FenixUzSecure Messenger
Download
HomeAboutFeaturesSecurityDownloadPermissionsFAQSupportTransparencyOpen SourceContact
Legal
PrivacyTermsEULACookiesGDPRChildrenAcceptable UseDMCADPA
Language
🇬🇧 EN🇷🇺 RU🇺🇿 UZ
Home DPA
Data Processing Agreement

Data Processing Agreement

Official document defining the data processing arrangements between VipAds LLC and sub-processors. Compliant with GDPR Art. 28, UK GDPR, and other applicable laws.

01Parties and definitions

This DPA is entered into between the following parties:

  • Controller: the FenixUz user (you).
  • Processor: VipAds LLC (Tashkent, Uzbekistan).

"GDPR" — General Data Protection Regulation (EU) 2016/679. The terms "Personal Data," "Processing," "Sub-processor," and "Breach" are used in accordance with the definitions of the GDPR.

02Subject of processing

ElementDetails
Type of dataPush notification token, device diagnostic data, anonymous usage statistics
Category of subjectsUsers of the FenixUz mobile application
PurposeDelivery of push notifications, fixing crashes, improving the app
DurationUntil the user uninstalls the app or upon request
Legal basisGDPR Art. 6(1)(b) performance of contract and Art. 6(1)(f) legitimate interest

03Sub-processors

VipAds LLC uses the following approved sub-processors:

Sub-processorLocationServiceSCC/DPF
Google LLCUSA / EUFirebase Cloud Messaging, Analytics, CrashlyticsEU-US DPF certified ✓
Apple Inc.USAApple Push Notification Service, App StoreSCC + DPF ✓
Telegram FZ-LLCUAE / GlobalBackend message transmission (independent Controller)SCC ✓
Cloudflare Inc.USA / EUfenixuz.uz website CDN and DDoS protectionSCC + DPF ✓

04Technical and organizational measures

In accordance with GDPR Art. 32, VipAds LLC implements the following measures:

  • Encryption in transit and at rest (TLS 1.3, AES-256);
  • Encryption of the local database (SQLCipher);
  • Data access on a least-privilege basis;
  • Confidentiality agreements signed by employees;
  • Independent security audit (once a year);
  • Bug bounty program to incentivize vulnerability discovery;
  • Automated vulnerability scanning (within CI/CD);
  • Maintaining usage logs and monitoring;
  • Annual penetration testing.

05Data subject requests

When a data subject exercises their rights under the GDPR (access, erasure, rectification, etc.), VipAds LLC will respond within 30 days and will request action from Sub-processors as necessary.

06Breach notification

When a personal data breach is identified, VipAds LLC will undertake the following:

  • Notify the competent supervisory authority within 72 hours (GDPR Art. 33);
  • Where there is a high risk — directly notify data subjects (Art. 34);
  • Prepare an impact assessment document;
  • Maintain a breach log.

07Right to audit

The data subject or supervisory authority may request an audit of VipAds LLC's data processing practices. Requests must be submitted in writing 30 days in advance. Audit costs are typically borne by the audit requester, except in cases where a GDPR breach is identified.

08International transfers

Data transfers outside the EU/EEA are carried out through the following mechanisms:

  • European Commission Adequacy Decisions;
  • Standard Contractual Clauses (SCC) Module 2 (Controller–Processor);
  • EU-US Data Privacy Framework (for Google and Apple);
  • Additional technical measures (transit encryption, key storage outside the service provider).

09Termination and return

When the user uninstalls the app:

  • The push token is invalidated within 30 days;
  • Crash reports are deleted within 90 days;
  • Anonymous analytics data is anonymized after 14 months;
  • Upon the data subject's request — data is exported in a machine-readable format.

10Adding new sub-processors

When a new sub-processor is added or replaced, we will notify you 30 days in advance (on the transparency.html page). If you object, you may stop using the application.