Privacy Policy — Ciphra VPN for iOS & macOS

What This App Is

Ciphra VPN, operated by CIPHRA SOFTWARE from Vancouver, Canada, routes your internet traffic through our servers using an encrypted tunnel (the VpnHood protocol) to protect your privacy. The VPN connection exists solely to provide this service.

This Privacy Policy explains what data the Ciphra VPN app for iPhone, iPad, and Mac collects, what it does not collect, how we use it, and how it is stored. We believe in transparency and want you to understand exactly how your data is handled.

Data We Do Not Collect (No-Logs)

We do not collect, log, inspect, store, or sell:

your browsing history or the websites/services you visit;
your DNS queries;
the contents of your VPN traffic;
your real (originating) IP address.

We have no logs that could link your online activity back to you.

Data We Do Collect

To keep the service running and to improve the app, we collect a limited amount of anonymized, non-personal data. We never ask for your name, and this data is tied only to a randomly-generated identifier — not to your real-world identity.

1. Service & Server-Health Data

Which server endpoint you connect to, the destination country/city, the protocol used, and whether a connection succeeded or failed.
Server performance metrics and connection error diagnostics used to monitor and maintain service health. This is de-personified; we do not store it against your originating IP address.

2. Anonymous App Analytics & Diagnostics

Collected only if you consent (see "Your Consent" below), via our own self-hosted analytics system. This includes:

app version, operating-system version, device locale, and a random, non-identifying app/device identifier;
in-app screen and dialog views, and which features you use;
subscription and payment events (plan, transaction identifier, payment method, success/failure) — never your card or banking details;
crash reports and error diagnostics.

Payment Note:

Subscriptions on iPhone, iPad, and Mac are purchased and billed by Apple through the App Store. We never receive or store your card, bank, or Apple ID payment credentials.

How We Use This Data

We use this data solely to: operate and secure the VPN; monitor service and server health; diagnose errors and failed connections; measure feature adoption and user retention; and improve the product and our marketing.

We do not use this data to build advertising profiles or to track you across other companies' apps or websites.

Your Consent

On first launch, the app asks whether you consent to anonymous analytics and diagnostics collection. No such data leaves your device unless you accept. You can change this choice at any time in the app under Settings → Privacy.

Sharing

We do not sell, rent, or share any of this data with third parties. The only billing intermediary is Apple, which processes your App Store subscription under Apple's own privacy policy.

Where It Is Stored & For How Long

All analytics and server-health data is stored privately on our own servers (a dedicated server hosted with OVHcloud in France) on our self-hosted analytics instance. It is automatically deleted after 90 days.

Analytics & diagnostics: automatically deleted after 90 days.
Server access and connection metadata: deleted or anonymized after 30 days.
Account and subscription references: kept while your account is active and deleted or anonymized within 30 days after a verified deletion request, except where we must retain limited records to comply with law (for example, tax, accounting, or dispute obligations).
Aggregated or anonymized statistics: may be kept longer because they no longer identify you.

Legal Bases for Processing

Where the EU GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases depending on the context:

Contract: to authenticate your device, provide VPN access, and verify and manage your App Store subscription.
Legitimate interests: to keep the service secure and reliable, prevent abuse and fraud, debug errors, and monitor service and server health without overriding your rights and freedoms.
Consent: for anonymous app analytics and diagnostics, which are collected only after you accept on first launch and can be withdrawn at any time.
Legal obligation: to comply with tax, accounting, consumer protection, sanctions, security, dispute, or lawful request obligations.

If we rely on legitimate interests, you may object as described in the rights section below.

Your Rights

Because we hold no information identifying you personally, we generally cannot link stored data to an individual. Depending on where you live, including under GDPR and UK GDPR Articles 15 to 21, you may still have the following rights:

Access (Article 15): request confirmation that we process your personal data and receive a copy of that data.
Rectification (Article 16): ask us to correct inaccurate or incomplete personal data.
Erasure (Article 17): ask us to delete personal data where the law requires or permits deletion.
Restriction (Article 18): ask us to limit processing while a request, objection, or dispute is reviewed.
Notification (Article 19): ask us to notify relevant recipients of rectification, erasure, or restriction where required.
Portability (Article 20): receive data you provided to us in a structured, commonly used, machine-readable format where applicable.
Objection (Article 21): object to processing based on legitimate interests and object at any time to direct marketing.
Withdraw consent: withdraw consent at any time where processing is based on consent, including by turning analytics off under Settings → Privacy, without affecting processing that was lawful before withdrawal.

To exercise these rights, contact [email protected]. Users in the EEA/UK have rights under the GDPR/UK GDPR; CIPHRA SOFTWARE acts as data controller. We may need to verify your request and will respond within one month where GDPR or UK GDPR applies, unless an allowed extension is needed. You may also complain to your local data protection authority.

Canada (PIPEDA & BC PIPA)

CIPHRA SOFTWARE operates from Vancouver, Canada and handles personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA). You may request access to or correction of your personal information by contacting [email protected], and you may raise unresolved concerns with the Office of the Privacy Commissioner of Canada. Where we send commercial electronic messages, we do so in accordance with Canada's Anti-Spam Legislation (CASL): we obtain consent where required, identify ourselves, and include an unsubscribe option in every such message.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the right to know what personal information we collect; to request access to, deletion of, or correction of that information; to opt out of any "sale" or "sharing" of personal information; and not to be discriminated against for exercising these rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. To exercise your California rights, contact [email protected].

EU/UK Representative (Article 27)

CIPHRA SOFTWARE is operated from Vancouver, Canada. Where EU GDPR Article 27 or UK GDPR Article 27 applies because we offer services to individuals in the EEA or the United Kingdom, we will maintain an EU and/or UK representative as required.

Requests or notices intended for our Article 27 representative may be sent to [email protected]. We will route them to the appropriate appointed representative where required and will publish representative name and address here when the appointment applies to your jurisdiction.

Encryption

At Ciphra VPN, we use industry-leading encryption standards to protect your data at every stage. Data is encrypted both in transit and at rest using strong cryptographic protocols.

Encryption in Transit

Communications between the app and our servers are protected using TLS 1.3, ensuring that your data cannot be intercepted or tampered with during transmission.
VPN traffic is secured using strong, industry-standard encryption.

Encryption at Rest

Data stored on our servers is encrypted using strong, industry-standard encryption, making it inaccessible to unauthorized parties.
Access to stored data is strictly limited to authorized administrators and is monitored through audit logs.

Children

The app is not directed to children under 13, and we do not knowingly collect data from them. If you believe a child has provided us with data, contact [email protected] and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

In-App Notification: important changes will be highlighted in the application.
Website Notice: updates will be posted on this page.
We'll provide at least 30 days' notice for material changes.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, we're here to help.

CIPHRA SOFTWARE

Business Location: Vancouver, Canada

Email: [email protected]

Response Time: We aim to respond within 24 hours.