PrivateByRight VPN — operated by Javna Limited
Effective Date: 9 April 2026 Last Updated: 9 April 2026
1.1. This Privacy Policy ("Policy") explains how Javna Limited, a company incorporated in England and Wales under company registration number 16142888, with its registered office at 46 Gainsborough Avenue, Tilbury, RM18 8LR, United Kingdom ("Javna", "we", "us", or "our"), trading as PrivateByRight VPN, collects, uses, shares, and protects your personal data when you use our Service.
1.2. This Policy applies to all interactions with us, including through:
(collectively, the "Service")
1.3. We are the data controller responsible for your personal data under the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation ("EU GDPR").
1.4. Our core commitment: We are a privacy-first VPN provider. We do not log your browsing activity, DNS queries, traffic data, connection timestamps, originating IP addresses, or bandwidth usage. This Policy is designed to be transparent about what minimal data we do collect and why.
2.1. For all data protection enquiries, requests, or complaints, you may contact us at:
Javna Limited (trading as PrivateByRight VPN) Email: support@privatebyright.com Support Centre: https://support.privatebyright.com Postal Address: 46 Gainsborough Avenue, Tilbury, RM18 8LR, United Kingdom
2.2. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
3.1. We do not collect, store, log, or process any of the following data at any time:
Data TypeCollected?Browsing history or visited URLsNoDNS queriesNoTraffic data or content of communicationsNoConnection timestamps or session durationsNoYour originating (source) IP address when connected to the VPNNoAssigned VPN IP address linked to your identityNoBandwidth usage or data transfer volumes per userNoFiles downloaded or uploadedNo
3.2. Our VPN servers operate on a RAM-only architecture wherever technically feasible, meaning data is automatically erased when a server is powered down or restarted. This infrastructure is designed to ensure that even in the event of physical server seizure, no user activity data can be extracted.
3.3. Our no-logs policy is subject to independent third-party security audit. When completed, audit results and the auditor's findings will be published in our Transparency Reports at www.privatebyright.com/transparency-hub.
3.4. We maintain a warrant canary as part of our Transparency Reports to communicate whether we have or have not received certain types of government requests.
We collect a limited set of data necessary to provide, maintain, and improve the Service. Below is a comprehensive description of all data categories we collect:
DataPurposeLegal BasisEmail addressAccount creation, authentication, service communications, billing notificationsPerformance of contract (Art. 6(1)(b) UK GDPR)Hashed passwordAccount authenticationPerformance of contractAccount creation dateAccount administrationPerformance of contractSubscription plan and statusService provisioning and entitlement managementPerformance of contract
DataPurposeLegal BasisPayment method type (e.g., card brand, last 4 digits)Billing administration, fraud preventionPerformance of contract; legitimate interestBilling history and invoice recordsAccounting, tax compliance, dispute resolutionPerformance of contract; legal obligation (Art. 6(1)(c))Country of billing addressTax calculation, regulatory complianceLegal obligation
Important: Full payment card details (card number, CVV, expiration date) are never stored on our servers. All payment processing is handled by Stripe, Inc., our PCI DSS-compliant payment processor. Stripe's handling of your payment data is governed by the Stripe Privacy Policy.
DataPurposeLegal BasisSupport tickets and correspondenceProviding customer support, resolving issuesPerformance of contract; legitimate interestEmail address used for support enquiriesResponding to your requestsPerformance of contract
DataPurposeLegal BasisAggregate server load statistics (non-identifiable)Infrastructure capacity planning and optimisationLegitimate interest (Art. 6(1)(f))Anonymous crash reports (opt-in only)Application stability and bug resolutionConsent (Art. 6(1)(a))Application version and operating system typeCompatibility support and update deliveryLegitimate interest
This diagnostic data is never linked to your account, email address, IP address, or any other personally identifiable information. Where crash reports are collected, they are only sent with your explicit opt-in consent and can be disabled at any time within the Application settings.
DataPurposeLegal BasisPage views, referral source, session duration (aggregated)Website performance analysis and improvementConsent (via cookie consent banner)Device type, browser type, screen resolution (aggregated)Website optimisationConsent (via cookie consent banner)
All website analytics are processed in accordance with Section 8 (Cookies and Tracking Technologies) below. Analytics data is collected only after you provide consent through our cookie consent banner and is processed in aggregate form.
5.1. We use the data described in Section 4 for the following purposes only:
5.2. We do not use your data for:
6.1. Under the UK GDPR and EU GDPR, we rely on the following legal bases for processing your personal data:
Legal BasisApplicationPerformance of a contract (Art. 6(1)(b))Processing necessary to provide the Service you have subscribed to, manage your account, and fulfil our contractual obligationsLegal obligation (Art. 6(1)(c))Processing required to comply with tax, accounting, and regulatory obligations under UK lawLegitimate interests (Art. 6(1)(f))Processing necessary for our legitimate interests in operating, securing, and improving the Service, provided these interests are not overridden by your rights. Our legitimate interests include: fraud prevention, service security, infrastructure optimisation, and responding to support enquiriesConsent (Art. 6(1)(a))Where you have given explicit consent, such as opting in to crash reports or accepting analytics cookies. You may withdraw consent at any time (see Section 10)
7.1. We do not sell, rent, trade, or otherwise commercially share your personal data with any third party.
7.2. We may share limited personal data with the following categories of recipients, solely for the purposes described in this Policy:
ProviderPurposeData SharedStripe, Inc.Payment processingPayment method details, billing address country, transaction amountsInfrastructure providers (hosting, CDN)Service delivery and website hostingAggregate technical data only; no personally identifiable user activity dataEmail service providerTransactional email delivery (account confirmations, billing receipts, security alerts)Email address, name (if provided)
All service providers are bound by data processing agreements that require them to process data only on our instructions, implement appropriate security measures, and not use the data for their own purposes.
7.3. We may disclose personal data if we are required to do so by law, regulation, legal process, or enforceable governmental request, including:
7.4. In the context of our no-logs policy, we are technically unable to provide any browsing activity, traffic data, DNS queries, connection timestamps, or IP address data in response to any legal request, because we do not collect or store such data. Any legal requests we receive and our responses are documented in our Transparency Reports.
7.5. In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any changes to this Policy that may result.
Cookies are small text files placed on your device when you visit a website. They serve various purposes including remembering your preferences, analysing website usage, and enabling certain functionalities.
We categorise cookies on our websites as follows:
CategoryPurposeConsent Required?Strictly NecessaryEssential for website functionality, security, and access to secure areas (e.g., session authentication, CSRF protection, cookie consent preferences)No (exempt under UK PECR)AnalyticsHelp us understand how visitors interact with our websites by collecting aggregated, pseudonymised data (e.g., pages visited, time on site, referral source)YesFunctionalRemember your preferences and settings (e.g., language, region, theme) to provide a more personalised experienceYes
8.4. When you first visit our websites, a cookie consent banner will be displayed allowing you to accept or reject non-essential cookies. You may change your preferences at any time through the cookie settings accessible in the footer of our websites or by clearing your browser cookies.
8.5. We do not use any third-party advertising, retargeting, or cross-site tracking cookies.
We respect the Do Not Track (DNT) browser setting. When DNT is enabled, we will not load non-essential analytics cookies regardless of your prior consent.
9.1. Javna Limited is based in the United Kingdom. Our VPN server infrastructure spans 60+ countries worldwide, including countries outside the UK and European Economic Area (EEA).
9.2. VPN traffic data is not transferred internationally because we do not collect, log, or store any VPN traffic data, browsing activity, or connection metadata (see Section 3).
9.3. Your account data and billing data may be processed in the following regions:
9.4. Where personal data is transferred outside the UK or EEA, we ensure that appropriate safeguards are in place in accordance with Articles 46 of the UK GDPR and EU GDPR, including:
9.5. You may request a copy of the safeguards we rely on for international transfers by contacting us at support@privatebyright.com.
10.1. Under the UK GDPR (and, where applicable, the EU GDPR), you have the following rights with respect to your personal data:
RightDescriptionRight of Access (Art. 15)Request a copy of the personal data we hold about youRight to Rectification (Art. 16)Request correction of inaccurate or incomplete personal dataRight to Erasure (Art. 17)Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirementsRight to Restriction (Art. 18)Request that we restrict processing of your personal data in certain circumstancesRight to Data Portability (Art. 20)Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controllerRight to Object (Art. 21)Object to processing of your personal data based on legitimate interestsRight to Withdraw Consent (Art. 7(3))Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawalRight Not to be Subject to Automated Decision-Making (Art. 22)Not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not engage in automated individual decision-making.
10.2. How to Exercise Your Rights. To exercise any of your rights, please contact us at:
10.3. We will respond to your request within one (1) month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.
10.4. We may request verification of your identity before processing your request to prevent unauthorised access to your data.
10.5. Exercising your rights is free of charge, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, providing reasons for our decision.
11.1. We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, as described in this Policy, and as required by applicable law.
Data CategoryRetention PeriodBasisAccount data (email, hashed password)Duration of account + 30 days after account deletion requestService provision; reasonable account recovery windowPayment and billing records7 years from the date of the transactionUK tax and accounting obligations (Companies Act 2006, HMRC requirements)Support correspondence2 years from resolution of the support enquiry, or duration of account, whichever is longerLegitimate interest in quality assurance and dispute resolutionAnonymous crash reports90 daysApplication improvementAggregated analytics data26 months from collection (or shorter if configured)Website improvementCookie consent preferences12 months from the date of consent (then re-prompted)PECR compliance
11.2. Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymised.
11.3. VPN activity data is not retained because it is never collected in the first place.
12.1. We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:
12.2. While we implement industry-standard security measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.
13.1. The Service is not directed at children under the age of sixteen (16). We do not knowingly collect personal data from children under 16.
13.2. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data as soon as reasonably practicable.
13.3. If you believe that a child under 16 has provided us with personal data, please contact us immediately at support@privatebyright.com.
14.1. Our Service and websites may contain links to third-party websites, applications, or services that are not operated or controlled by Javna. This Privacy Policy does not apply to any third-party services.
14.2. We are not responsible for the privacy practices or content of third-party services. We encourage you to review the privacy policies of any third-party service before providing them with your personal data.
14.3. The inclusion of a link to a third-party service does not imply endorsement by Javna.
15.1. We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.
15.2. Material changes will be communicated to you via email to the address associated with your account and/or by prominent notice within the Service at least thirty (30) days before they take effect.
15.3. Non-material changes (such as formatting, clarifications, or typographical corrections) may be made without advance notice and will be reflected by an updated "Last Updated" date at the top of this Policy.
15.4. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should discontinue use of the Service and delete your account.
15.5. Previous versions of this Privacy Policy are available upon request by contacting support@privatebyright.com.
Javna Limited is registered with the Information Commissioner's Office (ICO) as a data controller. Our processing of personal data is carried out in accordance with the UK GDPR and the Data Protection Act 2018.
If you are located in the European Economic Area, the EU GDPR applies to our processing of your personal data. Your rights under the EU GDPR are described in Section 10 of this Policy.
Our use of cookies and similar technologies complies with the Privacy and Electronic Communications Regulations 2003 (PECR), as described in Section 8 of this Policy.
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Specifically:
To exercise your CCPA/CPRA rights, please contact us at support@privatebyright.com.
We endeavour to comply with applicable data protection laws in all jurisdictions where we operate. If you have questions about your rights under the laws of your jurisdiction, please contact us at support@privatebyright.com.
17.1. Where required by the UK GDPR (Article 35), we conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals.
17.2. DPIAs are conducted prior to the introduction of new data processing activities and are reviewed periodically.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
Javna Limited (trading as PrivateByRight VPN) Company Registration Number: 16142888 Registered Address: 46 Gainsborough Avenue, Tilbury, RM18 8LR, United Kingdom
Email: support@privatebyright.com Support Centre: https://support.privatebyright.com Website: https://www.privatebyright.com
Supervisory Authority: Information Commissioner's Office (ICO) Website: https://ico.org.uk Telephone: 0303 123 1113
By using PrivateByRight VPN, you acknowledge that you have read and understood this Privacy Policy.