1. Who We Are

Ceres VPN is developed and operated by CL&P Services Ltd, trading as Ceres Labs (“we”, “us”, or “our”), a UK-based company. We create software that allows users to deploy and manage their own private servers.

If you have any questions about this policy, please contact us at: privacy [at] cereslabs.org.

2. Information We Collect

We collect only the minimum data needed to operate and improve our products:

• Purchase Information: We receive purchase confirmation data when you buy or renew a subscription. This allows us to verify your license and unlock paid features.
• User ID: We generate a random internal identifier to associate your license with your server configuration.
• Cloud Provider Credentials (Temporary Processing): For the sole purpose of automating server deployment and configuration, the Application requires temporary access to your third-party cloud provider credentials (e.g., DigitalOcean API Keys/Tokens). **These credentials are processed locally on your device and, when needed passed securely to the respective cloud provider for immediate use. They are never stored, logged, or retained on Ceres Labs' servers or databases after the provisioning task is complete.**
• Secure Proxy Cookies (Optional): If you choose to use the optional Secure Proxy feature, we rely on essential cookies to authenticate your session securely. These cookies are technical in nature, strictly necessary for the functionality of the proxy, and are never used for tracking or advertising purposes.
• Email Address (optional): If you choose to provide your email (for example via a "Get Notified" form on our website), we use it to send updates and product information. You can unsubscribe at any time.
• Product Interaction Data: We may record anonymised data about how features are used (for example, deployment success or failure) to help us improve reliability. This data is not linked to your identity.
• Crash Data: We do not directly collect crash reports. Apple / your OS may collect anonymized crash data if you have opted in to share diagnostics from your system settings.
• Website Analytics (Conditional on Consent): If you consent to analytics cookies, we collect information about how visitors use our website, such as page views, navigation paths, and interactions with content. This data may be linked across pages or sessions using a pseudonymous identifier. Analytics are disabled by default and only enabled after you explicitly consent.

We do not collect names, addresses, or other personal identifiers.

3. How We Use Your Information

We use the information we collect to:

• Verify subscriptions and enable the app’s functionality.
• Maintain and improve the performance and reliability of the app.
• Send optional communications and updates (only if you have consented).

We do not sell or share your data with advertisers or other companies, and we do not use any form of cross-app or targeted tracking.

4. Legal Basis for Processing (GDPR)

Under the UK and EU GDPR, we rely on the following lawful bases for processing your data:

• Contractual necessity – to deliver the app and manage your subscription.
• Consent – for optional marketing communications and for analytics cookies.
• Legitimate interest – to maintain and improve the performance and security of our services, provided this does not override your fundamental rights and freedoms. This does not apply to analytics cookies.

5. Your Rights

You have the right to:

• Request access to the personal data we hold about you.
• Request correction or deletion of your data.
• Withdraw consent for marketing at any time.
• Object to or restrict certain processing activities.
• Lodge a complaint with your local data protection authority if you believe your rights have been violated.
• Withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise these rights, email privacy [at] cereslabs.org.

You may also withdraw consent for website analytics at any time using the cookie settings available on this site.

6. Data Retention

We retain data only as long as necessary to provide our services:

• License and configuration data are kept while your subscription remains active.
• Marketing contact information is deleted immediately if you unsubscribe.
• Diagnostic and usage data are anonymized and may be retained for performance analysis.

7. Third Party Service Providers

We use a limited number of trusted third-party service providers to operate our services. These providers act as data processors and only process data on our instructions.

• Google – used for Google Tag Manager and website analytics. Analytics cookies are disabled by default and are only activated if you explicitly consent.
• Cloudflare, Inc. – used to provide website security, performance optimisation, and content delivery.
• PostHog Inc. – used for website analytics and product insights. PostHog is only enabled if you explicitly consent to analytics cookies. Analytics data is processed using pseudonymous identifiers.
• Apple Inc. – used for app distribution and subscription management via the Apple App Store.

8. Cookies and Analytics

We do not use analytics or tracking cookies by default. Analytics cookies are only used if you explicitly consent.

We use Google Tag Manager (GTM) to manage analytics and other site scripts. GTM is loaded with all non-essential storage disabled by default using Google’s Consent Mode. This means analytics and advertising cookies are not set unless you give consent.

Basic technical data (such as IP address, browser type, and page URL) may be processed by Google to deliver the GTM script itself. No analytics data is collected unless consent is granted.

Your cookie preferences are stored locally in your browser using localStorage. This is used only to remember your choice and is not shared with us or with third parties.

You can change or reset your consent at any time using the cookie settings link on this site or by clearing your browser storage.

9. Data Transfers

We primarily store and process data within the UK and EEA. Some technical providers, including Cloudflare and Apple, may process limited data in other regions to deliver a secure and reliable service. Where such transfers occur, we rely on appropriate safeguards such as the EU Commission’s Standard Contractual Clauses to ensure protection of personal data.

10. Security

We take reasonable technical and organizational measures to protect your data, including encryption, access controls, and data minimization.

11. Children’s Privacy

Our products are not intended for use by children under the age of 16, and we do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Any significant changes will be communicated through the app or our website prior to taking effect.

12. Contact

CL&P Services Ltd is responsible for handling personal data in accordance with applicable data protection laws. For any questions or concerns about this Privacy Policy or your data rights, contact us at: privacy [at] cereslabs.org.