Application Privacy Policy

1. INTRODUCTION

This privacy policy describes how we collect, use, share, and otherwise process your personal data in connection with your use of:

• Toggle VPN mobile application software (App).
• Any of our services that are accessible through the App (Services).

We guarantee that your internet activity while using Toggle VPN app is not monitored, recorded, logged, stored, or passed to any third party. We do not store bandwidth usage data, traffic logs, IP addresses, or browsing history. From the moment you connect to one of our VPN servers, your internet data becomes encrypted.

Our App is intended for use only by adults (i.e., individuals who are 18 years of age or older, or the age of majority in their country). Children are not permitted to use our Services. We do not knowingly collect personal information from children. If you believe that we might unintentionally collect personal data from or about children, please contact us, and we will take reasonable measures to promptly delete such personal data from our records.

Please read the following carefully to understand our practices regarding your personal data and how we treat it.

2. IMPORTANT INFORMATION AND WHO WE ARE

Toggle Inc. is the data controller and is responsible for your personal information ("Company", "we", "us", or "our" in this Policy).

Contact details

Our full details are:

• Full name of legal entity: Toggle Inc.
• Email address: [email protected]
• Postal address: 131 Continental Drive, Suite 301, Newark, DE 19713-4323
• Telephone number: +1 (760) 512-1393

You have the right to make a complaint at any time to a data protection supervisory body.

Changes to the privacy policy and your duty to inform us of changes

We regularly review this privacy policy.

If we introduce changes to this privacy policy, we will post those changes on this page and notify you via push notification, email, or when you next open the App or log in to your account. You may be required to read and acknowledge the changes to continue your use of the App or the Services.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

3. WHAT DATA WE MAY COLLECT

We collect only the data that is necessary for the purposes described in this Privacy Policy. We do not gather any more information than we need to provide you with the App and Services. The personal data we collect will depend on the circumstances and your use of the App or the Services.

We collect data in three ways:

• data you provide to us;;
• data we collect automatically;;
• data we collect from our partners..

A. Data you provide to us

If you contact us via e-mail or another direct communication channel, we may collect the following categories of data:

• Contact information you choose to provide us (such as name and email address)
• Data you choose to provide when you request support, such as non-identifying data about your device, operating system, network and connection, selected VPN configuration, subscription details, screenshots or videos of an error, and other technical data.

If you subscribe to our App directly through the Company:

• Data you choose to provide us as your contact information for the purposes of auto-renewal notifications.

B. Data we collect automatically

When you use our App or Services, we may automatically collect the following categories of data:

• account ID;
• IP address.

Note that we do not use such data to learn a person's true identity or contact details, but only to provide you with our App and Services.

C. Data we collect from our partners

Third-party platforms. In case of subscription purchases processed by the Apple App Store or Google Play, we do not access, collect, or store your financial data, such as your credit card number or bank account. You are requested to provide payment details directly to the relevant platform. We may, however, receive limited non-financial data related to the purchase. For example, platforms may notify us if a purchase was successful and provide transaction details such as the transaction ID, purchase token, currency, and purchase date and time ("Purchase Data"). Any post-purchase processes are controlled by the platforms. We encourage you to review the privacy policies and terms of service of the platforms for further information before subscribing to the App.

Third-party payment processor. If you subscribe to our App directly with the Company, we will use Stripe for processing your payments. We receive the following categories of data from Stripe ("Transaction Data"):

• Stripe customer ID;
• transaction data, such as partial bank card details;
• non-identifying data you submitted to Stripe, such as your country-level billing address.

4. WHY WE COLLECT AND USE YOUR PERSONAL DATA

We will only collect and use your personal data when we have a lawful basis to do so. Our lawful basis for each purpose for which we use your personal data is specified below. Most commonly, we will use your personal data in the following circumstances:

• Consent. Where you have freely consented before the processing in a specific, informed, and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.
• Performance of a contract. Where we need to process your personal data to perform a contract with you or where you ask us to take steps before we enter into a contract with you. Where we rely on the performance of a contract and you do not provide the necessary information, we will be unable to perform your contract.
• Legitimate interests. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

5. AUTOMATED DECISION MAKING AND PROFILING

We do not make decisions based solely on automated processing or profiling that produce legal effects concerning you (or have similarly significant effects).

6. CRIMINAL OFFENCE DATA AND SPECIAL CATEGORY DATA

We do not intentionally collect criminal offence data about you. However, we may process data relating to criminal offences in monitoring the use of our App for security purposes, where we suspect you may have committed a crime, such as attempting to make a fraudulent purchase or claim, or circumvent the security of the App or Services. In such circumstances, we will provide that information to law enforcement and/or use it to establish, exercise, or defend a legal claim. In those circumstances, according to the type of activity and purpose, we will rely on legitimate interests (protecting our business, employees, and other users) and legal obligation (where required by legal, judicial, or law enforcement to disclose or process that information).

7. SPECIAL CATEGORIES OF PERSONAL DATA

We do not knowingly collect special categories of personal data such as data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

8. DISCLOSURES OF YOUR PERSONAL DATA

We may disclose your information to certain categories of recipients (for example, cloud storage or third-party payment processor) in order to provide you with our Services and comply with our legal obligations. We share some data with these third parties only when legally permitted or under data processing agreements.

We share your personal data with these third parties only where we have a legal basis as set out above or where such third parties process data on our behalf based on a data processing agreement, which may restrict further subcontracting by such third parties.

We may share your personal data with the following third parties:

• Amazon Web Services, Inc., USA (AWS), our data storage provider. You can find their privacy policy at: https://aws.amazon.com/privacy/.
• Stripe, Inc., USA (Stripe), our third-party payment processing provider. If you subscribe to our App directly with the Company, we will use Stripe for payments, analytics, and other business services. Stripe may collect personal data, including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. You can learn more about Stripe and read its privacy policy at https://stripe.com/privacy.
• regulators, law enforcement, and public authorities where necessary to exercise our rights or comply with a legal obligation.

9. INTERNATIONAL TRANSFERS

Our Services are global by nature, and your data may therefore be transferred to and processed in countries other than your country of residence. Because different countries may have different data protection laws than your own country, we take steps to ensure adequate safeguards are in place to protect your data, as explained in this Policy. Adequate safeguards that our partners may use include transfer of data to the jurisdictions, which are considered by the European Commission to be offering an adequate level of protection for personal data of EU residents, or standard contractual clauses approved by EU Commission, or other methods approved by the relevant regulators in other countries.

Please contact us using the contact details above if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

10. DATA SECURITY

Once we have received your information, we will use strict procedures and security features to protect your personal data from loss, unauthorised use, or access. We are continuously developing and implementing administrative, technical, and physical security measures to protect the confidentiality, security, and integrity of the collected data and to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the data under our control. This includes, but is not limited to, data encryption and limitation of access to personal information based on a "need-to-know" principle.

We have put in place procedures to detect and respond to personal data breaches and notify you and any applicable regulator when we are legally required to do so.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of our App or Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

All information you provide to us is stored on secure servers provided by AWS (SOC 2 Type II compliant, ISO 27001 compliant), located in jurisdictions, which are considered by the European Commission to be offering an adequate level of protection for personal data of EU residents or standard contractual clauses approved by EU Commission or other methods approved by the relevant regulators in other countries.

Access to our systems is strictly controlled through firewalls, whitelisting of IP addresses, and the application of the principle of least privilege. All access requires strong, complex passwords and mandatory multi-factor authentication.

Any payment transactions carried out by our third-party payment processing provider, Stripe, are encrypted using mutual transport layer security (mTLS) technology and processed as described at https://docs.stripe.com/security.

11. DATA RETENTION

We keep your information only for as long as necessary to provide our App and Services to you and fulfill the purposes described in this Privacy Policy.

Once we no longer have a legal basis to retain your personal data, we will either delete it or, in some circumstances, anonymize it (so that it can no longer be associated with you). We may use anonymized data for research or statistical purposes indefinitely without further notice to you.

Personal information printed on paper will be destroyed by shredding.

12. YOUR LEGAL RIGHTS

You have the following rights under data protection laws in relation to your personal data.

• Access. Request access to and/or a copy of the personal data we process about you (commonly known as a data subject access request). This enables you to check that we are lawfully processing it.
• Correction. Request correction of any incomplete or inaccurate data we hold about you. (We may need to verify the accuracy of the new data you provide to us.)
• Deletion. Request us to delete or remove personal data where there is no good reason for us continuing to process it. You can also ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we need to erase your personal data to comply with the law. (In some cases, we may need to continue to retain some of your personal data where legally required. If these apply, we will notify you at the time of our response.)
• Objection. Object to us processing your personal data where (a) we are relying on legitimate interests as the lawful basis and you feel the processing impacts on your fundamental rights and freedoms, or (b) the processing is for direct marketing purposes. In some cases, we may refuse your objection if we can demonstrate that we have compelling legitimate grounds to continue processing your information, which override your rights and freedoms.
• Restriction. Request that we restrict or suspend our processing of your personal data: if you want us to establish the data's accuracy; where our use of the data is unlawful, but you do not want us to erase it; where we no longer require it, but you need us to hold onto it to establish, exercise, or defend legal claims; or you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
• Data portability. Request we transfer certain of your personal data to you or your chosen third party in a structured, commonly used, machine-readable format. This right only applies to information processed by automated means that we process on the lawful bases of consent or performance of a contract.
• Withdraw consent. Withdraw your consent at any time where we are relying on consent to process your personal data. Please know that this does not affect the lawfulness of any processing carried out before you withdraw your consent, and after withdrawal, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
• If you are unhappy with how we process your personal data, we ask that you contact us first using the details below so that we have the chance to put it right. However, you also have the right to make a complaint to the regulator at any time.

You can exercise any of these rights at any time by contacting us at [email protected] or via the App.

13. US PRIVACY RIGHTS

This section applies to you if you are a resident of any of the following US States: California, Virginia, Colorado, Connecticut, Texas, Utah, Oregon ("US States"), which have adopted their state privacy acts (together "US Privacy laws").

Below you will find information about your rights, how to exercise them, and how we handle such requests.

• Right to access. You may submit up to two times in a 12-month period, free of charge, a verifiable request to disclose what personal information we collected, used, shared, sold, or disclosed about you in the preceding twelve (12) months.
• Right to delete. You have the right to request that we delete any of your personal information we collected and retained, subject to certain exceptions. Once we receive and verify your consumer request, we will delete your personal information from our records. However, we may deny your deletion request if retaining the information is necessary for us or our service providers under certain circumstances, which will be explained to you at the time of the denial, if any.
• Right to correct. Depending on your state of residency, you have the right to request that we correct the inaccurate personal information that we hold about you, taking into account the nature of the personal information and the purposes of the processing of the personal information.
• Right to data portability. You have the right to obtain your personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your personal data to another controller without hindrance.
• Right to opt-out. Depending on your state of residency, you have the right to opt-out of the processing of the personal data for purposes of (i) targeted advertising or cross-contextual behavioral advertising, (ii) the "sale" and/or sharing of personal data, or (iii) profiling (or solely automated decisions) that produce legal or similarly significant effects concerning you), as defined by the applicable US Privacy laws. However, we note that we do not collect any personal information for any of these purposes.
• Right to be free from discrimination. We may not discriminate against you for exercising any of your rights under US laws, including but not limited to (i) denying you our Services; (ii) charging you different prices or rates for our Services; (iii) providing you a different level or quality of Services; (iv) suggesting that you may receive a different price or rate for Services or a different level or quality of Services.
• Right to limit use and disclosure of sensitive personal information (for California residents). However, we note that we do not collect any sensitive personal information.

We will respond to your request within 45 days. In more complex cases, we may extend our response time by an additional 45 days. We reserve the right not to respond to your request or provide you with personal data, in case we are unable to verify your identity or authority to make such a request.

If you are a Virginia, Colorado, or Connecticut resident, you have the right to appeal our decision to deny your rights request. We do not sell data of our users.

14. CONTACT US

Please contact us if you have any questions about this policy.

If you have questions about data protection or any requests for resolving issues with your personal data, you can contact us at [email protected] or by contacting us via the App.