Legal

Privacy Policy

Effective date: January 1, 2025 · Last updated: January 1, 2025

NinjasProxy (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share information about you when you use our proxy services and website (collectively, the “Services”). We comply with applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1Information We Collect

We collect only the information necessary to provide, improve, and secure the Services.

Category	Examples	Purpose	Legal basis (GDPR)
Account data	Email address, username, password hash	Account creation and authentication	Contract
Usage logs	Timestamp, bytes transferred, proxy endpoint, hashed source IP	Billing, abuse detection, SLA monitoring	Contract / Legitimate interest
Payment data	Billing country, invoice history (card details held by Paddle)	Processing payments, tax compliance	Contract
Support communications	Emails or chat messages you send us	Resolving issues	Legitimate interest
Website analytics	Aggregated page views, referrer (cookieless — see §4)	Product improvement	Legitimate interest

We do NOT log or inspect the content of traffic routed through our proxy network. We are a conduit, not a monitor. We have no visibility into the HTTP body, headers, or destination content of your proxied requests.

Source IP addresses included in usage logs are stored in a one-way hashed form (HMAC-SHA256 with a secret key) to prevent re-identification while preserving our ability to detect abuse patterns.

2How We Use Your Information

Provision and maintenance of your account and the Services
Calculating and collecting fees based on bandwidth consumption
Detecting and preventing fraud, abuse, and Terms violations
Responding to support requests and communications
Sending transactional emails (receipts, low-balance alerts, security notices)
Complying with legal obligations and responding to lawful requests from authorities
Improving and developing the Services using aggregated, anonymised analytics

We do not sell your personal data. We do not use your data to train machine-learning models or to build advertising profiles.

3Data Retention

Data type	Retention period
Account data	Duration of account + 30 days after deletion request
Usage logs (hashed IPs, bytes, timestamps)	90 days from the date of the request
Payment / invoice records	7 years (tax and audit compliance)
Support communications	2 years from case closure
Aggregated analytics	Indefinite (no personal identifiers)

After the applicable retention period, data is deleted or irreversibly anonymised. You may request early deletion under your rights in Section 6.

4Third-Party Services

We use a minimal set of carefully selected third parties. We do not use Google Analytics, Facebook Pixel, or any tracking-cookie-based analytics.

PaddlePayment processing and billingPrivacy policy ↗

Paddle acts as Merchant of Record and processes payment card data on our behalf. We receive only tokenised payment references and invoice metadata. Paddle’s own privacy policy governs data they collect.

Plausible AnalyticsWebsite analytics (cookieless)Privacy policy ↗

Plausible is a privacy-first analytics platform. It collects no cookies, no personal identifiers, and no cross-site tracking. Data is aggregated and cannot be linked to individual users.

We may also share data with law enforcement or government bodies when required by a valid legal process (subpoena, court order, etc.). We will notify you of such requests unless legally prohibited from doing so.

5Cookies and Tracking

Our website uses only functional cookies that are strictly necessary for authentication and session management. We do not set third-party cookies, tracking pixels, or advertising cookies. You can configure your browser to reject cookies, though this may impair your ability to log in to the customer portal.

6Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. We will respond to verified requests within 30 days.

Right	What it means
Access	Obtain a copy of the personal data we hold about you
Rectification	Correct inaccurate or incomplete data
Erasure (“right to be forgotten”)	Request deletion of your data, subject to legal retention requirements
Portability	Receive your data in a structured, machine-readable format (JSON or CSV)
Restriction	Request that we limit processing while a dispute is resolved
Objection	Object to processing based on legitimate interest
Withdraw consent	Where processing is based on consent, withdraw at any time

CCPA rights for California residents: You have the right to know what categories of personal information we collect, to request deletion, and to opt out of the sale of your data. We do not sell personal information.

To exercise any of these rights, email privacy@ninjasproxy.com with the subject line “Privacy Request” and a description of your request. We may need to verify your identity before processing the request.

7Data Security

We implement industry-standard security measures including TLS 1.3 in transit, AES-256 at rest for sensitive fields, bcrypt password hashing, and regular penetration testing. Access to production systems is restricted to authorised personnel via multi-factor authentication. Despite these measures, no system is completely secure. In the event of a data breach that affects your rights and freedoms, we will notify you within 72 hours of becoming aware, as required by the GDPR.

8International Transfers

Our infrastructure is hosted primarily in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the US under Standard Contractual Clauses (SCCs) approved by the European Commission. By using the Services you acknowledge this transfer.

9Children

The Services are not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

10Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or a prominent notice on our website at least 14 days before they take effect. The “Last updated” date at the top indicates when this policy was last revised. Continued use of the Services after the effective date constitutes acceptance of the revised policy.

11Contact & Data Controller

NinjasProxy is the data controller for personal data processed in connection with the Services. For any privacy-related questions, requests, or complaints, contact our privacy team at:

privacy@ninjasproxy.com

If you are located in the EEA and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority.