OÜ is registered in Estonia, legal requests should be directed to: legal@colitu.xyz
We review legal requests before responding. We aim to disclose only the data we are legally required to provide. Because we do not keep VPN activity logs, we generally cannot provide browsing history, traffic content, or records of websites visited through the VPN.
12. Abuse reports
Abuse reports should be sent to: abuse@colitu.xyz
We may investigate abuse reports to protect the service, users, infrastructure, and third parties. Investigation may involve account-level, payment-level, security, or infrastructure data, but does not mean that we maintain browsing history or traffic content logs.
13. Retention
We retain data only for as long as necessary for the purposes described in this Policy.
General retention principles:
- account data is retained while your account is active;
- billing and invoice data may be retained for tax and accounting obligations;
- support records may be retained to resolve disputes and improve service;
- security logs are retained for a limited period unless needed for fraud, abuse, or legal investigation;
- deleted account data is removed or anonymized unless retention is required by law;
- backups may retain deleted data for a limited technical period before automatic rotation.
Where practical, we use deletion, anonymization, or aggregation when identifiable data is no longer needed.
14. International transfers
We may use providers located outside Estonia or the European Economic Area. Where personal data is transferred internationally, we use appropriate safeguards where required, such as adequacy decisions, Standard Contractual Clauses, contractual protections, technical measures, and vendor due diligence.
15. Security
We use reasonable technical and organizational measures to protect personal data, including:
- encrypted transport where appropriate;
- access controls;
- authentication controls;
- logging and monitoring for security;
- least-privilege access where practical;
- secure software development practices;
- infrastructure hardening;
- backup and recovery measures;
- incident response processes.
No system is completely secure. Users are responsible for keeping account credentials confidential and maintaining the security of their own devices.
16. Your rights
Depending on your location and applicable law, especially under the GDPR, you may have the right to:
- access your personal data;
- request correction;
- request deletion;
- request restriction of processing;
- object to processing;
- request data portability;
- withdraw consent;
- complain to a supervisory authority;
- object to direct marketing;
- request information about processing.
To exercise privacy rights, contact: privacy@colitu.xyz
We may need to verify your identity before fulfilling a request.
17. Account deletion
Users should be able to request account deletion by contacting privacy@colitu.xyz, or through the account dashboard if the feature is implemented.
Account deletion may not immediately delete data that must be retained for legal, tax, accounting, fraud-prevention, dispute-resolution, or security reasons.
18. Children
Colitu VPN is not intended for children under the age required to enter into a binding contract or consent to data processing in their jurisdiction. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@colitu.xyz.
19. Cookies and similar technologies
The website may use cookies or similar technologies for:
- essential website functionality;
- authentication;
- security;
- language preferences;
- analytics if enabled;
- performance monitoring;
- consent management.
Non-essential cookies should be disabled until the user consents where required by law.
20. Changes to this Policy
We may update this Privacy Policy from time to time. If changes are material, we may notify users through the website, account dashboard, email, or app notice. The updated version will show a new effective or last updated date.
21. Contact
For privacy questions: privacy@colitu.xyz
For support: support@colitu.xyz
For legal notices: legal@colitu.xyz
For abuse reports: abuse@colitu.xyz
Colitu Networks OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
Registry number: 16948217
VAT number: EE102748391