Privacy Policy

Version April, 2024

This policy describes who we are, how we collect, handle and protect your personal data and the privacy rights and choices available to you regarding the access, correction and deletion of your personal data.

For older versions of this document, please visit the legal archive.

This policy does not apply to service data which may be collected by different products, such as an antivirus app, or to the operation of cookies on our website. For information on how we handle website cookies, please visit our Cookies Policy.

The information on our personal data practices may be supplemented by product settings, contractual terms, or notices provided prior to or at the time of data collection.

Who are we?

We are part of Gen™ - a global company with a family of trusted consumer brands. The Controller of your personal data is Avast Software s.r.o., which has its principal place of business at 1737/1A Pikrtova, Prague 4, Czech Republic, 140 00 (referred to as "we," "us," "our," or “HMA” in this policy). If you live in the United Kingdom, Avast’s representative established in the UK is NortonLifeLock UK Limited, 100 New Bridge Street, London, England EC4V 6JA.

What data does our VPN process?

Generally speaking, we need some personal data, in particular to provide you with our products and services, to optimize and improve our products and services, to send you direct marketing, or to comply with our legal obligations. We try to minimize the collection of any data: we aggregate or delete it as soon as possible, and if it is not necessary we don’t collect it at all. We will describe how we process the data in the following sections. But let’s start with what we don’t collect.

Our No Logging Policy - data we don’t send to our servers. Period.

  • Originating IP address.
  • Any DNS queries while connected. We rely on our own secure DNS servers, so your queries are also protected from exposure to 3rd parties.
  • Browsing history.
  • Transferred data.

We may collect and process personal data about you in the following situations:

Product functionality

Service Data from our VPN servers

If you use our VPN service, we collect the minimum amount of information needed to provide and operate it, as well as keep it running safely and efficiently. This is the data we collect to make sure our VPN infrastructure works (“Service Data”):

| Service Data | What we use it for |
| --- | --- |
| Day of connection. E.g. We store the date you were connected together with an internal identifier, but not the exact time: timestamps are floored to either 12 am or 12 pm. | To troubleshoot for support and abuse handling. Example: To know the amount of daily active users. |
| Rounded amount of data transmitted. E.g. If a user transferred within the session 364MB, we floor it to 300MB. 1843MB of transferred data is floored to 1000MB. We keep just the first digit of the value together with an internal identifier. | To plan for new network capacity and server improvements. Example: We may deploy more capacity to meet demand and make sure speeds stay up for all users. |

We store the server’s service data for 35 days, after which time it is deleted on a rolling basis — data created on Jan 3rd, 2020 gets deleted on Feb 7th, 2020, for example.

Service Data from our VPN clients

In order to make sure our VPN clients do their job properly and without errors we have to know how many specific errors we have. This data pertains to interactions taken in the app, and cannot be used to uncover what you’re using the VPN service for.

| Client Data | What we use it for |
| --- | --- |
| Connection events. Events such as the attempt to connect, disconnection, connection error, etc. together with an internal identifier exclusively used for this (“connection event identifier”) | To operate and provide VPN service with high quality. We do not pair any individual user with this data. Example: How many unknown users get the same error? |
| Application events. Events such as auto-connection, uninstall event, etc. together with an internal identifier (“application event identifier”) | To plan product development and analytics. Example: How many users do we have? Is a new client-side feature we introduced popular? Are people uninstalling after our latest release? |
| Crash reports generated and sent by the user. We might collect data like your e-mail, app version or internal identifiers described above. | To help troubleshoot the issue. We don’t send any privacy-sensitive data automatically - you need to explicitly allow sending this back to us and check what data is being sent before you share it with us. Please note that if, together with the information above, you also provide us with your personal data, e.g. within an ad hoc crash report that you decide to send to us, we could add this information to the service data and might be able to connect it with you. Example: App is crashing on some specific device. This is how customer care support can help with device-specific issues. |

We store client’s service data for 2 years, after which time it is deleted on a rolling basis — data created on Jan 3rd, 2019 gets deleted on Jan 3rd, 2021, for example.

Account creation and management

When you create an account with us (note: this is necessary in order for you to use the VPN service), we will need some information about you. This is the personal data that is created and stored for the management of your account:

| Account data | What we use it for |
| --- | --- |
| Email address | To send you purchase receipts, communications, and occasional product news |
| Username (only for legacy versions) | To manage your account and facilitate your login into the service. We do not collect this information anymore. Usernames are used only with older versions of our VPN clients. |
| Activation code | To activate your subscription |
| Subscription renewal date | To tell us until when the account is valid |

All of the above data is stored for as long as you use our service, as it is necessary for us to provide it. However, your Account Data is not paired with your activity usage. You can request a copy of your account data through support.

Billing and Payment

We rely on third-party payment processors to handle your product purchases. You can find out which provider we are working with for the point of purchase you chose (for example our website, an app store, etc) by looking at your transactional email or receipt.

This is the list of payment processors we cooperate with and their privacy policies:

These providers are in the position of independent controllers and may collect a variety of information about you to complete the purchase. All of them are PCI-compliant or the equivalent and are prohibited from using your personal data for anything but facilitating your payment and subscription management or as otherwise described in their applicable terms of service and privacy policy.

Some of that billing data may be shared with us in order to detect and prevent fraud, help with customer support, or used as a record of your payment for accounting, taxation, and invoicing purposes. This data is what we call “billing data” and it includes your name, address, email address, the product (subscription you purchased) and for how long, and payment information.

Your payment provider will process your credit card number, but it is not shared with us.

On our side, billing data is stored for as long as you continue to use our service, and for up to 10 years after that because of our legal obligations. If legal obligations change, or we need to resolve disputes and enforce our agreements, we may be obliged to keep this data longer than that.

Communication

If you contact us by email, it will be stored for 24 months, unless required by law or other exceptional circumstances. We do this to speed up our turnaround on support and to follow up.

If you are a user of our service or you have subscribed on our website, we will send you commercial communications through this channel in the form of newsletters, or blog notifications. Please note, if you don’t want to be on our mailing list, you may use the “Unsubscribe” link available in every communication we send you.

Third-party tools used for analytics

To analyze application events from our VPN clients in order to understand how our services function, or how stable or successful they are, we rely on our own analytics tools as much as possible. Here are the third-party tools we use, how we use them, and their privacy policies:

Google Firebase Analytics on iOS and Android

Firebase helps us to understand how people interact with certain aspects of our service. While Firebase normally relies on Android Advertising ID or iOS Identifier for Advertisers, this is not the case for our service because we’ve opted to use our own identifiers instead.

As this tool is not necessary for service functioning, you can opt-out of providing us with this de-identified application performance data in our application settings.

Google Fabric Crashlytics on iOS and Android

This Google tool helps us to improve application stability, pinpoint things that don’t work, and improve your experience. Its implementation doesn’t contain any information that can personally identify you.

Both Firebase Analytics and Crashlytics are subject to Google’s privacy policies.

For which purposes do we process your personal data?

Personal data is information that relates to an identified or identifiable natural person, such as the personal data necessary to provide you with our service, to create and manage your account, to handle your product purchases, to communicate with you, to optimize and improve our service, and to comply with our legal obligations.

More specifically, we use your personal data for the following purposes relying on the following legal bases:

On the basis of fulfilling our contract with you or entering into a contract with you on your request, in order to:

  • Handle the purchase of our service in cooperation with our payment processors;
  • Provide the download, activation, and performance of our service;
  • Keep our products or services up-to-date, safe and free of errors;
  • Verify your identity and entitlement to a paid service, when you contact us for support or access our services;
  • Update you on the status of your orders and licenses;
  • Manage your subscriptions and user accounts; and
  • Provide you with technical and customer support.

On the basis of your consent, in order to:

  • Subscribe you to a newsletter, if you are not a user of our product;

On the basis of legal obligations, we process your personal data when it is necessary for compliance with a legal tax, accounting, anti-money laundering, legal order, or other obligation to which we are subject.

On the basis of our legitimate interest, we will use your personal data for:

  • Communications about possible security, privacy and performance improvements and products that supplement or improve your purchased service and to optimize the content and delivery of this type of communication;
  • Product development, research and to implement product features and improvements;
  • Analytics, using both internal and third-party tools, to evaluate and improve the performance and quality of our service and websites and to understand usage trends, user acquisitions, and conversions.
  • Security of our systems and applications;
  • Internal administrative processes (e.g. finances, audit, business intelligence, legal & compliance, information security, etc.); and
  • Establishing, exercising or defending our legal rights.

Where and for how long do we store your personal data?

Where we store your data

When you use our service, you may be using servers located in a variety of different countries. However, there is a difference between use and storage. What little information gets generated by your use of our infrastructure does not get stored outside of the EU region.

There may be some instances where, as a matter of necessity, we need to transfer data outside of these two jurisdictions. When we process the data within our group, regardless of where we are, we always implement the same level of data protection afforded by the GDPR to all personal data we process. Where we cooperate with third parties which are involved in data processing, we legally bind any party we deal with to adhere to those high levels of protection with adequacy decision or standard contractual clauses approved by the European Commission, and to ensure your rights are protected in accordance with this Privacy Policy.

The intra-group transfers within the Gen Digital Group are covered by the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the transfer of personal information from the European Economic Area (EEA), the United Kingdom, and Switzerland to the United States. Check here to access the Gen Digital Inc. Data Privacy Framework Notice.

In all cases, we follow generally accepted standards and security measures to protect the personal data submitted to us, both during transmission and once we receive it. We always strive to protect your data to the maximum extent we can.

How long we store your data

Concerning storage or retention periods, the specific terms applicable to the various types of data used for various purposes are noted in their respective sections. After these periods elapse, we will delete this data and no longer use it for that specific purpose.

These retention periods may be longer where it is necessary for us to comply with our legal obligations or legal orders, resolve disputes, and enforce our agreements, including in the court of law.

To whom do we disclose your personal data?

As a rule, we do not disclose any information to other commercial parties, with the following exceptions:

Gen Group

As we are part of the Gen Group, information may be shared with members of the Gen Group in order to execute on the provisions of this service, for direct marketing, business operations or to help our product development. In all cases, they are subject to the terms of this Privacy Policy.

Service providers

It may be necessary to share some data with selected parties to deliver the service you require — such as with a payment card provider who we use to process your credit card transaction or to perform analytics via third-party analytics tools. These parties are listed in the relevant sections of this Privacy Policy.

In particular, we use Salesforce to provide us the CRM platform (see their privacy information including appropriate safeguards for cross-border transfers).

Mergers, acquisitions and corporate restructurings

Like any other consumer brand, we too go through our own cycle of growth, expansion, streamlining and optimization. Our business decisions and market developments therefore affect our structure. As a result of such transactions, and for maintaining a continued relationship with you, we may transfer your Personal Data to a related affiliate.

If we are involved in a reorganization, merger, acquisition or sale of our assets, your Personal Data may be transferred as part of that transaction. We will notify you of any such deal and outline your choices in that event, when applicable. Information including personal data relating to our business may be shared with other parties in order to evaluate and conclude the transaction. This would also be the case if we were required by law to make such changes.

State authorities and legal requirements

In the event we are served with valid subpoenas, warrants, or other legal documents, or where applicable law compels us to comply, or when we are required to defend the rights or property of the Gen Group, including the security of our products and services, and the personal safety, property, or other rights of our customers and employees — we may share your personal data for these purposes as collected above.

What rights do you have?

Subject to applicable laws, you have the following rights:

  • Delete: Right to delete or erasure (“right to be forgotten”) of personal data we have collected from or about you in cases stipulated by law, e.g., if there is no legally recognized title on our part for further processing of your personal data (incl. protection of our legitimate interests and rights).
  • Access: Right to know and access the personal data we have collected about you, to receive a copy of your personal data as well as other information about our data processing practices.
  • Correct: Right to rectify, correct, update, or complement inaccurate or incomplete personal data we have about you.
  • Restrict: Right to restrict the way we process your personal data in certain situations (e.g. if you are contesting the accuracy of your personal data; the processing is unlawful and you request the restriction of its use instead of deletion; we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; there is a pending verification whether our legitimate grounds override your interests).
  • Withdraw Consent: Right to withdraw your consent to process your personal data. The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal.
  • Object: Right to object to our processing of your personal data based on legitimate interest on grounds relating to your particular situation and we are required to assess the processing in order to ensure compliance with all legally binding rules and applicable regulations. In case of direct marketing, we shall cease processing personal data for such purposes after the objection.
  • Object to Automated Individual Decision-Making: Right to object to our processing of your personal data in case of automated individual decision-making.
  • Equal Service: Right not to receive discriminatory treatment for the exercise of your privacy rights, subject to certain limitations.
  • Opt-Out: Right to Opt-Out of the sale of personal data, or the Right to Opt-Out of sharing of personal data for cross contextual advertising. U.S. residents can opt out of personalized advertising as set forth here: Do Not Sell or Share My Personal Information.
  • Portability of Personal Data: Right to obtain a portable copy of your personal data processed by automated means on the basis of consent or where it is necessary for the purpose of conclusion and performance of a contract.
  • Lodge a Complaint: Right to lodge a complaint with a supervisory authority if you are not satisfied with the way we have handled your personal data, or any privacy request, or other request that you have raised with us.

To exercise your rights under applicable law or to raise any other questions, concerns, or complaints please contact us here.

The fulfilment of data subject rights listed above will depend on the category of personal data and the processing activity. In all cases, we strive to fulfil your request.

We will action your request within one month of receiving a request from you concerning any one of your rights as a data subject. Should we be inundated with requests or particularly complicated requests, the time limit may be extended to a maximum of another two months.

Where requests we receive are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.

Please note, consistent with our privacy by design, privacy by default and minimization practices, we may not be able to identify you in connection with the service data collected by our VPN. If such a situation occurs, please go to your product settings and explore your options.

How do we protect your personal data?

We maintain administrative, technical, and physical safeguards for the protection of your personal data.

Administrative safeguards

Access to the personal data of our users is limited to authorized personnel who have a legitimate need to know based on their job descriptions, for example, employees who provide technical support to end users, or who service user accounts. In the case of third-party contractors who process personal data on our behalf, similar requirements are imposed. These third parties are contractually bound by confidentiality clauses, even when they leave. Where an individual employee no longer requires access, that individual's credentials are revoked.

Technical safeguards

We store your personal data in our database using the protections described above. In addition, we utilize up-to-date firewall protection for an additional layer of security. We use high-quality antivirus and anti-malware software, and regularly update our virus definitions. Third parties who we hire to provide services and who have access to our users' data are required to implement privacy and security practices that we deem adequate.

Physical safeguards

Access to user information in our database by Internet requires using an encrypted VPN, except for email which requires user authentication. Otherwise, access is limited to our physical premises. Physical removal of personal data from our location is forbidden. Third-party contractors who process personal data on our behalf agree to provide reasonable physical safeguards.

Contact Us

If you have any questions or feedback regarding these terms, you can contact us at dpo@hidemyass.com. HMA has also appointed a Data Protection Officer who can be contacted at dpo@hidemyass.com.

Changes to this policy

We reserve the right to revise or modify this Privacy Policy. In addition, we may update this Privacy Policy to reflect changes to our data practices. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account), product notification or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

Cookies Policy

This policy relates to our website www.hidemyass.com and other websites related to HideMyAss! brand.

What Are Cookies and How We Use Them

Cookies are small text files that are placed on your computer or device by websites that you visit or HTML-formatted emails you open to make our websites work, or to make them work more efficiently, to understand the effectiveness of our emails, and confirm that you received the necessary communications. You can find more about cookies here.

We use cookies, and other similar technologies such as pixel tags and web beacons (collectively “cookies”), to:

  • Enable the proper functioning of our websites and the proper delivery of legitimate electronic communications;
  • Tailor information presented to you based on your browsing preferences, such as language and geographical region;
  • Collect statistics regarding your website usage (such as which parts of our websites people have visited);
  • Provide us with business and marketing information such as measuring the effectiveness of campaigns and getting insights into user interactions and user base as a whole so we can improve our communications and products; and
  • In some cases, to enable a third party to deliver future advertising for our Services to you when you visit certain websites owned by third parties.

How We Use Third-party Cookies

Cookies may also be placed on our websites by third parties to deliver tailored information and content that may be of interest to you, such as promotions or offerings, when you visit third-party websites after you have left ours. We do not permit these third parties to collect personal data about you (e.g., email address) other than that collected using such cookies unless such data is provided to the third party in their role as a service provider acting solely on our behalf.

How You Can Manage Cookies

You can manage the cookie settings through the cookie banner displayed when you visit our websites. After you set the cookies according to your preferences, you can still easily access and change these settings at any time by clicking on “Cookie Preferences” in the footer of our websites.

Another way in which you can communicate your cookie preferences to us is to change the cookie settings in your browser. In some browsers you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. We do note, however, that not all browsers across all platforms may support this functionality.

Browser manufacturers provide help pages relating to cookie management in their products. Please see below the relevant links to the main browsers:

For other browsers, please consult the documentation that your browser manufacturer provides.

You can opt out of interest-based targeting provided by participating ad servers through:

In addition, on your iPhone, iPad or Android, you can change your device settings to control whether you see online interest-based ads in the following manner:

  • iOS devices: go to Settings > Privacy > Advertising > enable Limit Ad Tracking. Please note that if you use more than one device, you need to opt-out separately in each device.
  • Android devices: Please follow the instructions set forth at https://support.google.com/ads/answer/2662922?hl=en. Please note that if you use more than one device, you need to opt-out separately in each device.

Please note that if you disable cookies, our websites may not function properly or at all or your access to our websites and their features may be affected or restricted.

Do-Not-Track Signals and Similar Mechanisms

Some mobile and web browsers transmit “do-not-track” signals. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they are even aware of them. We currently do not respond to these signals.

Categories of cookies

The cookies we use include “session” cookies that are erased when you leave our websites, or they may be “persistent” cookies that remain on your computer or device after you leave the site, in preparation for your next visit to our websites.

Necessary (essential) cookies

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Preference cookies

Preference cookies enable a website to remember information that changes the way the website behaves or looks, such as your preferred language or the region that you are in. De-selecting these cookies may result in improper functionality and setting of the website.

Performance cookies

Performance cookies help us improve our website by analyzing how visitors use it and interact with it. De-selecting these cookies may result in poorly-designed content and slow site performance.

Marketing cookies

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers. De-selecting these cookies may result in seeing advertising that is not as relevant to you.

Targeting cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies

These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.