Privacy Policy

Last updated: · CONSILIORA NEXUS CONSULTING LTD

1. Introduction

Mix VPN is a virtual private network service for iOS operated by CONSILIORA NEXUS CONSULTING LTD ("Consiliora", "we", "us", or "our"), a company registered in the Republic of Cyprus under registration number HE468919, with registered address at Franklinou Rousvelt, 170, 2nd floor, Omonoia, 3048, Limassol, Cyprus.

Consiliora is the data controller of the personal data processed in connection with the Mix VPN iOS application and the website mixvpn.consiliora.org (together, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and what rights you have.

This Privacy Policy is issued in accordance with Regulation (EU) 2016/679 (the "GDPR"), the Cyprus Law 125(I)/2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws. It also reflects Apple App Store Review Guideline 5.4 applicable to VPN applications.

2. Our Core Commitment — No-Log VPN

We do not monitor, record, log, store, or share your online activity while you use the Mix VPN service. We do not log the websites you visit, the content you access, your DNS queries, the apps you use through the tunnel, or the originating and destination IP addresses of your traffic. We cannot associate specific online activity with a specific user.

The operation of the VPN tunnel is fully automated. Our servers are configured so that traffic passing through them is not written to any persistent log that could be used to reconstruct user activity.

3. Apple App Store Guideline 5.4 Commitment

In accordance with Apple App Store Review Guideline 5.4, Consiliora explicitly commits that Mix VPN does not sell, use, or disclose any user data to third parties for any purpose, other than to a limited set of vendors acting strictly as our data processors to enable the operation of the Service (see Section 6). Such processors act only on our documented instructions, are bound by written data processing agreements, and are contractually prohibited from using the data for their own purposes.

4. What We Do and Do Not Collect

We draw a clear line between data we deliberately do not collect and the limited operational data we must process to run the Service.

4.1 What We Do NOT Collect or Log

Websites you visit or any URLs accessed through the VPN
DNS queries or their responses
Originating IP address at the moment of connection (beyond what is strictly necessary to establish a session and which is not stored)
Destination IP addresses of the traffic you send through the tunnel
Content of your communications or data transmitted through the tunnel
Bandwidth usage attributable to an identifiable user account in a persistent log
Browsing history, search queries, or downloaded files

4.2 Account and Subscription Data

If you create an account or purchase a subscription, we process the minimum information needed to manage your entitlement:

Email address, where you voluntarily provide it (for example, to recover access or receive important service notices)
Purchase receipt and subscription status received from Apple (including transaction identifier, product identifier, purchase and expiration dates, trial and renewal status, refund and cancellation events)
A pseudonymous account identifier we generate to link your subscription status to your app installation

Payments are processed by Apple through the App Store. We do not receive or process your payment card details, bank account information, or other payment credentials.

4.3 Technical and Diagnostic Data

To operate the Service and diagnose issues, we process limited technical information, which may in some cases be considered personal data:

Device type and model, operating system version, and app version
Country of access (derived from the IP address and not stored together with identifying information)
Crash reports and diagnostic events, which help us identify defects in the application
Non-content performance signals such as connection success/failure rates and latency, used in aggregate
Language and time-zone settings of the device

4.4 Aggregate Server Performance Data

We monitor the performance and load of our VPN servers in aggregate (for example, total active sessions per server, average latency, error rates). This information is not linked to an individual user and is used solely to recommend the best-performing server and to plan capacity.

4.5 Communications With Us

If you contact our support team, we process your email address and the content of your messages in order to respond to your request.

4.6 Refund and In-App Purchase Data

In the event of a refund request for an in-app purchase, we may provide Apple with limited information about the user's in-app purchase activity as permitted by Apple's guidelines, including time since app installation, total app usage time, a pseudonymous account identifier, whether the in-app purchase was consumed, whether it included a trial period, the total amount spent, and the total amount refunded. This information is used solely to evaluate refund requests and prevent fraud.

5. Purposes of Processing and Legal Bases

For users in the European Economic Area, the United Kingdom, and other jurisdictions requiring a legal basis under similar laws, we rely on the following grounds under Article 6 of the GDPR:

Providing the Service (VPN connection, account management, subscription fulfillment): performance of a contract with you (Art. 6(1)(b)).
Operating, securing, and maintaining the Service; diagnosing and fixing defects; preventing fraud and abuse: our legitimate interest (Art. 6(1)(f)) in running a secure and reliable Service, balanced against your rights.
Complying with legal, accounting, tax, and regulatory obligations: legal obligation (Art. 6(1)(c)).
Responding to your support inquiries: performance of a contract (Art. 6(1)(b)) and/or our legitimate interest in providing customer service.
Establishing, exercising or defending legal claims: legitimate interest (Art. 6(1)(f)) or legal obligation (Art. 6(1)(c)).
Any optional non-essential processing (such as analytics beyond what is strictly necessary): your consent (Art. 6(1)(a)), which you may withdraw at any time without affecting the lawfulness of prior processing.

We do not carry out automated decision-making, including profiling with legal or similarly significant effects, based on the personal data we process through the Service.

6. Service Providers and Disclosures

We engage a limited number of vendors as data processors to help us operate the Service. These vendors include, by category:

Cloud infrastructure and VPN server hosting providers
Subscription and in-app purchase management tools
Mobile analytics and attribution services used to measure basic installation and retention metrics
Crash reporting and diagnostic tools
Customer support and email service providers

Each processor is bound by a written data processing agreement that requires them to process data only on our instructions, maintain appropriate security, and process no data for their own purposes. A current list of the categories of processors and the general regions in which they operate can be requested from us at any time.

We may also disclose personal data:

To competent authorities where required by applicable law, court order, or a legally binding request, but only to the extent such requirements can be reconciled with our no-log architecture (we cannot produce data we do not have);
To an acquirer or successor in the event of a merger, acquisition, reorganization, or sale of all or part of our business, subject to appropriate confidentiality safeguards and continued application of this Policy;
Where strictly necessary to protect the rights, property, or safety of Consiliora, our users, or others, including to prevent fraud or abuse of the Service.

We do not sell personal information, we do not share personal information with third parties for cross-context behavioural advertising, and we do not use user data to build advertising profiles.

7. International Data Transfers

Because the Service is global, some of our processors and VPN servers are located outside the European Economic Area, including in jurisdictions that have not been recognised by the European Commission as providing an adequate level of data protection.

Where such transfers take place, we rely on appropriate safeguards under Article 46 of the GDPR, including transfers to jurisdictions covered by a European Commission adequacy decision, the Standard Contractual Clauses approved by the European Commission (together with supplementary technical and organizational measures where needed), or another lawful transfer mechanism. You may request a copy of the safeguards applied to a specific transfer by contacting us.

8. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, applying the following general retention rules:

Account and subscription data: for the duration of your active account and for up to 24 months after the last active subscription, to allow reactivation, resolve disputes, and handle refund and chargeback windows. Longer retention may apply where required by accounting or tax law.
Purchase and billing records: for the period required by applicable tax and accounting law (typically 6 years in Cyprus).
Crash reports and diagnostic events: up to 90 days, after which they are deleted or aggregated into non-identifying form.
Aggregate server performance metrics: stored in non-identifying form for as long as needed to operate and improve the Service.
Support correspondence: up to 24 months after the case is closed, unless a longer period is needed for legal claims.
VPN session data: not retained (see Section 2).

Once a retention period ends, data is securely deleted or anonymized so that it can no longer be linked to you.

9. Data Security

We implement technical and organisational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit, access controls and least-privilege principles for employees, segregation of production systems, regular security review, and contractual security obligations on our processors. No method of transmission over the Internet or electronic storage is completely secure; we cannot guarantee absolute security.

10. Your Rights

10.1 Rights Under GDPR (EEA/UK Users)

Subject to the conditions and limitations set out in applicable law, you have the following rights:

Right of access — to confirmation and a copy of the personal data we hold about you.
Right to rectification — to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — to request deletion of your personal data in certain circumstances.
Right to restriction of processing — in certain circumstances.
Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format.
Right to object — to processing based on our legitimate interests, including the right to object to direct marketing at any time.
Right to withdraw consent — where processing is based on consent, at any time and without affecting the lawfulness of prior processing.

10.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to delete certain personal information; the right to correct inaccurate personal information; and the right to limit the use and disclosure of sensitive personal information. We do not sell or "share" personal information for cross-context behavioural advertising within the meaning of the CCPA/CPRA, and we do not use sensitive personal information for purposes other than those permitted by the CCPA/CPRA. You also have the right not to receive discriminatory treatment for exercising your privacy rights.

10.3 How to Exercise Your Rights

To exercise any of these rights, contact us at support@consiliora.org. We will respond within the time periods required by applicable law (generally within one month under the GDPR and within 45 days under the CCPA/CPRA). We may need to verify your identity before processing your request. You may designate an authorised agent to make a request on your behalf, as permitted by applicable law.

11. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR or other applicable data protection law, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Office of the Commissioner for Personal Data Protection of the Republic of Cyprus
Iasonos 1, 1082 Nicosia, Cyprus
Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus
Email: commissioner@dataprotection.gov.cy
Website: www.dataprotection.gov.cy

You may also lodge a complaint with the supervisory authority of the EU Member State where you are habitually resident, where you work, or where the alleged infringement took place.

12. Apple App Tracking Transparency (ATT)

On iOS, applications must request permission before tracking your activity across other companies' apps and websites. Mix VPN does not engage in cross-app or cross-site tracking for advertising purposes and does not use identifiers for tracking as defined by Apple. If, in the future, any feature of the Service requires such tracking, we will request your explicit permission through the ATT prompt and will honour your choice.

13. Children's Privacy

Mix VPN is not directed to and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at support@consiliora.org.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The "Last updated" date at the top of this page indicates when it was last revised. Where changes are material, we will take reasonable steps to bring them to your attention, including through an in-app notice or an email where we have your address, a reasonable time before they take effect. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of it.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

CONSILIORA NEXUS CONSULTING LTD
Registration #HE468919
Franklinou Rousvelt, 170, 2nd floor
Omonoia, 3048, Limassol, Cyprus
Email: support@consiliora.org