Vylos -- Privacy Policy Addendum
Effective Date: April 10, 2026
This Privacy Policy Addendum ("Addendum") supplements the CBN Ventures Privacy Policy available at cbnventures.io/privacy (the "General Policy"). This Addendum applies specifically to the Vylos application ("App"). Where this Addendum is silent, the General Policy governs.
By downloading, installing, or using Vylos, you agree to both the General Policy and this Addendum.
1. Overview
Vylos does not collect, transmit, or store personal information on any server. All data created or imported within the App remains on your device. The App does not maintain user accounts, does not communicate with CBN Ventures servers, and does not include analytics, telemetry, or crash reporting of any kind.
Vylos does not operate VPN servers. The App configures your device's built-in VPN capabilities using the WireGuard protocol. CBN Ventures has no visibility into your VPN traffic, browsing activity, or network connections.
2. Data Stored on Your Device
The following data is stored locally on your device and is never transmitted to CBN Ventures or any third party:
| Category | What Is Stored | Where | Purpose |
|---|---|---|---|
| VPN configurations | Private keys, server addresses, peer settings | iOS Keychain | Establish VPN connections |
| Vylos settings | Split DNS rules, on-demand activation rules | iOS Keychain | Extended tunnel configuration |
| App preferences | Language, appearance, icon theme, protection method | On-device app preferences | Personalize the App |
| Bandwidth statistics | Per-tunnel received and transmitted byte counts with timestamps | On-device shared app storage | Display usage charts in the App |
| Application logs | Timestamped operational event logs | On-device shared app storage | On-device troubleshooting |
| TOTP secret | Base32-encoded authentication key | iOS Keychain (this device only) | App protection via authenticator app |
| Notification preferences | Per-event on/off flags | On-device shared app preferences | Control local notification delivery |
3. Data Not Collected
Vylos does not collect any of the following:
- Browsing history or website visits
- DNS queries or resolutions
- VPN traffic content or metadata
- IP addresses (yours or your VPN server's)
- Device identifiers, advertising IDs, or hardware fingerprints
- Location data (beyond the momentary WiFi network name used during on-demand rule setup, which is not stored or transmitted)
- Personal information such as names, email addresses, or phone numbers
- Usage analytics, session data, or behavioral patterns
4. Device Permissions
The App may request the following device permissions. Each is used for a single, specific purpose:
Camera -- Requested only when you choose to import a tunnel configuration via QR code. The camera feed is used to read the QR code content. No images or video are captured, stored, or transmitted.
Location -- Requested only when you set up an on-demand activation rule that references a specific WiFi network. The App reads the current WiFi network name (SSID) to assist with configuration. The network name is not stored beyond the on-demand rule you create, and is never transmitted.
Face ID / Touch ID -- When app protection is enabled using system authentication, the App uses Apple's LocalAuthentication framework to verify your identity. The App receives only a success or failure result. No biometric data -- including fingerprints, facial geometry, or iris scans -- is collected, accessed, processed, or stored by the App. All biometric processing occurs within the device's Secure Enclave, managed entirely by Apple's operating system.
Notifications -- The App uses local notifications only to inform you of VPN state changes (such as connection failures or network changes). No remote push notification services are used. Notification content is generated on your device and is not transmitted anywhere.
5. Third-Party Services and SDKs
Vylos uses only Apple-provided system frameworks and the open-source WireGuardKit library (licensed under MIT).
The App does not integrate any third-party analytics, advertising, tracking, or data collection SDKs. The App does not sell, share, rent, or disclose any data to third parties for any purpose.
6. Data Import and Export
You may import VPN configurations into the App using .conf files (WireGuard standard), .vylos files (Vylos format with extended settings), .zip archives containing any combination of these formats, or QR codes.
You may export tunnel configurations as .zip archives and application logs as text files. All import and export operations occur locally on your device. When you use the system share sheet to send exported data, the destination is determined by your choice -- CBN Ventures does not receive or intercept exported data.
7. MDM and Managed Configuration
Organizations that deploy Vylos through Mobile Device Management (MDM) may apply restriction keys to control feature availability within the App. These keys affect whether users can create manual tunnels, access settings, or use the App on jailbroken devices.
MDM restriction keys are read-only inputs to the App. No data is sent from the App to the MDM server or the deploying organization. The App does not report device status, usage patterns, or configuration details back to any MDM system.
8. Data Retention and Deletion
| Data | Retention Period | How to Delete |
|---|---|---|
| Tunnel configurations | Until you delete them | Delete individual tunnels within the App |
| Bandwidth statistics | 30 days | Automatically rotated; also removed when the associated tunnel is deleted |
| Application logs | Rotating (current file and one previous file) | Automatically rotated; exportable from Settings |
| TOTP secret | Until you reset it | Reset app protection in Settings |
| App preferences | Indefinite | Uninstall the App |
Uninstalling Vylos removes all data stored by the App, including Keychain entries, on-device preferences, shared app storage files, and cached data. Since no data is stored on any server, uninstallation results in complete data removal.
9. Children's Privacy
Vylos does not knowingly collect personal information from children under the age of 13, as defined by the Children's Online Privacy Protection Act (COPPA), or from users under the age of 18, as defined by the New York Child Data Protection Act.
Since the App does not collect personal information from any user regardless of age, no age verification or parental consent mechanism is required. If you believe a child has provided personal information through the App, please contact CBN Ventures using the contact information in the General Policy. Upon verification, any such information will be promptly deleted.
10. International Users
Vylos is available worldwide through the Apple App Store. Regardless of your location, all data created or imported within the App remains on your device. No data is transmitted to CBN Ventures or any third party, and no cross-border data transfers occur.
Since the App does not collect, process, or store personal data on any server, the obligations that typically arise under international privacy frameworks -- such as the European Union General Data Protection Regulation (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Brazilian General Data Protection Law (LGPD), or other applicable data protection laws -- are addressed inherently by the App's local-only architecture.
Users in all jurisdictions retain the rights afforded to them under their local privacy laws, including the right to access, delete, and export their data. These rights are exercisable directly on your device through the App's built-in features, as described in Section 13 (Your Rights). No request to CBN Ventures is necessary because no data is held externally.
If your jurisdiction imposes specific requirements regarding the use of VPN software or encryption technology, you are responsible for ensuring your use of the App complies with those requirements. CBN Ventures makes no representation that the App is lawful to use in all countries or regions.
11. Security
Vylos implements the following security measures to protect your data:
- Keychain encryption -- VPN configurations and authentication secrets are stored in the iOS Keychain, which provides hardware-backed encryption using the device's Secure Enclave.
- TOTP protection level -- The TOTP authentication secret is stored with the highest applicable Keychain protection class, accessible only when the device is unlocked and restricted to the originating device.
- WireGuard encryption -- All VPN traffic is encrypted using the WireGuard protocol, which employs modern cryptographic primitives including ChaCha20, Poly1305, Curve25519, and BLAKE2s.
- No external transmission -- No sensitive data is transmitted to CBN Ventures or any third party. All data processing occurs on your device.
These measures are consistent with the security safeguard requirements of the New York SHIELD Act (General Business Law Section 899-bb), appropriate to the nature and scope of the App as a local-only application with no server-side data processing.
12. Data Breach Notification
In the unlikely event of a security incident that compromises private information of New York residents, CBN Ventures will provide notification in accordance with New York General Business Law Section 899-aa. This includes notification to affected individuals and to the New York Attorney General, the New York Division of State Police, and the Department of State's Division of Consumer Protection, within 30 days of discovery.
13. Your Rights
You have the right to:
- Delete your data -- Remove any or all tunnel configurations, bandwidth statistics, application logs, and authentication secrets within the App at any time.
- Export your data -- Export tunnel configurations and application logs using the App's built-in export features.
- Remove the App -- Uninstall Vylos to permanently remove all data stored by the App from your device.
Since Vylos does not store data on any server, there is no server-side data to request access to or deletion of. All data management is performed directly on your device through the App.
14. Changes to This Addendum
CBN Ventures reserves the right to update or modify this Addendum at any time. Changes are effective upon posting. Your continued use of the App after any changes constitutes acceptance of the revised Addendum. Material changes will be reflected by an updated effective date at the top of this document.