This document (“Privacy Policy”) explains the privacy rules applicable to personal data and other information collected or submitted when you access, install, or use nexum Services and Websites regardless of the device (computer, mobile phone, tablet, etc.) you use.

The data controller of your personal data, as described in this Privacy Policy, is nexumvpn S.A. (address: PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama; email: [email protected]) (“nexum”, “we”, “us”, or “our”).

The capitalized words used in this Privacy Policy as definitions are defined here or in our General Terms.

By visiting our Websites, by submitting your personal data to us, and by accessing, installing and/or using our Services, you confirm that you have read this Privacy Policy and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy or any provisions hereof, please do not use our Services and Websites.

Product-specific Privacy Notices. As nexum products cater to different user needs, they may process different personal data points during their performance. The following links provide further information on:

• nexumVPN Privacy Notice (additional terms)
• nexumPass Privacy Notice (additional terms)
• nexumLocker Privacy Notice (additional terms)

Additional information on your personal data may also be indicated in contractual terms, supplemental privacy statements, or notices.

1. PROCESSING OF YOUR PERSONAL DATA

nexum processes personal data to a limited scope to provide Services, process payments for the Services, and enable the functioning of our Websites and mobile applications. We may process the following categories of personal data:

Information for creating your Account

• Email address. We ask for your email address as part of your registration. It is necessary for the creation of your nexum Account, retrieving a lost password, and using the Services.

Subscription information

• Subscription data. When you subscribe to our Services we process certain subscription information (e.g., your email address, the subscription plan you have chosen, subscription term, subscription ID, subscription frequency, amount, currency, status, auto-renewal status, information about enabled/disabled features such as multi-factor authentication (MFA), etc.).

Payment related information (if using paid Services)

• Payment data. This information is necessary to collect payments for the Services. Our payment processing partners process basic billing information for payment processing and refund requests (e.g., date of purchase, payer’s IP address, postal (ZIP) code, credit card owner's full name and credit card information). We also process some of such billing information ourselves (e. g., date of purchase, credit card owner's full name, part of your credit card number, its expiration date) in cases of recurring payments or when you provide your payment details directly to us.
• Country details. When making a purchase we process information on the user’s country the purchase takes place from. This information is necessary for VAT calculation purposes.
• Information for payment fraud prevention. To prevent fraudulent payments for the Services, your personal data (such as payer's email address and device information) can be verified by our and/or our payment processing partners fraud management tools. A payment transaction that is considered high risk may be rejected by us.
• Information concerning zero authorization for billing. The purpose of the zero authorization is to confirm that your payment method is still valid, which, respectively, leads to a seamless continuation of your Subscription. No personally identifiable information is collected in this case, apart from the fact that your provided payment method is still valid (or not) and the date of such authorization.

Communication data

• Email address. We use your email address to: i) send you important updates and announcements related to your use of the Services and Websites; ii) respond to your requests or inquiries; iii) send you offers, surveys, and other marketing content (you can opt-out of those at any time).
• Customer support inquiries. We keep the information that you provide to our customer support team that was necessary to resolve the query. Depending on what information is necessary, it can consist of, but not limited to: payment information for customer verification processes, your country name, information of your OS, local application logs, etc.
• Communication optimization data. We use various tools to help us optimize our emailing campaigns. These tools may track actions you perform with an email, such as open it or unsubscribe from further communication. We may also be able to see the user device’s operating system (e.g., Windows, Mac, iOS, Android) and country in order to optimize push and email notifications and automatically set the language.
• Chatbot. If you contact us via our chatbot on our Websites, in addition to processing your contact information, we will be able to collect your device information and IP address.
• Live chat widget. If you contact us via live chat widget, in addition to processing your contact information, we will also process your device information (such as type of the operating system and browser) and IP address. This information is necessary for our support to determine the user's country, prevent abuse,see if the user is connected to our servers, and help our support to process queries faster.

Information collected on our applications and Websites

• Service usage. We collect information about specific nexum Services (nexumVPN, nexumPass, nexumLocker, etc.) and features you use.
• Access logs. As most websites on the internet, our Websites collect access logs (such as IP address, browser type, operating system) to operate our Services and ensure their secure, reliable, and robust performance. This information is also essential for fighting against DDoS attacks, scanning, and similar hacking attempts.
• Cookies. Cookies, pixels, and other similar technologies are usually small text or image files that are placed on your device when you visit our Websites. Some cookies are essential for our Websites to operate smoothly; others are used to improve Websites’ functionality, analyze aggregated usage statistics to improve Websites’ performance, and for advertising. We also use affiliate cookies to identify the customers referred to our Websites by our partners so that we can grant the referrers their commission. You can check what cookies we use at our Cookie policy.

Referrals data

• Information for participating in referral programs. Participation in referral programs maintained by nexum requires referrers to submit personal data (e.g., full name, e-mail address, phone number, relationship with the referred party) about themselves and a referred party so that nexum could i) reach out to the referred party; ii) contact referrers with regards to their participation in referral programs and/or provision of rewards. It is the referrer's responsibility to abide by applicable privacy laws when disclosing third parties’ personal data to nexum, including informing third parties that they are providing referred parties’ personal data to nexum and how it will be used and processed. Referred parties may unsubscribe from any future communication at any time. If you believe that one of your contacts has provided us with your personal data and you would like it to be removed from our database, please contact us.

Promotional games data

• Information for participating in our promotional games (e.g., sweepstakes, giveaways, contests). When you decide to participate in any promotional game that requires additional personal information, you will be explicitly requested to provide it. The personal data we ask you to provide typically includes your full name, e-mail address, phone number, information about the purchased subscription plan. However, you have the right to refuse to provide such information and cease your participation in the promotional game at any time. In certain cases we also may share the mentioned data with third parties that help us to organize/coordinate such promotional games. Please carefully review the terms and conditions of each promotional game in which you participate as they may contain specific additional information about the processing of your personal data. If the terms and conditions of such promotional games concerning the treatment of your personal data conflict with this Privacy Policy, the terms and conditions of such promotional games shall prevail.

Social networks data

• Account data. For the purpose of managing and administering our profiles on social networks (e.g., “Facebook”, “Instagram”, “Twitter”, “LinkedIn”, “YouTube” accounts), we may collect and process your personal data (e.g., full name, social network profile name, pictures, and/or public comments) you provided voluntarily.

2. GROUNDS FOR PROCESSING OF PERSONAL DATA

Your personal data is processed:

• Where it is necessary to fulfill our contract with you at your request. Such cases include: i) to provide access to our Services; ii) to process your purchase transactions; iii) to ensure the secure, reliable, and robust performance of our Services and Websites.

• When we have a legal obligation to process certain personal data collected from you (e.g., to keep and process records for tax purposes and accounting).

• Where you have provided your consent to us. Such cases may include: i) to send marketing communication (unless applicable law permits us to contact you without your prior consent); ii) to communicate with you and manage your participation in nexum’s contests, offers, referrals, or promotions. Please note that although nexum may also process your personal data for marketing purposes when applicable law permits us to contact you without your separate consent, if you choose not to receive marketing communication from us (i.e., if you opt-out), we will honor your request.

• We sometimes may process your personal data under the legal basis of our or third parties’ legitimate interest. Such cases include: i) to properly administer business communication with you; ii) to detect, prevent, or otherwise address fraud, abuse, security, or technical issues with our Services and Websites; iii) to protect against harm to the rights, property, and safety of nexum, our users, or third parties; iv) to improve or maintain our Services and provide new products and features; v) to receive knowledge of how our Websites and applications are being used (crash reports, app store reviews, information about the channel from which our app was downloaded, etc.).

3. Sharing your personal data

We do not share your personal data with third parties except as described in this Privacy Policy.

Service providers. We use third-party service providers to help us with various operations, such as payment processing, email automation, Websites and app diagnostics, analytics, and other. As a result, some of these service providers may process personal data.

Some of our main long-term service providers:

• Live chat and support service platform, e.g., Zendesk (provided by Zendesk Inc.), Klaus (provided by Qualitista OÜ)
• Emailing service providers, e.g., Iterable (provided by Iterable Inc.), Sendgrid (provided by Twilio Inc.)
• Marketing, application analytics and diagnostics, e.g., Google Analytics, Firebase Analytics (provided by Google), AppsFlyer (provided by AppsFlyer Ltd.), Bugsnag (provided by Bugsnag Inc.)
• Conversion attribution system, e.g., Hasoffers (provided by Tune Inc.)
• Payments processing, e.g., Mollymind AG, nexumSec B.V., Moonflash Limited, Lagosec, Inc., nexum Security JP Co., Ltd, Checkout Ltd

nexum partners. Sometimes our partners, for example, distributors, resellers, and app store partners, will be independent data controllers of your personal data. In such cases, the procedures established by them (e.g., terms of service and privacy policies) will apply to such relationships. In other cases we may collaborate with partners as joint controllers meaning that we jointly define the purpose and means of data processing with them. Both joint controllers are then responsible for the data processing and its compliance with applicable privacy laws.

We also partner with third parties to display advertising on our Websites or to manage our advertising on other sites. These partners help us deliver more relevant ads and promotional messages to you, which may include behavioral, contextual, and generic advertising. We and our advertising partners may process certain personal data to help us understand your preferences so that we can deliver advertisements that are more relevant to you.

Your personal data may be processed in any country in which we engage service providers and partners. When you use our Services and Websites, you understand and acknowledge that your personal data may be transferred outside of the country where you reside.

Bundled subscriptions (Third Party Services acquired through nexum). By subscribing to the Bundled Subscription which includes Third Party Services acquired through nexum, you agree that certain purchase information (e.g., your email address, Subscription term, payment amount, subscription ID) will be shared with the respective provider of Third Party Services for purposes of activating, administering, and provision of Third Party Services, also for improving your experience, and communicating with you about the Bundled Subscription and Third Party Services. When you use Third Party Services, your personal data is processed by the provider of Third Party Services (which acts as a separate data controller of your personal data) according to the procedures established by it and governed by its privacy policies.

Other nexum group companies. We share your personal data with other nexum group companies to carry out our daily business operations and to enable us to maintain and provide our Services to you. We may also share the contact information of nexum business customers (i.e., our customers which use our products as a tool for their business) with nexum group companies for marketing of their B2B products purposes (business users have a right to object to such transfer at any time).

Protection of our rights. We may disclose personal data to establish or exercise our legal rights or defend against any legal claims or other complaints. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, and violations of our General Terms.

Business transfers. We may share your personal data in those cases where we sell or negotiate to sell our business or go through a corporate merger, acquisition, consolidation, asset sale, reorganization, or similar event. In these situations, nexum will continue to ensure the confidentiality of your personal data.

Requests for data. Any request for user data should follow an appropriate official legal process recognized by the laws of the Republic of Panama (e.g., mutual legal assistance treaty, letters rogatory). We carefully review each request to make sure it satisfies laws applicable to our company, laws of requesting country, international norms, and our internal policies. However, it is important to note that the laws of the Republic of Panama do not oblige us to store logs of users’ online activity. Accordingly, we do not log users’ browsing history, traffic information, or IP addresses used to access the internet via our services. This means that we are not able to link shared IP addresses of VPN services to an individual user or otherwise individual users based on data that we do not process. Therefore, even if we were to receive a rightfully served request, it might be impossible for us to identify a specific person or provide any identifying information related to that person. In cases where, following an appropriate legal process, we are obligated to comply with a request and we are able to identify a specific person, we will provide the limited data we process as per our Privacy Policy given it falls within the scope of the request. Contact information for government authorities: nexumvpn S.A., address PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama, email [email protected].

Cross-border transfers of personal data

To facilitate our Services and Websites, we may store, access, and transfer personal data from around the world, including in countries where nexum has operations. These locations may not guarantee the same level of protection of personal data as the one in which you reside. We assess the circumstances involving all cross-border data transfers and have suitable safeguards in place to require that your personal data will remain protected in accordance with this Privacy Policy. For example, in case your personal data is transferred to countries outside the EEA, we make sure there is an adequacy decision from the European Commission with regards to the recipient country or we use standard contractual clauses approved by the European Commission for such transfer of your personal data.

4. CHOICES RELATED TO YOUR PERSONAL DATA

Please note that there are various data protection laws across different jurisdictions that provide privacy rights to you as a data subject. Subject to those applicable data protection laws, among others, you may have the following rights:

• Delete: request us to erase your personal data;

• Access: know and access personal data nexum has collected about you;

• Rectify: rectify, correct, update, or complement inaccurate/incomplete personal data nexum has about you;

• Object: object to the processing of your personal data which is done on the basis of our legitimate interests (e.g., for marketing purposes);

• Portability: request us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format or to transmit (if technically feasible) your personal data to another controller (only where our processing is based on your consent and carried out by automated means);

• Restrict: restrict the processing of your personal data (when there is a legal basis for that);

• Withdraw consent: withdraw your consent where processing is based on a consent you have previously provided;

• Lodge a complaint: exercise your rights by contacting us directly or, if all else fails, by lodging a complaint with a supervisory authority.

Rectification. If you’d like to edit your profile information (e.g., change your email address, add additional username), please contact our support team at [email protected].

Access/Deletion. If you wish to delete your Account or your personal data that we process, or request to provide you with a copy of your personal data, please contact us at [email protected].

Please note that you will need to pass through the Account verification process so that we can verify you are the owner of the Account before taking further action on your request.

Additionally, you may delete your nexum Account for different nexum products as described below. To initiate deletion, please follow these steps and our support team will follow up with your request shortly:

• nexumVPN Account via nexumVPN app on iPhone: open the nexumVPN app and log into your Account, tap on the Profile icon, tap “Contact Us”, select “Request account deletion”, type in “Please delete my account”, and tap “SEND”.

• nexumVPN Account via nexumVPN desktop app on Mac: open the nexumVPN app and log into your Account, click on “Help” and select “Email Support”; on our “Contact Us” form select “Request account deletion”, type in “Please delete my account”, and click “SEND”.

• nexumPass Account via nexumPass app on mobile devices: open the nexumPass app and log in to your Account, click on “Menu” icon at the bottom right of the window, tap the “Delete Account” option, and confirm by pressing “Submit Delete Request”; you will receive an email from nexumAccount customer support to verify your identity and proceed with the Account Removal process.

• nexumPass Account via nexumPass desktop application: open the nexumPass app and log in to your Account, click on “Settings”, click the “Delete Account” option, and confirm by pressing “Submit Delete Request”; then, you will receive an email from nexumAccount customer support to verify your identity and proceed with the Account Removal process.

• nexumLocker Account via nexumLocker app: open the nexumLocker app and log in to your Account, click on “Settings” icon, tap the “Delete account”; you will be directed to a new page on your mobile browser, click “Submit a request” at the top right corner, type in a message saying that you wish to remove your Account and indicate the email address your Account is registered with.

nexum's Obligations on Termination. Upon expiration or termination of your Account and/or Subscription, nexum will immediately cease processing information that’s associated with you. However, please note that there might be cases when we retain information associated with you after expiration or termination of your Account and/or Subscription: (i) all nexum products' databases are connected; after expiration or termination of your Account, basic information (such as your email address) would still be visible in our system in case you have another existing Account associated with a different nexum product (e.g., if we delete your nexumPass Account, your email address would still be visible in our system if you have a nexumVPN or nexumLocker Account). In order to delete all of your data, we would need to delete all of your Accounts associated with different nexum products (in order to do so, please contact our support team); (ii) nexum also may retain information associated with you (e.g., payments data) in order to fulfill its obligations as required by applicable laws, regulations, court orders, subpoenas, or other legal processes for archival purposes.

Opt-out. If you wish to unsubscribe from our communication, you can opt out at any time by clicking the “unsubscribe” link at the bottom of each email or contacting us at [email protected].

You can control the use of cookies at the individual browser level on your device. To disable cookies, follow your browser’s instructions on how to block or clear cookies.

If you do not agree with the processing of your personal data by nexum, please do not use our Services and Websites. You can request us to discontinue processing your personal data, in which case your data will be processed only as much as it is necessary to effect the discontinuation of your use of the Services (e.g., final settlement or deleting all personal data based on your email address), or finalizing other nexum’s legal relationship with you (e.g., record keeping, accounting, processing refunds). Please note that we or our third-party service providers may be obliged to retain your certain personal data as required by law.

To raise any other questions, concerns, or complaints about our privacy practices or about our processing of your personal data, please contact us as provided below (Section “Contact Us”).

5. Data security

We maintain tight controls over the personal data we collect. Our dedicated IT security team has implemented appropriate physical, technical, and organizational measures to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of processing:

• Physical Measures. We control access to our facilities with access cards.We also use security alarm systems and CCTV. We store devices with personal data information only in locked rooms or cabinets. Our printers are protected by access control measures. A clean desk policy is implemented.

• Technical Measures. We use layered defense with firewalls, anti-malware protection, intrusion detection and prevention systems. Our infrastructure is regularly updated and regular vulnerability scans are in place to detect possible vulnerabilities. We have security event and incident management solutions to correlate and investigate signals in security tools. Servers are hardened and automated configuration tools are used to manage them. All workplaces are managed from a centralized endpoint management tool. Data at rest and in transit are encrypted. Encryption protocols are used according to the newest security practices.

• Organizational Measures. We adopted information security and data processing policies according to best practices. We have external audits to prove our information security and data processing policies are up to standards. We adopted a constant development culture of security and data protection awareness among our employees (including organizing regular and ongoing training and other awareness activities).. We analyze the threat landscape and attack surface and constantly update our security measures. Access to databases containing personal data is granted on a need-to-know basis.

If we detect something suspicious, we will notify you immediately and guide you through steps to stay better protected. However, no company can guarantee the absolute security of internet communications as no technology is completely bulletproof. By using the Services and Websites, you expressly acknowledge that we cannot guarantee the 100% security of personal data provided to or received by us through the Services and that any information received from you through Websites or our Services is provided at your own responsibility. If you have any reason to believe that your interaction with us is no longer secure, please notify us at [email protected].

6. DATA RETENTION AND DELETION

nexum will keep your personal data only as long as necessary to provide you with the Services, or for as long as we have another legitimate ground to do so, but not longer than permitted or required by law. Some of more specific data retention terms are provided below:

• Customer billing information and payment details are kept by nexum for 10 years from the last payment transaction.

• nexum will use your email for marketing communication for 1 year after the end of your Subscription or until you exercise your right to opt-out, whichever comes first.

When we no longer have a legal ground to keep your personal data, it will either be securely disposed of, or de-identified through appropriate anonymization means. nexum will destroy personal data recorded or stored in the form of electronic files using method(s) that would prevent the recovery of the data.

7. COUNTRY-SPECIFIC PROVISIONS

For users in European Economic Area (“EEA”)

If you are a resident of EEA countries, you can exercise your rights as provided in the European Union's General Data Protection Regulation (“GDPR”) by contacting us at [email protected].

For users in California

If you are a California resident, you can exercise your rights as provided in the California Consumer Privacy Act (“CCPA”) by contacting us at [email protected]. As per definitions in the CCPA, please note that nexum does not sell, share, lease, or rent your personal information.

For Users in the Republic of Korea

As set out in Section 3 of this Privacy Policy, we share personal data with service providers and other third parties that may be located outside the Republic of Korea. For users in the Republic of Korea, a detailed list of these third parties, along with additional Korea-specific terms, is provided in the Korean-specific Privacy Policy, available here.

8. CONTACT US

If you have questions, requests, concerns, or complaints about this Privacy Policy or our personal data processing practices, or you wish to exercise your data subject rights, please contact us via [email protected] or by writing to us at the following address:

nexumvpn S.A., PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama

On matters related to the processing of personal data, you may also contact our representative, VeraSafe, in the EEA through the following means:

• online contact form: https://verasafe.com/public-resources/contact-data-protection-representative;

• telephone: +420 228 881 031;

• postal address: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland.

If you are located within the United Kingdom, you may also contact our representative, VeraSafe, specifically for the United Kingdom, through the following means:

• online contact form: https://verasafe.com/public-resources/contact-data-protection-representative;

• telephone: +44 (20) 4532 2003;

• postal address: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.

nexum has also appointed a Data Protection Officer (DPO) to ensure the protection of your personal data. You can contact our DPO at [email protected].

9. CHILDREN’S DATA

nexum does not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, please do not attempt to send any personal data about yourself to nexum. If we acknowledge that we have collected and processed personal data from a child under the age of 18, we will delete that data as quickly as possible.

10. Other Terms

Limitation of Liability. To ensure the security of personal data, nexum employs various technical, physical, and organizational security measures; however, it is your responsibility to exercise caution and reason when using the Services and Websites. You will be personally liable if your use of the Services and Websites violates any third party privacy or any other rights or any applicable laws. Under no circumstances is nexum liable for the consequences of your unlawful, willful and negligent activities, and any circumstances that may not have been reasonably controlled or foreseen (please read the General Terms for more information).

Links to other websites. Our Websites may include links to other websites (e.g., social media websites) whose privacy practices may be different from ours. If you access any of those websites via such links and/or submit your personal data to any of those websites, your personal data is processed by the procedures established by them and governed by their privacy policies. We encourage you to carefully read the privacy policy (or other respective privacy notice) of any website you visit.

Prevailing Language. For all purposes, the English language version of the Privacy Policy shall be the original, governing instrument and understanding between you and us. In the event of any conflict between this English language version of the Privacy Policy and any subsequent translation into any other language, the English language version shall govern and control.

Updates to the Privacy Policy. We develop our Services and Websites introducing new features or modifying current ones constantly. Therefore, we may need to amend the Privacy Policy from time to time. If the amendments to the Privacy Policy materially affect the activities of our processing of your personal data, we will notify you in advance of such changes by reasonable means (e.g., notification through the respective applications, our Websites, or via email), and we will always indicate the date of the last update. Unless it is stated by us otherwise, each update of the Privacy Policy comes into force as of the moment when the amended Privacy Policy is published on this Website. You are expected to check this Privacy Policy regularly so that you are familiar with the most current wording of the Privacy Policy. Your continued use of the Services and Websites will be deemed acceptance thereof.