Privacy Policy
Last updated: May 14, 2026
INNOFUN DIGITAL ENTERTAINMENT LLC ("we", "our", or "us") operates the ShieldWave mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — used for account authentication, account recovery, and essential service communications.
- Hashed password — stored using a one-way cryptographic hash; we never store your password in plain text.
- Sign-in method — whether you registered via email/password, Sign in with Apple, or Google Sign-In.
1.2 Traffic You Explicitly Do NOT Collect
ShieldWave is built with a strict no-logging philosophy for traffic content. We do not collect, log, or store:
- Your browsing history or the content of your internet traffic
- DNS queries you make while connected
- Destination IP addresses or domain names you visit
- Connection or disconnection timestamps
- Your physical location or GPS data
VPN traffic is processed in memory on Cloudflare's edge and is never written to disk.
1.3 Data Usage (Quota Accounting)
To enforce the free plan's monthly data quota, we record:
- Cumulative bytes transferred — a running total of your downstream VPN traffic, counted in aggregate (not per-site or per-session). This number is stored in our database solely to determine whether your quota has been exhausted and resets on the 1st of each month.
This is a byte count only — no traffic content, destinations, or timing information is associated with it.
1.4 Device Information
We collect minimal device metadata for subscription and device-limit management:
- Device identifier — a randomly generated ID stored locally on your device, used to enforce per-account device limits.
- Platform type (iOS or Android) — used for compatibility and to route subscription verification to the correct store.
1.5 Analytics Data
We use Firebase Analytics (provided by Google LLC) to collect anonymised, aggregated usage events that help us improve the Service. These events include:
- App open (first_open, session start)
- Account sign-up and login (auth method only — email, Apple, or Google)
- VPN connect and disconnect events (server region and subscription plan; no traffic content)
- VPN session duration
- Subscription view, purchase intent, and purchase completion events (product ID, price, and currency)
- Rewarded ad watched events
Firebase Analytics also automatically collects device model, OS version, app version, language, country (derived from IP, not GPS), and a Firebase installation ID. This data is processed by Google LLC in the United States under Google's privacy terms. It is not tied to your real name or email address. You can read Google's data practices at policies.google.com/privacy.
1.6 Push Notification Token (FCM)
If you enable push notifications, we register a Firebase Cloud Messaging (FCM) device token on our server. This token is used exclusively to send you service notifications (quota alerts, subscription reminders). It does not carry any personal content and is deleted when you disable notifications or delete your account.
1.7 Advertising Data (AdMob)
The free plan offers optional rewarded advertisements that let you earn additional data quota. These ads are served by Google AdMob (Google LLC). When you watch a rewarded ad:
- Google AdMob may collect your device's advertising identifier (IDFA on iOS, GAID on Android) and contextual signals to serve relevant ads, subject to your consent.
- iOS App Tracking Transparency (ATT): On iOS 14.5+, the app presents Apple's ATT prompt before any advertising identifier is accessed. If you decline, AdMob will only serve contextual (non-personalised) ads and will not access your IDFA.
- Android: You can opt out of personalised ads at any time via Settings → Google → Ads → Opt out of Ads Personalisation.
Ad revenue from rewarded ads funds the free tier of the Service. We do not use ad data for any purpose other than delivering the reward mechanism. AdMob's privacy policy is at policies.google.com/privacy.
1.8 Subscription and Purchase Data
Subscription purchases are processed by Apple App Store or Google Play. We use RevenueCat (RevenueCat, Inc.) as our subscription management layer. RevenueCat receives your anonymised App Store / Google Play purchase receipt and subscription status from the platform, which we use to activate and maintain your Pro plan. RevenueCat does not receive your payment card details, name, or email address. RevenueCat's privacy policy is at revenuecat.com/privacy.
2. How We Use Your Information
We use the limited information we collect to:
- Provide and maintain the VPN service
- Authenticate your account and manage session security
- Enforce monthly data quota limits and device limits per subscription plan
- Manage and verify Pro subscription status
- Send essential service notifications (quota alerts, subscription renewal reminders)
- Deliver optional rewarded advertisements on the free plan (requires your consent on iOS)
- Analyse anonymised usage patterns to improve the reliability and performance of the Service
- Comply with our legal obligations
We do not sell your personal data to third parties, use your data for cross-app behavioural profiling, or use VPN traffic content for any purpose.
3. Data Sharing and Third-Party Processors
We share data only as necessary to operate the Service. Our third-party processors are:
| Processor | Data shared | Purpose | Location |
|---|---|---|---|
| Cloudflare, Inc. | Account data, quota byte counts | VPN proxy infrastructure, D1 database, CDN | Global (Cloudflare edge) |
| Google LLC (Firebase Analytics & FCM) |
Anonymised app events, FCM device token | App analytics, push notifications | USA |
| Google LLC (AdMob) |
Ad impression events, IDFA/GAID (with consent) | Rewarded ad delivery (free plan) | USA |
| RevenueCat, Inc. | Anonymised purchase receipts, subscription status | Subscription management & verification | USA |
| Apple Inc. / Google LLC (App Store / Google Play) |
Purchase transaction data | Payment processing, subscription billing | USA |
We may also disclose information if required by law, subpoena, or governmental request. Because we do not log browsing activity or traffic content, there is no such data for us to provide.
4. Data Storage and Security
Your account data is stored in encrypted Cloudflare D1 databases. VPN traffic is processed in real-time on Cloudflare's edge and is never written to disk. We employ industry-standard security measures including:
- TLS 1.3 encryption for all connections
- Encrypted data storage with access controls
- Automatic token rotation for authentication (short-lived JWT access tokens + refresh tokens)
- Regular security reviews
5. Data Retention
- Account data is retained for the duration of your account and deleted within 30 days of account deletion.
- Quota byte counts reset on the 1st of every month; historical month counts are not retained.
- Analytics events are retained by Firebase Analytics for up to 14 months per Google's default retention policy.
- FCM tokens are deleted when you disable notifications or delete your account.
6. Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of any inaccurate data
- Deletion — request deletion of your account and all associated data (in-app: Profile → Account Actions → Delete Account; web: shieldwave.uk/delete-account)
- Portability — request your data in a portable format
- Opt out of personalised ads — decline the ATT prompt on iOS, or use Android's ad personalisation opt-out
- Opt out of analytics — contact us at privacy@innofun.digital to request that your Firebase Analytics data be deleted
To exercise any of these rights, contact us at privacy@innofun.digital.
7. Children's Privacy
Our Service is not directed to children under 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately and we will promptly delete it.
8. International Data Transfers
Our infrastructure is distributed globally through Cloudflare's network, and we use processors based in the United States (Google, RevenueCat). By using the Service, you consent to the transfer and processing of your data in the United States and other countries where Cloudflare operates. We rely on standard contractual clauses and processor agreements to ensure appropriate safeguards for international data transfers.
9. California Privacy Rights (CCPA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion of your data, and to opt out of the "sale" of personal information. We do not sell personal information as defined by the CCPA. To exercise your rights, contact privacy@innofun.digital.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date above. For significant changes, we will also notify you in-app. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us:
- Email: privacy@innofun.digital
- Address: INNOFUN DIGITAL ENTERTAINMENT LLC, 98 Cuttermill Road Suite 466, Great Neck, NY 11021