— Legal

Privacy Policy

Version 1.0Effective May 19, 2026

Multi Layer Security Pvt. Ltd. ("MSecurity", "we", "us", or "our") builds security software for Windows, macOS, iOS, and Android. This policy explains what data we collect, why we collect it, who we share it with, and the rights you have over it. We try to write this the way we'd want it written for ourselves: short sentences, plain language, no euphemisms.

If anything below is unclear or you want to exercise any of the rights listed in section 9, email us at [email protected]. We answer privacy requests within 30 days.

1. Who we are

Multi Layer Security Pvt. Ltd. is a company registered in Nepal, with its principal office at Koteshwor, Kathmandu, Nepal. For the purposes of the EU/UK General Data Protection Regulation (GDPR), we are the data controller for personal data we collect through our products, website, and support channels.

Our website is msecurity.app. Our products are distributed via our website (Windows installer), Apple App Store (iOS, macOS), and Google Play (Android).

2. What we collect, and why

2.1 Account information

When you create an MSecurity account, we collect:

  • Email address — used as your login identifier, to send license keys, transactional notices, security alerts, and (if you opt in) product updates.
  • Password — stored only as a salted hash. We never see or store your plaintext password.
  • Phone number — required for one-time-passcode (OTP) verification at sign-in. We store it so we can send the OTP and prevent account takeover. We do not use it for marketing.

2.2 Device and license information

When you install MSecurity on a device, the app sends us:

  • A device identifier (a randomly generated UUID, not your hardware MAC or IMEI),
  • The device model, operating system, and version,
  • A user-set device name, if you provide one,
  • Your license key and its current activation state,
  • The current app version, and the timestamp of the last sync.

We need this to enforce per-device license limits, push security definition updates, and show you the list of your protected devices in the dashboard.

2.3 Antivirus and threat-scanner data

MSecurity runs scans on your device. We do not upload your files, your file contents, or a full inventory of what's on your machine.

When the scanner finds something it cannot classify with high confidence — typically a single file that matches a suspicious heuristic but isn't yet in our signature database — it may upload that specific file to our analysis servers so our team and machine-learning models can decide whether it is a threat. We use these uploads only to improve detection. We do not read the file for any purpose other than malware analysis, and we delete the file within 90 days of analysis unless it is confirmed malware (in which case we retain a copy for signature development).

You can disable suspicious-file upload at any time in Settings → Privacy → Cloud analysis. Disabling it does not affect any other product feature; it only means novel threats will take longer to be caught.

2.4 VPN traffic

We operate our own VPN servers. Our VPN is no-logs, which means:

  • We do not log the websites or services you visit.
  • We do not log the IP addresses you connect from or the IP addresses you receive from our servers.
  • We do not log connection timestamps, session durations, or bandwidth used per user.
  • Server-side memory caches reset on every reboot. Our servers run on a stateless image — there is no persistent disk that can be subpoenaed.

We retain aggregate, anonymous server-load metrics (CPU, total throughput, server uptime) for capacity planning. These metrics cannot be tied back to any individual user.

2.5 Payment data

We do not store your card number, CVV, bank account, or wallet credentials. When you buy a subscription, your payment is processed by one of:

We receive from these processors only what we need to fulfil the order: a transaction ID, the amount, the currency, the country (for tax purposes), the payment method type (e.g. "Visa ending 4242"), and whether the charge succeeded. We store this information for tax, accounting, and refund/dispute handling.

2.6 Customer support

When you email [email protected] or fill out our contact form, we keep a copy of the conversation and any details you choose to include (e.g. screenshots, log files, device info) so we can help you and improve the product. We retain support correspondence for up to 24 months.

2.7 Website analytics

Our marketing website (msecurity.app) uses third-party analytics to understand how visitors find and use the site:

  • Google Analytics 4 (Google Ireland Ltd. / Google LLC) — for aggregate page views, source/medium, and conversion attribution. Google Analytics is configured with IP anonymisation enabled, and we do not link analytics identifiers to your MSecurity account.
  • Meta Pixel (Meta Platforms Ireland Ltd.) — to measure the performance of advertisements on Facebook and Instagram and to build audiences for retargeting.

These tools rely on cookies and similar technologies. On your first visit, you can accept, reject, or customise non-essential cookies via the consent banner. If you reject, the analytics tags do not load. You can change your choice at any time via the Cookies link in the footer.

Note: the MSecurity apps (Windows, macOS, iOS, Android) do not contain Google Analytics, Meta Pixel, or any third-party advertising SDK. Analytics is a website-only concern.

2.8 Server logs

Our API servers keep standard request logs — request method, path, status code, response time, and the requesting IP address — for security monitoring and abuse prevention. These logs are rotated and deleted after 30 days.

3. Legal bases (GDPR)

Under the GDPR, every use of your personal data must have a legal basis. Ours are:

  • Contract (Art. 6(1)(b)): account creation, license activation, device management, payment processing, and customer support — we need this data to deliver the product you bought.
  • Legal obligation (Art. 6(1)(c)): tax records, accounting, responding to lawful requests from authorities.
  • Legitimate interests (Art. 6(1)(f)): security monitoring of our infrastructure, fraud prevention, and improving threat detection through analysis of suspicious-file uploads. You can object to processing based on legitimate interests at any time (see section 9).
  • Consent (Art. 6(1)(a)): marketing emails, non-essential cookies, and any analytics that load before you accept the banner. You can withdraw consent at any time without affecting prior processing.

4. Who we share data with

We do not sell your personal data. We share it only with:

  • Service providers who process data on our behalf, under a data-processing agreement: our cloud hosting provider, our transactional email provider, our SMS OTP provider, and the payment processors listed in section 2.5. Each of these has contractual obligations to use your data only for the services we've engaged them for.
  • Law enforcement, but only when we receive a legally binding request (subpoena, court order, or equivalent in the relevant jurisdiction) and only to the extent the request is specific and proportionate. We do not provide bulk access. We will notify affected users unless legally prohibited.
  • An acquirer, if Multi Layer Security Pvt. Ltd. is acquired or merges with another company. We'll notify you before your data is transferred and you'll have the right to delete your account before any transfer takes effect.

5. International transfers

If you access MSecurity from outside the region where our servers are physically located, your data will be transferred across borders. For transfers from the EU/UK/Switzerland to countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures as appropriate.

6. Data retention

DataHow long we keep it
Account email, password hashUntil you delete your account
Phone number (OTP)Until you remove it or delete your account
Device listUntil you remove the device or delete your account
License keysFor the full subscription term + 30 days after expiry
Payment / invoice records7 years (tax law requirement)
Support correspondence24 months
Suspicious-file uploads90 days, unless confirmed malware
Server access logs30 days
VPN session dataNot retained

7. Security

We protect your data with industry-standard measures:

  • TLS for all network traffic between your devices and our servers.
  • AES-256 for sensitive data at rest in our databases.
  • Passwords stored as salted hashes.
  • OTP-based two-factor authentication for sign-in.
  • Principle of least privilege for staff access, with audit logging.

No security control is perfect. If we ever have reason to believe your personal data has been compromised, we will notify you and the relevant authorities within the timeframes required by applicable law (72 hours for GDPR).

8. Children

MSecurity is not directed to children under 13 (or 16 in the EU, or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect data from anyone in this age group. If you believe a child has provided us with personal data, please email [email protected] and we will delete it.

9. Your rights

Wherever you live, you have the right to ask us:

  • What data we hold about you and to receive a copy (right of access / portability),
  • To correct any inaccurate or incomplete information (rectification),
  • To delete your data (erasure / "right to be forgotten"),
  • To restrict or object to our processing,
  • To withdraw consent at any time, where consent is the legal basis,
  • To not be subject to automated decisions with legal effect. We do not make any such decisions about you.

9.1 For residents of the European Economic Area, UK, and Switzerland

You have all of the rights above under the GDPR. You also have the right to lodge a complaint with your local supervisory authority. We will not charge you for exercising any of these rights, and we will respond within one month.

9.2 For residents of California, USA

Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, you have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any "sale" or "sharing" of it for cross-context behavioural advertising. We do not sell your personal data. However, our use of Meta Pixel may, under the CCPA's broad definition, qualify as "sharing." You can opt out by rejecting non-essential cookies on our website or by emailing [email protected].

You may also designate an authorised agent to make a request on your behalf, and we will not discriminate against you for exercising any CCPA right.

9.3 How to exercise your rights

Email [email protected] from the address associated with your account, or visit Dashboard → Settings to export or delete your account directly. We verify identity before fulfilling requests to prevent unauthorised access to your data.

10. Cookies

Our website uses cookies in three categories:

  • Strictly necessary — required for the site to work (e.g. remembering you're signed in, storing your region preference). These cannot be disabled.
  • Analytics — Google Analytics 4. Loaded only if you accept.
  • Marketing — Meta Pixel. Loaded only if you accept.

Manage your cookie preferences from the footer link Cookies at any time.

11. Changes to this policy

We may update this policy when our practices or the law changes. Material changes will be announced by email to active account holders at least 30 days before they take effect. The "Last updated" date at the top of this page reflects when this version was published. Previous versions are available on request.

12. Contact us

For any privacy-related question, request, or complaint:

Multi Layer Security Pvt. Ltd.
Privacy Inquiries
Koteshwor, Kathmandu, Nepal
Email: [email protected]

This page is provided in English. In the event of any translation, the English version controls.