Legal

Privacy Policy

Last updated: March 6, 2025

1. Who We Are

LowKeyVPN is a service operated by Floppy LLC, a California limited liability company. References to "we," "us," or "our" mean Floppy LLC. This Privacy Policy explains how we collect, use, and protect your personal information when you use LowKeyVPN.

2. Information We Collect

Account information: When you create an account, we collect your email address and a hashed (bcrypt) version of your password. We never store your password in plain text.

Payment information: We use Stripe to process payments. We do not store your credit card number, CVV, or full card details. Stripe provides us with a customer ID and subscription status. See Stripe's Privacy Policy.

VPN usage data: We track aggregate data usage (bytes transferred) per billing period to enforce plan limits. We do not log your browsing activity, DNS queries, IP addresses you connect to, or the content of your traffic.

Connection metadata: Our VPN servers do not retain logs of when you connected, your originating IP address, or which sites you visited. Server logs are flushed periodically and are not tied to your account.

Device and app data: Our apps do not collect device identifiers, crash reports to third parties, or analytics data beyond what is necessary to deliver the VPN service.

3. How We Use Your Information

  • To create and manage your account
  • To process payments and manage your subscription
  • To provision and deliver VPN access (Outline server keys)
  • To send transactional emails (receipts, password resets, billing alerts)
  • To enforce data usage limits and plan entitlements
  • To respond to support requests

We do not sell your personal information. We do not use your information for advertising. We do not share your information with third parties except as described below.

4. Third-Party Services

  • Stripe — payment processing. Subject to Stripe's Privacy Policy.
  • Outline / Jigsaw — open-source VPN infrastructure. No user-identifying data is shared with Jigsaw.
  • DigitalOcean — server hosting. VPN traffic passes through DigitalOcean servers. No user-identifying logs are retained.
  • Resend / email provider — transactional email delivery.

5. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email privacy@lowkeyvpn.com with "California Privacy Request" in the subject line. We will respond within 45 days.

Do Not Sell or Share My Personal Information: We do not sell or share personal information with third parties for cross-context behavioral advertising.

Sensitive Personal Information: We do not collect sensitive personal information as defined by CPRA (e.g., precise geolocation, financial account numbers, contents of communications).

6. Data Retention

We retain your account information for as long as your account is active or as needed to provide services. If you delete your account, we will delete your personal information within 30 days, except where retention is required by law (e.g., financial records required for tax purposes, which we retain for 7 years).

7. Security

We implement industry-standard security practices including bcrypt password hashing, HTTPS-only transmission, JWT session tokens, and encrypted VPN tunnels. No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@lowkeyvpn.com.

8. Children's Privacy

LowKeyVPN is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website. Continued use of the service after changes become effective constitutes acceptance of the updated policy.

10. Contact

Floppy LLC
California
privacy@lowkeyvpn.com