Privacy Policy

Last updated: November 4, 2025

Version: v1.0

Entity: ENTROMOONIC, LTD. ("Pandefy", "we", "us", or "our")

Contact: legal@entromoonic.com

0) Definitions

“Personal Data/Information” means information relating to an identified or identifiable natural person. “Processing” means any operation performed on Personal Data. Undefined terms have the meanings given by GDPR, UK GDPR, CPRA, and other applicable privacy laws.

1) Scope

This Privacy Policy explains how we collect, use, share, and protect Personal Data when you use our websites, mobile apps, software, and related services (the “Services”). This Policy does not apply where we act as a Processor for business customers; such processing is governed by our Data Processing Agreement (DPA) and the customer’s written instructions.

2) Roles

Depending on context, we act as a Controller (direct-to-consumer) or a Processor (enterprise features). When we act as a Processor, the DPA prevails in case of conflict with this Policy.

3) Personal Data We Collect

3.1 Categories

  • You provide: account or identity data (if an account is created), contact details, support communications, configurations (allow or block lists, custom rules, preferences), and optional surveys or feedback.
  • Automatically collected: device identifiers (platform, model, operating system), app information (version, locale, time zone), events and diagnostics (crashes, performance, error codes), and filtering event metadata (allow or deny counts, matched rule IDs, domain or category tags, coarse timing). We strive to avoid collecting or retaining the contents of network communications.
  • From third parties: app stores (purchases or entitlements), analytics or crash providers (if enabled), and payment or anti-abuse vendors.
  • Sensitive data: we do not request sensitive categories. If you voluntarily provide sensitive data in communications, you are responsible for that disclosure.

3.2 Sources

We collect Personal Data directly from you, via automated technologies (including cookies and SDKs), from service providers and partners, and from public sources where lawful and necessary.

3.3 No Content Collection by Default

By default we do not capture or persist the payload or content of your network requests. Filtering operates primarily on-device using rules and minimal metadata. If a particular feature needs additional data, we will describe it in-product or in documentation and obtain consent where required.

4) How We Use Personal Data

We use Personal Data to:

  • provide, maintain, and improve the Services, including stability and performance;
  • manage subscriptions, entitlements, account integrity, and fraud prevention;
  • ensure security and detect or respond to abuse and incidents;
  • comply with legal obligations and enforce agreements;
  • communicate product updates, support responses, and policy changes;
  • perform de-identified or aggregated analytics and reporting;
  • where consented, conduct limited site analytics and, if enabled, remarketing.

Model training. We do not use identifiable Personal Data to train generalized models unrelated to the Services. If we introduce machine learning features, we will document data use and provide controls where applicable.

5) Legal Bases (EEA, UK, Switzerland)

Where GDPR or UK GDPR applies, our processing relies on one or more of contract necessity, legitimate interests (for example, securing and improving the Services), consent (for example, for non-essential cookies or analytics), and legal obligations.

6) Sharing and Disclosures

  • Vendors and processors: hosting, telemetry, analytics, crash reporting, security, customer support, and billing, under confidentiality and data protection terms.
  • Affiliates: for the purposes described, under protections no less protective than this Policy.
  • Legal and safety: to comply with law, respond to lawful requests, and protect rights, safety, and security.
  • Corporate transactions: in connection with a merger, acquisition, financing, or asset transfer, subject to appropriate safeguards.
  • No sale: we do not sell Personal Data. If “sharing” or cross-context behavioral advertising applies, we provide opt-out mechanisms.

6.1 De-identified and Aggregated Data

We may use and disclose de-identified or aggregated data for statistics and research, and we employ technical and organizational measures to prevent re-identification.

7) International Transfers

If Personal Data is transferred to a country without an adequacy decision, we use valid transfer mechanisms such as the EU Standard Contractual Clauses (and, where applicable, the UK Addendum or IDTA) and apply supplementary measures like encryption or minimization where appropriate.

8) Retention

We retain Personal Data for as long as necessary for the purposes described and to comply with legal obligations, then delete or anonymize it. Illustrative periods include:

  • Support communications: typically about 24 months (or shorter as required).
  • Crash or diagnostics logs: generally 30-180 days on a rolling basis.
  • Subscription or transaction metadata: retained per tax or accounting rules, typically 3-7 years.
  • Account data: deleted or anonymized within a reasonable period after closure, subject to legal holds.

9) Security

We implement risk-appropriate technical and organizational measures, including encryption in transit, least-privilege access controls, environment isolation, monitoring, vulnerability management, and business continuity. No system is perfectly secure; please use strong credentials and device security.

10) Your Rights

Depending on your location, you may exercise rights to access, correct, or delete your Personal Data, to restrict or object to its processing, to data portability, to withdraw consent, and to lodge a complaint with a regulator. We verify requests and may require additional information.

10.1 Appeals and Authorized Agents (US State Laws)

If we deny or partially deny your request, you may appeal within 30 days of our decision by emailing legal@entromoonic.com. We will review and respond within the required timelines. Where permitted, authorized agents may submit requests on your behalf with proper authorization and identity verification.

11) Children

The Services are not intended for children under 13 (or a higher minimum age in your jurisdiction). We do not knowingly collect Personal Data from children under 13. If you believe a child provided data to us, contact legal@entromoonic.com so we can delete it.

12) Third-Party Services and SDKs

Some features integrate third-party SDKs or services such as crash reporting or analytics. Their handling of data is governed by their own policies. You can limit telemetry in the app settings where available.

13) Do Not Track (DNT) and Global Privacy Control (GPC)

Our web properties may not respond to DNT signals. Where required by law, we endeavor to honor GPC signals for opt-out-eligible processing.

14) Automated Decision-Making

Apart from basic fraud or security heuristics (subject to human review upon challenge), we do not engage in solely automated decisions that produce legal or similarly significant effects.

15) Data Subject Requests (DSAR)

To exercise your rights, email legal@entromoonic.com with your country or region and request type. We will verify your identity and respond within the timelines required by applicable law.

16) Enterprise or Processor Disclosures

When acting as a Processor for business customers, we process Personal Data only on documented instructions under the DPA; the customer is responsible for its end-user disclosures. We provide reasonable assistance with data subject requests, security incident notifications, and audits as set out in the DPA.

17) Changes to this Policy

We may update this Policy from time to time. Where required, we will provide reasonable prior notice before changes take effect. Your continued use of the Services after the effective date signifies acceptance of the updated Policy.

18) Contact Us

Questions or requests: legal@entromoonic.com

19) Cookie Statement

19.1 Overview

We use cookies and similar technologies on our websites for session management, preferences, performance, analytics, and fraud prevention. Mobile apps typically do not use browser cookies but may rely on equivalent local storage or SDK mechanisms.

19.2 Types and Purposes

  • Strictly necessary: session or login management, security and fraud prevention, and load balancing. Cannot be disabled.
  • Functional: remember preferences such as language or theme.
  • Performance or analytics: site usage and stability statistics (consent where required).
  • Marketing or advertising: only if we run ads or remarketing on our site; we obtain consent and provide opt-out where required by law.

19.3 Consent Management

In regulated regions we present a cookie banner or manager that lets you choose “accept all”, “strictly necessary only”, or “customize”. You can withdraw or adjust consent at any time via a “Cookie Settings” or “Privacy Preferences” link in the footer, and you can rely on GPC and browser settings where we are legally required to honor them.

19.4 Illustrative List and Retention

We may use first-party session cookies (for example, sessionid, session-scoped) and analytics cookies (for example, *_ga or equivalents with vendor-default lifetimes). Names, domains, and expirations vary by vendor or configuration; our Cookie Settings interface provides a live list.

19.5 How to Control

Manage choices via Cookie Settings or through your browser controls. Disabling non-essential cookies should not affect core functionality; disabling strictly necessary cookies may impair login or site stability.

19.6 Third-Party Cookies and SDKs

If third-party pixels or SDKs (for example, Firebase or Sentry) are integrated, their cookies or identifiers are governed by their policies and are disclosed here and within the Cookie Settings interface.

19.7 State Laws and ePrivacy

We obtain consent and provide opt-out or choice as required by U.S. state privacy laws (including CPRA, CPA, VCDPA, CTDPA, UCPA) and the EU or UK ePrivacy framework.

20) Appendix A - Service-Specific Notes

Pandefy’s filtering and local VPN primarily operate on-device, processing only what is necessary for rule matching. Where cloud rule updates, threat feeds, or lookups are enabled, we minimize and encrypt transfers and apply retention controls. Region or ISP-specific constraints are surfaced in-product.

21) State-Specific and Regional Disclosures

  • California (CPRA): we do not sell Personal Information. For any “sharing” or cross-context behavioral advertising, you may opt out via Cookie Settings or GPC. We offer rights to know or access, delete, correct, limit use of sensitive personal information, and opt out of targeted ads, and we provide an appeals process. Where required, we will publish annual metrics on privacy requests.
  • Virginia, Colorado, Connecticut, Utah: we provide rights of access, deletion, portability, and correction (where applicable), plus an appeals process, and disclosures of categories and purposes.
  • EU or UK: your GDPR or UK GDPR rights remain unaffected. Where required, we will appoint EEA or UK representatives and a Data Protection Officer and update this Policy accordingly.

21.1 Verification and Authorized Agents

We verify requests as required by law. Authorized agents must provide written authorization and sufficient information to verify the requestor’s identity; in some cases we may require the requestor to confirm the request directly.

22) Contact and Complaints

Privacy questions, rights requests, or complaints: legal@entromoonic.com. If you are dissatisfied with our response, you may contact your local regulator, such as an EEA supervisory authority, the UK Information Commissioner’s Office, or the California Attorney General or CPPA.