1. Introduction
Serica LLC ("Serica," "we," "our," or "us") operates SericaVPN. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data.
We are committed to data minimization. We collect only what is necessary to provide the service, and we never sell your data to third parties.
The most important thing: we do not log your VPN traffic, browsing history, DNS queries, connection timestamps, IP addresses, or bandwidth usage. Our no-logs policy is the foundation of the service.
2. Data We Collect and Why
2.1 Account Data
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Email address | Account creation, login, support communications, renewal notices | Contract performance | Until account deletion + 30 days |
| Password (hashed) | Authentication. Stored as bcrypt hash, never in plaintext | Contract performance | Until account deletion |
| Account creation date | Subscription management, fraud prevention | Contract performance / Legitimate interests | Until account deletion + 30 days |
2.2 Payment Data
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Payment method (last 4 digits, card brand) | Displaying saved payment method in dashboard | Contract performance | Until removed by user or account deletion |
| Billing address | Tax compliance and fraud prevention | Legal obligation / Contract performance | 7 years (tax records) |
| Transaction records | Accounting, dispute resolution, legal compliance | Legal obligation | 7 years |
Note: We do not store full card numbers, CVVs, or bank account credentials. All payment processing is handled by our PCI-DSS compliant payment processor. We receive and store only tokenized references.
2.3 Subscription Data
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Plan name and price | Service delivery, billing | Contract performance | Duration of subscription + 7 years (billing records) |
| Subscription start/end dates | Access control, renewal processing | Contract performance | Duration of subscription + 30 days |
| Billing cycle | Renewal scheduling | Contract performance | Duration of subscription |
2.4 VPN Provisioning Data
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Number of active device slots used | Enforcing simultaneous connection limits | Contract performance | Real-time only. Not persisted after session ends |
| VPN configuration credentials (keys) | Authenticating VPN connections | Contract performance | Until revoked by user or account deletion |
| Server region selections | Displaying your active connections in the dashboard | Contract performance | Stored locally in your dashboard only; cleared when session ends |
What we do NOT log: source IP address, destination IP address, DNS queries, URLs visited, browsing history, session start/end times, session duration, bandwidth used, or any content of your traffic.
2.5 Authentication Sessions
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Session token (hashed) | Maintaining your logged-in state in the web dashboard | Contract performance | Until logout or 30-day inactivity expiry |
| Browser user-agent (for security) | Detecting session anomalies and suspicious access | Legitimate interests (security) | Duration of session |
2.6 Support Tickets
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Ticket content and correspondence | Resolving your support request | Contract performance / Legitimate interests | 2 years after ticket close |
| Attachments (e.g. screenshots) | Diagnosing technical issues | Contract performance | 2 years after ticket close |
| Email address (from ticket submission) | Sending replies | Contract performance | 2 years after ticket close |
2.7 Website Analytics
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Anonymized page views and navigation paths | Understanding how visitors use our marketing website to improve it | Legitimate interests (analytics are anonymized and self-hosted) | 13 months, then aggregated |
We use self-hosted Matomo with IP anonymization enabled. No data is sent to third-party analytics providers. You can opt out via our cookie settings or by enabling Do Not Track.
2.8 Security and Abuse Logs
| Data element | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Failed login attempts (rate-limited) | Preventing brute force attacks on accounts | Legitimate interests (security) | 72 hours, then automatically purged |
| Abuse reports received | Investigating and responding to reports of AUP violations | Legal obligation / Legitimate interests | 1 year |
3. Data We Never Collect
- VPN connection logs (source IP, destination IP, timestamps)
- DNS queries made through the VPN
- Websites or services accessed through the VPN
- Bandwidth consumed per session
- Your real IP address when connected to the VPN
- Device identifiers, hardware fingerprints, or MAC addresses
- Information from third-party data brokers
4. How We Share Your Data
We do not sell, rent, or trade your personal data. We share data only in these limited circumstances:
4.1 Service Providers
We engage carefully selected processors to operate the service:
- Payment processor: Processes payments; receives only what is necessary for transaction completion. Subject to PCI-DSS compliance.
- Email provider: Delivers transactional emails (receipts, password resets, support replies). Receives your email address and the content of the message.
- Cloud infrastructure: Hosts our servers. Providers do not have access to decrypted customer data.
All processors are bound by data processing agreements (DPAs) and may only use your data as directed by us.
4.2 Legal Obligations
We may disclose data if required to do so by valid legal process, such as a court order, subpoena, or similar instrument served in accordance with applicable law. Due to our no-logs architecture, we typically cannot provide information about VPN activity because we do not have it.
We will notify you of any legal request for your data unless prohibited by law (e.g., a gag order).
4.3 Business Transfers
If Serica LLC is acquired or merges with another entity, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy, and you will have the option to delete your account.
5. Data Security
We protect your data with industry-standard measures:
- All data in transit encrypted with TLS 1.3
- Passwords stored as bcrypt hashes (never in plaintext)
- VPN servers operate in RAM-only mode. No data written to disk
- Strict access controls: employees access customer data only when necessary for support
- Regular third-party security audits
- Automated vulnerability scanning and incident response procedures
No system is perfectly secure. In the event of a data breach that poses a risk to your rights, we will notify you and applicable regulators within 72 hours as required by GDPR Article 33.
6. International Data Transfers
Serica LLC is incorporated in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States.
We conduct such transfers in compliance with applicable law. Where required, we rely on the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) as the lawful transfer mechanism.
7. Your Rights
Depending on your location, you may have the following rights:
7.1 Rights Under GDPR (EEA Residents)
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention obligations
- Restriction: Ask us to pause processing in certain circumstances
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time
- Lodge a complaint: With your national supervisory authority
7.2 Rights Under CCPA (California Residents)
- Know what personal information we collect and how we use it
- Delete personal information (with limited exceptions)
- Opt out of the sale of personal information. We do not sell personal information
- Non-discrimination for exercising privacy rights
7.3 Exercising Your Rights
Submit requests to legal@sericavpn.com. We respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before fulfilling the request. There is no charge for reasonable requests.
8. Data Retention Summary
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. When you delete your account, all personal data is permanently erased within 30 days, except billing records which are retained for 7 years to meet tax and legal obligations.
9. Children's Privacy
Our service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last Updated" date. For significant changes, we may request renewed consent where legally required.
Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact and Data Controller
Data Controller:
Serica LLC
1209 Mountain Road PL NE, Suite H
Albuquerque, NM 87110, USA
Privacy inquiries: legal@sericavpn.com
We respond to all privacy inquiries within 72 business hours.