# Privacy Policy

**Effective date:** 2026-05-16

## 1. Who we are

Pilgrim ("the Service", "we", "us") is operated by **[YOUR TOV NAME]** ("Operator"), a limited liability company registered in Ukraine, ЄДРПОУ **[XXXXXXXX]**, registered office **[STREET, CITY, POSTAL CODE, UKRAINE]**.

For privacy inquiries: **privacy@pilgrim.app**

## 2. Plain-language summary

Pilgrim is a **free** VPN browser extension. To make it free, Pilgrim shows some display ads on the websites you visit while the extension is installed. Watching those ads earns you free VPN traffic.

- We collect the **minimum data** required to operate the Service.
- We **never sell your personal data**.
- We **never see** the full URL, page content, query parameters, cookies, or form data of the sites you visit.
- You can stop everything by **uninstalling the extension**.

If you don't agree with this Policy, **do not install or use Pilgrim**.

## 3. What we collect

### 3.1 Generated automatically by your device

| Data | What it is | Why we need it |
|---|---|---|
| **Install ID** | A random 32-character identifier generated locally on first install. Not linked to your name, email, or any other identity. | Tracks your free traffic quota and Step balance across sessions. |
| **ECDSA P-256 public key** | A cryptographic key pair generated locally; the **private** key never leaves your device. | We verify that ad-view reports come from your installation, not from a fraudulent script. Prevents abuse. |
| **Country code** (ISO-2) | Derived from your IP address via a third-party geolocation lookup (see §5). | Determines your reward tier — countries with higher advertising rates earn more Steps per ad view. |
| **Consent record** | Timestamp of when you accepted this Policy, the consent text version, and the IP address at that moment. | Legal compliance proof (GDPR Art. 7; Law of Ukraine "Про захист персональних даних", Art. 6). |

### 3.2 Generated by your activity while the VPN is active

| Data | What it is | Why we need it |
|---|---|---|
| **Domains visited** | The bare domain name (e.g. `example.com`) of pages you load while the VPN is on. **NOT** the full URL, query parameters, fragments, or page content. | Product analytics: which sites Pilgrim works on, abuse detection, top-domain reporting. |
| **Ad impression events** | When an ad we showed becomes visible: network ID, domain, ad format, viewability metrics (visible time in milliseconds, viewport ratio). | Credits Steps to your balance. Detects fraudulent reports. |
| **Bandwidth used** | Number of bytes downloaded through our proxy. | Deducts from your free quota or Steps balance. |
| **Active-session heartbeat** | A periodic ping while the VPN is active, containing your install ID and country. | Counts active users; powers our public statistics. |

### 3.3 IP address handling

Your IP address is processed **only**:
- Once per 24 hours, sent to **ipapi.co** (a third-party service) to determine your country.
- At the moment you accept this Policy (stored with the consent record for legal proof).
- Implicitly, whenever our backend receives a request from you: your IP address is the source address of that TCP connection. We do not store it, except as part of the consent record.

**We never store your full IP address attached to your activity logs or domain history.**

## 4. What we DO NOT collect

- Full URLs, query strings, URL fragments, or anchor positions of pages you visit
- Page content, text, images, or HTML
- Cookies, localStorage, or sessionStorage of websites
- Form input, passwords, or autofill data
- Browsing history outside Pilgrim's active VPN sessions
- Your name, email, phone number, address, or any government identifier
- Browser fingerprint beyond what is publicly visible in HTTP headers
- Cross-site activity correlations

## 5. Third parties we share with

Pilgrim relies on these processors. They each have their own privacy policies; we recommend reading them.

| Processor | Data shared | Purpose | Privacy policy |
|---|---|---|---|
| **Webshare.io Inc.** | Your TCP traffic while the VPN is on (encrypted; they cannot read HTTPS bodies, but they do see destination IPs and connection metadata). | Operating the proxy network. | https://www.webshare.io/privacy |
| **ipapi.co** (Kloudend Inc.) | Your real IP address, once per 24h. | Geolocation lookup. | https://ipapi.co/privacy |
| **Our hosting infrastructure** | Anonymized analytics data; install IDs; ECDSA public keys; balances. | Operating the Pilgrim API. | Same as this policy. |

**We DO NOT use**: Google Analytics, Facebook Pixel, advertising trackers, affiliate cookies, or any cross-site tracking technology.

## 6. The ads Pilgrim shows

Pilgrim shows display ads from advertising partners we contract directly with. These ads are served from our own infrastructure and **do not include third-party tracking pixels**. Each ad is shown in a sandboxed iframe that cannot read your browsing context.

We do not target ads based on your activity within Pilgrim. Ads are selected by:
- The country of your IP (broad regional targeting)
- The format/size of the slot
- Random rotation among eligible campaigns

You will **never see** ads on the following categories of sites (Pilgrim does not modify them):
- Premium news publishers we have hard-coded in our blocklist
- Domains belonging to ad networks themselves
- Domains that have opted out via our publisher opt-out registry

## 7. Data retention

| Data | Retention period |
|---|---|
| Install ID, public key, balance | Until you uninstall + 12 months of inactivity, then permanently deleted |
| Domain visit logs | 90 days, then aggregated and individual records deleted |
| Ad impression logs | 30 days |
| Bandwidth usage logs | 30 days |
| Consent record | 7 years from acceptance (legal retention requirement under Ukrainian and EU consumer protection law) |
| Application logs (errors, abuse) | 30 days |

After retention periods, data is deleted automatically.

## 8. Your rights (GDPR / UK GDPR / CCPA / Ukrainian Law)

You have the right to:

- **Access** — request a copy of all data we hold about your install ID
- **Rectify** — correct inaccurate data (limited applicability since we have no personal data)
- **Erase** — request immediate deletion of all data tied to your install ID ("right to be forgotten")
- **Restrict processing** — pause certain processing
- **Data portability** — receive your data in machine-readable format (JSON)
- **Object** — to processing based on legitimate interest
- **Withdraw consent** — uninstall the extension; consent is withdrawn immediately

**How to exercise**: email **privacy@pilgrim.app** with your install ID (visible in the extension popup under "Settings → Diagnostic"). We respond within **30 days**.

**EEA residents**: you have the right to lodge a complaint with your national data protection authority.

**California (CCPA)**: you have the right to know and the right to delete. We do not "sell" personal information as defined by CCPA.

**Ukraine**: you have rights under the Law of Ukraine "Про захист персональних даних" № 2297-VI.

## 9. Legal basis for processing (GDPR Article 6)

- **Consent** (Art. 6(1)(a)) — for showing display ads and recording domain visits for analytics. You give this explicitly via the in-extension consent screen; you can withdraw it at any time by uninstalling.
- **Legitimate interests** (Art. 6(1)(f)) — for fraud prevention (ECDSA signing), security, and reliability of the Service. We balanced our interests against your privacy and concluded that this is the minimum data necessary.
- **Performance of a contract** (Art. 6(1)(b)) — to provide the free VPN you opted into.

## 10. Children

Pilgrim is **not intended for users under 16 years of age**. If we learn we have inadvertently collected data from a user under 16, we will delete it. If you are a parent or guardian and believe your child has used Pilgrim, contact **privacy@pilgrim.app**.

## 11. International data transfers

Our backend infrastructure may be located in the **European Union, the United Kingdom, or the United States**. Webshare.io operates proxy servers globally per your Sanctum selection.

For transfers outside the EEA, we rely on the European Commission's **Standard Contractual Clauses (SCCs)** and, where applicable, additional safeguards reviewed under the Schrems II framework.

## 12. Security

We use industry-standard practices:
- **TLS 1.3** for all data in transit between the extension and our servers
- **AES-256** encryption at rest for stored data
- **ECDSA P-256** signing prevents fake ad-impression reports
- Per-request rate limiting and de-duplication to block automated abuse
- The Pilgrim extension does **not** require sensitive permissions like access to your bookmarks, history, or downloads

**No system is 100% secure.** Pilgrim is free software provided "as is". If you require privacy protection adequate for high-stakes situations (journalism in authoritarian regimes, whistleblowing, evading state surveillance), please use a paid commercial VPN designed for that purpose.

## 13. Changes to this Policy

We may update this Policy. **Material changes** (new data categories, new third parties, retention extensions) will require renewed consent in the extension before continuing to use Pilgrim.

Minor changes (clarifications, contact info updates) take effect on the "Effective date" above; we publish a 30-day changelog at **https://pilgrim.app/privacy/changelog**.

## 14. Contact

**Email**: privacy@pilgrim.app
**Postal**: [YOUR TOV NAME], [ADDRESS], Ukraine
**ЄДРПОУ**: [XXXXXXXX]

For EEA residents, our representative under GDPR Article 27 is **[TO BE DESIGNATED]** at **eu-rep@pilgrim.app** (pending appointment as we onboard EEA users).
