Privacy Policy

Last updated: May 9, 2026

This Privacy Policy explains how Phatlinks.com LLC ("Casper's Cloak", "we", "us", or "our") collects, uses, and protects information when you use the Casper's Cloak iOS app, Android app, and website at casperscloak.com (together, the "Service").

We built Casper's Cloak as a privacy product. The whole point is to give you a tool that does not log, track, or sell what you do online. This policy is written to be specific and verifiable, not to give us wiggle room.

1. Quick summary

  • We do not log or track activity that would tie to your account. We do not keep logs of the websites you visit, the apps you use, the destinations of your traffic, or the contents of your traffic.
  • We do not sell your data. Ever. We do not share it with advertisers, data brokers, or third-party analytics platforms.
  • We collect the minimum we need to run the Service: an email address to log you in, a device identifier so the right device receives push notifications, and a record that you have an active subscription if you purchase one.
  • You can delete your account and all associated data at any time by following the steps in Section 9.
  • For purchases, we use Apple, Google, or Stripe as the payment processor. We do not see or store your full card number.

2. Who we are

Casper's Cloak is operated by Phatlinks.com LLC, a Wyoming limited liability company.

Mailing address: 1343 Main Street, Suite 705, Sarasota, FL 34236, USA Contact: support@casperscloak.com

For privacy-specific inquiries (including GDPR / CCPA requests), please use the same address with "Privacy" in the subject line, or email support@casperscloak.com.

3. What information we collect

We collect only what we need to operate the Service. Below is an exhaustive list.

3.1 Information you provide

  • Email address. Required to create an account. We send a one-time login code to this address. We do not require a password.
  • Payment information (only if you subscribe). When you purchase a subscription:
    • Through the iOS app: Apple processes the payment. We receive a confirmation that you have an active subscription tier; we do not receive your card number, billing address, or Apple ID.
    • Through the Android app: Google processes the payment via Google Play Billing. We receive a purchase token and tier confirmation; we do not receive your card number.
    • Through casperscloak.com: Stripe processes the payment. We receive a customer reference and tier confirmation. Stripe handles your card details directly under their privacy policy. We do not store full card numbers.
  • Support correspondence. If you email us, we keep the email so we can answer it.

3.2 Information we receive automatically

  • Device identifier. A randomly generated identifier the app creates the first time you launch it, used so we can deliver push notifications to the right device and so the VPN service can identify itself to our control plane. It is not derived from your hardware (no advertising ID, no IMEI, no MAC, no IDFA, no IDFV).
  • Push notification token. Issued by Apple Push Notification service (iOS) or Firebase Cloud Messaging (Android). We send this to Apple/Google when we deliver a push to your device.
  • Subscription tier and status. Whether you are on a free or paid plan, and which paid tier.
  • Operational telemetry. Aggregate metrics that are not tied to your account: total active sessions per server region, total bytes transferred per region, error rates. This data cannot be used to identify any individual user.

3.3 Information we explicitly do NOT collect

We want to be specific about this:

  • We do not log the websites or services you visit through the VPN.
  • We do not log the IP addresses you connect to through the VPN.
  • We do not log the contents of your traffic.
  • We do not log DNS queries you make through the VPN, beyond the in-memory check needed to apply our threat blocklist on your behalf. Those checks are not written to disk and are not associated with your account.
  • We do not log connection start times, end times, or durations in a form that can be tied back to your account.
  • We do not store your originating IP address against your account. Your originating IP appears in transient web-server access logs (standard for any website), and those logs are rotated and deleted on a rolling basis.
  • We do not use third-party analytics SDKs in the iOS or Android apps. There is no Google Analytics, no Firebase Analytics, no Mixpanel, no Amplitude, no Segment, no Crashlytics, no Sentry SDK in the apps.
  • We do not embed advertising SDKs.

4. How the Service works (and why this matters for your privacy)

A VPN that processes your traffic could in theory see everything. We engineered ours so that we cannot.

  • Tunnel architecture. The VPN tunnel is built on the WireGuard protocol. Your device negotiates an encrypted tunnel directly with the VPN server. Our control plane does not sit between you and your destination once the tunnel is up.
  • Threat detection. Casper's Cloak applies a domain-level blocklist (more than 100,000 domains associated with malware, phishing, ad-tracking, and surveillance) against DNS lookups made through the tunnel. The matching happens against a list and is not logged or transmitted off-device in association with your account.
  • Decoy traffic. Casper's Cloak generates cover traffic alongside your real traffic to make timing- and volume-based traffic analysis less effective. The decoy traffic is generated locally; we do not log which streams are decoy versus real.
  • No logs server policy. Our VPN servers are configured not to write per-session activity logs to disk. Our control plane (account, subscription, push) has separate logs that contain only the operational events listed in Section 3.2.

This section is an honest description of what the Service does. If we change the architecture, we will update this section and notify users.

5. How we use information

We use information only for:

  • Running the Service (delivering the VPN, sending login codes, applying threat protection on your behalf).
  • Maintaining your account and subscription.
  • Communicating with you about service-critical matters (security incidents, planned downtime, major changes to this policy or the Terms of Service).
  • Responding to your support requests.
  • Detecting and preventing fraud, abuse, and security threats against the Service itself.
  • Complying with our legal obligations.

We do not use your information for advertising, profiling, automated decision-making with legal effect, or to train AI/ML models that are then sold or shared externally.

6. Who we share information with

We share information only with the following categories of recipients, and only as needed:

Recipient Purpose Data shared
Apple iOS app distribution; Apple ID login (if used); IAP processing Apple's standard transaction data — they do not share your Apple ID with us
Google Android app distribution; Google Play Billing Google's standard transaction data
Stripe Payment processing for web subscriptions Email + your card details (provided by you to Stripe directly)
Apple Push Notification service Delivering iOS push notifications Push token + the notification body
Firebase Cloud Messaging (Google) Delivering Android push notifications Push token + the notification body
Cloud and on-premise infrastructure providers (currently Amazon Web Services, DigitalOcean, Vultr, Linode, Hetzner, OVH, and colocation facilities we operate) Operating our control-plane and VPN server infrastructure The data described in Section 3 to the extent it transits or is stored on this infrastructure
Email delivery (our own mail infrastructure, with overflow routing through Postmark, SendGrid, Amazon SES, Mailgun, or Resend as load and deliverability require) Sending one-time login codes and transactional emails Your email address and the email body
Legal authorities Only when required by valid legal process (subpoena, court order). We will challenge over-broad requests. Only what is responsive to the specific request

We do not sell or rent your information to third parties under any circumstances. We do not share your information with advertisers or data brokers.

If we are ever required to disclose information by law, we will notify the affected user before disclosure unless legally prohibited from doing so.

7. Data retention

  • Account information (email, device identifier, subscription tier): kept for as long as your account is active. Deleted within 30 days of account deletion, except where we are required by law to retain billing records (typically 7 years for tax purposes — only the financial transaction record is retained, not your activity).
  • Push tokens: invalidated and removed when you uninstall the app or delete your account.
  • Support correspondence: kept for 2 years from last contact, then deleted, unless an ongoing matter requires longer retention.
  • Transient web-server access logs (containing originating IP for casperscloak.com): rotated and deleted within 30 days.
  • Aggregate operational telemetry: kept indefinitely in anonymized form.

8. Security

We use industry-standard measures to protect your data, including:

  • TLS (HTTPS) for all communication between your device and our servers.
  • WireGuard cryptography for the VPN tunnel itself.
  • Encryption at rest for our databases.
  • Restricted internal access on a need-to-know basis with audited logging.
  • Regular security review of our infrastructure and dependencies.

No system is perfectly secure. If we ever experience a data breach affecting your information, we will notify you in accordance with applicable law and post a public notice at casperscloak.com/security.

9. Your rights and how to exercise them

9.1 Account deletion

You can delete your account and all associated data:

  • In-app (iOS and Android): Settings → Account → Delete Account. (Coming with version 1.4.)
  • On the web: Sign in to casperscloak.com and use the "Delete Account" option in your profile, or visit casperscloak.com/account-deletion and submit a deletion request without signing in.
  • By email: Email support@casperscloak.com from the email address on your account, with the subject line "Delete my account". We will confirm deletion within 14 days.

When you delete your account, we delete all data described in Section 3 within 30 days, except for the limited categories noted in Section 7 that we are legally required to retain.

9.2 GDPR rights (European Economic Area, United Kingdom, Switzerland)

If you are in the EEA, UK, or Switzerland, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate personal data;
  • Erase your personal data ("right to be forgotten");
  • Restrict or object to processing;
  • Portability — receive your data in a machine-readable format;
  • Withdraw consent at any time where processing is based on consent;
  • Lodge a complaint with your local supervisory authority.

The legal bases on which we process personal data are:

  • Contract (Article 6(1)(b) GDPR): to deliver the Service you have signed up for.
  • Legitimate interests (Article 6(1)(f) GDPR): to keep the Service secure, prevent fraud, and operate aggregate analytics.
  • Legal obligation (Article 6(1)(c) GDPR): to comply with tax, accounting, and law-enforcement obligations.
  • Consent (Article 6(1)(a) GDPR): for any optional features that explicitly ask for consent.

To exercise any of these rights, email support@casperscloak.com.

9.3 CCPA / CPRA rights (California residents)

California residents have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share — this Privacy Policy provides that disclosure.
  • Delete the personal information we have collected — see Section 9.1.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing of personal information. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, so there is nothing to opt out of.
  • Limit use of sensitive personal information. We do not use sensitive personal information for any purpose other than the operation of the Service.
  • Non-discrimination for exercising your rights.

To exercise any of these rights, email support@casperscloak.com. We will verify your identity (typically by sending a confirmation to the email on file) and respond within 45 days.

9.4 Other US states

If you are a resident of a US state with comprehensive privacy legislation (Virginia, Colorado, Connecticut, Utah, Texas, and others as enacted), you have substantively similar rights to those described in 9.3. The same contact path applies.

10. Children

The Service is not directed to children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact support@casperscloak.com and we will delete it.

11. International transfers

Casper's Cloak is operated from the United States. If you use the Service from outside the United States, your information is transferred to and processed in the United States, which may have different data protection laws than your country.

For transfers from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission and supplementary measures as required by applicable law. A copy of the SCCs is available on request to support@casperscloak.com.

12. Third-party services and links

The Service may link to third-party websites, services, or apps that are not operated by us. This Privacy Policy does not apply to those third-party services. We are not responsible for their content or privacy practices.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do:

  • We will post the updated policy at casperscloak.com/privacy-policy.
  • We will update the "Last updated" date at the top of this page.
  • For material changes (changes that meaningfully reduce your privacy or expand our use of your data), we will notify you by email at least 30 days before the change takes effect, and where required by law, ask for your renewed consent.

14. Contact us

For any question, request, or concern relating to this Privacy Policy:

Email: support@casperscloak.com Postal: Phatlinks.com LLC, 1343 Main Street, Suite 705, Sarasota, FL 34236, USA