Documentation update

README.md

@@ -124,3 +124,4 @@ Official binaries distributed by **[K-Ops Oy](https://k-ops.eu)**.
 © Eugen Kaparulin. All rights reserved.  
 [`konduit-platform`](./konduit-platform) is published under the [PolyForm Noncommercial License 1.0.0](LICENSE).  
 All other parts of Konduit are proprietary.  
+[Privacy Policy](docs/privacy-policy.md)

docs/privacy-policy.md

@@ -0,0 +1,72 @@
+# Konduit Privacy Policy
+
+_Last updated: 9 June 2026_
+
+## Who we are
+
+Konduit is a TCP-native VPN client developed and distributed by **[K-Ops Oy](https://k-ops.eu)**. Questions about this policy can be sent to: **[konduit@k-ops.eu](mailto:konduit@k-ops.eu)**
+
+## What data Konduit processes
+
+### On your device
+
+The Konduit client stores the following data locally:
+
+| Data | Purpose | Where it is stored |
+|------|---------|-------------------|
+| VPN server address and port | Connect to your VPN server | Local config file |
+| Peer ID and pre-shared key (PSK) | Authenticate with your VPN server | Local config file |
+| Session statistics (bytes sent/received, connection state) | Display connection status | In-memory only, not persisted |
+
+### On the VPN server
+
+When you connect, the VPN server you connect to processes:
+
+| Data | Purpose |
+|------|---------|
+| Your IP address | Route return traffic to your device |
+| Connection timestamps | Session management |
+| Traffic volume (bytes in/out) | Capacity planning and abuse prevention |
+| Destination IP addresses of tunnelled traffic | Route packets to their destination |
+
+The content of tunnelled traffic is not inspected beyond what is necessary for routing.
+
+## What we do not collect
+
+- Konduit does **not** collect analytics, crash reports, usage statistics, or any telemetry.
+- Konduit does **not** display advertising.
+- Konduit does **not** sell or share connection metadata with third parties.
+
+## Self-hosted deployments
+
+Konduit is designed to be self-hosted. If you run your own Konduit server, all server-side data listed above stays under your control and is never transmitted to [K-Ops Oy](https://k-ops.eu).
+
+## Data retention and deletion
+
+All client-side data is stored in the local config file. To delete it, remove your configuration or uninstall Konduit.
+
+Server-side connection logs are retained for a limited period for operational purposes and then deleted. The exact retention period depends on the server operator.
+
+## Security
+
+- All traffic between client and server is encrypted using **X25519** key exchange and **ChaCha20-Poly1305** AEAD.
+- The pre-shared key (PSK) is stored in the local config file with permissions restricted to the current user.
+- Stealth mode wraps the tunnel in a protocol that is indistinguishable from HTTPS, preventing deep-packet inspection from identifying Konduit traffic.
+
+## Children
+
+Konduit is not directed at children under 13 and does not knowingly collect data from children.
+
+## GDPR (EU residents)
+
+When using a [K-Ops Oy](https://k-ops.eu) operated server, [K-Ops Oy](https://k-ops.eu) acts as data processor for connection metadata (IP address, timestamps, traffic volume) as described above. This data is processed on the legal basis of legitimate interest (providing the VPN service). You may request deletion of your connection metadata by contacting **[konduit@k-ops.eu](mailto:konduit@k-ops.eu)**.
+
+When using a self-hosted server, [K-Ops Oy](https://k-ops.eu) does not process any of your data.
+
+## Changes to this policy
+
+If we update this policy, the new version will be published at this URL with an updated "Last updated" date.
+
+## Contact
+
+Privacy questions: **[konduit@k-ops.eu](mailto:konduit@k-ops.eu)**