Privacy Policy

Last updated: May 24, 2026 · Effective date: May 24, 2026

This Privacy Policy explains what information ShadowLink Secure VPN ("ShadowLink", "we", "us") collects when you use the iOS app (the "App") and our related services (collectively, the "Service"), how we use that information, and the choices you have.

The short version. We collect the minimum required to operate an account-based VPN: your email, an internal user ID, basic connect/disconnect events, and crash & performance diagnostics. We do not sell your data, do not log your browsing history, and do not track you across other apps or websites.

1. Who we are

The Service is operated by the ShadowLink team. For any privacy question or request, contact us at AppleDev@uap.io.

2. How the VPN works

When you tap Connect, the App establishes an encrypted tunnel between your device and a ShadowLink server. While the tunnel is active, your device's internet traffic is routed through that server before reaching its destination. Traffic is encrypted on your device before it leaves it. When you tap Disconnect, traffic resumes flowing directly through your carrier or Wi-Fi network and the tunnel terminates.

3. Information we collect

3.1 Information you provide

Email address — required to create and sign in to your ShadowLink account, and to send one-time passwords (OTP) for password changes.

3.2 Information generated by your use of the Service

User ID — an internal identifier linking your device session to your account.
Product interaction — high-level connect/disconnect events, the server you selected, and basic session metadata (start time, duration, byte counts). We use this to operate the tunnel and detect abuse. We do not log the websites you visit, DNS queries, or the contents of your traffic.
Crash data — when the App crashes, a diagnostic report (stack trace, OS version, device model) is generated to help us fix the bug.
Performance data — connection setup time and throughput samples. These remain on your device unless you choose to submit a diagnostics report.

3.3 What we do NOT collect

Browsing history, search history, or DNS queries
The contents of your network traffic
Precise or coarse location
Contacts, photos, messages, or other user content
Health, financial, or biometric information
Advertising identifiers (IDFA) — the App does not request App Tracking Transparency because it does not track you

4. How we use information

Data	Purpose	Legal basis (GDPR)
Email	Account creation, sign-in, OTP, security notifications	Performance of contract
User ID	Identify your sessions to your account	Performance of contract
Product interaction	Operate the tunnel, prevent abuse	Legitimate interest
Crash data	Diagnose and fix bugs	Legitimate interest
Performance data	Improve connection quality	Legitimate interest

None of the data we collect is used for analytics profiling, personalization, or advertising.

5. Sharing

We do not sell, rent, or trade your information. We share data only with:

Infrastructure providers that host our servers and database, acting as data processors under contract and only to the extent needed to operate the Service.
Authorities, where we are compelled by a valid legal request. Because we do not log your browsing activity or traffic content, the data available in response to such requests is limited to account metadata.

6. Retention

Account data (email, user ID): retained for as long as your account is active. Deleted within 30 days after account deletion.
Session metadata (connect/disconnect events): retained for up to 30 days, then deleted or aggregated.
Crash reports: retained for up to 90 days.

7. Your rights

Depending on where you live (EEA, UK, California, and other jurisdictions), you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise any of these rights, or to delete your account, email AppleDev@uap.io from the address associated with your account. We respond within 30 days.

8. Children

The Service is not directed to children under 13 (or the equivalent minimum age in your country). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

9. International transfers

Our servers operate in multiple regions. When you connect, your traffic is routed through the region you select. Account data may be processed in regions outside your home country; where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.

10. Security

Traffic between your device and our servers is encrypted in transit. Passwords are stored hashed. Access to production systems is restricted to authorized personnel. No service is perfectly secure; if you suspect unauthorized access to your account, contact us immediately.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date above and, where appropriate, notified through the App or by email.

12. Contact

Privacy questions, data requests, or account deletion: AppleDev@uap.io.