# Privacy Policy

**Effective date:** 2026-05-23

## 1. Who we are

Piligrim ("the Service", "we", "us") is operated by **Madfish Solutions Inc.** ("Operator"), a company incorporated in the **British Virgin Islands**, BVI Company Number **2069355**, registered office **Intershore Chambers, P.O. Box 4342, Road Town, Tortola, VG1110, British Virgin Islands**.

For privacy inquiries: **info@madfish.solutions**

## 2. Plain-language summary

Piligrim is a **free** VPN browser extension. To make it free, Piligrim shows some display ads on the websites you visit while the extension is installed. Watching those ads earns you free VPN traffic.

- We collect the **minimum data** required to operate the Service.
- We **never sell your personal data**.
- We **never see** the full URL, page content, query parameters, cookies, or form data of the sites you visit.
- You can stop everything by **uninstalling the extension**.

If you don't agree with this Policy, **do not install or use Piligrim**.

## 3. What we collect

### 3.1 Generated automatically by your device

| Data | What it is | Why we need it |
|---|---|---|
| **Install ID** | A random 32-character identifier generated locally on first install. Not linked to your name, email, or any other identity. | Tracks your free traffic quota and Step balance across sessions. |
| **ECDSA P-256 public key** | A cryptographic key pair generated locally; the **private** key never leaves your device. | We verify that ad-view reports come from your installation, not from a fraudulent script. Prevents abuse. |
| **Country code** (ISO-2) | Derived from your IP address via a third-party geolocation lookup (see §5). | Determines your reward tier — countries with higher advertising rates earn more Steps per ad view. |
| **Consent record** | Timestamp of when you accepted this Policy, the consent text version, and the IP address at that moment. | Lawful-basis proof under the BVI Data Protection Act 2021 (Schedule 1 principles), GDPR art. 7, and equivalent regimes. |

### 3.2 Generated by your activity while the VPN is active

| Data | What it is | Why we need it |
|---|---|---|
| **Domains visited** | The bare domain name (e.g. `example.com`) of pages you load while the VPN is on. **NOT** the full URL, query parameters, fragments, or page content. | Product analytics: which sites Piligrim works on, abuse detection, top-domain reporting. |
| **Ad impression events** | When an ad we showed becomes visible: network ID, domain, ad format, viewability metrics (visible time in milliseconds, viewport ratio). | Credits Steps to your balance. Detects fraudulent reports. |
| **Bandwidth used** | Number of bytes downloaded through our proxy. | Deducts from your free quota or Steps balance. |
| **Active-session heartbeat** | A periodic ping while the VPN is active, containing your install ID and country. | Counts active users; powers our public statistics. |

### 3.3 IP address handling

Your IP address is processed **only**:
- Once per 24 hours, sent to **ipapi.co** (a third-party service) to determine your country.
- At the moment you accept this Policy (stored with the consent record for legal proof).
- Implicitly, when our backend receives any request from you, your IP is in the TCP connection. We do not store this IP except for the consent record.

**We never store your full IP address attached to your activity logs or domain history.**

## 4. What we DO NOT collect

- Full URLs, query strings, URL fragments, or anchor positions of pages you visit
- Page content, text, images, or HTML
- Cookies, localStorage, or sessionStorage of websites
- Form input, passwords, or autofill data
- Browsing history outside Piligrim's active VPN sessions
- Your name, email, phone number, address, or any government identifier
- Browser fingerprint beyond what is publicly visible in HTTP headers
- Cross-site activity correlations

## 5. Third parties we share with

Piligrim relies on these processors. They each have their own privacy policies; we recommend reading them.

| Processor | Data shared | Purpose | Privacy policy |
|---|---|---|---|
| **Webshare.io Inc.** | Your TCP traffic while VPN is on (encrypted; they cannot read HTTPS bodies but see destination IPs and connection metadata). | Operating the proxy network. | https://www.webshare.io/privacy |
| **ipapi.co** (Kloudend Inc.) | Your real IP address, once per 24h. | Geolocation lookup. | https://ipapi.co/privacy |
| **Our hosting infrastructure** (Switzerland / Bern) | Anonymized analytics data; install IDs; ECDSA public keys; balances. | Operating the Piligrim API and ad server. | Same as this policy. |

**We DO NOT use**: Google Analytics, Facebook Pixel, advertising trackers, affiliate cookies, or any cross-site tracking technology.

## 6. The ads Piligrim shows

Piligrim shows display ads from advertising partners we contract directly with. These ads are served from our own infrastructure and **do not include third-party tracking pixels**. Each ad is shown in a sandboxed iframe that cannot read your browsing context.

We do not target ads based on your activity within Piligrim. Ads are selected by:
- The country of your IP (broad regional targeting)
- The format/size of the slot
- Random rotation among eligible campaigns

You will **never see** ads on the following categories of sites (Piligrim does not modify them):
- Premium news publishers we have hard-coded in our blocklist
- Domains belonging to ad networks themselves
- Domains that have opted out via our publisher opt-out registry

## 7. Data retention

| Data | Retention period |
|---|---|
| Install ID, public key, balance | Until you uninstall + 12 months of inactivity, then permanently deleted |
| Domain visit logs | 90 days, then aggregated and individual records deleted |
| Ad impression logs | 30 days |
| Bandwidth usage logs | 30 days |
| Consent record | For as long as you continue to use the Service, plus 12 months after uninstall (kept solely to prove the lawful basis for any past processing if challenged) |
| Application logs (errors, abuse) | 30 days |

After retention periods, data is deleted automatically.

## 8. BVI Data Protection Act 2021 — compliance statement

The Operator is established in the British Virgin Islands and is a "data controller" within the meaning of the **Data Protection Act, 2021** (No. 12 of 2021) of the British Virgin Islands ("BVI DPA"). We process personal data in accordance with the seven data-protection principles set out in Schedule 1 of the BVI DPA:

1. **Lawfulness, fairness and transparency** — see §9 below for our lawful bases.
2. **Purpose limitation** — data is collected only for the purposes set out in §3 and not further processed in any manner incompatible with those purposes.
3. **Data minimisation** — the schema in §3 is the **complete** set of fields we collect; nothing else.
4. **Accuracy** — you can request rectification per §10; given we hold no personal identifiers, accuracy is normally limited to country code and consent record.
5. **Storage limitation** — see §7 for retention periods.
6. **Integrity and confidentiality** — see §12 for our security measures.
7. **Accountability** — these obligations are demonstrable in code: the extension's source paths handling each data category are documented in our public architecture notes.

**Cross-border transfers under §28 of the BVI DPA**: data is transferred to processors in the EEA (Switzerland, where our ad server and API are hosted), the United States (Webshare.io, ipapi.co) and routed globally per your Sanctum selection. We rely on the adequacy of those jurisdictions where applicable and on Standard Contractual Clauses or equivalent contractual safeguards otherwise.

**Supervisory authority**: complaints concerning our processing may be lodged with the **Office of the Information Commissioner of the British Virgin Islands** (https://www.bvi.gov.vg/).

## 9. Your rights (BVI DPA / GDPR / UK GDPR / CCPA)

You have the right to:

- **Access** — request a copy of all data we hold about your install ID
- **Rectify** — correct inaccurate data (limited applicability since we have no personal data)
- **Erase** — request immediate deletion of all data tied to your install ID ("right to be forgotten")
- **Restrict processing** — pause certain processing
- **Data portability** — receive your data in machine-readable format (JSON)
- **Object** — to processing based on legitimate interest
- **Withdraw consent** — uninstall the extension; consent is withdrawn immediately

**How to exercise**: email **info@madfish.solutions** with your install ID (visible in the extension popup under "Settings → Diagnostic"). We respond within **30 days**.

**BVI residents**: you have the right to lodge a complaint with the Office of the Information Commissioner of the BVI.

**EEA residents**: you have the right to lodge a complaint with your national data protection authority.

**California (CCPA)**: you have the right to know and the right to delete. We do not "sell" personal information as defined by CCPA.

## 10. Legal basis for processing

- **Consent** (BVI DPA Sched. 1 Principle 1; GDPR Art. 6(1)(a)) — for showing display ads, recording domain visits for analytics. You give this explicitly via the in-extension consent screen; you can withdraw anytime by uninstalling.
- **Legitimate interests** (GDPR Art. 6(1)(f); equivalent BVI lawful-basis analysis) — for fraud prevention (ECDSA signing), security, and reliability of the Service. We balanced our interests against your privacy and concluded this is necessary minimum data.
- **Performance of a contract** (GDPR Art. 6(1)(b)) — to provide the free VPN you opted into.

## 11. Children

Piligrim is **not intended for users under 16 years of age**. If we learn we have inadvertently collected data from a user under 16, we will delete it. If you are a parent or guardian and believe your child has used Piligrim, contact **info@madfish.solutions**.

## 12. International data transfers

Our backend infrastructure is hosted primarily in **Switzerland (Bern)**. Webshare.io operates proxy servers globally per your Sanctum selection. ipapi.co is operated in the United States.

For transfers from the EEA we rely on the European Commission's **Standard Contractual Clauses (SCCs)** and, where applicable, the Swiss adequacy decision and additional safeguards reviewed under the Schrems II framework. For transfers from the BVI we comply with §28 of the BVI DPA.

## 13. Security

We use industry-standard practices:
- **TLS 1.3** for all data in transit between the extension and our servers
- **AES-256** encryption at rest for stored data
- **ECDSA P-256** signing prevents fake ad-impression reports
- Per-request rate limiting and dedup to block automated abuse
- The Piligrim extension does **not** require sensitive permissions like access to your bookmarks, history, or downloads

**No system is 100% secure.** Piligrim is free software provided "as is". If you require privacy protection adequate for high-stakes situations (journalism in authoritarian regimes, whistleblowing, evading state surveillance), please use a paid commercial VPN designed for that purpose.

## 14. Changes to this Policy

We may update this Policy. **Material changes** (new data categories, new third parties, retention extensions) will require renewed consent in the extension before continuing to use Piligrim.

Minor changes (clarifications, contact info updates) take effect on the "Effective date" above; we publish a 30-day changelog at **https://piligrim.surf/privacy/changelog**.

## 15. Contact

**Email**: info@madfish.solutions
**Postal**: Madfish Solutions Inc., Intershore Chambers, P.O. Box 4342, Road Town, Tortola, VG1110, British Virgin Islands
**BVI Company Number**: 2069355
