GDPR Policy
Last updated: February 2026
Effective date: February 2026
1. Our Commitment to GDPR
VoltaServices Limited, trading as VoltaVPN, is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR, retained EU law under the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018. We recognise our obligations as a data controller and take the protection of personal data seriously across every aspect of our operations.
We are registered with the Information Commissioner's Office (ICO) under registration number ZB874097. Our registration can be verified on the ICO public register.
This policy sets out how we meet our obligations under the UK GDPR, the lawful bases we rely upon for processing personal data, and the rights available to you as a data subject. This document should be read alongside our Privacy Policy and Terms of Service.
2. Data Controller Information
The data controller responsible for your personal data is:
VoltaServices Limited (trading as VoltaVPN)
Registered in England and Wales
Company Number: 16178827
ICO Registration Number: ZB874097
We have appointed a Data Protection Officer (DPO) who can be contacted for any queries relating to this policy, your personal data, or to exercise your data subject rights:
- DPO Email: dpo@voltaservices.uk
- General Support: support@voltaservices.uk
3. Lawful Basis for Processing
Under the UK GDPR, we must have a valid lawful basis for processing your personal data. The table below sets out each category of data we process, the purpose for processing, the lawful basis we rely upon, and the relevant GDPR article.
| Data Category | Purpose | Lawful Basis | GDPR Article |
|---|---|---|---|
| Account data (email, username, hashed password) | Account creation and management | Contract performance | Art 6(1)(b) |
| Payment processing data (billing details, transaction records) | Subscription billing and payment fulfilment | Contract performance | Art 6(1)(b) |
| VPN connection metadata (aggregate bandwidth, server assignments) | Service delivery and capacity management | Contract performance | Art 6(1)(b) |
| Security monitoring data (failed authentication attempts, abuse signals) | Service security and fraud prevention | Legitimate interest | Art 6(1)(f) |
| Tax and financial records | Compliance with HMRC and financial regulations | Legal obligation | Art 6(1)(c) |
| Marketing communications (email preferences) | Product updates, offers, and newsletters | Consent | Art 6(1)(a) |
| Analytics and cookies | Website improvement and usage analysis | Consent | Art 6(1)(a) |
Where we rely on legitimate interest (Art 6(1)(f)), we have conducted a Legitimate Interest Assessment (LIA) to ensure our interests do not override your fundamental rights and freedoms. Where we rely on consent (Art 6(1)(a)), you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
4. Your Data Subject Rights
Under the UK GDPR, you have a number of rights in relation to your personal data. We are committed to facilitating the exercise of these rights and will respond to all valid requests promptly and transparently.
4.1 Right to Be Informed (Articles 13 & 14)
You have the right to be informed about the collection and use of your personal data. This GDPR Policy, together with our Privacy Policy, serves as our mechanism for fulfilling this obligation. We provide clear information about what data we collect, why we collect it, how long we keep it, and who it is shared with, both at the point of data collection and through these published policies.
4.2 Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that personal data along with supplementary information. This is commonly known as a Subject Access Request (SAR).
To submit a Subject Access Request:
- Email our DPO at dpo@voltaservices.uk with the subject line "Subject Access Request".
- We will verify your identity before processing the request.
- We will respond within one calendar month of receiving the request and completing identity verification.
- We will provide your data in a commonly used, machine-readable electronic format.
4.3 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected, or incomplete personal data completed. If you believe any data we hold about you is inaccurate or incomplete, please contact us and we will rectify it without undue delay.
4.4 Right to Erasure / Right to Be Forgotten (Article 17)
You have the right to request the deletion of your personal data where one of the following conditions applies:
- The personal data is no longer necessary for the purpose for which it was originally collected or processed.
- You withdraw consent (where consent was the lawful basis for processing) and there is no other lawful basis for the processing.
- You object to the processing under Article 21 and there are no overriding legitimate grounds.
- The personal data has been unlawfully processed.
- The personal data must be erased to comply with a legal obligation.
Exceptions: We may be unable to comply with an erasure request where the processing is necessary for:
- Compliance with a legal obligation (e.g., financial record-keeping requirements under HMRC regulations).
- The establishment, exercise, or defence of legal claims.
- Archiving purposes in the public interest, scientific or historical research, or statistical purposes where erasure would seriously impair the processing.
4.5 Right to Restrict Processing (Article 18)
You have the right to request the restriction of processing of your personal data in the following circumstances:
- You contest the accuracy of the personal data (restriction applies while we verify accuracy).
- The processing is unlawful and you oppose erasure, requesting restriction instead.
- We no longer need the data, but you require it for the establishment, exercise, or defence of legal claims.
- You have objected to processing under Article 21, pending verification of whether our legitimate grounds override yours.
Where processing has been restricted, we will store the data but not process it further without your consent, unless for the establishment, exercise, or defence of legal claims, the protection of another person's rights, or for reasons of important public interest.
4.6 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to have that data transmitted directly to another controller where technically feasible. This right applies where the processing is based on consent or contract performance and is carried out by automated means.
4.7 Right to Object (Article 21)
You have the right to object to the processing of your personal data where we rely on legitimate interest (Art 6(1)(f)) as the lawful basis. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
Direct marketing: Where personal data is processed for direct marketing purposes, you have the right to object at any time. Upon objection, we will cease processing your data for direct marketing immediately and without exception.
4.8 Rights Related to Automated Decision-Making and Profiling (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you. VoltaVPN does not engage in any automated decision-making or profiling that produces legal or similarly significant effects. All significant decisions affecting your account or service are made with human involvement.
How to Exercise Your Rights
- Contact: Email our Data Protection Officer at dpo@voltaservices.uk.
- Response time: We will respond within one calendar month of receiving your request. For complex or numerous requests, this may be extended by a further two months, in which case we will notify you within the first month and explain the reason for the delay.
- Cost: There is no charge for reasonable requests. We reserve the right to charge a reasonable administrative fee for manifestly unfounded or excessive requests, or to refuse to act on such requests, in accordance with Article 12(5).
- Identity verification: To protect your data, we may need to verify your identity before processing any request. We will ask for sufficient information to confirm you are the data subject or an authorised representative.
5. Data Protection Impact Assessments
In accordance with Article 35 of the UK GDPR, we conduct Data Protection Impact Assessments (DPIAs) prior to implementing any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes the introduction of new technologies, large-scale processing, and any systematic monitoring of publicly accessible areas.
Our DPIAs assess the necessity and proportionality of the processing, evaluate risks to data subjects, and identify measures to mitigate those risks. Where a DPIA indicates a high residual risk that cannot be sufficiently mitigated, we will consult with the ICO prior to commencing processing.
6. Data Breach Notification
We maintain comprehensive data breach detection, investigation, and reporting procedures in accordance with Articles 33 and 34 of the UK GDPR.
- Notification to the ICO: In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. Where notification is not made within 72 hours, we will provide reasons for the delay.
- Notification to affected individuals: Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay, providing clear information about the nature of the breach, likely consequences, and the measures taken or proposed to address it.
- Internal records: We document all personal data breaches regardless of severity, including the facts surrounding the breach, its effects, and the remedial action taken, as required under Article 33(5).
7. International Data Transfers
Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place to protect your data in compliance with Chapter V of the UK GDPR.
We rely on the following transfer mechanisms:
- UK Adequacy Decisions: We transfer data to countries and territories that have been granted an adequacy decision by the UK Secretary of State, confirming an adequate level of data protection. The European Economic Area (EEA) is covered by a UK adequacy regulation.
- Standard Contractual Clauses (UK International Data Transfer Agreement): Where adequacy decisions are not available, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO, to govern transfers.
- Supplementary measures: Where necessary, we implement additional technical and organisational measures to ensure transferred data remains protected to UK GDPR standards, including encryption in transit and at rest.
Primary data storage: Our primary VPN infrastructure and data storage are located in the European Union (Germany), hosted by Hetzner Online GmbH, within a jurisdiction covered by the UK adequacy regulation for the EEA.
8. Data Processing Agreements
All third-party service providers who process personal data on our behalf operate under Article 28-compliant Data Processing Agreements (DPAs). These agreements ensure that processors:
- Process personal data only on our documented instructions.
- Ensure that persons authorised to process the data are subject to confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Do not engage sub-processors without our prior written authorisation.
- Assist us in responding to data subject rights requests.
- Delete or return all personal data at the end of the service provision.
- Make available all information necessary to demonstrate compliance with Article 28 obligations and allow for audits.
9. Records of Processing Activities
In accordance with Article 30 of the UK GDPR, we maintain comprehensive records of all processing activities carried out under our responsibility. These records include:
- The name and contact details of the controller and Data Protection Officer.
- The purposes of the processing.
- A description of the categories of data subjects and categories of personal data.
- Categories of recipients to whom personal data has been or will be disclosed.
- Details of transfers to third countries, including safeguards in place.
- Envisaged time limits for erasure of different categories of data.
- A general description of technical and organisational security measures.
These records are maintained internally and are available to the ICO upon request.
10. Privacy by Design and Default
In accordance with Article 25 of the UK GDPR, we implement data protection by design and by default across our systems, products, and processes. This means that data protection considerations are embedded into the design of our services from the outset, not applied as an afterthought.
Our privacy by design and default measures include:
- Minimal data collection: We collect only the personal data that is strictly necessary for the specified purpose. Our VPN service is designed to operate with the minimum amount of user data required.
- Encryption at rest and in transit: All personal data is encrypted both when stored on our servers and when transmitted between systems, using industry-standard encryption protocols.
- Pseudonymisation: Where possible, we apply pseudonymisation techniques to reduce the risks associated with data processing and to enhance data subject protection.
- No traffic logging: We do not log VPN traffic content, browsing history, or DNS queries. Our infrastructure is designed so that this data is never recorded or stored.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls and audit logging in place.
- Regular security reviews: We conduct periodic security assessments and penetration testing to identify and address vulnerabilities.
11. Children's Data
VoltaVPN is not directed at, and is not intended for use by, individuals under the age of 18. We do not knowingly collect, process, or store personal data from children under 18 years of age.
If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that data from our systems. If you believe that we may have collected data from a child, please contact our DPO at dpo@voltaservices.uk immediately.
12. Complaints
If you are dissatisfied with how we have handled your personal data or responded to a rights request, we encourage you to contact us first so that we can attempt to resolve the matter:
- Data Protection Officer: dpo@voltaservices.uk
If you remain unsatisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
You may also contact the ICO directly without first raising the matter with us, though we recommend reaching out to our DPO first to allow us the opportunity to address your concerns.
13. Policy Review
This GDPR Policy is reviewed annually and updated as necessary to reflect changes in our processing activities, legal requirements, or regulatory guidance. Where material changes are made, we will notify users through our website or by email.
Previous versions of this policy are retained for audit purposes and are available upon request to our DPO at dpo@voltaservices.uk.