Effective Date: 4 April 2026  |  Last Updated: 4 April 2026

1. Introduction

Cog Camo VPN is operated by CogWorks, a sole proprietorship trading under the name CogWorks ("we", "us", "our"). CogWorks operates the Cog Camo VPN service (the "Service") comprising the CogCamo VPN desktop application, Android application, and supporting backend infrastructure.

This Privacy Policy explains what personal data we collect, the lawful basis on which we process it, how we use and protect it, and the rights available to you under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR) and the California Consumer Privacy Act (CCPA).

By accessing or using the Service you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

CogWorks (sole proprietorship, trading as Cog Camo VPN)
Email: contact@notacog.studio

3. Personal Data We Collect

3.1 Account Data (provided by you)

• Email address — used for account creation, verification, password resets, trial notifications, and support correspondence.
• Hashed password — your password is one-way hashed using bcrypt before storage; we never store or have access to your plaintext password.

3.2 Authentication & Session Data

• Session token (hashed) — a cryptographic session token is generated on login and stored as a SHA-256 hash in our database. The plaintext token is held only on your device.
• Token issuance timestamp — used to enforce session expiry.
• VPN UUID — a unique identifier assigned to your account for the VPN protocol; it contains no personally identifiable information.

3.3 Audit Log Data (automatically collected)

• Timestamp, event type, email, and IP address — recorded for security events (login, registration, password reset, logout, account deletion). These logs are used solely for abuse prevention and security incident response.

3.4 Data We Do NOT Collect

• We do not log your browsing activity, DNS queries, traffic destinations, traffic contents, or connection timestamps while using the VPN tunnel.
• We do not monitor, record, or inspect any data passing through the VPN tunnel.
• We do not sell, rent, or share your personal data with third parties for marketing purposes.
• We do not use cookies, analytics frameworks, or advertising trackers in our applications.

4. Lawful Basis for Processing

We process your personal data on the following lawful bases under Article 6(1) UK GDPR:

• Contract (Art. 6(1)(b)) — processing is necessary to provide the Service you have requested (account management, VPN access).
• Legitimate interests (Art. 6(1)(f)) — security logging and rate limiting to protect the Service and its users from abuse.
• Consent (Art. 6(1)(a)) — where you have explicitly consented to receiving communications beyond those strictly necessary for the Service.

5. How We Use Your Data

• To create and manage your account.
• To authenticate you and maintain active sessions.
• To provision and deprovision your VPN access across our server infrastructure.
• To send transactional emails (verification, password reset, trial expiry, support tickets, account deletion).
• To detect and prevent fraud, abuse, and unauthorised access through security audit logs.
• To enforce rate limits and protect the Service from denial-of-service attacks.

6. Data Sharing & Third Parties

We share personal data only where strictly necessary to operate the Service:

• Zoho Corporation — transactional email delivery (Zoho Mail API). Subject to Zoho's Privacy Policy.
• Infrastructure providers — our VPN servers are hosted by Scaleway (Warsaw) and Oracle Cloud Infrastructure (Frankfurt). These providers process data as part of hosting but do not have access to your account data or VPN traffic contents.

We do not sell your personal data. We will disclose personal data only if required by law, a valid court order, or other legally binding regulatory request.

7. International Data Transfers

Your data may be processed on servers located in the European Economic Area (Poland), the European Union (Germany), and the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place in compliance with UK GDPR, including standard contractual clauses or adequacy decisions where applicable.

8. Data Retention

• Account data — retained for the duration of your account. Deleted promptly upon account deletion.
• Audit logs — retained for up to 12 months for security purposes, then permanently deleted.
• Pending registrations — automatically purged within 30 minutes if email verification is not completed.
• Password reset tokens — expire after 1 hour and are marked as used or purged.

9. Data Security

We implement the following technical and organisational measures to protect your data:

• All client–server communication is encrypted using TLS 1.2 or higher.
• Passwords are hashed using bcrypt with per-user salts.
• Session tokens are hashed using SHA-256 before database storage.
• VPN traffic is encrypted using the VLESS protocol with REALITY TLS fingerprinting.
• Access to server infrastructure is restricted by SSH key authentication with strict host key verification.
• Sensitive files on the server are protected with restrictive file permissions (owner-only read/write).
• Rate limiting is applied to authentication endpoints to mitigate brute-force attacks.

10. Your Rights

Under the UK GDPR and, where applicable, the EU GDPR, you have the following rights:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate data.
• Right to erasure — request deletion of your data (available via the "Delete Account" feature or by contacting us).
• Right to restrict processing — request that we limit how we process your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at contact@notacog.studio. We will respond within 30 days.

10.1 Additional Rights for California Residents (CCPA)

If you are a California resident, you have the right to: (i) know what personal information we collect and how it is used; (ii) request deletion of your personal information; (iii) opt out of the sale of personal information (we do not sell personal information); and (iv) non-discrimination for exercising your privacy rights.

11. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The "Last Updated" date at the top of this document indicates the most recent revision.

13. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

https://ico.org.uk/make-a-complaint/

14. Contact Us

For any questions regarding this Privacy Policy or our data practices:

CogWorks (sole proprietorship, trading as Cog Camo VPN)
Email: contact@notacog.studio
Website: https://notacog.studio