Privacy Policy
We do not store activity logs, we do not track visited websites, and we do not share data with third parties. ZloY VPN was built to protect your privacy — this is our core principle.
1. What data we collect
ZloY VPN collects the minimum set of data necessary for the service to function. We do not collect information about your internet activity, DNS requests, or traffic. Here is what is actually required:
| Data | Purpose | Storage |
|---|---|---|
| Account registration, authentication, password recovery | While account is active | |
| Password (hash) | Authentication. Stored as bcrypt hash, original is never saved | While account is active |
| Subscription plan | Determining available features and limits | While account is active |
| Subscription expiry | Controlling access validity period | While account is active |
| VLESS UUID key | Generating a unique connection key for the Xray server | While key is active |
| Device name | Easy identification of connected devices in the dashboard | While key is active |
- Browsing history — we cannot see which websites you visit
- DNS requests — DNS traffic is not logged or analyzed
- Traffic by site — total traffic is shown only to you in the dashboard for informational purposes
- IP addresses of visited resources — we do not know which servers you connect to through the VPN
- Session start and end times — sessions are not logged
- Traffic content — all transmitted and received content is inaccessible to us
2. Payment data
Subscription payment is processed through the Capitalist.net payment system using cryptocurrency (USDT, BTC, ETH, TON, LTC). We do not receive or store your crypto wallet, bank card, or payment account details directly. All payment processing happens on the payment provider's side.
Only the following payment data is stored in our database:
- Order number (orderId) — internal transaction identifier
- Amount and currency — to verify payment matches the selected plan
- Payment status (pending, paid, expired) — for automatic subscription activation
This data is needed exclusively for correct payment processing and resolving possible support inquiries.
3. How we use your data
Collected data is used strictly for the following purposes:
- Authentication — verifying credentials when logging into the dashboard and API
- Subscription management — controlling the active plan, expiry date, automatic extension upon payment
- Access key generation — creating unique VLESS keys for connecting to servers
- Payment processing — linking orders to accounts for subscription activation after payment
- Support communication — ability to restore account access via email
- Notifications — informing about subscription status, expiry warnings
We do NOT use your data for targeted advertising, behavioral analytics, selling to third parties, or any other purposes beyond those listed above.
4. Zero-Log policy
ZloY VPN maintains a strict no-logging policy (Zero-Log). This means:
Xray server level: Xray servers (VLESS + Reality) are not configured to log user traffic. Xray configuration has logging of connections, disconnections, and transmitted data disabled. Servers process traffic as a transit proxy without recording per-session statistics.
API server level: The Node.js API server only maintains technical logs of the application itself — errors, start/stop events, webhook requests from the payment system. These logs contain no information about user traffic.
Infrastructure level: We do not use analytics tools (Google Analytics, Yandex.Metrica, etc.) to track user behavior. The site does not set third-party analytics cookies.
In the event of an official request from government agencies or law enforcement of any jurisdiction, we will be physically unable to provide data about user activity because this data is not collected and not stored.
5. Third-party data sharing
We do NOT transfer, sell, or make your personal data available to third parties except in the following cases:
- Payment provider (Capitalist.net) — for payment processing. The payment system receives only data necessary for the transaction (amount, currency, order number)
- Legal requirement — if directly required by applicable law of the country of registration. In such case, we will provide only the minimum necessary data (email, registration and payment dates). Traffic data cannot be provided — it does not exist
6. Data storage and security
All data is stored on secured servers using the following security measures:
- PostgreSQL — relational database with user-level access control
- bcrypt — passwords are stored as cryptographic hashes with salt, reverse conversion is impossible
- JWT tokens — authentication via JSON Web Tokens with short lifetime (15 minutes) and refresh tokens
- HTTPS — all data exchange between your device and the server is encrypted via TLS protocol
- Helmet.js — HTTP header protection against common web attacks (XSS, clickjacking, MIME-sniffing)
- CSP — Content Security Policy restricts loading third-party scripts and resources
- Rate limiting — API request rate limiting to protect against brute force attacks
You can request deletion of your account and all associated data at any time by contacting support.
7. Cookies and local storage
The ZloY VPN website uses minimal storage technologies on your device:
- localStorage — stores JWT access and refresh tokens to maintain authentication between sessions. Also stores the selected interface language. This data never leaves your device and is used only for interacting with our API
- Third-party cookies — not used. We do not embed analytics scripts, ad networks, or third-party trackers
8. Your rights
You have the following rights regarding your data:
- Access — you can view all your account data in the dashboard (email, plan, expiry date, connected devices)
- Correction — you can update your email and password through the dashboard
- Deletion — you can request complete account and data deletion via support
- Export — you can request a copy of your data in a machine-readable format
- Withdraw consent — you can stop using the service and request data deletion at any time
9. VLESS + Reality protocol
ZloY VPN uses the VLESS protocol with Reality technology. This means:
- No protocol metadata — unlike traditional VPN protocols (OpenVPN, WireGuard), VLESS does not add identifying headers to traffic. Traffic appears as a regular HTTPS connection to a legitimate website
- Reality TLS — Reality technology uses a real TLS certificate of the target site. Even deep packet inspection (DPI) cannot distinguish VPN traffic from normal HTTPS
- No protocol-level encryption overhead — VLESS relies on transport-level TLS encryption (AES-256-GCM), providing the same level of protection as HTTPS
The technical architecture of the protocol additionally enhances your privacy compared to traditional VPN solutions.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you via a notification in the dashboard or by email. We recommend checking this page periodically for changes. The date of the last update is shown at the beginning of this document.
11. Contact
If you have questions about our privacy policy or wish to access, correct, or delete your data, contact us:
Email: support@pixel24x7.life
Website: vpn.pixel24x7.life
We aim to respond to all data-related inquiries within 48 hours.