CYBER/SANCTUARY [ memevpn · secure-tunnel ]
DOWNLOAD
Cyber Sanctuary :: Privacy Policy

Privacy Policy

DOCUMENT
DOC-CS-PRIV-2026-001
EFFECTIVE
2026-04-20
REVISION
v1.0.0
CLASSIFICATION
UNRESTRICTED

Last reviewed: 2026-04-20

This Privacy Policy describes how Cyber Sanctuary Labs (“Cyber Sanctuary,” “memevpn,” “we,” or “us”) collects, uses, discloses, and protects information when you use our applications, websites, and services (collectively, the “Service”).

We built Cyber Sanctuary because we wanted a VPN we could trust. That means the product had to be engineered so that even we cannot betray it. This document explains how.

Operating philosophy

A zero-logs policy is only as strong as the code that enforces it. Our VPN servers operate from RAM-only, read-only disk images, with kernel-level audit rules that prevent writing session data to persistent storage. We cannot comply with a request for traffic we never had the ability to retain.

What we collect

We collect the minimum information required to create an account, process payment, and maintain service quality. In practice, that means:

  • Account information — an email address and a salted, hashed password.
  • Billing information — processed by our payment partner (see §06). We receive a billing country, a subscription tier, and a renewal state. We do not store card numbers on our systems.
  • Aggregate service telemetry — total bandwidth consumed across the fleet, aggregated to 1-minute buckets, with no user identifiers. This helps us provision capacity.
  • Support correspondence — messages you send us, retained as long as necessary to resolve the issue.

What we refuse to collect

We do not collect, and have deliberately engineered our infrastructure not to receive:

  • Browsing history, DNS queries, or destination addresses
  • Connection timestamps linked to a user account
  • Originating IP addresses that persist past the end of a session
  • Session identifiers that can be correlated to traffic metadata
  • Device fingerprints, advertising IDs, or behavioral profiles

How we use what we collect

We use the information in §02 exclusively for:

  • Authenticating your account and enforcing subscription state
  • Sending transactional email (receipts, password resets, security alerts)
  • Responding to support requests you initiate
  • Capacity planning in aggregate, without per-user analysis
  • Detecting and preventing fraud and abuse of the network

We do not sell, rent, or trade personal information. We do not use it for advertising.

Retention windows

  • Account records retained while the account is active, plus 30 days after deletion for recovery.
  • Billing records retained for 7 years where required by tax law; we receive only the fields listed in §02.
  • Support tickets retained 365 days from the last message.
  • Session metadata never retained (not written to disk).
  • Aggregate telemetry retained 90 days, anonymous by construction.

Third-party processors

We disclose personal information only to the following processors, each under a written data-processing agreement:

  • Payment processing — Stripe, Inc. and the Apple / Google in-app purchase pipelines for billing.
  • Transactional email — Postmark for account emails.
  • Infrastructure — bare-metal colocation providers in multiple jurisdictions. Providers host our hardware; they do not operate our software.

We do not use advertising, marketing, or analytics third parties on our apps.

Government requests & warrants

We publish a transparency report every 90 days listing the number of law enforcement requests received, the jurisdictions they came from, and our response. When we receive a valid legal request, we can only provide what we have — which for VPN traffic is nothing.

We will challenge overbroad requests, gag orders we believe are unlawful, and any request for user metadata unrelated to account authentication.

International transfers

Cyber Sanctuary Labs is incorporated outside the Five Eyes, Nine Eyes, and Fourteen Eyes jurisdictions. Personal information may be processed in any country where we operate. For transfers from the EEA, UK, or Switzerland we rely on the Standard Contractual Clauses and supplementary technical measures including end-to-end encryption in transit and at rest.

Security measures

  • All production traffic is TLS 1.3 with certificate pinning on mobile clients.
  • Account passwords are stored as argon2id hashes.
  • VPN servers run from read-only root with verified-boot images.
  • Access to production systems requires hardware-key multi-factor authentication.
  • Independent security audits are performed annually; findings published at /transparency.

Children

Cyber Sanctuary is not directed to children under 13 (or 16 in the EEA and UK), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, please email us and we will delete it.

Your rights

Depending on your jurisdiction (including under GDPR, UK GDPR, CCPA/CPRA, LGPD, and similar laws) you may have rights to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your account and associated data
  • Port your information to another service
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with your data-protection authority

To exercise any of these rights, email privacy@cybersanctuary.example.

Cookies & site analytics

This marketing website sets a single strictly-necessary cookie to remember your theme preference. We use no third-party analytics, no advertising pixels, and no cross-site trackers. Our mobile and desktop clients do not use cookies at all.

Changes to this policy

We will notify account holders by email at least 30 days before any material change takes effect. Prior versions remain available at /transparency for comparison.

Contact

Privacy inquiries: privacy@cybersanctuary.example
Data Protection Officer: dpo@cybersanctuary.example
Postal: Cyber Sanctuary Labs, PO Box 404, Georgetown, Cayman Islands.

PGP fingerprint available at /keys/privacy.asc.