🔐Privacy Policy

This notice describes how we collect and process users’ data by GOMASKME–FZCO through the “GOMASKME”, “VPN” mobile application (“App”), collectively referred to as the “Service”, “Platform”. The terms “Company”, “we”, “us”, and “our” refer GOMASKME–FZCO incorporated and registered under the laws of Dubai.

From the data protection perspective, we are a data controller for the information collected through the Platform.

This privacy notice shit explain how we collect, use, share data about you when you use our platform. We take privacy seriously and aim to be transparent about our practices.

By using our services, you agree to the practices described here. Read this carefully to understand our approach to data.


In collecting and using of the personal data, the Company is subject to a variety of applicable laws controlling how such activities may be carried out and the safeguards that must be put in place to data protect.


We process personal data to a limited extent to provide Services, process payments for the Services, and enable the functioning of our Websites and mobile applications. We may process the following categories of personal data:

Subscription Information

- Subscription Data: When you subscribe to our Services, we process certain subscription information (e.g., your email address, the subscription plan you have chosen, subscription term, subscription ID, subscription frequency, amount, currency, status, auto-renewal status, information about enabled/disabled features such as multi-factor authentication (MFA), etc.).

Payment-Related Information (for paid Services)

- Payment Data: This information is necessary to collect payments for the Services. Our payment processing partners handle basic billing information for payment processing and refund requests (e.g., date of purchase, payer's IP address, postal (ZIP) code, credit card owner's full name and credit card information). We also process some of such billing information ourselves (e.g., date of purchase, credit card owner's full name, part of your credit card number, its expiration date) in cases of recurring payments or when you provide your payment details directly to us.

- Country Details: When making a purchase, we process information on the user's country from which the purchase takes place.

- Payment Fraud Prevention: To prevent fraudulent payments for the Services, your personal data (such as payer's email address and device information) can be verified by our and/or our payment processing partners' fraud management tools. A payment transaction considered high-risk may be rejected by us.

- Zero Authorization for Billing: The purpose of the zero authorization is to confirm that your payment method is still valid, which ensures a seamless continuation of your Subscription. No personally identifiable information is collected in this case, apart from the fact that your provided payment method is still valid (or not) and the date of such authorization.

Communication data

Email address. We use your email address to: i) send you important updates and announcements related to your use of the Services and Websites; ii) respond to your requests or inquiries; iii) send you offers, surveys, and other marketing content (you can opt-out of those at any time).


During the collecting and processing of the personal data, the Company adheres to the principles provided by Data Protection Law 2020 (hereinafter - “Law”) and other legal basis if it applies to the Company. The Company’s policies and procedures are designed to ensure compliance with the principles of Data Protection Law 2020. Personal Data shall be:

(a) Processed in accordance with Article 10 of Law;

(b) Processed lawfully, fairly and in a transparent manner in relation to a Data Subject;

(c) Processed for specified, explicit and legitimate purposes determined at the time of collection of Personal Data;

(d) Processed in a way that is not incompatible with the purposes described in Article 9(1)(c);

(e) relevant and limited to what is necessary in relation to the purposes described in Article

9 (1)(c);

(f) Processed in accordance with the application of Data Subject rights under the Law;

(g) accurate and, where necessary, kept up to date, including via erasure or rectification, without undue delay;

(h) kept in a form that permits identification of a Data Subject for no longer than is necessary

for the purposes described in Article 9(1)(c); and

(i) kept secure, including being protected against unauthorized or unlawful Processing (including transfers), and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

We use your Account information:

  • to create and maintain your account. The applied legal basis for this is the performance of the contract (Terms of Use) between you and us;

  • to contact you regarding the work of the application or your Account, including by email and by sending you web notifications (if any);

  • to respond to support requests;

  • upon receiving your consent from you, to send you marketing or promotional materials;

  • to analyze the efficiency of our Services in our legitimate interests;

  • to store certain types of information for compliance with law, e.g., KYC obligations.


Service Usage: We gather information regarding the specific Services and features you utilize.

As part of our fraud detection measures, we shall collect data relating (i) to Application usage information, such as IP address (captured and stored in an anonymized format), approximate location (country only), (ii) transaction information, items purchased, the price paid, billing method, partial credit card information, chargeback requests, cancelled orders. The above mentioned Personal Data is not, at any point, associated with any kind of activity done by the user inside the GoMaskMe VPN tunnel which is NOT recorded, logged or stored at all.

Cookies: Cookies, pixels, and similar technologies are typically small text or image files that are placed on your device when you visit our Websites. Some cookies are necessary for the smooth operation of our Websites, while others are utilized to enhance Website functionality, analyze aggregated usage statistics for improved performance, and for advertising purposes. Additionally, we employ affiliate cookies to identify customers referred to our Websites by our partners, enabling us to provide the referrers with their commission. For details on the cookies we use, please refer to our privacy policy.


The Company collects the personal data on the basis of consent obtained from the Data Subjects who have reached the age of 18 years.


The Company processes and stores the personal data during the period that is needed for the realization of the processing purposes, specified in this Policy.

After the expiration of the period of storage, the Company is obliged to delete the personal data or ask the Data Subject to provide the Company with new consent, if the necessity of processing remains actual for the Company or another purpose of processing appears.

The Company is entitled not to store more and delete the earlier collected Data Subject personal data of at any time if such personal data are not needed more. Herewith, the Company is obligated to notify the respective Data Subject that his/her personal data are deleted.

The Company may keep storing the personal data if subsequent processing is foreseen by law and is deemed relevant for a purpose that is not compatible with the original purpose of processing stated in this Policy. Herewith, under incompatible purposes means the purposes concerning archiving in the public interest, scientific, statistical, or historical use.


This Policy provide all Data Subjects with the opportunity to realize any of the following rights:

Right to withdraw consent:

(1) Where the basis for the Processing of Personal Data is consent under Article 10(1)(a) or under article 11(1)(a), the Data Subject may withdraw consent at any time by notifying the Controller in accordance with Article 12(5). Where a Controller has not complied with Article 12(5) a Data Subject may notify the Controller by any reasonable means.

(2) The right to withdraw consent is an absolute right available to a Data Subject if the basis for the Processing of the Data Subject’s Personal Data is consent under Article 10(1)(a) or Article 11(1)(a).

(3) Upon the exercise of a Data Subject's right to withdraw consent, a Controller must comply with Article 22 and must cease Processing the Personal Data as soon as reasonably practicable, and ensure that any Processors do the same.

Rights to access, rectification, and erasure of Personal Data:

(1) Upon request, a Data Subject has the right to obtain from a Controller without charge and within one (1) month of the request:

(a) confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed;

(b) a copy of the Personal Data undergoing Processing in electronic form and of any available information as to its source, including up-to-date information corresponding with the information requirements set out in Articles 29 and 30; and

(c) subject to Article 33(4), the rectification of Personal Data unless it is not technically feasible to do so.

(2) Subject to Article 33(3), the Data Subject has the right to require the Controller to erase the Data Subject's Personal Data where:

(a) the Processing of the Personal Data is no longer necessary in relation to the purposes for which it was collected;

(b) a Data Subject has withdrawn consent to the Processing where consent was the lawful basis for Processing and there is no other lawful basis, provided that in such circumstances the Controller must comply with Article 22;

(c) the Processing is unlawful or the Personal Data is required to be deleted to comply with Applicable Law to which the Controller is subject; or

(d) the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Controller to continue with the Processing.

(3) The Controller is only required to comply with a request by a Data Subject to erase Personal Data where:

(a) one of the conditions in Article 33(2) applies; and

(b) subject to Article 33(4), the Controller is not required to retain the Personal Data in

compliance with Applicable Law to which it is subject or for the establishment or defence of legal claims.

(4) Where rectification or erasure of Personal Data is not feasible for technical reasons, then the Controller is not in violation of this Law for failing to comply with a request for rectification or erasure of the Personal Data, in accordance with Articles 33(1)(c), 33(2)(a) or Article 33(2)(d) as applicable, if:

(a) the Controller collected the Personal Data from the Data Subject; and

(b) the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that rectification or erasure (as the case may be) of the Personal Data at the request of the Data Subject would not be feasible.

(5) Where a Data Subject suffers adverse effects as a result of the inability of a Controller to rectify Personal Data and where the need for rectification was not caused by the Data Subject's own provision of inaccurate data, the Controller shall provide all reasonable assistance to the Data Subject to enable the Data Subject to take steps to mitigate the adverse effects.

(6) A Controller shall direct all recipients and Processors to rectify or erase Personal Data where the respective right is properly exercised or to cease Processing and return or erase the Personal Data where the right to object is validly exercised. In such circumstances, Article 22 applies to the erasure of the Personal Data by both the Controller and the Processor.

(7) If a Data Subject request under Article 33(1) is particularly complex, or requests are numerous, the Controller may send notice to the Data Subject, within one (1) month, to increase the period for compliance by a further two (2) months citing the reasons for the delay.

(8) Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request, providing written confirmation to the Data Subject reasons for the refusal.

(9) A Controller must be able to demonstrate to the Commissioner upon request that a Data Subject’s request made in accordance with Article 33(8) is manifestly unfounded or excessive.

(10) If a Controller has reasonable doubts as to the identity of a Data Subject asserting a right under this Article 33, it may require the Data Subject to provide additional information sufficient to confirm the individual’s identity. In such cases, the time period for complying with the Data Subject request does not begin until the Controller has received information or evidence sufficient to reasonably identify that the person making the request is the Data Subject.

(11) Where a Controller complies with a request under Article 33(1)(b) it shall not disclose the Personal Data of other individuals in a way that may infringe their rights under Applicable Law and the Controller may redact or otherwise obscure Personal Data relating to such other individuals. Where the Data Subject's request is received by electronic means, and unless otherwise requested by the Data Subject, the information may be provided in a commonly used electronic form.

(12) The information to be supplied pursuant to a request under this Article 33 must be supplied by reference to the data in question at the time the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

(13) Without derogating from the requirements on DIFC Bodies as set out in Article 65(2), a Controller may restrict, wholly or partly, the provision of information to the Data Subject under Article 33(1). to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the Data Subject, a necessary and proportionate measure to:

(a) avoid obstructing an official or legal inquiry, investigation or procedure;

(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal

offences or the execution of criminal penalties;

(c) protect public security;

(d) protect national security; or

(e) protect the rights of others.

(14) Where the provision of information to a Data Subject under Article 33(1) is restricted in accordance with Article 33(13), a Controller must inform the Data Subject in writing without undue delay:

(a) that the provision of information has been restricted;

(b) of the reasons for the restriction;

(c) of the Data Subject’s right to lodge a complaint with the Commissioner under Article 60; and

(d) of the Data Subject’s right to apply to the Court under Article 63.

(15) Article 33(14)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.

Right to object to Processing

(1) A Data Subject has the right to:

(a) object at any time on reasonable grounds relating to his particular situation to Processing of Personal Data relating to him where such Processing is carried out on the basis that:

(i) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Controller; or

(ii) it is necessary for the purposes of the legitimate interests, where applicable, of a Controller or of a Third Party; and

(b) be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses, subject to any provision of this Law that does not permit disclosure; and

(c) where Personal Data is Processed for direct marketing purposes, object at any time to such Processing, including Profiling to the extent that it is related to such direct marketing.

(2) Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data, and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that overrides the interests, rights of a Data Subject or that the circumstances in Article 34(3) apply.

(3) If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the Processing at the request of the Data Subject, then the Controller may continue Processing the Personal Data in the same manner, subject to this Law in all other respects.

(4) A Controller shall, no later than its first communication to a Data Subject, explicitly bring to the attention of the Data Subject in clear language that is prominent and separate from other communications or information, the rights referred to in Article 34(1).

Right to restriction of Processing

(1) Subject to Article 35(3), a Data Subject shall have the right to require a Controller to restrict

Processing to the extent that any of the following circumstances apply:

(a) the accuracy of the Personal Data is contested by the Data Subject, for a period allowing the Controller to verify the accuracy of the Personal Data;

(b) the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead;

(c) the Controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;

(d) the Data Subject has objected to Processing pursuant to Article 34 pending verification of whether the legitimate grounds of the Controller override those of the Data Subject.

(2) If a Controller lifts the period of restriction, it shall inform the Data Subject in writing.

(3) Where Article 35(1) applies, the only Processing that may continue to be conducted without the consent of the Data Subject is:

(a) storage of the Personal Data concerned;

(b) Processing of the Personal Data for the establishment, exercise or defence of legal claims;

(c) Processing for the protection of the rights of another person; and

(d) Processing for reasons of Substantial Public Interest.

Right to data portability

(1) A Data Subject shall have the right to receive Personal Data that he has provided to a Controller in a structured, commonly used and machine-readable format where the Processing is:

(a) based on the Data Subject's consent or the performance of a contract; and

(b) carried out by automated means.

(2) The purpose of Article 37(1) is to enable ready portability between Controllers if so required by the Data Subject, and the Data Subject shall have the right to have the Personal Data transmitted directly from the Controller to whom the request is made to any other person, where technically feasible.

A Controller is not required to provide or transmit any Personal Data where doing so would infringe the rights of any other natural person.


We may update this privacy notice from time to time by posting a new version on our Platform. We advise you to check this page occasionally to ensure you are happy with any changes. However, we will endeavor to provide you with an announcement about any significant changes.


If you have any questions, comments, or concerns regarding our Privacy Policy and/or how we process your personal data, please contact us at the email address support@gomaskme.com.

Last updated