Privacy Policy
Effective: March 15, 2026
1. Data Controller
DataCork AG, registered in Canton Zug, Switzerland, is the data controller for Conduit VPN-as-a-Service. Contact: privacy@datacork.com.
2. Data We Collect
We collect the minimum data necessary to operate the service:
- Account data: Email address, display name, API key hashes (not plaintext keys).
- Billing data: Stripe customer ID, subscription status, payment provider references. We do not store credit card numbers.
- Usage metrics: Request counts, bandwidth consumed (bytes), connection timestamps. Used for billing and plan enforcement.
- Audit logs: API key creation/revocation, account changes, IP addresses of API requests.
3. Data We Do NOT Collect
- VPN traffic content or payloads
- DNS queries routed through VPN tunnels
- Websites visited or applications used
- Connection logs beyond billing-necessary metadata
- Device fingerprints or tracking identifiers
4. Legal Basis (GDPR Art. 6)
We process data based on: (a) contract performance (providing VPN service), (b) legitimate interest (security, fraud prevention), and (c) legal obligation (Swiss FADP, applicable EU law).
5. Data Retention
- Account data: retained while account is active, deleted within 30 days of account deletion.
- Usage metrics: aggregated after 90 days, raw data deleted after 12 months.
- Audit logs: retained for 24 months (compliance requirement).
- Payment records: retained for 10 years (Swiss accounting law).
6. Data Storage & Transfer
Primary infrastructure is hosted on AWS (us-east-1). VPN exit nodes are operated on third-party VPS providers globally. All data at rest is encrypted with AES-256. All data in transit is encrypted with TLS 1.3.
We do not transfer personal data to jurisdictions without adequate data protection unless required by the service (VPN exit node in requested country).
7. Your Rights
Under GDPR and Swiss FADP, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your account and data
- Export your data in machine-readable format
- Object to processing
- Lodge a complaint with a supervisory authority
To exercise these rights, email privacy@datacork.com.
8. Third-Party Processors
- Stripe: Payment processing (PCI DSS compliant)
- AWS: Infrastructure hosting (SOC 2, ISO 27001)
- Vultr/Linode/Hetzner: VPN exit node hosting
9. Cookies
We do not use cookies, tracking pixels, or third-party analytics on datacork.com. The API uses stateless authentication (API keys, not sessions).
10. Changes
We will notify registered users via email of material changes to this policy. The effective date above reflects the latest revision.