PRIVACY POLICY

Effective date: Jan 31, 2024

This Privacy Policy explains how VPN Lumos (further will be referred as “we” or “us”) collects, stores, uses and protects your personal data in connection with your use of our website quiz.vpnlumos.com and our application VPN Lumos™ (together referred to as the “Services”). This policy also explains the rights you have in respect of your personal data and the practices we implement to protect your privacy.

1. Personal data that we collect

Personal data that you provide:

• Your account details. This includes your name, email, your age, account credentials, subscription details, transaction history.

• Communication information. If you communicate with us, we collect your name, contact information, and contents of any messages you send.

• Social Media Information. We have pages on social media sites like Instagram. When you interact with our social media pages, we will collect the personal data that you choose to provide to us. Additionally, the companies that host our social media pages may provide us with aggregate information and analytics about our social media activity.

Personal data that we receive automatically from your use of the Services:

• Log data. It means the information that your browser automatically sends whenever you use our website, or whenever you access VPN Lumos application. It includes the IP address, browser type, date and time of your access.

• Usage details. It includes the features you use and your actions within the Services, as well as your time zone, country, dates and times of access, operating system information.

• Device information. It includes model and type of your device, unique device identifiers, and operating system information.

• Details about your in-app purchases. This may include, for example, details of the time you made certain purchases and your subscription details.

• Cookies. We use cookies on our website to operate and administer the Services and improve your experience there.

• Analytics. We may use analytics service providers that help us analyze how users interact with the Services to enhance your experience.

All the information above is your personal data, and we call it this way throughout the privacy policy.

2. Purposes of processing

We process your personal data for the following purposes:

• To administer, maintain, improve and/or analyze our Services.

• To develop new features.

• To prevent misuse of our Services and to ensure the security of our IT systems, architecture, and networks.

• To check if your age allows you to use VPN Lumos application.

• To monitor aggregated metrics such as total number of users, traffic, and demographic patterns.

• To provide you with support and respond to your inquiries.

• To send you service emails, including security alerts or transaction confirmations.

• Upon your consent, where required, to find audiences similar to our users. For this processing we may share, among others, details of your VPN Lumos application use (e.g., the fact that you work out with VPN Lumos application), your device information, and details of your subscription purchase with our third-party advertising partners like AppsFlyer.

• To enforce our rights and to defend from possible claims.

• To anonymize your personal data.

Aggregated or de-identified information. We may aggregate or de-identify your personal data to conduct research, or to analyze general behavior of the users to generate general user statistics that can be shared with third parties, published, or otherwise made generally available.

3. Legal basis for processing (for EEA, UK or Swiss users)

Our legal bases include:

• Performance of a contract with you when we provide, maintain, and improve our Services. This may include processing of your account details, log data and device information.

• Our legitimate interests in protection our Services from abuse, fraud, or security risks, or when we develop, improve, or promote our Services. This may include processing of your account details, the data you choose to provide, social media information, log data, use data, and device information.

• Your consent when we ask for your consent to process your personal data for a specific purpose that we communicate to you. You have the right to withdraw your consent at any time.

• Compliance with our legal obligations when we use your personal data to comply with applicable law or when we protect our or our affiliates’ or users’ rights or safety.

4. Personal data retention

We retain your personal data for as long as your account is active or for as long as it is necessary for the purposes of its collection and processing (e.g., for resolving disputes for safety and security reasons, or for complying with our legal obligations).

If you choose to deactivate your account, we retain your personal data for no longer than one month in case you decide to re-activate the Services. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, and/or to enforce our agreements.

We may also anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, as well as for the purpose of Services improvement and development. In this case, we may use this information indefinitely without further notice to you.

5. What are your data protection rights?

We want to make sure that you are fully aware of all your data protection rights and the ways you can exercise them. These rights may differ across countries.
If you are EEA or UK resident, you have the right to:

• Access your personal data. You can ask us for confirmation that we process your personal data with the information related to its processing.

• Ask to transfer your personal data.You can request that we provide you with your personal data that we collect on the basis of your consent in a structured, commonly-used and machine-readable format. Apart from that, you can ask us to give those data to another party directly, where it’s technically feasible.

• Request correction of your personal data. You can ask us to correct your personal data if you believe that it is inaccurate.

• Request deletion of your personal data. You may ask us to delete your personal data upon your withdrawal of the consent to processing, or if you believe that such processing is unlawful, or if your personal data must be deleted for compliance with a legal obligation under the EU, EU member state or UK law. Please note that deletion of your personal data may affect your use of our Services.

• Request restriction of your personal data processing. You can request a restriction of your personal data processing if you contest the accuracy of your personal data (which inaccuracy is verified by us).

• Object to processing of your personal data.You can object to the processing of your personal data where we rely on legitimate interests as the legal basis for processing.

• Withdraw your consent to personal data processing where we rely on the consent as the legal basis for processing.

• Lodge a complaint with data protection authority.You have the right to lodge a complaint with a local data protection authority in the country of your residence, where you work or where an alleged infringement of the applicable data protection law took place. Please see a list of EU member states’ supervisory authorities here, and the UK’s supervisory authority (ICO) here.

If you are resident of California, Virginia, Colorado, Utah, or Connecticut, you have the right to:

• Request the categories of personal data collected about you. We will provide, where relevant and required by law, the types of data we collect.

• Request the categories of sources from which your personal data is collected. We will provide, where relevant and required by law, the types of tools and organizations we use to collect data.

• Request the commercial purpose for collecting your personal data. We will provide, where relevant and required by law, the purposes to collect data.

• Request the categories of third parties to whom personal data is disclosed, and the categories of personal data disclosed. We will provide, where relevant and required by law, information regarding the other organizations that may receive your personal data.

• Request the specific pieces of personal data collected about you. We will provide, where relevant and required by law, your personal data.

• Request that personal data collected about you be deleted. We may keep personal data for legal reasons but will accommodate deletion requests when required. Please be aware that erasing some personal data may affect your ability to use our Services.

• Request that your inaccurate personal data be corrected. If you believe your personal data is not correct you may provide personal data to replace the erroneous data.

• Request that we do not sell or share your personal data. Each state may interpret a “sale” of personal data differently, however, if you are a resident of the states above or Nevada and request that your personal data not be sold, we will honor that request. Individuals in California may request their information not be shared with any third party.

How to exercise the rights:
If you wish to exercise any of your rights, please contact us at [email protected] and describe your request. No formal language is needed here, just a plain request and description of the circumstances if needed.

If you make a request, we will act on it within one month. If we need any more time to help you exercise any of your rights, we will let you know.

If your request is vague or unclear, we may engage into a conversation with you to understand your request better. We may also refuse to act on manifestly unfounded and excessive requests.

We can ask you to prove your identity while exercising your data protection rights. This is made to ensure that you are indeed entitled to receive certain information and that no rights of third parties are violated by your.If we can’t verify your request, we will not act on your request.
If we can’t verify your request, we will not act on your request.

You may submit a request through an authorized agent. If you do so, the agent must present signed written permission to act on your behalf and you may be required to independently verify your identity.

6. Security measures

We take the protection of your personal data very seriously and take all reasonable and appropriate measures to protect them from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction.

Among others, we utilize the following information security measures to protect your personal data:

• a. Encryption of your personal data in transit and in rest.

• b. Systematic vulnerability scanning and penetration testing.

• c. Protection of data integrity.

• d. Organizational and legal measures. For example, our employees have different levels of access to your personal data and only those in charge of data management get access to your personal data and only for limited purposes required for the operation of the application. We impose strict liability on our employees for any disclosures, unauthorized accesses, alterations, destructions, misuses of your personal data.

Please understand that no security system is perfect and, as such, we cannot guarantee the absolute security of the Services, or that your information won’t be intercepted while being transmitted to us. In case your personal data got compromised due to a security breach, we will act promptly to identify the cause and take all reasonable steps to remedy the breach. We will inform you of the incident, if necessary, in connection with the applicable legislation. If you want to report a security incident related to our Services, please contact us at [email protected].

7. Children’s privacy

We are committed to protecting the privacy of children. We do not knowingly collect personal data of any person under the age of 13 (of 16 years old for the residents of the European Union). If you are aware of anyone under 13 (or 16 years old for the residents of the European Union) using the Services, please contact us at [email protected] we will take required steps to delete such information and (or) delete the account.

8. Sharing of your personal data

We may use external service providers to process your personal data on our behalf. When we do so, we have appropriate agreements in place to protect such data. In the case of international transfers, we always make sure that additional safeguard mechanisms are in place (for example, by adding Standard Contractual Clauses).

Currently we share your personal data with the following service providers:

• Infrastructure & security
Amazon Web Services, Inc. (USA)
Auth0, Inc. (USA)

• Email & in-app communication
SurveyMonkey, Inc. (USA)
TypeForm (Spain)

• Analytics tools
Amplitude, Inc. (USA)
AppsFlyer, Inc. (USA)

• Customer support:
Zendesk, Inc. (USA)

• Payments
Apple, Inc. (USA)
Stripe, Inc. (USA)

• Subscriptions management:
Adapty, Inc. (USA)
AppHud, Inc. (USA)

9. Changes to our privacy policy

The date this privacy policy was last reviewed is indicated at the top of the page. We may modify or update this privacy policy from time to time. Some changes do not require your consent: for example, when we add a new purpose of processing that is compatible with the existing purposes, or the new processing activity that falls under the users’ reasonable expectation. However, if the changes made may pose risk to your rights and freedoms (for example, by including a new purpose of the processing that is not compatible with the existing purposes of processing, a new legal basis, or a new category of personal data to be collected or a new data subject, all of which are not reasonably expected by the users), we will ask for your consent to those changes separately from this privacy policy. If you did not receive a request for your consent to the changes or refused to give consent, those changes will not apply to you. That fact can negatively affect some of our Services provided to you if those Services inevitably include consent to the changes.

CALYPSO MOBI OÜ

Address: Estonia, Tallinn, Lasnamae linnaosa, Sepapaja tn 6, 11415

Email: [email protected]

Our DPO: [email protected]