Effective: 2026-07-02 Operator: KreasiMaju, Bekasi, Indonesia Contact: support@kreasimaju.id
This Policy explains how ZeroBlock processes personal data. KreasiMaju is the controller of account and service data. ZeroBlock is a general-audience VPN service and is not intended for children.
1. DATA WE PROCESS
a) Account and authentication: email address, internal user ID, authentication status, and account timestamps. b) Device and VPN configuration: device name, platform, app version, public WireGuard key, tunnel allocation, device status, and pseudonymous device identifiers. Your WireGuard private key remains on your device. c) Virtual Locations: locations labelled Virtual route traffic from a ZeroBlock VPN gateway through a third-party proxy provider. The provider receives the gateway IP rather than your direct source IP, and ZeroBlock does not send your account identity to that provider. The provider may process or retain connection metadata such as timestamps, destination host or IP, traffic volume, and provider account identifiers under its own privacy policy. HTTPS content remains encrypted between your app or browser and the destination; unencrypted HTTP content may be visible to network intermediaries. d) Service and connection metadata: selected VPN server or region, session start/end time, connection status, disconnect reason, and aggregate bytes transferred. These are counters only and do not reveal packet contents. e) Network context used transiently: the service may process your source IP address to establish the connection, protect against abuse, apply rate limits, and return an approximate country/ISP result. We do not use it to build browsing profiles or store it as browsing history. f) Subscription and transaction data: plan, entitlement, purchase status (including one-time, non-renewing data pack purchases), remaining data-pack balance and expiry, billing period, store transaction or invoice identifiers, and limited payment metadata. Payment credentials are handled by Google Play, RevenueCat, or the applicable payment provider and are not stored by ZeroBlock. g) Notifications: push token, platform, locale, notification preferences, and delivery status. h) Diagnostics: sanitized error category, stack traces, device model, OS, app version, and pseudonymous user or installation ID through Firebase Crashlytics and Sentry. We configure Sentry without screenshots, breadcrumbs, performance tracing, exception messages, or default PII. i) Product analytics: app screens and actions, connect/disconnect outcome, server code, timing, and feature usage through Firebase Analytics. Analytics does not include browsing activity or traffic content and can be disabled where the app provides that control. j) Support and security: messages and diagnostic details you voluntarily submit, abuse reports, and security/audit records necessary to protect accounts and infrastructure. k) Optional rewarded ads: if a Free user explicitly chooses to watch a rewarded ad for extra quota, Google AdMob may process IP address, device, app and advertising identifiers, consent choices, ad interactions, diagnostics, and fraud-prevention signals. ZeroBlock records the ad event, reward status, app version, and an opaque verification token. We do not provide browsing history, DNS queries, destination data, packet content, or VPN traffic content to AdMob for advertising.
2. WHAT WE DO NOT COLLECT
ZeroBlock does not create or retain logs of websites visited, DNS queries, destination IP addresses contacted through the tunnel, packet payloads, browsing history, or the content of VPN traffic, and does not retain records linking your account to destinations accessed. VPN servers necessarily process packets in transit to route them, but ZeroBlock does not inspect packet content for advertising, build activity profiles, or retain traffic-content logs. This commitment describes ZeroBlock's systems; a third-party proxy provider used by a clearly labelled Virtual Location may process or retain connection metadata under its own policy as described above.
We do not sell personal data, share it for cross-context behavioural advertising, or redirect/manipulate VPN traffic for advertising or monetisation.
3. HOW WE USE THE DATA
We process data only to: a) provide authentication, VPN connections, account features, support, notifications, subscriptions, and purchases; b) allocate tunnel resources, enforce plan/device/quota limits, maintain service integrity, and recover interrupted sessions; c) secure accounts and infrastructure, prevent fraud and abuse, investigate complaints, and comply with valid legal obligations; d) diagnose crashes and improve reliability and product performance; and e) communicate service, billing, security, and policy notices. f) request, verify, and account for optional rewarded ads selected by Free users, including consent, fraud prevention, and quota delivery.
4. LEGAL BASES
Where applicable law requires a legal basis, we rely on: a) performance of our contract to provide the Service; b) legitimate interests in security, fraud prevention, service reliability, support, and limited product analytics, balanced against user rights; c) consent where required, including optional analytics or notifications; and d) compliance with legal obligations and establishment, exercise, or defence of legal claims.
5. RETENTION
We retain data only as long as reasonably necessary for the purposes above: a) account, device, and entitlement data while the account is active, then delete or de-identify it following account deletion, subject to legal and security exceptions; b) ended session records and daily usage counters until they are no longer needed for quota enforcement, security, support, dispute handling, or capacity planning, then delete or de-identify them; account-linked records are also handled through the account-deletion process; c) push tokens until disabled, replaced, invalidated, or the account is deleted; d) support, security, fraud, transaction, tax, and legal records for the period reasonably required by applicable law, dispute handling, or provider rules; and e) diagnostics and analytics according to our configured provider retention periods and no longer than reasonably necessary.
Backups and provider caches may take additional time to expire. We may retain minimal records where required to comply with law, prevent fraud, resolve disputes, enforce agreements, or demonstrate compliance.
6. SERVICE PROVIDERS AND DISCLOSURE
Data may be processed by providers supporting the Service, including Supabase (database/authentication), Google Firebase (analytics, messaging, performance, and Crashlytics), Google AdMob (optional rewarded ads), Sentry (crash diagnostics), RevenueCat and Google Play (subscriptions), Resend (service email), payment providers such as PayPal and NOWPayments when selected by the user, and a contracted third-party proxy provider when you select a Virtual Location.
Rewarded ads are optional and are never inserted into VPN traffic. Where required, ZeroBlock requests advertising consent through Google's User Messaging Platform. If personalized-ad consent is unavailable but ads may lawfully be requested, ZeroBlock requests non-personalized ads. Plus users do not need to watch rewarded ads. Google processes advertising data under its own policies.
Virtual Location proxy providers may process gateway IP addresses and connection metadata for delivery, security, abuse prevention, compliance, and service operation. Their retention and disclosure practices are governed by their own policies. ZeroBlock identifies these locations before connection so you can choose a direct location instead.
We disclose only data reasonably necessary for those services, under applicable contractual and security safeguards. We may also disclose information: a) when required by a binding and valid legal process; b) to protect users, the public, our rights, or infrastructure from fraud, abuse, or imminent harm; or c) in a merger, financing, reorganisation, or sale, subject to continued protection and notice where required.
Because ZeroBlock does not retain traffic-content logs, we cannot disclose information we do not possess. We do not promise to resist every lawful request, and we do not create browsing logs in response to a request unless future law validly requires prospective measures and we are legally obligated to comply.
7. INTERNATIONAL TRANSFERS
KreasiMaju operates from Indonesia and providers may process data in other countries. Where required, we use recognised transfer mechanisms and contractual safeguards. Foreign laws may differ from those in your country.
8. SECURITY
We use reasonable technical and organisational safeguards, including encrypted transport, access controls, least-privilege service credentials, and separation of VPN private keys from our systems. No system is completely secure; users should protect their account and device.
9. YOUR PRIVACY RIGHTS
Depending on your location, you may request access, correction, deletion, portability, restriction, or objection; withdraw consent; appeal a decision; or complain to a regulator. California residents may request to know, correct, or delete covered data and receive non-discriminatory treatment. We do not sell or share personal data as those terms are defined by the CCPA.
Submit requests from the account email to support@kreasimaju.id. We may verify identity and may deny or limit requests where permitted by law. We normally respond within 30 days, or within the applicable statutory period.
10. ACCOUNT DELETION
Users can delete an account in the app or contact support. Deletion removes or de-identifies account-linked data except records retained for billing, security, fraud prevention, legal compliance, dispute resolution, or technical backup expiry. Deleting ZeroBlock does not automatically cancel a store subscription; subscriptions must also be cancelled through the relevant store.
11. CHILDREN
ZeroBlock is not directed to children. You must be at least 18 years old or the age of legal majority in your jurisdiction. We do not knowingly collect personal data from a child. If we learn that a child used the Service contrary to these terms, we will take reasonable steps to close the account and delete applicable data. Contact support@kreasimaju.id with a verifiable request.
12. CHANGES AND CONTACT
We may update this Policy to reflect legal, technical, or service changes. Material changes will be announced as required by law, and the effective date will be updated. Continued use after a change is effective constitutes acknowledgement where permitted; consent will be requested where legally required.
Privacy contact and controller: KreasiMaju · Bekasi, Indonesia support@kreasimaju.id