Privacy Policy

1. Introduction

OctoSEC AS ("OctoVPN," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our VPN services, website, and applications (collectively, the "Services").

We are a Norwegian company headquartered in Kristiansand, Norway, and we operate under Norwegian and EU/EEA data protection laws, including the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).

2. Data Controller

The data controller responsible for your personal data is:

3. Our Zero-Logs Policy

This means: We cannot provide information about your VPN usage to any third party because we simply do not have it. Our infrastructure is designed to not retain this data, and we have no ability to match users with their activities on our network.

4. Information We Do Collect

While we maintain a strict zero-logs policy for VPN usage, we do collect minimal information necessary to provide our Services:

4.1 Account Information

When you create an account, we collect:

• Email address: Used for account authentication, service communications, and support
• Username: Used for account identification
• Encrypted password: Stored using industry-standard hashing algorithms

4.2 Payment Information

Payments are processed by Stripe, our third-party payment processor. We do not store your complete credit card numbers or payment details on our servers. We only retain:

• Transaction identifiers for billing purposes
• Subscription status and plan type
• Payment method type (e.g., "Visa ending in 1234")
• Billing country (for tax compliance)

4.3 Technical Information

For service operation and security, we may process:

• Aggregate server load statistics (not linked to individual users)
• Service uptime and performance metrics
• Anonymous crash reports from our applications

4.4 Support Communications

When you contact our support team, we may retain communications to provide assistance and improve our Services.

4.5 Website Analytics

Our website uses privacy-focused analytics to understand how visitors interact with our site. We do not use cookies for tracking, and analytics data is aggregated and anonymized.

5. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Process transactions and send related information
• Send administrative messages, updates, and security alerts
• Respond to your comments, questions, and support requests
• Detect, prevent, and address technical issues and abuse
• Comply with legal obligations

6. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our Services to you
• Legal Obligation: Processing required to comply with applicable laws
• Legitimate Interests: Processing for our legitimate business interests, such as fraud prevention and service improvement, where these interests are not overridden by your rights
• Consent: Where you have given explicit consent for specific processing activities

7. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share information only in the following circumstances:

7.1 Service Providers

We work with trusted third-party service providers who assist us in operating our Services:

• Stripe: Payment processing (subject to Stripe's Privacy Policy)
• Infrastructure providers: Server hosting and network services

These providers are contractually obligated to protect your data and may only use it for the specific services they provide to us.

7.2 Zero-Logs Means Zero Data

Due to our strict zero-logs policy, we do not collect or store any VPN usage data. This means we have no data about your browsing activity, connection times, IP addresses, or any other information that could identify your online activities.

Norwegian law does not require VPN providers to retain user activity logs, and we have designed our infrastructure to ensure we simply do not have this data to share with anyone.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your personal data becomes subject to a different privacy policy.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: Retained while your account is active and for a reasonable period thereafter for legal and business purposes
• Payment records: Retained as required by tax and accounting laws (typically 5-7 years)
• Support communications: Retained for up to 2 years after resolution
• VPN usage data: Not retained (zero-logs policy)

9. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate personal data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of processing your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, please contact us at post@octosec.io. We will respond to your request within 30 days as required by GDPR.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.

10. International Data Transfers

Our servers are located in various countries to provide optimal performance. When your data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses
• Adequacy decisions by the European Commission
• Other legally approved transfer mechanisms

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication measures
• Employee training on data protection

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete such information.

13. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.

14. App Store Compliance

Our mobile applications are distributed through the Apple App Store and Google Play Store. In addition to this Privacy Policy, use of our apps is subject to the respective store's terms and privacy policies:

• Google Privacy Policy
• Apple Privacy Policy

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our website and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: