PRIVATE INTERNET ACCESS PRIVACY POLICY

IMPORTANT NOTE: The summaries here at the top of each section (in green) are for easy referencing; they are not meant to have any legal effect or in any way substitute the text of the Privacy Policy, which should be read and understood in full detail.

• Overview: As Private Internet Access (PIA) continues to be the most transparent, open, and privacy-focused online security retailer on the market, we want you to know exactly how we process and use your data in order to achieve our core objective of a) providing the best possible service while b) making sure that all of your data is handled with the highest possible standards of privacy.

This privacy policy (“Privacy Policy” or “Policy”) explains the privacy practices of PIA Private Internet Access, Inc., (collectively, “We,” “Us,” “Data Controller,” “Company,” or “PIA”) and applies to users (“User(s)” or “You”) of PIA’s services, including, among other things, the PIA VPN service (“Service”) and PIA website at www.privateinternetaccess.com (“Website”).

The processing of personal data, such as the email address or payment information of a user, shall always be in line with the General Data Protection Regulation (GDPR) and in accordance with any country-specific data protection regulations applicable to PIA. By means of this data protection declaration and Privacy Policy, we are informing the general public of the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, users are informed, by means of this Privacy Policy, of the rights to which they are entitled.

As the data controller for personal data, we administer the strictest policies in safeguarding your privacy and security. By agreeing to these policies written herein, you signify your acceptance of, and agree to be bound by, this Policy as interpreted in line with the Terms of Service, the Cookie Policy, and the Digital Millennium Copyright Act (DMCA) policy which are hereby incorporated as references (the DMCA policy, Terms of Service, and the Privacy Policy are sometimes referred to collectively as the “Policies") into this Privacy Policy.

TABLE OF CONTENTS

• Personal Information We Collect
  • Non-Personal Data
• Uses of Personal Data Collected by Us
  • VPN Users
  • Website Registration
• Disclosure of Personal Data
  • Law Enforcement Requests
  • Data Retention
• CalOPPA Statement
  • CCPA Statement
  • COPPA Disclosure
  • Rights of the Data Subject
• Maintaining the Security of Your Private Information
• Changes to this Privacy Policy
• Name and Address of Data Protection Officer
• Conclusion

PERSONAL INFORMATION WE COLLECT (“PERSONAL DATA”)

• Summary of this section: We collect as little personal information as possible – only what’s needed to activate your account and allow you to experience our world-class service. We need two things to sign you up for a subscription: 1) an email address, and 2) payment. That’s it. Once we get that, your account will be active and ready to use. We also collect as little anonymized data as possible – only what’s needed to gather overall usage metrics (not user metrics) so we can continue providing and improving our service. We DO NOT collect or store browsing history, connected content, user IPs, connection time stamps, bandwidth logs, DNS queries, or anything like that. We collect and retain zero user logs. We were founded on a message of “Your Privacy Is Our Policy”, and we take pride in the fact that we are the most transparent, honest, and trustworthy VPN provider out there.

• Please note that we do retain general location info for the purposes of paying sales tax in the US. This information is willingly provided by the user at checkout when paying with non-anonymous methods – and since the user’s general location is already included when paying with non-anonymous methods, this is a non-issue. That said, because Private Internet Access is a true friend to the privacy community (and the cryptocurrency community!), we’ve implemented a system where we cover the cost of sales tax for all crypto payments – meaning that we a) pay the sales tax of crypto users, and b) don't ask for, know about, or store location information when a user pays with crypto, making paying with crypto a truly anonymous (anonymous to PIA at least!) way to enjoy using our VPN service.

“Personal Data” means any information that relates to or may be associated with an identifiable person. The Personal Data we collect will vary depending on your use of PIA’s Website or Service, as follows:

From VPN Users:

• Email address for the purposes of account management and protection from abuse.
• Payment data for the purposes of processing payments as required by our third-party payment processors. Note that we neither know nor save your full credit card details.
• State or territory and zip code for tax analysis.

From Emails & Visitors to the PIA Website:

• Information included in any submissions on the 'Contact Us' page.

• The email address of any emails we receive.
• Cookie identifiers (see our Cookie Policy).

NON-PERSONAL DATA

“Non-personal Data” is not associated with or linked to any Personal Data. Any usage metric collected while using the Service is irreparably separated from the account user. Thus, Non-personal Data does not allow for the identification of any individual person. Non-personal Data we collect includes:

From All VPN Users:

• Anonymized overall parameters needed for product delivery and optimization (server uptime, global number of users, bandwidth capacity, etc.).

From VPN Users Who Opt-in & Willingly Send Reports:

• Anonymized connection events, protocol used, device identifiers (platform, app type/version), and connection source (whether manual or automated).

• Debugging information (app settings and necessary system information).

From Emails & Visitors to the PIA Website:

• Anonymized Google Analytics data.
• Internationalization and localization (i18n).

• System information.
• Server consumption.

USES OF PERSONAL DATA COLLECTED BY US

• Summary of this section: We need to know where to send account management correspondence, and we need to be able to receive your subscription fee. Your email address and payment can be as personal as you want them to be (and, as mentioned above, our anonymous payment methods are truly anonymous). We also need to get you access to our product in the most convenient and safest way possible. In general, we don’t need to know anything other than the fact that you love using our product so much that you’re willing to pay for our service and appropriately correspond with us.

VPN USERS

We collect your email address to send you subscription information, payment confirmation, customer correspondence, and PIA promotional offers (to the extent that you accept a subscription to our marketing list). Additionally, if residing in the US, we may collect your state and zip code to ensure compliance with our statutory tax obligations and for fraud detection.

Furthermore, we collect certain kinds of payment data to manage client signups, payments, and cancellations. We process the above data in compliance with various legal processes in order to comply with statutory and contractual obligations.

The above-mentioned Personal Data is not, at any point, associated with any kind of activity done by the user inside any Private Internet Access Service (VPN, Antivirus, or otherwise) – absolutely none of this usage data is recorded, logged, or stored in any way, shape, or form. All collected Personal Data remains completely separated from VPN or Antivirus usage, ensuring complete privacy when using our Service.

WEBSITE REGISTRATION

You have the option to register on the PIA website by inserting your username and password into the appropriate fields. The Personal Data entered there is collected and stored exclusively for internal use by PIA. When registering on our website, we store the payment method, login ID, and date and time of the registration. The storage of this data takes place against the backdrop that this is the only way to prevent the misuse of our Services, and, if necessary, to make it possible to investigate committed offenses. In short, the storage of this minimal amount of data is necessary to secure the data controller. This data is not passed on to third parties except as stated herein. Through registering on PIA’s website, you may exercise your rights as indicated below, through the website.

The registration of your data is intended to enable the data controller to offer the data subject contents or Services that may only be offered to registered users.

DISCLOSURE OF PERSONAL DATA

• Summary of this section: PIA’s raison d'etre is to provide our users with the most high-privacy online security products possible; and as such, we strive to do all we can to protect the privacy rights of our customers as they continue to use our service. We keep minimal personal data. We will NEVER share any of the data we have on our users with anyone, anything, or any entity unless doing so is absolutely necessary for us to keep providing our award-winning service. We DO NOT collect or store browsing history, connected content, user IPs, connection time stamps, bandwidth logs, DNS queries, or anything like that. We collect and retain zero user logs. In terms of what we do share – 1) service-level identifiers with our customer service infrastructure partner, Deskpro; 2) payment information with our payment partners, Stripe, Amazon Payments, BitPay, and PayPal; and 3) legally appropriate requested information – importantly, as can be seen in our transparency reports, while we are required to comply with valid subpoena requests from law enforcement, we are never able to provide law enforcement with any useful personal data because we never stored any in the first place. Note that all countries, including the most “privacy-friendly” ones (and we consider the USA to be one), operate under a similar legally compelling requirement. Every VPN provider in the world is required to comply with their country’s law and jurisdictional requests for information; as we are a US company, we are merely compelled to comply with a request, but we are not legally required to store user logs, so we don’t – that's why we’re never able to produce anything useful for any part of any investigation. Simply put, we share the tiny amount of personal data we collect with a few third parties that help us run our service better.

We do not now, nor have ever, nor ever will, share, sell, rent, or trade any user’s Personal Data with third parties other than as disclosed within this Privacy Policy. While we may disclose collected Personal Data to necessary members in our group of companies (across our ultimate holding company and all its subsidiaries) insofar as is reasonably necessary to continue our Service in line with this Policy, we regard our commitment to user privacy as paramount.

Furthermore, we may share your personal information with third-party service providers so that we may continue to improve our Service. In particular, in order to assist you if you have questions while using our website, or to assist you regarding your order and provide comprehensive customer support, we offer the possibility of online chat where, you will be requested to provide Personal Data such as a name and email. When a user visits the Private Internet Access online chat page, we use Deskpro to assist our customer service coordination. Deskpro stores in its own database: a visitor_id (a unique identifier randomly generated when someone visits the page, stored in their cookies), what browser the user used to log in, the country of the user, and the date visited. Name, account ID, and email address may be collected and stored if this information is provided for support tickets submitted to Private Internet Access. We may also use Deskpro as a medium for communications, either through email or through direct messages within the Deskpro platform. As such, any messages sent via live online chat, tickets, or emailed to [email protected] will be stored on Private Internet Access servers. We may use this data collected via Deskpro in order to improve customer experience. Your data may be internally analyzed to understand trends in customer behavior, demographics, and selections. We will never sell information to any third parties. Deskpro maintains its own separate Privacy Policy that is separate from Private Internet Access and can be located at https://www.deskpro.com/legal/privacy/.

Additionally, PIA itself does not process any orders or payments. We work exclusively with the payment processors Stripe, Amazon Payments, BitPay, and PayPal. You can find information about the payment services providers' privacy policies and practices at https://stripe.com/us/privacy (Stripe), https://pay.amazon.com/help/201212430 (Amazon), https://bitpay.com/about/privacy/ (BitPay), and https://www.paypal.com/us/webapps/mpp/ua/privacy-full (PayPal). Each payment processor’s Privacy Policy governs the collection and use of the information collected during the checkout process, and while we have found each third-party Privacy Policy to be in accordance with our strict privacy standards, we recommend you review each applicable Privacy Policy prior to placing an order or providing any kind of information, personal or otherwise.

If you select to subscribe to our Marketing list, we may share your data with such selected third parties that will administer the list. Such third parties will contractually agree to uphold the same standards as we hold your Personal Data. To find more about this, you can visit our current third-party mailing partners here. Opt-out at any time by clicking here.

LAW ENFORCEMENT REQUESTS

Additionally, although we will comply with all valid subpoena requests, our legal team scrutinizes each and every legal request that we receive for compliance with both the "spirit" and “letter” of the law. For invalid or overly broad subpoenas, we will first question and attempt to narrow the scope of any subject matter sought. PIA will not participate with any law enforcement request that is unconstitutional or illegal. Moreover, when it is possible and a valid option, we will provide the user an opportunity to object to any requested disclosures.

Civil or law enforcement requests are allowed to be sent to [email protected]. If there’s a request that requires mailing or a courier, that information is allowed to be sent to:

PIA Private Internet Access Inc.
Attn: Legal Department
9200 E Mineral Ave #100
Centennial, CO 80112
United States

While PIA agrees to accept service of law enforcement requests based on the methods listed, PIA does NOT waive any legal rights based on this accommodation.

DATA RETENTION

We reserve the right to rectify, replenish, or remove incomplete or inaccurate information at any time and at our own discretion as detailed above. Please note that unless you instruct us otherwise, we retain the information we collect for as long as needed to provide our Service, as well as to comply with our legal obligations, resolve disputes, and enforce our agreements.

CalOPPA STATEMENT

• Summary of this section: The State of California requires us to write very specific language related to our Privacy Policy. It’s a bit of a legalese jungle, but here’s the gist: If you live in California and want to request what data we have for you, you're allowed to request it once per year by sending an email to [email protected]. And in general, you have the right to own your data. So if you have any questions about the things you’re reading in this Privacy Policy or you want more detail about what information we have or how we use it, or if you want to request that we destroy all of your data (keeping in mind that we may not be able to offer you our services if we do that), you can send an email to [email protected].

CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”) STATEMENT

Pursuant to California Civil Code Section 1798.83, if you live in the State of California and your business relationship with us is mainly for personal, family, or household purposes, you may ask PIA about the information we release to other organizations for their marketing purposes. To make such a request, please send an email to [email protected] with “CCPA privacy request” as the subject. You are allowed under California law to request this information one time each calendar year. We will email you a list of categories of Personal Data we may have revealed to any third parties in the last calendar year, along with their names and addresses. Not all Personal Data shared in this form is included under Section 1798.83 of the California Civil Code. Please also see this California-specific privacy notice for more details related to your rights as a California resident under the CCPA.

By default, PIA does not share your Personal Data with any third parties aside from the disclosures already made in this Privacy Policy. However, if you wish to inquire into how PIA does not share our users’ Personal Data with third parties for direct marketing purposes, you may contact our Data Protection Officer (DPO) at [email protected].

COPPA DISCLOSURE - About Children’s Online Privacy

The Children’s Online Privacy Protection Act (COPPA) was passed to give parents increased control over what information is collected from their children online and how such information is used. The law applies to websites and services directed to, and which knowingly collect information from, children under the age of 13. Our online Services are not directed to children under the age of 13 nor is information knowingly collected from them. For additional information on COPPA protections, please see the FTC website at: https://www.consumer.ftc.gov/articles/0031-protecting-your-childs-privacy-online

RIGHTS OF THE DATA SUBJECT

Your principal rights under data protection law in relation to your Personal Data are:

• (a) the right to access any information which is provided to you through your account.
• (b) the right to rectification.
• (c) the right to erasure.
• (d) the right to restrict processing.

• (e) the right to object to processing.
• (f) the right to data portability.
• (g) the right to complain to a supervisory authority.
• (h) the right to withdraw consent.

We provide you with the ability to exercise the above rights along with certain choices and controls in connection with our treatment of your Personal Data. To exercise your rights through your account please contact our DPO at:

Dr. Venetia Argyropoulou
PIA Private Internet Access, Inc.
9200 E Mineral Ave #100
Centennial, CO 80112
United States (347)586-9467 (Ext. 904)
[email protected]

In the event that you make such a request, note that we may require certain information from you in order to verify your identity and locate your data, and the process of locating and deleting your data may take a sizable amount of time and effort. Data privacy and related laws in your jurisdiction may provide you with different or additional rights related to the data we collect from you, which may also apply.

MAINTAINING THE SECURITY OF YOUR PRIVATE INFORMATION

• Summary of this section: We have strict data-privacy protocols and procedures that include storing personal data in an encrypted form and notifying you if we need to store your personal data outside of the United States.

Only key employees of PIA and PIA’s Group with a need to administer or process Personal Data are granted access to the servers and information where Personal Data is stored. Furthermore, Personal Data is always maintained in a highly encrypted form.

We collect information globally, and we primarily store that information in the United States. If we transfer the storage of your Personal Data from the United States, we will request your consent.

CHANGES TO THIS PRIVACY POLICY

• Summary of this section: We reserve the right to adjust the contents of this Privacy Policy as needed without your approval if we deem fit. If there’s anything substantive that fundamentally changes our approach to user privacy or handling of user data, we will make every effort to clearly and effectively communicate that change. Again, as a fundamental rule, neither PIA nor anyone at Kape Technologies logs or stores any kind of substantiative Personal Data, user browsing data, or individual connection data other than what has been outlined here, nor do we share any personal or usage information with third parties for marketing purposes. The minimal usage data we do collect is completely anonymized, separated from personal identifiers, and necessary to keep our services operating. As a testament to our honesty, integrity, and transparency, this can be independently verified by examining the code of our 100% open-source applications and clients (found here).

If we decide to make changes to our Privacy Policy, at our sole discretion, such changes and updates will be effective immediately upon the display of the revised Privacy Policy. Thus, we encourage you to check this Privacy Policy regularly for updates, so that you are fully informed on how your data is collected and used. The date this Privacy Policy was last modified is reflected at the bottom of the page under the heading “Last revised”. Your continued use of the Services following the display of such amendments constitutes your acknowledgement and consent to such amendments to the Privacy Policy and your agreement to be bound by the terms of such amended policy.

If we make material changes to this Privacy Policy, we will notify you through the account or the Website or the in-app Service, and we will make our best efforts to notify you via email or by means of a notice on our home page prior to the change becoming effective.

NAME AND ADDRESS OF DATA PROTECTION OFFICER

For any further information, you may contact:

Dr. Venetia Argyropoulou
PIA Private Internet Access, Inc.
9200 E Mineral Ave #100
Centennial, CO 80112
United States (347)586-9467 (Ext. 904)
[email protected]

CONCLUSION

Private Internet Access has 10+ years of experience in leading the VPN industry with a strict no-usage-logs policy, world-class server infrastructure, and 100% open-source software. Above all else, PIA prioritizes user privacy, security, and freedom from unnecessary, unethical, and illegal surveillance.

Last revised: September 7^th, 2022