CloakID Privacy Policy

Last Updated: August 23, 2025

1. Introduction

Welcome to CloakID. This Privacy Policy explains how CloakID (“we,” “us,” or “our”) collects, uses, and protects your personal data when you use our Trusted Browsing Service (the “Service”). Our commitment to privacy is not just a legal obligation but a core part of our product.

  • Data Controller: CloakID is the Data Controller for your personal data, meaning we determine the purposes and means of processing.

  • Data Protection Officer (DPO): Our designated DPO is Svetoslav Nikolov, CEO. You can contact the DPO at privacy@cloakid.net. To manage the potential conflict of interest arising from the CEO’s dual role, CloakID maintains and regularly reviews a formal DPO Conflict of Interest Management Policy to ensure all data protection obligations are met with full independence and integrity.

2. Summary of Key Points (The First Layer)

We believe in radical transparency. Here’s a brief, plain-language summary of our data practices. For full details, please read the sections below.

  • We Do Not Store Your Browsing History: The core of our service processes your browsing traffic, but we are designed to forget. The full URLs of websites you visit are only processed in-memory to provide the service and are deleted after the request is completed.

  • We Minimize Data: We only collect and log the absolute minimum data necessary for our service to function securely and reliably. We hash all target domains before logging to prevent the storage of your browsing history.

  • You Are in Control: We operate on the principle of explicit, opt-in consent for any non-essential data processing.

  • We Do Not Sell Your Data: We never have, and we never will. Our business model is subscription-based, not surveillance-based.

3. The Personal Data We Process

This table provides a complete and transparent record of all data processing activities undertaken by the Service, as required by GDPR.

| Data Category | Specific Data Points Collected | Purpose of Processing | Lawful Basis | Data Retention Period | Third-Party Sub-processors |
|---|---|---|---|---|---|
| Account Data | Email address, Password (hashed & salted), Subscription tier | User authentication, Account management, Service-related communications | Performance of a Contract | For the lifetime of the account + 1 year | N/A |
| Payment Data | Transaction ID, Subscription status, Billing cycle dates | Processing payments, Managing subscriptions | Performance of a Contract | As required by financial regulations (typically 7 years) | Billwerk+ |
| Browsing Data | Full URL of requested websites (in-memory only), Hashed target domain (logged) | Providing the core anti-fingerprinting and proxy service | Explicit Consent | In-memory only (deleted after request completion) | Hetzner (Infrastructure) |
| Operational Data | IP Address, Request timestamps, Data transfer volume | Network security, Performance monitoring, Abuse detection | Legitimate Interest | 90 days (rolling) | Hetzner (Infrastructure) |
| Support Data | User communications, Ticket details | Responding to user inquiries and providing customer support | Legitimate Interest | For the lifetime of the account + 1 year | Zendesk (or selected help desk) |
| Protection Statistics Data (Optional) | Pseudonymous user identifier, Hashed top-level domain | To provide the user with an accurate, de-duplicated Protection Statistics Dashboard | Explicit, Granular, Opt-In Consent | 24 hours (rolling) | Grafana (Telemetry Service) |

4. Lawful Basis for Processing

Our processing of your personal data is grounded in a valid lawful basis under GDPR. For processing your Browsing Data, the only basis we use is your explicit, informed, unambiguous, and freely given consent, which you provide when you sign up for and use our Service. For other data, we rely on the performance of our contract with you or our legitimate interests in maintaining a secure and functional service.

5. Data Sharing and Third-Party Sub-processors

We use a limited number of trusted third-party services to help us operate. We have verified the GDPR compliance of each vendor and have a Data Processing Agreement (DPA) in place where required. These sub-processors are listed in the table above.

6. Data Retention

We practice data minimization and storage limitation. We only keep your personal data for as long as necessary to fulfil the purposes for which it was collected, as detailed in the table above.

7. International Data Transfers

Our primary infrastructure is located within the European Union. If any data is transferred outside the EU, we ensure that legal safeguards, such as Standard Contractual Clauses, are in place to protect your data.

8. Your Data Protection Rights

Under GDPR, you have fundamental rights over your data. We have engineered our service to honor these rights. You have the right to:

  • Access: Request a copy of all personal data we hold about you.

  • Rectification: Correct any inaccurate data, such as your email address.

  • Erasure (“Right to be Forgotten”): Request the complete and irreversible deletion of your account and all associated data.

To exercise these rights, please contact our support team or DPO. We will respond to all requests within one month.

Our website and Service may use essential cookies for functionality like authentication. We will provide a detailed Cookie Policy and obtain separate consent for any non-essential cookies.

10. Security Measures

We process your data with integrity and confidentiality as a core principle. We implement and maintain appropriate technical and organizational security measures, such as encryption and access controls, to protect your data against unauthorized processing, loss, or damage.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of any material changes and ensure the latest version is always available in our public Trust Center.


For questions about this Privacy Policy, contact our Data Protection Officer at privacy@cloakid.net.