Privacy Policy

This is the privacy policy which applies to the business of Enigma Incorporated Ltd, a company incorporated in England and Wales, number 12515127 and its subsidiary, Enigma US Ltd, a company formed in Nevada, United States of America (together, “we” or “us” or “Enigma”) relating to the provision of products/devices or VPN services to our customers. We have a separate privacy policy for our consultancy businesses.

We are a Data Controller and Processor under UK law derived from the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This Privacy Policy describes how we use your personal information and for which purpose. There may be times when we use your information for reasons not set out herein, in which case we will clearly explain the reason(s) for doing so.

Our main aim is to strive to collect the minimum amount of data required to operate our business or provide a service. We do not sell your data.

We explicitly do not collect or store the following data:

  • Any information about the applications, services or websites used by our customers
  • Users’ IP addresses visiting our websites
  • Users’ IP addresses upon service connection
  • DNS Queries whilst connected

Any collection and use of your personal information will depend on the particular relationship and arrangements in place between us. Of the limited collected or stored data, would only use or share information where it is necessary for us to meet our legitimate interests, as we describe below.

Security

We believe protection of personal data is a fundamental right. Access to information held by us is restricted and we have systems and procedures in place to protect information and keep it confidential. We monitor and revise the appropriateness of these security measures on a regular basis.

We process personal data in relation to:

  • Using our website to undertake comparison tests
  • Opening an account with us
  • Purchasing services and/or products

What type of personal data is collected and processed by us, and on what basis?

We limit the collection of personal data to information which we can process pursuant to a lawful basis, namely a contractual necessity, a legal obligation or to meet our legitimate interests. We seek to limit data collection as follows:

Account Data

  • Name,
  • Email address,
  • Contact details for marketing, communications, purchase receipts and occasional product news
  • Email confirmed
  • Confirmation that your email address is valid
  • Paid user
  • Provide paid users with unlimited data
  • Paid user expiry date
  • Provide paid listed

We note that we do not use or store customer’s payment information, these are held by our third party banking providers.

Operational Data

We do collect and store some “Operational Data” required to operate our services. This is data that we collect and store when we collect and store when you connect to our network, such as:

  • OS Version (e.g. iOS 7)
  • Enigma product version (e.g. PC version 2.1.1)
  • Active this month (e.g. 1 or 0), upgraded to paid subscription, online ad referrals
  • Total data used this month (e.g. 22.34 GB)

What do we use it for?

  • User support, troubleshooting and product planning
  • Customer satisfaction, support, network demand planning, granting free user data
  • Operational events (e.g. created an account, complete bonus, made a payment, upgraded to paid subscription, online ad referrals, etc)
  • Troubleshooting account and payment related issues and tracking where sales come from

We note that such events are not related to the time, activity or usage of Enigma products

Personal and Financial Data Collected at Payment

Making a purchase on any service will result in personal data being exchanged with our payment processors. We currently do not accept payment by Bitcoin or other cryptocurrencies as this would involve the collection of additional personal data including additional checks on whether individuals are politically exposed persons (PEPs) or a close relative thereof.

Payment card transactions – payment information is processed securely through our third party payment providers. Such providers may store personal data (associated with such financial transactions) outside of your jurisdiction.

When you pay with a payment card, we may obtain the following payment data:

  • Cardholder last name (e.g. Smith)
  • Date of card use (e.g. 2022/01/01)
  • Last four numbers of credit card (e.g. 4567)
  • Card Billing address
  • Card Expiry
  • Session information (e.g. device type, operating system, IP address at time of payment)

What do we use it for?

  • to operate, evaluate and improve our business,
  • to carry out auditing, accounting and other internal functions,
  • to prevent credit card fraud,
  • to carry out security maintenance over Enigma’s systems, and
  • to monitor compliance with applicable laws and regulations.

Enigma can securely log-in and view the data stored by our third party payment providers, albeit such viewable information is limited as described above. We adopt all available security and available multi-factor authentication measures.

Whilst processing this information does not override your rights, we have a legitimate interest in using it as it could potentially assist Enigma to further develop our business.

Direct marketing procedures are currently limited to periodic updates sent to a very and limited distribution list of business Ccontacts. Recipients of these emails are given the opportunity to opt-out from distribution lists so that their information is not used for such a purpose. The use of personal data for regular updates is targeted and proportionate in accordance with the guidelines issued by the Information Commissioner’s Office regarding the GDPR provision of “legitimate interest”.

Cookies and Persistent Trackers

In building our websites and apps, we have tried to limit the use of cookies in your browser.

Unlike many of our competitors, we do not use any tracking tools for any purposes.

How do we obtain Personal Data?

We collect personal data in a number of ways:

  • information provided directly from an customer and/or an end user,
  • information received from third-party providers in relation to services, including but not limited to fraud prevention or employment or other background checks,
  • data collected automatically from our systems when someone visits our website,
  • from publicly available sources, such as company websites, press and online search engines.

Transferring Information Overseas

Personal data is stored on our systems based in the United Kingdom, the EU, Canada and USA.

Electronically stored information may be transferred outside your jurisdiction. When such transfers take place, we ensure to transfer the information to:

  • a country or organisation which has been categorised as adequate by the European Commission or UK authorities and/or meets the same standards of data protection as the UK, or
  • an organisation pursuant to a contract between us and the third-party on terms that contain data privacy provisions approved by the European Commission or UK authorities.

Sharing Information with Third Parties

We only share personal data with third parties pursuant to the legitimate interests described above.

We do not sell or buy personal data.

However, we may be required to share information with other entities by law, in connection with any legal proceedings or in response to an enforcement action or investigation carried out by an authority or regulator (which, we would remind our customers, is effectively on a limited basis due to the levels of data we receive and/or store).

We would not transfer such information to third parties for their own marketing purposes without requesting your express consent. We may send to third-party providers who operate services that help us with: customer support, email, hosting, protecting and securing our infrastructure and data, DDoS prevention, payment processing, as well as understanding website analytics, app analytics, account and payment related service usage.

How long will the information be stored?

We retain data for as long as it is considered necessary for the purpose for which it was collected, subject to the applicable laws and regulations. The retention period is determined on the type of information, the nature of the activity and the rules and regulations applicable at the time. In general, we have policies and procedures in place to retain records for up to seven years.

We may have to retain personal data for longer periods, especially where Enigma has been ordered to withhold destruction of the information by the Courts or an authority or agency.

What are your rights?

Should you wish to contact us in relation to any of your rights under the GDPR, you can contact our support team quoting GDPR in the subject heading.

Irrespective of the nature of your GDPR request, we will respond to you within 30 days of receipt of your initial notification to confirm whether we can take any action. If we believe that we have good grounds not to meet your request, we will notify you and explain the reasons for not doing so.

The right to access your data: If you would like to receive a copy of the personal information that we hold on you, you can contact us as per the above instructions. We may need to verify your identify before we can take any further steps in response to your request.

The right to rectify your data: If you believe that Enigma holds inaccurate information on you, you can request us to rectify and update it. We may have to withhold the processing of your personal data until the new information has been verified and updated on Enigma’s systems.

The right to erase your data: If you believe that Enigma is processing your data unlawfully, at a time when it no longer needs to or for the purpose for which it was provided, you can request for your personal data to be erased. However, this request is not absolute under the GDPR and depending on the circumstances, Enigma may not be able to meet your request.

The right to restrict the processing of your data: You may wish to ask Enigma to limit the processing of your data if you believe that the information is being unlawfully processed and/or we no longer need it for a particular purpose. This request is not absolute under the GDPR and Enigma’s ability to meet it will depend on the circumstances.

The right to data portability: You have the right to receive a copy of the personal data that we hold on you, and/or ask us to transfer your personal data to someone else. Either way, we will seek to provide you with the information on a portable format which is safe and machine-readable.

The right to object to the processing of your data and/or direct marketing: You have the right to object to the processing of your personal data by us. However, please note that this right is not absolute under the GDPR. It is therefore subject to certain record-keeping requirements. Applicable laws and regulations may restrict our ability to meet any request to stop processing your information. However, you retain an absolute right to ask us to stop processing your information for direct marketing purposes. Should wish you to notify us of such a request, please contact us using the details set out above. In the event that we rely on your permission to use your information for a particular purpose, you retain the right to withdraw your consent at any time.

The right to withdraw your consent: As set out in this Privacy Policy and depending on the nature of our relationship with you, we rely on our legitimate interests in order to process personal information. We do not rely on express consents as a lawful basis for processing your information. We may therefore not be in a position to meet a request to stop processing it. However, should you wish to withdraw your permission in relation to our periodic market or investment updates, please email us your request and we will stop using your data for the purpose of direct marketing.

The right to lodge a complaint with the regulator: Should you wish to complain about the way we use your personal data or handled your request pursuant to your rights under the GDPR, please contact our Data Compliance Officer in the first instance. He will investigate the matter and aim to address your concerns within 30 days of receipt of your complaint. You can also lodge a complaint with the Information Commissioner’s Office (ICO). For more information, please visit ico.org.uk.

Residents of California and Nevada

Residents of California – We do not share information that identifies you personally with non-affiliated third parties for our own marketing use without your permission.

California Consumer Privacy Act – If you are a resident of California, you may exercise your rights to personal data by contacting our support team quoting “California Consumer Privacy Act” in the subject heading to request access to, receive (port), seek rectification, or request erasure of personal data held about you. For the purposes of the California Consumer Privacy Act, we do not “sell” your personal data.

Residents of Nevada – We do not sell information that identifies you personally with non-affiliated third parties. We do not sell or trade personal data for commercial purposes.

 Changes to our Privacy Policy

We may need to change our privacy policy from time to time and all updates will be posted online. Your continued use of our products/devices and/or services after the effective date of such changes constitutes your acceptance of such changes. This privacy policy is effective from 1 August 2024.

Contact Information

If you have any questions in relation to this Privacy Policy or how Enigma processes personal data, please contact our Data Compliance Officer via the support team.