Privacy Policy

1. Who We Are

ChromaSecure VPN ("ChromaSecure", "we", "our", or "us") is a VPN service provider. Our Android application is available on Google Play. This Privacy Policy explains how we collect, use, and protect information when you use our service. For questions, contact us at privacy@chromasecure.com.

2. Information We Collect

We do NOT collect:

• Your browsing history or activity while connected to the VPN
• DNS queries you make
• Your real IP address after connecting
• Connection timestamps or session duration logs
• Bandwidth logs tied to your identity

We DO collect:

• Anonymous device identifier (UID): Generated via Firebase Anonymous Authentication. This is a random string not tied to your name, email, or real identity. It is used solely to manage your subscription plan (Free/Basic/Pro/Business).
• Subscription status: Your current plan and whether it is active, via Google Play. We receive confirmation of purchases but not your payment details.
• Aggregate connection counts: We may count the total number of active VPN connections globally (not per-user) to monitor server load.
• Crash reports: If the app crashes, anonymous diagnostic data may be sent via Google Firebase Crashlytics to help us fix bugs.
• FCM token: A Firebase Cloud Messaging token used to deliver push notifications about service updates. You may opt out in your device settings.

3. How We Use Information

• To authenticate you and apply the correct subscription plan
• To display your VPN session stats within the app (these are stored locally and on your device)
• To send service-critical push notifications (e.g., maintenance, new servers)
• To analyze aggregate crash data and improve app stability
• To comply with legal obligations

4. Data Storage and Security

Minimal account data (anonymous UID, subscription plan) is stored in Google Firebase Firestore, hosted in secure Google Cloud data centres. All data in transit is encrypted using TLS 1.3. All VPN traffic is encrypted using WireGuard® with ChaCha20-Poly1305 cipher.

Firebase is GDPR-compliant and SOC 2 Type II certified. For Firebase's privacy practices, see firebase.google.com/support/privacy.

5. Third-Party Services

• Google Firebase: Anonymous authentication, Firestore database, Cloud Messaging
• Google AdMob: Advertising SDK shown to Free plan users. AdMob may collect device identifiers for ad personalisation. You can opt out via your device's ad settings.
• Google Play: Subscription purchases and billing. Subject to Google's Privacy Policy.

We do not sell or share your personal data with any third parties for marketing purposes.

6. Data Retention

Your anonymous UID and subscription status are retained for as long as you use the service. Session statistics displayed in-app are stored locally on your device and cleared when you uninstall the app. You may request deletion of your Firebase account data by contacting privacy@chromasecure.com.

7. Your Rights (GDPR / CCPA)

Depending on your location, you may have the right to:

• Access the data we hold about you
• Request correction or deletion of your data
• Object to or restrict processing
• Data portability
• Opt out of the sale of personal information (we do not sell personal data)

To exercise any right, email privacy@chromasecure.com with subject "Data Rights Request". We will respond within 30 days.

8. Children's Privacy

ChromaSecure is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from minors. If you believe a minor has provided us information, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via an in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact

For privacy questions or requests: privacy@chromasecure.com