Meet Marta. She found your VPN through a blog post at midnight in Lisbon, paid with a Portuguese credit card, opened one support ticket, unsubscribed eight months later, and asked you to delete everything.
Marta never noticed it, but she just walked your company through seven separate legal events under two of the world’s toughest privacy regimes. Her signup demanded a lawful basis and a compliant notice. Her payment created records that tax law forces you to keep and privacy law forces you to justify. Her support ticket handed your helpdesk vendor the very IP-and-timestamp data your servers refuse to store. Her deletion request started a clock — and reached into your backups.
Multiply Marta by every subscriber in Portugal, Germany, France, the Netherlands, and Brazil, and you have the real shape of GDPR & LGPD for VPN companies: not an abstract legal cloud, but a sequence of concrete moments in one customer’s lifecycle, each carrying specific obligations and specific fines. Europe’s regime reaches €20 million or 4 percent of global turnover; Brazil’s Lei Geral de Proteção de Dados reaches R$50 million per violation — and its regulator has already fined a company with a handful of employees, which retires the comforting myth that enforcement only hunts giants.
Our team at VPN Crafter has walked white label partners through this lifecycle on real launches into both markets. This primer follows Marta’s path moment by moment, hands you a dual-compliance worksheet covering both laws at once, prices the fines honestly, and flags the traps we have watched catch smart founders.
A necessary caveat: this is education, not legal advice. Arrive at your lawyer’s office informed; do not use this to cancel the appointment.
Why Both Laws Already Apply to You
GDPR applies to any VPN company serving or monitoring people in the EU, and LGPD applies to any company processing data collected in Brazil or offering services to Brazilians — no local office, server, or incorporation required in either case.
Founders test scope with the wrong question (“where are we registered?”) when both statutes ask a different one (“whose people are you touching?”). Three quick self-checks settle it:
- Currency and language are scope evidence. Pricing in euros, a checkout in German, or a Portuguese app store listing all signal that you are offering services to those markets — the trigger in GDPR Article 3 and LGPD’s territorial rules alike.
- Analytics count as monitoring. Tracking EU visitors on your marketing site places you in GDPR scope even before anyone subscribes, because the CJEU’s Breyer ruling made IP addresses personal data back in 2016.
- Offshore incorporation changes nothing here. A BVI or Panama entity still owes GDPR an Article 27 EU representative and still answers to Brazil’s ANPD — the Autoridade Nacional de Proteção de Dados — for Brazilian users.
One clarification prevents a common overcorrection: neither law regulates your tunnel into scope. Obligations attach to the business relationship — the account, the payment, the ticket, the pixel. Keep that distinction; the entire lifecycle below is built on it.
GDPR and LGPD both apply to VPN companies wherever they are incorporated, whenever they serve users in the EU or Brazil. The laws regulate the business layer — accounts, billing, support, marketing analytics — not just logs, with penalties reaching €20M or 4% of global turnover (GDPR) and R$50M per violation (LGPD).
The Fine Math Founders Should Actually Run
Headline maximums make poor planning numbers. Run the arithmetic that reflects how enforcement actually lands.
GDPR’s two tiers. Serious violations — unlawful processing, ignored rights, transparency failures — reach €20 million or 4 percent of global annual turnover, whichever is higher. Procedural failures (missing records, absent DPAs) carry a lower tier of €10 million or 2 percent. Notice the asymmetry for startups: the fixed euro figures, not the percentages, are your exposure, and €10 million dwarfs most seed rounds.
LGPD’s per-violation cap. Brazil fines up to 2 percent of Brazilian revenue, capped at R$50 million — per violation. Stack a missing encarregado, an untranslated notice, and a late breach report, and the cap multiplies. The ANPD also wields non-monetary weapons founders underestimate: processing bans and public disclosure of the infraction, which for a privacy brand is arguably worse than the money.
Small companies are in season. The ANPD’s first-ever sanction, issued in 2023, hit a micro-enterprise — a telemarketing firm fined for processing without a legal basis. European DPAs likewise fine SMEs weekly; DLA Piper’s annual survey counts cumulative GDPR penalties beyond €5 billion across thousands of actions, most of them far below headline size. The enforcement lottery sells no exemptions for being early-stage.
The planning conclusion: budget compliance as product engineering, not legal contingency. Prevention prices in the tens of thousands; the alternative starts at seven figures and includes your reputation as a privacy company.
The Compliance Lifecycle: Seven Moments Where the Law Touches Your VPN
Follow Marta again — this time with the statutes open.
Moment 1: The Visit (Cookies, Pixels, and the Homepage You Forgot Is Regulated)
Before Marta creates an account, your website processes her personal data: IP address, analytics events, maybe an ad pixel. Under GDPR plus the ePrivacy rules, non-essential cookies need real consent — a banner with a genuine reject option, no pre-ticked boxes. LGPD expects equivalent transparency for Brazilian visitors. This moment matters disproportionately because it is publicly inspectable: a regulator, journalist, or Reddit thread can audit your homepage from anywhere, making a broken consent flow the cheapest violation to catch.
Moment 2: The Signup (Lawful Basis and the Honest Notice)
Creating Marta’s account processes her email and credentials. Delivering the paid service rests on contract performance — GDPR Article 6(1)(b), LGPD Article 7, II — which requires no consent theater. The privacy notice she clicks through must describe reality from your data map, in English for GDPR audiences and Portuguese for Brazil. Overpromising (“we collect absolutely nothing”) is a transparency violation; the accurate, modest truth is both compliant and more credible.
Moment 3: The Payment (Where Privacy Law Meets Tax Law)
Marta’s transaction creates records your payment processor holds and tax authorities require you to retain for years. Privacy law does not forbid this; it demands you document the reconciliation — a retention schedule stating what billing data you keep, under which legal obligation, for how long. Your processor, meanwhile, needs an Article 28 data processing agreement, as does every vendor in this lifecycle.
Moment 4: The Usage (Minimization as Architecture)
Here the VPN business earns its structural advantage. GDPR Article 25 mandates data protection by design and by default; LGPD Article 6 enshrines necessity. A tunnel built on RAM-only servers, unjoinable billing and traffic domains, and near-zero telemetry does not merely comply — it demonstrates the principle better than nearly any business model on earth. Neither the EU nor Brazil imposes a general data-retention mandate on consumer VPNs, so the no-logs posture is lawful in both markets and legally rewarded: data never written cannot breach, cannot be demanded, and never triggers a clock.
Moment 5: The Support Ticket (The Log You Didn’t Mean to Keep)
Marta pastes her IP address and a connection timestamp into a help request — as users constantly do — and your helpdesk vendor now retains correlation-grade data your infrastructure refuses to store. The remedies are unglamorous and essential: PII scrubbing on intake where feasible, a short ticket-retention cycle, a DPA with the vendor, and a disclosure line in the policy. Every VPN company we have reviewed had this gap until someone looked.
Moment 6: The Exit (Rights Requests on a Deadline)
Eight months later, Marta unsubscribes and requests deletion. GDPR gives you one month to complete access, correction, portability, or erasure requests; LGPD’s Article 18 rights run parallel, with a 15-day window for the detailed access format. Two implementation truths: identity verification must not demand more data than you hold, and deletion must reach backups on a documented, provable cycle — regulators treat backup retention as retention.
Moment 7: The Incident (Two Clocks, Pre-Drafted)
Somewhere in your company’s life, an incident will touch personal data. GDPR Article 33 gives you 72 hours from awareness to notify the supervisory authority when rights are at risk; Brazil’s Resolution CD/ANPD 15/2024 sets 3 business days to the ANPD and affected users. Both clocks accept phased reporting and both start before forensics finishes — which is why the notification templates, the severity rubric, and the named incident owner belong on the shelf now, drafted on a calm Tuesday rather than the worst Friday of your year.
The Ten GDPR–LGPD Differences That Actually Bite
LGPD borrowed GDPR’s architecture, so dual compliance is mostly one program. These ten deltas are where the copy-paste assumption fails:
- The breach clock: 72 hours to an EU authority versus 3 business days to the ANPD — different regulators, different forms, different languages.
- Legal bases: GDPR offers six; LGPD’s Article 7 offers ten, including credit protection and health-protection bases with no EU equivalent. Re-map, don’t assume.
- The DPO question: GDPR requires one only under Article 37 triggers; LGPD broadly expects an encarregado from controllers — named, published, and reachable — with relief for the smallest businesses.
- The representative question, inverted: GDPR demands an Article 27 EU representative from foreign companies; LGPD has no equivalent mandate, leaning on the encarregado instead.
- Language: Brazilian users get Portuguese notices — a faithful translation of your data map, not marketing localization.
- Fine structure: a global-turnover percentage versus a Brazil-revenue percentage with a per-violation cap. Different math, different worst cases.
- Regulator topology: one centralized ANPD versus a federation of national DPAs (CNIL, ICO under UK GDPR, the Irish DPC, AEPD, and peers) coordinated by the EDPB — which shapes where complaints land and how precedent forms.
- Transfer paperwork: EU SCCs with post-Schrems II transfer impact assessments versus Brazil’s own clauses under ANPD Resolution 19/2024. Same concept, non-interchangeable documents.
- Children’s data: the EU’s consent-age bands (13–16 by member state) versus Brazil’s best-interest-of-the-child standard with parental-consent emphasis.
- Enforcement maturity: eight years of EU precedent versus a young, centralizing, and visibly accelerating ANPD — meaning Brazilian ambiguities resolve in real time, and your compliance program needs an owner who watches for new resolutions.
Strategy follows from the list: build once to the stricter GDPR baseline, then bolt on Brazil’s deltas. Practitioners call it GDPR-plus, and it halves the maintenance of running two parallel programs.
The Dual-Compliance Worksheet
One artifact, both laws. Work each row with counsel; the two right-hand columns keep the deltas visible.
| Requirement | GDPR Action | LGPD Action |
|---|---|---|
| Processing inventory | Article 30 record of processing, owned and current | Equivalent inventory; feeds the encarregado’s oversight |
| Lawful basis per purpose | Map to Article 6 (service = contract; marketing = consent/LI; analytics = consent) | Re-map to Article 7’s ten bases; document divergences |
| Privacy notice | Accurate, data-map-derived, in English + market languages | Portuguese version, faithful to the same map |
| Cookie/tracker consent | ePrivacy-grade banner: real reject, no pre-ticks | Equivalent transparency for Brazilian visitors |
| Named people | Article 27 EU representative; DPO if Article 37 triggers | Encarregado appointed and published with live contact |
| Vendor contracts | Article 28 DPAs: payments, helpdesk, email, analytics, infrastructure | LGPD-aligned processing terms in the same contracts |
| Rights workflow | One-month response; verified identity; logged | Article 18 rights incl. sharing disclosure; 15-day detailed access |
| Retention schedule | Per data class; tax retention reconciled with minimization | Same schedule; Brazilian tax and consumer-law periods added |
| Deletion depth | Production + backups on a provable cycle | Identical standard; anonymization recognized as an outcome |
| Breach playbook | 72-hour DPA path; user-notification criteria; templates drafted | 3-business-day ANPD path per Resolution 15/2024; Portuguese templates |
| Transfers | Adequacy, SCCs + transfer impact assessment, or BCRs | ANPD Resolution 19/2024 clauses, adequacy, or BCRs |
| Design-by-default evidence | Article 25 proof: RAM-only fleet, domain separation, minimal telemetry | Article 6 necessity proof — the same documents |
Notice how many rows converge on identical evidence. That convergence is the founder’s leverage: one data map, one architecture dossier, one vendor file — serving two regulators.
Proving It: Where Compliance Meets Your Audit Story
Regulators, auditors, and privacy-conscious customers ultimately read the same shelf of documents, and a smart founder writes them once.
The architecture evidence behind GDPR Article 25 — diskless servers, unjoinable data domains, pipeline-enforced configuration — is precisely what independent no-logs audits verify under ISAE 3000. A provider that passes one has, in effect, pre-assembled its design-by-default file for both statutes; conversely, the data map this primer keeps invoking doubles as the audit’s data-flow register. Teams planning their build should read our complete guide to VPN development with this dual-use lens: every architectural decision — client, tunnel, fleet, control plane — either generates compliance evidence or generates compliance debt, and the choice is made at design time, not at the regulator’s deadline.
The commercial takeaway lands hardest for founders weighing build versus buy. Retrofitting minimization into a logging-era stack is the expensive path on both the legal and audit ledgers — a hidden line item behind every honest answer to how much does VPN development cost. Whether you pursue custom VPN development, enterprise VPN development for B2B buyers, or broader VPN app development, insist that any provider of VPN development services show you how their architecture maps to Article 25 and Article 6 evidence before contracts are signed. “Compliance-ready” without documents is a slogan.
Who Owns What: Compliance Across Business Models
Legal roles — controller versus processor — decide which obligations land on whom, and VPN business models distribute them unevenly.
Direct consumer brands are controllers of everything in Marta’s lifecycle. All seven moments are yours.
White label brands split the stack. The platform typically acts as your processor for infrastructure-level operations, which makes the platform DPA the most consequential contract in the relationship — and makes platform selection a compliance decision, not just a technical one. A white label VPN development platform built on minimization-by-design hands you Moment 4 essentially solved, complete with the Article 25 evidence file; Moments 1–3 and 5–7 — your website, your notices, your payments, your helpdesk, your rights workflow, your breach comms — remain permanently yours as controller. At VPN Crafter, partner onboarding pairs the infrastructure dossier with a full white label VPN compliance checklist for exactly this reason: the inherited half must be documented, and the retained half must be understood.
B2B sellers flip roles again. Provide remote access to companies and you frequently become the processor of their employees’ data — answering your customers’ DPAs, publishing sub-processor lists, and completing their security questionnaires. Design those disclosures in from the start; retrofitting them mid-enterprise-deal is how quarters get lost.
Expert Insights from the VPN Crafter Team
Field notes from real launches into both jurisdictions:
Insight 1: A currency toggle put a partner in scope overnight. One brand added euro pricing “for conversion optimization” without telling anyone who watched the legal map. Euro checkout plus German-language ads is textbook Article 3 targeting — scope arrived months before the compliance file did. Growth experiments now route through a one-line question in our launch reviews: does this change whose people we are touching?
Insight 2: The chat widget nobody contracted. During a pre-launch review we inventoried every third-party script on a partner’s site and found a live-chat widget — added by a contractor, storing transcripts abroad, covered by no DPA. Fifteen minutes of JavaScript archaeology closed a genuine Article 28 gap. Inventory the scripts, not just the vendors you remember hiring.
Insight 3: App-store privacy labels are a regulator’s cheat sheet. A partner’s iOS privacy label claimed “data not collected” while the app shipped a crash-reporting SDK. Beyond the store-rejection risk, the mismatch was a public transparency violation in two regimes at once. We now diff privacy labels against the data map at every release — the same document, three audiences: Apple, Brussels, Brasília.
Insight 4: Deletion collided with fraud prevention, and documentation won. A deletion request arrived from an account flagged for payment fraud. Erasing everything would have destroyed evidence supporting a legitimate-interest retention; deleting nothing would have violated the request. The resolution — delete the marketing and account data, retain the minimal fraud file under a documented basis with a review date — satisfied counsel precisely because the reasoning was written down before regulators ever asked. Rights requests are rarely all-or-nothing; documented partial responses are the professional pattern.
Insight 5: The Portuguese notice outperformed the English one. Translating a partner’s privacy notice for LGPD compliance, we rewrote it plainly instead of transliterating legalese — short sentences, honest categories, the encarregado’s real inbox. Brazilian trial-to-paid conversion ticked up measurably within the quarter. Compliance documents are read by customers before regulators; write them for the reader who can pay you.
Statistics and Data: Enforcement in 2026
Citable figures, sources named:
- Cumulative GDPR fines exceed €5 billion across thousands of enforcement actions since 2018, per DLA Piper’s annual GDPR survey — with most penalties landing far below headline scale, on companies of every size. (DLA Piper)
- The landmark maximums are real: Meta’s €1.2 billion transfer fine (Irish DPC, 2023) and Amazon’s €746 million penalty (Luxembourg, 2021) anchor the upper range. (EU DPAs; EDPB)
- Brazil’s ANPD opened its fining era in 2023 against a micro-enterprise — Telekall Infoservice, sanctioned over processing without a legal basis — establishing that LGPD enforcement does not wait for giants. (ANPD)
- LGPD’s ceiling is 2 percent of Brazilian revenue, capped at R$50 million per violation, alongside processing bans and public disclosure of infractions. (ANPD; Law 13,709/2018)
- Resolution CD/ANPD 15/2024 fixed Brazil’s breach-notification deadline at 3 business days, replacing the old “reasonable time” standard; Resolution 19/2024 delivered Brazil’s SCC-based transfer framework. (ANPD)
- IP addresses have counted as EU personal data since the CJEU’s Breyer ruling (2016) — the precedent that regulates every VPN marketing site’s analytics. (Court of Justice of the EU)
- Context for the opportunity these laws protect: the VPN market reaches $86 billion in 2026, serving 1.75 billion users, with privacy regulation acting as both demand engine and conduct standard. (The Business Research Company; VPNpro)
Read together: enforcement is broad, increasingly small-company-inclusive, and accelerating in exactly the two markets — Europe and Brazil — where VPN demand runs hottest.
Common Compliance Mistakes
- Testing scope by incorporation instead of audience. Currency, language, and ad targeting decide the question your registered agent cannot.
- Assuming no-logs closes the file. The tunnel is minimized; Moments 1–3 and 5–7 of the lifecycle remain fully regulated.
- Borrowing a competitor’s privacy policy. It describes their data map; every mismatch with yours is a documented transparency gap.
- Running consent-free analytics on a privacy brand’s homepage. The most publicly visible violation in either regime, checkable from any browser.
- Forgetting the encarregado — or hiding them. A named, answered contact is both an LGPD expectation and a conversion asset in Brazil.
- Uncontracted scripts and widgets. Chat tools, pixels, and SDKs added by contractors create Article 28 gaps nobody owns.
- Deletion that stops at production. Backups are retention; provable expiry cycles are the standard both regulators apply.
- Treating the two breach clocks as one. Different deadlines, regulators, forms, and languages — pre-draft both paths.
- Letting marketing outrun the map. “Zero data, total anonymity” copy beside billing records invites privacy and consumer-protection scrutiny together.
- Compliance as a launch artifact. New SDKs, markets, and payment rails amend the data map; an unowned map drifts into fiction within two quarters.
Best Practices That Survive Growth
- Assign the map an owner. One living processing inventory, updated per release, feeding the notices, DPAs, worksheets, and audit evidence alike.
- Build GDPR-plus once. The stricter baseline plus Brazil’s deltas beats parallel programs on cost, consistency, and sanity.
- Make architecture your first exhibit. RAM-only fleets and domain separation turn Article 25 and Article 6 from claims into documents.
- Contract every vendor that touches a byte — including the widgets contractors installed while nobody watched.
- Write compliance documents for customers first. Plain-language notices convert; legalese merely complies.
- Rehearse both clocks annually. A tabletop from detection to draft notification, in under a day, in two languages.
- Route growth experiments through a scope check. New currencies, languages, and ad geographies change whose laws you owe.
- Version everything. Regulators ask what you knew and when; dated policies, schedules, and playbooks answer for you.
Frequently Asked Questions
Do GDPR and LGPD apply to a VPN company with no EU or Brazil office?
Yes. Both laws attach to the audience, not the address: serving or monitoring people in the EU triggers GDPR under Article 3, and offering services to individuals in Brazil triggers LGPD — regardless of incorporation, servers, or staff location.
What data does a VPN company hold that these laws regulate?
Account emails and credentials, billing and tax records, support tickets (often containing user-pasted IPs and timestamps), and marketing analytics — the full business layer. A no-logs tunnel empties only the connection layer.
Is running a no-logs VPN legal under GDPR and LGPD?
Yes. Neither regime currently imposes a general data-retention duty on consumer VPN services, and both enshrine data minimization — so retaining less is the legally favored direction, provided the business layer stays compliant.
What is the maximum GDPR fine a VPN company could face?
€20 million or 4 percent of global annual turnover, whichever is higher, for serious violations; €10 million or 2 percent for procedural ones. For startups, the fixed euro figures — not the percentages — define the realistic worst case.
How are LGPD fines calculated?
Up to 2 percent of the company’s Brazilian revenue per violation, capped at R$50 million, with additional sanctions including processing bans and public disclosure. Multiple simultaneous violations multiply exposure under the per-violation structure.
Has Brazil actually fined anyone under LGPD?
Yes — starting in 2023, when the ANPD sanctioned a micro-enterprise (Telekall Infoservice) for processing without a legal basis, and continuing with a steadily expanding docket. Small size is not a shield.
What is an encarregado and does my VPN need one?
The encarregado is LGPD’s data protection officer: a named contact, published on your site, mediating between users, your company, and the ANPD. Controllers are broadly expected to appoint one, with relief available for the smallest businesses — and a reachable encarregado doubles as a trust signal in the Brazilian market.
What is the breach notification deadline under each law?
GDPR Article 33 requires notifying the supervisory authority within 72 hours of awareness when the breach risks individuals’ rights; Brazil’s Resolution CD/ANPD 15/2024 requires notifying the ANPD and affected users within 3 business days. Both accept phased reports.
Which lawful basis covers providing the VPN service itself?
Contract performance — GDPR Article 6(1)(b) and LGPD Article 7, II. Delivering the subscription the user purchased needs no separate consent; marketing and analytics, by contrast, generally do.
Do website analytics really fall under these laws?
Yes. IP addresses are personal data in the EU under the CJEU’s Breyer decision, and Brazil treats online identifiers equivalently — which makes your cookie banner and analytics configuration regulated activity before anyone subscribes.
How do deletion requests work when tax law requires keeping billing records?
Both duties coexist: delete what no obligation covers, retain the legally mandated records under a documented basis with defined periods, and explain the split in your response. The written reconciliation — a retention schedule — is what regulators actually review.
Who handles GDPR and LGPD in a white label VPN arrangement?
The brand is the controller — owning notices, consent, rights requests, the encarregado, and breach communications — while the platform typically processes infrastructure-side data under a DPA. The platform’s minimization architecture transfers as evidence; the controller duties never transfer at all.
What are the rules for transferring user data out of the EU or Brazil?
EU exits need adequacy, Standard Contractual Clauses with a transfer impact assessment, or BCRs; Brazilian exits use ANPD Resolution 19/2024’s clauses, adequacy findings, or BCRs. RAM-only traffic servers holding no personal data sit outside the analysis — billing, helpdesk, and analytics flows are where the paperwork concentrates.
What single document most improves a VPN company’s compliance posture?
The data map (processing inventory). It feeds the privacy notices, lawful-basis analysis, vendor DPAs, retention schedule, deletion workflow, breach assessments, and audit evidence — one living document, every obligation’s foundation.
Conclusion: Marta Is the Compliance Program
Strip the statutes to their function and they ask one question seven times: what happens to one subscriber’s data at each moment she touches your company? Answer it honestly — with a mapped visit, a truthful notice, reconciled payment records, minimization by architecture, a scrubbed helpdesk, deletion that reaches backups, and two breach clocks pre-drafted — and GDPR and LGPD stop reading as threats. They start reading as the specification for the company your customers hoped you were building anyway.
The closing irony deserves its due: no industry is better positioned to comply than this one. Data-minimization law and no-logs engineering are one philosophy in two dialects, and a VPN built properly walks into either regulator’s office carrying its own best evidence.
Key Takeaways
- Scope follows the audience: currencies, languages, and ad targeting — not incorporation — decide whether the EU and Brazil own a piece of you.
- Seven lifecycle moments carry the load: visit, signup, payment, usage, support, exit, incident — each with specific statutes and specific documents.
- Run realistic fine math: fixed-figure GDPR tiers and LGPD’s per-violation cap threaten startups directly, and the ANPD already fines micro-enterprises.
- Ten deltas separate the laws; build GDPR-plus once and bolt on Brazil’s — the encarregado, Portuguese notices, the 3-day clock, Resolution 19/2024 clauses.
- One evidence shelf serves three audiences: the data map and architecture dossier satisfy regulators, no-logs auditors, and skeptical customers alike.
- Roles route obligations: consumer brands control everything, white label splits the stack under a DPA, and B2B adds a processor persona.
Inherit the Hard Half — Launch on VPN Crafter
Moment 4 of Marta’s lifecycle — minimization engineered into the infrastructure itself — is the half no founder should rebuild from scratch. VPN Crafter white label partners inherit it on day one: RAM-only fleets, unjoinable data domains, pipeline-enforced configuration, and the Article 25-grade evidence dossier to prove it, alongside our compliance checklist and DPA covering the split of duties in writing. You own the brand and the promises; the architecture already keeps them.
Book a free consultation with the VPN Crafter team — whether you are entering the EU and Brazil for the first time or bringing an existing brand up to GDPR-plus standard. The two toughest privacy regimes on earth are also your two hottest markets. Launch on infrastructure that treats that as the opportunity it is.