Privacy
This Policy describes what data the Panda Defender Service collects, how it is used, who it may be shared with, and what rights users have. By using the Service, you confirm that you have read and understood this Policy.
1. Who is the operator
The Service is a personal project. The operator is a private individual (the «operator») without the status of a legal entity. Contacts for personal-data inquiries are listed on the contact page.
2. What data we collect
2.1. Registration data
- Email and password — the password is stored only as a cryptographic hash; even the operator cannot recover the original.
- Telegram ID and username — when signing in via Telegram. Your phone number is neither requested nor passed to the Service.
- Preferred interface language.
2.2. Technical data
- IP address and user-agent — recorded in access logs for security (preventing password brute-force, spam, attacks). Kept for no longer than 30 days.
- Cookies — to maintain the login session and remember the language and theme (see the «Cookies» section below).
2.3. Service data
- Purchase and payment history: amounts, dates, payment method, transaction ID (txid/invoice id) — for accounting and support.
- Time of last activity and actions in the user cabinet.
- Configuration metadata: server country, validity period, peer ID — for proper operation of the service.
2.4. What we do NOT collect
- The contents of traffic passing through the VPN/proxy.
- Browsing history or users' DNS queries.
- Real phone numbers, passport details, or biometrics.
- Payment details (card number, CVV) — these are handled exclusively by payment providers on their side.
3. Why we collect data
- Authentication — so you can sign in to your account.
- Payments and balance accounting — to deliver paid services correctly.
- Security — detection and prevention of abuse (fraud, password brute-force, breach of the Terms of Service).
- Service notifications — e.g., about expiring configurations or payment confirmations. You can opt out in profile settings.
- Support — processing of support requests.
- Analytics — aggregated, without identifying individual users (active users count, popular plans, etc.).
4. Legal bases for processing
We process your data on the following bases:
- Performance of contract — data without which the service cannot be delivered (account, balance, operation history);
- User consent — voluntarily provided data (email for notifications, etc.);
- Legitimate interests — for security and abuse prevention;
- Legal obligations — where data processing is required by applicable law.
5. Third-party subprocessors
For the Service to operate we use the following external services, which may receive a limited set of data as needed for their functions:
- Payment providers — process payments. Receive: amount, transaction ID (invoice ID, txid). They do not receive email/password/contact details. Bank card details never pass through our infrastructure — they are handled solely by the payment provider.
- Proxy supplier — an external service we buy proxy servers from. Receives: country, type, and duration of order. Does not receive user-identifying data.
- CDN provider — DDoS protection and static caching. Can see the IP address and HTTP request headers.
- Hosting providers — server hosting. The hoster sees that a VM is running but has no access to user data.
Each subprocessor has its own privacy policy. We do not share data with third parties for marketing purposes.
6. Cookies
The site uses the following cookies:
session— technical cookie that keeps you signed in (HttpOnly, SameSite=Lax);theme— selected theme (light/dark);lang— selected interface language.
Advertising and tracking cookies are not used at this time. If contextual advertising (e.g., Google AdSense) is added in the future, this Policy will be updated with an explicit notice.
7. Retention period
- Account data — for as long as your account exists.
- Payment history — up to 3 years for resolving possible financial disputes and confirming that services were rendered.
- Access logs (IP/user-agent) — no longer than 30 days.
- Service metadata of configurations — while the configuration is active, plus a grace period of up to 30 days.
8. Cross-border data transfers
Data may technically be transferred through third-party infrastructure (CDN/DDoS protection, hosting, email service) located outside the operator's country of residence. Transfer happens only to the extent necessary for the Service to operate and is governed by the respective providers' privacy policies.
9. Your rights
Regarding your personal data, you have the right to:
- Access — find out what data is stored about you;
- Correct — fix outdated data via profile settings or by contacting support;
- Delete — request deletion of your account and associated data, except for data we are required to keep by law (e.g., payment history);
- Withdraw consent — for specific types of processing (e.g., email notifications);
- Get a copy — request export of your data in machine-readable format.
Submit such requests via contacts. Response time — up to 30 days from receipt of the request.
10. Security
We apply reasonable technical and organisational measures to protect your data:
- HTTPS/TLS for all traffic between the browser and the server;
- password hashing using modern algorithms;
- restricted administrative access to the database;
- regular updates of system components.
No system is fully secure. In the event of an incident affecting your data, we will notify you within a reasonable period via email or Telegram.
11. Minors
The Service is not intended for persons under 18, or under the age of majority in the user's country. We do not specifically ask users for their age, but if we learn that an account belongs to a minor, that account will be deleted.
12. Changes to the Policy
The Policy may be updated. The current version is always published on this page with the update date. We will try to notify you of material changes in advance via email or the Telegram bot.
13. Contact
For any matters concerning personal-data processing and your rights, contact us via the contact page or via the Service's Telegram bot.