Privacy Policy

    How we collect, use, and protect your information

    Information We Collect

    Types of data we collect and how we collect it

    1. Automatically Collected Technical Data

    When you visit our website, we automatically collect certain technical information necessary for the website to function:

    • IP Address: Collected in server access logs for security and abuse prevention. IP addresses may be retained for up to 90 days.
    • Browser and Device Information: Browser type, version, operating system, device type
    • Anonymous Aggregate Usage Data: Page views, referrers, route-level navigation, and Core Web Vitals performance metrics collected through Vercel Analytics and Speed Insights without analytics cookies
    • Optional Event Analytics: If you enable analytics consent, feature, quiz, comparison, and affiliate-link events may be collected through PostHog using anonymous browser or session identifiers
    • Referrer Information: The website that referred you to our site
    • Timestamp Data: Date and time of your visit

    Legal Bases (GDPR/UK GDPR): Legitimate interest (Article 6(1)(f)) for security, abuse prevention, website functionality, and anonymous aggregate metrics; consent (Article 6(1)(a)) for optional PostHog event analytics and related browser storage.

    2. Cookies and Similar Technologies

    We use cookies and local storage technologies. For detailed information, please see our Cookie Policy.

    • Essential cookies for website operation (session management, security)
    • No analytics cookies used for our anonymous aggregate Vercel page-view and performance metrics
    • Optional event analytics browser storage only if you enable analytics consent
    • Preference cookies to remember your settings (theme, cookie preferences)
    • Affiliate tracking cookies may be set by VPN providers or affiliate networks after you click through to their sites

    3. Information You Provide Voluntarily

    When you contact us via social media:

    • Social Media Handle: If you contact us via Instagram, we may receive your username
    • Name: If you provide it in your message
    • Message Content: The content of your message
    • Additional Information: Any other personal information you choose to include

    Legal Basis (GDPR): Consent (Article 6(1)(a)) when you initiate contact, or legitimate interest (Article 6(1)(f)) for responding to inquiries.

    Retention: Social media communications are retained for up to 24 months after the last correspondence, or as required by applicable law.

    4. Subscription and Payment Information

    If you subscribe to premium features through our website:

    • Subscription Plan Information: Selected plan, subscription status, dates
    • Payment Information: Processed by third-party payment processors (we do not store full credit card numbers)
    • Billing Information: Billing address if required by payment processor

    Legal Basis (GDPR): Contract performance (Article 6(1)(b)) for subscription services.

    Third-Party Processors: Payment processing is handled by secure third-party payment gateways with their own privacy policies. We only receive confirmation of payment status, not full payment details.

    What We Do NOT Collect

    • We do not require account registration for basic website access
    • We do not collect social media account information
    • We do not collect health information or special category data (GDPR Article 9)
    • We do not track users across other websites (no cross-site tracking)
    • We do not sell personal data to third parties
    • We do not use personal data for marketing communications (unless you explicitly opt in)

    How We Use Your Information

    Purposes of Processing

    We use your personal information for the following purposes:

    • Website Operation: To provide, maintain, and improve our website functionality and user experience
    • Security: To detect and prevent fraud, abuse, security incidents, and protect our users and services
    • Communication: To respond to your inquiries, comments, or requests when you contact us
    • Anonymous Aggregate Analytics: To understand page views, referrers, SEO/AEO/GEO traffic signals, and route-level performance using Vercel Analytics and Speed Insights without analytics cookies
    • Optional Event Analytics: If you consent, to understand quiz usage, comparison interactions, outbound VPN provider clicks, and affiliate-link performance using PostHog
    • Affiliate Attribution: To disclose, route, and measure referrals when you click VPN provider affiliate links, enabling us to earn commissions
    • Subscription Management: To manage premium subscriptions, process payments, and provide subscribed features
    • Legal Compliance: To comply with applicable laws, regulations, and legal processes
    • Preference Storage: To remember your settings (theme, language, cookie preferences)

    Legal Basis for Processing (GDPR Article 6)

    • Legitimate Interest (6(1)(f)): Anonymous aggregate Vercel page-view and performance metrics, website security, abuse prevention, responding to inquiries, and affiliate relationship administration
    • Consent (6(1)(a)): Optional PostHog event analytics and any non-essential cookies or similar browser storage governed by the cookie banner
    • Contract (6(1)(b)): Processing necessary for subscription services you've requested
    • Legal Obligation (6(1)(c)): Compliance with applicable laws and regulations

    Our Privacy Commitment

    • We process only the minimum data necessary for the stated purposes
    • We do not sell, rent, or trade your personal information to third parties
    • We do not use your data for marketing unless you explicitly opt in
    • We do not track you across other websites
    • We anonymize or pseudonymize data where possible

    Data Protection & Security

    Technical Safeguards

    • Encryption in Transit: HTTPS/TLS 1.2+ encryption (TLS 1.3 where supported)
    • Access Controls: Restricted access to authorized personnel with multi-factor authentication
    • Security Monitoring: Regular security audits and vulnerability assessments
    • Dependency Management: Routine patching and automated vulnerability alerts during development
    • Backup Systems: Version-controlled infrastructure with regular secure backups
    • Incident Response: Procedures for detecting, reporting, and responding to data breaches

    Data Retention Policies

    We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:

    • Server Access Logs: IP addresses retained for up to 90 days for security purposes
    • Essential Cookies: Session duration only (deleted when browser closes)
    • Anonymous Aggregate Analytics Data: Vercel page-view and performance metrics retained according to our Vercel project settings; we do not store visitor-level analytics profiles in our own systems
    • Optional Event Analytics Data: PostHog browser storage remains until you withdraw consent or clear browser data; event retention follows our analytics provider/project retention settings
    • Preference Cookies: Until manually cleared or expired (typically 12 months)
    • Email Communications: Up to 24 months after last correspondence, or as required by law
    • Subscription Data: For duration of subscription plus 7 years for tax/legal compliance
    • Affiliate Tracking: Attribution windows typically 30-90 days

    After retention periods expire, data is securely deleted or anonymized.

    Data Breach Notification

    In the event of a data breach that poses a risk to your rights and freedoms, we will:

    • Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
    • Notify affected users without undue delay if the breach poses a high risk (GDPR Article 34)
    • Provide clear information about the nature of the breach and steps being taken
    • Follow applicable breach notification laws (including CCPA requirements where applicable)

    Data Sharing & Third-Party Processors

    Third-Party Service Providers

    We use trusted third-party service providers to help operate our website. These processors are contractually obligated to protect your data:

    Hosting & Infrastructure

    Our website is hosted on cloud infrastructure providers. They process IP addresses and access logs as necessary for hosting services.

    Analytics and Performance Providers

    We use Vercel Analytics and Vercel Speed Insights for anonymous aggregate page-view and performance measurement. This layer:

    • Does not use analytics cookies
    • Does not give us names, email addresses, account IDs, or full IP addresses in analytics reports
    • Collects aggregate metrics such as page views, referrers, device type, browser type, country or region, and Core Web Vitals
    • Keeps only standard UTM campaign parameters and strips all other query strings and URL fragments before analytics events are sent
    • Is used for site performance, SEO/AEO/GEO measurement, and editorial prioritisation, not behavioural advertising

    If you enable analytics consent, we also use PostHog for optional event analytics such as quiz, comparison, and affiliate-link events. PostHog may use browser storage or anonymous session identifiers, and it remains off unless you opt in through the cookie banner.

    • Vercel Analytics Privacy Information
    • PostHog Privacy Information

    Payment Processors

    For subscription payments, we use secure payment gateways. We do not store full payment card details. Payment processors have their own privacy policies.

    Affiliate Networks

    When you click VPN provider links, affiliate networks may set tracking cookies after you arrive on their sites to attribute purchases. If you have enabled optional analytics consent, we may also record the outbound affiliate-link click in PostHog for aggregate link performance reporting.

    Our Commitment

    • We do not sell, rent, or trade your personal information
    • We only share data with third parties necessary for website operation, with appropriate safeguards
    • All third-party processors are contractually bound to protect your data
    • We conduct due diligence on third-party processors to ensure they meet privacy and security standards

    International Data Transfers

    Some of our service providers may be located outside the European Economic Area (EEA) or your country of residence. When we transfer data internationally:

    • We use appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission
    • We ensure processors are certified under adequacy decisions where applicable (e.g., UK Extension to EU-US Data Privacy Framework)
    • We verify that data transfers comply with GDPR Chapter V requirements and applicable local laws

    Children's Privacy

    Age Restrictions

    Our website is not intended for children under the age of 13 (under 16 in the EU/UK). We do not knowingly collect personal information from children without appropriate parental consent.

    • COPPA Compliance (US): We comply with the Children's Online Privacy Protection Act (COPPA)
    • GDPR Article 8: For children under 16 in the EU/UK, we require verifiable parental consent
    • If you are a parent/guardian: If you believe your child has provided us with personal information, please contact us immediately on @thevpnmatrix

    If we discover that we have collected personal information from a child without appropriate consent, we will delete that information promptly.

    Your Rights & Choices

    GDPR Rights (EU/UK Users)

    Under the General Data Protection Regulation (GDPR) and UK GDPR, you have the following rights:

    • Right of Access (Article 15): Request a copy of personal data we hold about you
    • Right to Rectification (Article 16): Correct inaccurate or incomplete data
    • Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
    • Right to Restrict Processing (Article 18): Limit how we use your data
    • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
    • Right to Object (Article 21): Object to processing based on legitimate interests; optional event analytics is consent-based and can be withdrawn through the cookie preferences

    CCPA Rights (California Users)

    Under the California Consumer Privacy Act (CCPA) and CPRA, you have the following rights:

    • Right to Know: Request disclosure of categories and specific pieces of personal information collected
    • Right to Delete: Request deletion of personal information (subject to certain exceptions)
    • Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do not sell data)
    • Right to Non-Discrimination: We will not discriminate against you for exercising your rights
    • Right to Correct: Request correction of inaccurate personal information
    • Right to Limit Use: Limit use of sensitive personal information

    How to Exercise Your Rights

    To exercise any of your rights, please contact us:

    • Contact: Reach out to us on @thevpnmatrix
    • Subject Line: Include "Privacy Request" and specify which right you're exercising
    • Verification: We may need to verify your identity before processing your request
    • Response Time: We will respond within 30 days (one month under GDPR, or as required by local law)

    You can also manage cookie preferences using our cookie consent banner or browser settings. For cookie-specific requests, see our Cookie Policy.

    Right to Lodge a Complaint

    If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

    Cookies & Tracking

    We use minimal cookies and browser storage to provide essential website functionality and, where you consent, optional event analytics:

    Essential Cookies

    Required for website functionality

    Anonymous Metrics

    Aggregate Vercel page-view and performance metrics without analytics cookies

    Optional Event Analytics

    PostHog feature and affiliate-link events only after analytics consent

    Preferences

    Remember your settings and consent choices

    You can manage cookie preferences in your browser settings or using our cookie consent banner.

    Note: Vercel Analytics and Speed Insights run as anonymous aggregate measurement without analytics cookies. Optional PostHog event analytics, marketing cookies, and additional non-essential storage remain off unless you enable the relevant preference or we introduce new features and collect fresh consent.

    Data Controller Information

    Who We Are

    Cosmocodex Ltd (trading as The VPN Matrix) is the data controller responsible for processing your personal information.

    Contact Information:

    Updates to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or website functionality. Material changes will be communicated by:

    • Updating the "Last Updated" date at the top of this policy
    • Posting a prominent notice on our website homepage
    • Sending email notifications to users who have provided email addresses (for significant changes)

    We encourage you to review this Privacy Policy periodically. Continued use of our website after changes constitutes acceptance of the updated policy.

    Questions About Privacy?

    If you have questions about this Privacy Policy, wish to exercise your rights, or have privacy concerns, please contact us:

    Contact: @thevpnmatrix

    Last Updated: June 19, 2026

    This Privacy Policy is designed to comply with:

    • General Data Protection Regulation (GDPR) - EU/UK
    • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
    • Children's Online Privacy Protection Act (COPPA) - US
    • Other applicable privacy laws and regulations
