B) Iconic VPN — Privacy Policy

Version: 1.0 — Effective: [01/01/2026]

Summary (TL;DR)

  • We do not log the websites you visit, your DNS queries while connected to the VPN, your originating IP address after session establishment, or the contents of your traffic.
  • We process minimal “service data” to operate and secure the network (e.g., anonymised/aggregated transfer totals, coarse session timing), and billing/support data necessary to serve you.
  • You have UK GDPR rights (access, rectification, erasure, restriction, portability, objection).

This structure mirrors the no‑activity‑logs positioning and “service data” separation you see in HMA’s privacy materials, adapted to a UK controller and your brand posture. [hidemyass.com]

1. Who we are & contacts
Controller: [Iconic VPN Ltd], [address], email: [[email protected]].
UK DPO (if appointed): [Name / Provider / Contact].
Supervisory authority: You may complain to the ICO (UK).

2. What we don’t collect (VPN)
When connected to Iconic VPN, we do not collect or store: (i) your originating IP address (post‑auth handoff), (ii) DNS queries resolved while connected (we operate private DNS resolvers that do not persist individual query logs), (iii) browsing history or traffic contents, (iv) specific application usage. This aligns with a strict no‑activity‑logs policy.

3. What we do process (service & diagnostics)

  • Service telemetry (VPN): very limited telemetry to plan capacity and prevent abuse, e.g., rounded data transfer totals per account and coarse session timestamps (e.g., date only), associated with an internal identifier.
  • Account data: email address, hashed credentials or token, subscription tier, status.
  • Billing data: managed by our payment processor [Stripe/Adyen/…]; we retain transaction IDs and necessary tax metadata; card data is not stored by Iconic VPN.
  • Support data: messages and attachments you send to support.
  • Website analytics & cookies: see our Cookie Policy.

4. Legal bases
Contract (to provide the service), legitimate interests (security, fraud prevention, product improvement), legal obligation (tax/records), and consent (where required for marketing cookies/communications).

5. Retention

  • Service telemetry: [e.g., 30–90 days], then aggregate or delete.
  • Account/billing: for the life of the subscription + [e.g., 6 years] for statutory/tax obligations.
  • Support tickets: [e.g., 24 months] unless you request earlier deletion, subject to legal holds.

6. International transfers
If we transfer data outside the UK/EEA, we use the UK Addendum/SCCs or other adequacy mechanisms.

7. Your rights
Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with the ICO. To exercise rights, contact [[email protected]].

8. Security
We employ encryption in transit, least‑privilege access, monitoring, and regular reviews.

9. Updates
We will post updates here and maintain a Legal Archive with version history.