Privacy Policy

1. Introduction and Data Controller

FlashProxy B.V. ("FlashProxy", "we", "us", "our") is the data controller responsible for your personal data. FlashProxy B.V. is registered in the Netherlands under Chamber of Commerce (KvK) number 93923198.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the FlashProxy website at flashproxy.io and our related services (collectively, the "Services"). It applies to all visitors, registered users, and customers of FlashProxy.

If you have any questions about this Privacy Policy or our data practices, you can contact us at contact@flashproxy.io.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and account credentials. Authentication is managed via Firebase Authentication.

2.2 Payment Information

Payment transactions are processed by our payment providers (Paddle and TheDex). We receive and store the following payment-related data:

• Transaction IDs
• Payment amounts
• Payment method type
• Partial card details (last four digits, card type, expiry)

We do not store full card numbers or CVVs.

2.3 Technical and Device Information

When you visit our website, we automatically collect the following technical information:

• IP address
• Browser type and version
• Browser rendering characteristics (a hash of display and graphics capabilities used to identify your device)
• Operating system
• Screen resolution
• Timezone and language settings

2.4 Session and Security Data

We use a persistent session cookie and related technologies to maintain session continuity and protect against payment fraud. This includes:

• A unique session identifier stored in a cookie
• Associations between session identifiers and account information
• Device characteristics linked to sessions

See Section 5 (Cookies and Similar Technologies) for full details.

2.5 Usage Data

We collect usage data including page views, feature usage within the dashboard, and service configuration data.

2.6 Identity Verification (KYC) Data

When identity verification is required, we collect the following:

• Full legal name
• Current residential address
• Photographs of a valid government-issued photo ID (front and back). Accepted documents include passports, national identity cards, and driver's licenses.
• A short selfie video of you holding your ID document next to your face

These documents are submitted via email to contact@flashproxy.io and transferred to secure, encrypted, access-restricted storage within Google Workspace. Documents are deleted from email systems after transfer to secure storage. Access to KYC documents is strictly limited to authorized FlashProxy personnel on a need-to-know basis.

3. How We Use Your Information

3.1 Service Delivery

• To provide, maintain, and improve our proxy services
• To process payments and manage your account

3.2 Security and Fraud Prevention

We use your data to detect and prevent payment fraud, chargeback abuse, and unauthorized account usage. We link technical identifiers (IP addresses, session cookies, device characteristics, payment identifiers) to build security profiles that help identify users who engage in payment fraud across multiple accounts. This processing is essential to protect our service and legitimate customers from financial fraud.

3.3 Communication

To send service-related notifications, support responses, and (with your consent) promotional materials.

3.4 Legal Compliance

To comply with applicable laws, respond to legal requests, and enforce our Terms of Service.

3.5 Identity Verification

We use KYC data solely to verify your identity for fraud prevention, to comply with account security requirements, and to respond to payment disputes. KYC data is not used for marketing, profiling, or any purpose unrelated to account verification and security.

4. Legal Basis for Processing

Under GDPR Article 6, we rely on the following legal bases for processing your personal data:

4.1 Contract Performance (Art. 6(1)(b))

Processing your account data, payment data, and usage data is necessary to deliver the services you purchased.

4.2 Legitimate Interest (Art. 6(1)(f))

We process technical identifiers, session data, and security data for fraud prevention. Our legitimate interest is protecting our business and customers from payment fraud.

We have conducted a balancing test and determined that:

1. We have a strong legitimate interest in preventing fraud;
2. The processing is necessary as there is no less intrusive way to detect cross-account chargeback patterns;
3. The impact on data subjects is proportionate — we collect limited technical identifiers, do not profile browsing behavior, apply bounded retention periods, and provide a support review process for affected users.

This assessment is consistent with GDPR Recital 47, which explicitly recognizes fraud prevention as a legitimate interest.

4.3 Consent (Art. 6(1)(a))

For promotional communications only. You may withdraw consent at any time.

4.4 Identity Verification (Art. 6(1)(a) and Art. 6(1)(f))

Processing of KYC data is based on:

• Consent (Art. 6(1)(a)): You explicitly consent to the processing of your identity documents by voluntarily submitting them for verification.
• Legitimate Interest (Art. 6(1)(f)): We have a legitimate interest in verifying the identity of users to prevent fraud, abuse, and unauthorized use of our services. This is consistent with GDPR Recital 47.

You may withdraw your consent at any time by contacting us. However, withdrawal of consent may result in the suspension or termination of your account if identity verification is required.

Special Category Data Notice: Selfie videos and photographs of identity documents may contain biometric-adjacent data. We do not use automated biometric processing — all verification is performed manually by authorized personnel. These documents are processed under Art. 9(2)(a) GDPR with your explicit consent.

5. Cookies and Similar Technologies

5.1 Session Cookie (__session)

We set a persistent first-party cookie called __session on your device. This cookie contains a unique identifier used to maintain your session and protect against payment fraud.

It is classified as a strictly necessary security cookie under Article 5(3) of the ePrivacy Directive and does not require consent. This cookie does not track your browsing activity across other websites.

• Duration: Persistent (long-lived)
• Purpose: Session continuity and fraud prevention

5.2 Local Storage

We store a backup of the session identifier in your browser's local storage under the key _s_persist to maintain session continuity if cookies are cleared. This serves the same strictly necessary security purpose as the session cookie.

5.3 No Advertising or Analytics Cookies

We do not use any advertising, marketing, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising.

6. Data Sharing and Third Parties

6.1 Payment Processors

Paddle (paddle.com) processes card payments. TheDex processes cryptocurrency payments. These providers receive payment details necessary to complete transactions and are subject to their own privacy policies.

6.2 Infrastructure Providers

Firebase (Google Cloud) provides authentication and data storage services. Server hosting providers support our proxy infrastructure. These providers process data on our behalf under data processing agreements.

6.3 No Sale of Data

We do not sell, rent, or trade your personal data to any third party for their own purposes.

6.4 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request.

7. Data Retention

7.1 Account Data

Retained for the duration of your account plus 2 years after account closure.

7.2 Transaction Data

Retained for 7 years as required by Dutch tax and commercial law.

7.3 Security Data

• Session associations and fraud prevention data are retained for 6 months from the last activity.
• Security flags associated with active fraud cases are retained until the case is resolved plus 2 years.
• Security event logs are retained for 2 years.

7.4 Communication Data

Support correspondence is retained for 2 years after resolution.

7.5 Identity Verification Data

KYC documents and associated identity data are retained for the duration of your active account plus 12 months after account closure or termination. After the retention period, all identity documents are permanently deleted from our systems.

You may request earlier deletion of KYC data by contacting us, subject to any legal obligations requiring us to retain certain records.

8. Your Rights

Under GDPR Chapter III, you have the following rights regarding your personal data:

• Right of Access (Art. 15) — You have the right to obtain confirmation of whether we process your personal data and to access that data.
• Right to Rectification (Art. 16) — You have the right to have inaccurate personal data corrected.
• Right to Erasure (Art. 17) — You have the right to request deletion of your personal data.
• Right to Restriction of Processing (Art. 18) — You have the right to request restriction of processing in certain circumstances.
• Right to Data Portability (Art. 20) — You have the right to receive your data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21) — You have the right to object to processing based on legitimate interests, including fraud prevention processing.

To exercise any of these rights, contact us at contact@flashproxy.io. We will respond within 30 days.

Note: Certain data may be exempt from erasure requests where retention is required by law or necessary for the establishment, exercise, or defence of legal claims (including fraud prevention).

9. International Data Transfers

Your data may be processed by service providers located outside the European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted data transmission (TLS), access controls, and secure infrastructure.

No method of electronic storage is 100% secure, and we cannot guarantee absolute security.

11. Children

Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify registered users of material changes via email. Continued use of our Services after changes constitutes acceptance.

13. Contact and Supervisory Authority

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at https://autoriteitpersoonsgegevens.nl.

14. Browser Extension

The FlashProxy Browser Extension does not collect, store, or transmit any personal data to external servers. Specifically:

• Proxy Credentials: Your proxy usernames, passwords, and server configurations are stored locally in your browser using Chrome's secure storage API. This data never leaves your device and is not transmitted to FlashProxy or any third party.
• IP Address Display: The extension fetches your current IP address from ipinfo.io solely to display your connection status within the extension interface. This information is used for display purposes only and is not stored or transmitted elsewhere.
• WebRTC Protection: The extension modifies browser WebRTC settings to prevent IP leaks. This is done locally and no data is collected.
• Website Content: The extension routes web traffic through your configured proxy servers. We do not intercept, read, store, or analyze any website content or browsing activity.

All data stored by the extension remains locally on your device within Chrome's secure storage. Uninstalling the extension will remove all locally stored data.