GDPR Compliance

Our commitment to GDPR compliance and your data rights

Last updated: December 10, 2024

The General Data Protection Regulation (GDPR) is a European Union law that protects the privacy and personal data of EU residents. At SpiffyVPN, we are committed to GDPR compliance and protecting your data rights.

1. Our Commitment to GDPR Compliance

As a VPN service provider, we understand the critical importance of data protection. Even though Voidverse Studios Inc. is based in Canada, we voluntarily comply with GDPR standards for all our users worldwide, not just EU residents.

1.1 Privacy by Design

  • We built our service with privacy as a fundamental principle
  • Data minimization is at the core of our operations
  • We collect only what is necessary to provide our services
  • Strong encryption protects all data in transit and at rest

2. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

2.1 Contract Performance (Article 6(1)(b))

  • Processing necessary to provide VPN services
  • Managing your subscription and account
  • Processing payments
  • Providing customer support

2.2 Legitimate Interests (Article 6(1)(f))

  • Preventing fraud and abuse
  • Improving our services
  • Network security and troubleshooting
  • Analytics for service optimization

2.3 Legal Compliance (Article 6(1)(c))

  • Complying with tax and accounting obligations
  • Responding to lawful government requests
  • Meeting regulatory requirements

2.4 Consent (Article 6(1)(a))

  • Marketing communications (where not based on legitimate interests)
  • Optional cookies and tracking
  • Voluntary surveys and feedback

3. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

3.1 Right of Access (Article 15)

You have the right to:

  • Know what personal data we process about you
  • Receive a copy of your personal data
  • Learn about the purposes and legal basis for processing
  • Understand how long we retain your data

3.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

3.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • The data has been unlawfully processed
  • Deletion is required for legal compliance

3.4 Right to Restrict Processing (Article 18)

You can request restriction of processing in certain circumstances, such as while we verify the accuracy of your data.

3.5 Right to Data Portability (Article 20)

You can request your personal data in a structured, commonly used format to transfer to another service provider.

3.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

3.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time.

3.8 Right to Lodge a Complaint

You can file a complaint with your local data protection authority if you believe we've violated GDPR.

4. How to Exercise Your Rights

To exercise your GDPR rights, please contact us using the information provided below. We will respond to your request within one month, though this may be extended to two months for complex requests.

4.1 Required Information

To verify your identity and process your request, please provide:

  • Your registered email address
  • Account username (if applicable)
  • Specific details about your request
  • Proof of identity (for security purposes)

4.2 No Cost

Exercising your rights is generally free. However, we may charge a reasonable fee for excessive or repetitive requests.

5. Data Protection Measures

5.1 Technical Safeguards

  • AES-256 encryption for all VPN traffic
  • Perfect Forward Secrecy (PFS) protocols
  • Secure key management systems
  • Regular security audits and penetration testing
  • Encrypted data storage
  • Secure data transmission (TLS 1.3)

5.2 Organizational Measures

  • Privacy by design principles
  • Regular staff training on data protection
  • Strict access controls and authentication
  • Data processing agreements with vendors
  • Incident response procedures
  • Regular compliance reviews

6. International Data Transfers

As a global VPN service, we may transfer your data internationally to provide our services. We ensure adequate protection through:

6.1 Adequacy Decisions

We prefer to transfer data to countries with adequacy decisions from the European Commission, including Canada.

6.2 Appropriate Safeguards

For transfers to other countries, we implement appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (where applicable)
  • Certification schemes
  • Additional technical and organizational measures

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy:

Data Type                  Retention Period
Account information        Until account deletion
Payment records            Until account deletion
Connection logs            Not stored
Support communications     Until account deletion
Marketing consent          Until withdrawn

8. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Inform affected individuals without undue delay
  • Provide clear information about the breach and our response
  • Take immediate steps to contain and remediate the breach

9. Automated Decision Making and Profiling

We do not engage in automated decision-making or profiling that would significantly affect you. Any automated processing we use (such as fraud detection) includes human oversight and the ability to challenge decisions.

10. Children's Data

We do not knowingly process personal data of children under 16 (or the lower age set by EU member states). If we discover we have collected such data, we will delete it immediately and notify the relevant authorities if required.

11. Data Protection Officer

While not legally required as a Canadian company, we have designated a Data Protection Officer (DPO) to oversee our GDPR compliance efforts.

Data Protection Officer
Email: support@spiffyvpn.uk
Address: 204-7 Stag Hill Drive, Toronto, Ontario, Canada, M4B 1K7

12. Supervisory Authorities

If you're an EU resident, you can contact your local supervisory authority with any concerns about our data processing. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

13. Updates to GDPR Compliance

We regularly review and update our GDPR compliance measures. Material changes will be communicated through our usual channels and reflected in this document.

14. Contact Information

For any GDPR-related questions, requests, or concerns, please contact us:

GDPR Contact Information
Email: support@spiffyvpn.uk
Subject line: "GDPR Request - [Type of Request]"
Address: 204-7 Stag Hill Drive, Toronto, Ontario, Canada, M4B 1K7

We aim to respond to all GDPR-related requests within one month. For complex requests, we may extend this to two months and will inform you of any delay.