Privacy Policy

We do not log your VPN activity. Specifically, we do NOT collect, store, or monitor: • Websites you visit or URLs you access • DNS queries made through our VPN tunnel • Content of your internet traffic • Your originating IP address when connected to VPN • Connection timestamps tied to your identity • Browsing history, search queries, or downloads Our VPN servers are configured to process traffic in real-time without writing activity logs to disk. When you disconnect, no record of your online activity remains on our servers.

We collect the minimum information necessary to provide and improve our service: Account Information • Email address: Used for account creation, authentication, and essential service communications. • User ID: A unique identifier assigned to your account for session management and service delivery. Device Information • Hashed Device ID: A one-way hashed identifier used solely for fraud prevention and enforcing simultaneous device limits per your subscription plan. We cannot reverse this hash to identify your physical device. Subscription & Payment Data • Purchase history: Managed entirely through Google Play Billing. We receive transaction confirmations from Google Play to activate your subscription. We do not process or store your payment card details, bank information, or other financial credentials. Usage Data (Non-Browsing) • Bandwidth consumption: Aggregate data transferred (upload + download bytes) per billing cycle for quota enforcement. This data is not linked to specific websites or services you access. • Connection events: Connect/disconnect timestamps and selected server region for service reliability monitoring. These are not linked to your browsing activity. • Session metadata: Active session count for enforcing your plan's simultaneous device limit. Analytics & Diagnostics • App interactions: Screen views, feature usage patterns, and UI interactions collected via Firebase Analytics to improve the user experience. This data is anonymized and aggregated. • Crash logs: Automatic crash reports collected via Firebase Crashlytics, including device model, OS version, and stack traces. • App performance data: App startup time, network latency metrics, and connection success rates for service optimization.

To be explicitly clear, we never collect: • Your browsing history or search queries • The content of your communications (emails, messages, etc.) • Your real IP address in connection with your online activities • DNS requests made while connected to our VPN • Any data that could be used to identify what you do online while using X2VPN

We use your information for the following purposes: • Account management & authentication — Email, User ID (Contract performance) • Subscription delivery — Purchase history, User ID (Contract performance) • Bandwidth quota enforcement — Aggregate bandwidth data (Contract performance) • Device limit enforcement — Hashed Device ID, Session count (Contract performance) • Fraud prevention — Hashed Device ID (Legitimate interest) • App improvement & analytics — App interactions, Performance data (Legitimate interest) • Crash resolution & stability — Crash logs (Legitimate interest) • Optional reward ads — Ad interaction data via AdMob (Consent)

We implement industry-standard security measures to protect your data: • Encryption in Transit: All communications between the App and our servers use TLS 1.3 with certificate pinning (leaf + intermediate CA), preventing man-in-the-middle attacks. • Encryption at Rest: Sensitive data stored on your device (authentication tokens, session data) is encrypted using AES-256-GCM via Android's EncryptedSharedPreferences. • Server Security: Our relay servers are hardened and configured to process VPN traffic without persistent logging. • Access Controls: Access to user account data is restricted to authorized systems only and protected by authentication mechanisms.

X2VPN integrates the following third-party services, each governed by their own privacy policies: Firebase Analytics (Google) Purpose: Anonymous app usage analytics to improve features and user experience. Data shared: Anonymized app interaction events, device type, OS version. Privacy Policy: https://firebase.google.com/support/privacy Firebase Crashlytics (Google) Purpose: Crash reporting and app stability monitoring. Data shared: Crash stack traces, device model, OS version, app version. Privacy Policy: https://firebase.google.com/support/privacy Google AdMob Purpose: Optional reward advertisements that grant bonus bandwidth to free-tier users. Data shared: Advertising ID (only when user opts to watch reward ads), device info for ad targeting. Privacy Policy: https://policies.google.com/privacy User control: Reward ads are entirely optional. You are never required to view ads. Google Play Billing Purpose: Secure subscription purchase processing. Data shared: Purchase tokens and transaction receipts for subscription verification. Privacy Policy: https://policies.google.com/privacy Note: All payment processing is handled by Google Play. We never receive your payment card or bank details.

• Account data: Retained while your account is active. Deleted upon account deletion request. • Session data: Automatically purged after 30 days of inactivity. • Analytics data: Retained in anonymized, aggregated form for up to 14 months (Firebase default). • Crash logs: Retained for up to 90 days for debugging purposes. • Bandwidth usage: Reset each billing cycle. Historical aggregate totals retained for billing purposes.

You have the following rights regarding your data: • Access: Request a copy of the personal data we hold about you. • Deletion: Request deletion of your account and all associated data via the App's account settings. • Correction: Update your account information through the App. • Opt-out of analytics: Disable analytics data collection in the App's settings. • Ad preferences: Choose not to view reward advertisements. To exercise any of these rights, contact us at [email protected]. For EU/EEA Users (GDPR) If you are located in the European Union or European Economic Area, you also have the right to: • Lodge a complaint with your local data protection authority. • Object to processing based on legitimate interests. • Request data portability in a machine-readable format. For California Users (CCPA) If you are a California resident, you have the right to: • Know what personal information we collect and how it is used. • Request deletion of your personal information. • Opt out of the sale of personal information. We do not sell your personal information.

X2VPN is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18. If we discover that a child under 18 has provided us with personal information, we will promptly delete it.

We may update this Privacy Policy from time to time. We will notify you of any material changes by: • Posting the updated policy in the App. • Updating the "Last Updated" date at the top of this document. We encourage you to review this policy periodically.

If you have any questions or concerns about this Privacy Policy, please contact us: Email: [email protected] Website: https://x2vpn.com This Privacy Policy is effective as of February 22, 2026.