Privacy Policy

This policy gives you an overview of:

  • What information we collect, how it’s stored, and how it’s used
  • What happens in the case we are subpoenaed, receive a court order or DMCA copyright infringement notice
  • What we do with information relating to cancelled or dormant accounts
  • How we handle subject access requests

We’ve tried our best to make this policy human-readable so you can get the facts you need quickly.

What data don’t you log?

We do not log any data relating to a user’s VPN activity (while connected or connecting to the VPN).

  • No traffic logging
  • No connection timestamp or connection duration
  • No DNS request logging
  • No logging of user bandwidth
  • No logging of customer IP addresses
  • No logging of any account activity

What data do you log on sign-up?

When a new account is created, we store the following data:

  • Email: [email protected]
  • Password hash
  • Created at: 2023-08-21 05:03:13
  • Product: VPNSurfer Standart
  • Max devices: 5

Where is my data stored and who has access to it?

VPNSurfer is subject to EU law and is in compliance with the EU Data Protection Directive (Directive 95/46/EC), which prohibits companies transferring data to overseas jurisdictions with weaker privacy laws. VPNSurfer will not locate servers in countries where it’s forced to break this compliance. Due to the nature of our logging practices, VPN servers do not contain any personally identifiable information and thus, if seized, could not be used to identify users.

No third parties have access to any of your data. We always use first- or third-party tools we can host on our own servers in a protected and secure environment.

How do you limit simultaneous connections?

To authenticate clients, our applications send a request to a central authentication server that stores the client's email address associated with their account. If the authentication data is correct, the number of active sessions is checked. If the number of sessions does not exceed the set limit, a new session is created and a response containing the session identifier is sent to the application. Otherwise, the response will contain an authentication error.

What information is retained when I stop using your service?

When a VPN account is terminated on our network due to the subscription ending, all data associated with that VPN account, including the account itself, is automatically deleted after 90 days. After the account is deleted, the remaining accounting data below has no link to any past account email. If you want to delete your data immediately, simply click on the ‘delete account’ button within the client area.

How can I get access to the data you store on my behalf via a subject access request?

In accordance with GDPR legislation, reasonable requests for release of a specific user’s data will be honoured within 28 days of an acceptable request from a user or person with a provable legal relationship with that user.

We reserve the right to refuse or charge for requests that are manifestly unfounded or excessive. Any refused subject access requests will be responded to without undue delay, including the refusal reason as well as recourse to refer to the supervisory authority.

Subject access requests should be made in writing to [email protected]

What happens if you receive a legal notice such as a DMCA for copyright material that I have downloaded?

Since our customers are using a VPNSurfer-issued IP address when using our service, such notices are directed to VPNSurfer and our legal department will issue an appropriate response. Since we store no connection logs, we couldn’t associate a request with a customer identity even if legally compelled to do so.

How do you react when requested by an authority for information relating to a customer?

If a court order is received from a recognised legal authority with jurisdiction over VPNSurfer, then the company will comply with that order. However, the company cannot be compelled to hand over information which it does not have. When a customer signs up, we request no personal information. If it ever becomes required by law for us to keep a persistent log of our customers’ connections or any personal data relating to their network activity, we will immediately notify our customers and do everything in our power to move jurisdictions or close the service to protect those who entrust their privacy to us.

What happens if laws change?

VPNSurfer is committed to keeping its customers informed of any serious legislative threats to our service. If the laws in our jurisdiction change in a way that prevents us from upholding our privacy policy, we will always inform our customers before those laws are enacted. We will also allow customers to cancel their subscription and will refund any fees that cover the remainder of their subscription period.

Crash Logs

By default, if one of our mobile apps crashes while you’re using it, anonymized data about the crash will be collected on the device to help us identify the cause of the crash and hopefully fix it in a future update. These “crash logs” contain information such as the state of the app, operating system, and device at the time of the crash, but no personally identifiable information.

Crash logs for our desktop apps are only sent when the user manually confirms the action. For our mobile apps, you can opt-out of crash log reporting by disabling it in user preferences.

Crash logs are sent to a server hosted and managed by VPNSurfer, and to no third-party vendors or cloud services.

Device permissions for Personal Data access

VPNSurfer Android and iOS apps may request certain permissions that allow it to access the user’s device data as described below.

These permissions must be granted by the user before the respective information can be accessed. Once the permission has been given, it can be revoked by the user at any time in device settings.

Please note that revoking such permissions might impact the proper functioning of the app.

Android App

Background location permission (continuous):
Required to access the current Wi-Fi SSID, when the Network Protection feature is enabled.

Camera permission:
Used to scan a QR code with an account ID.

iOS App

Permission to save VPN profile:
Required to access the current Wi-Fi SSID, when the Network Protection feature is enabled.

Camera permission:
Used to scan a QR code with an account ID.

Changes to policy

VPNSurfer reserves the right to change this privacy policy at any time. In such cases, we will take every reasonable step to ensure that these changes are brought to your attention by posting all changes prominently on the VPNSurfer website for a reasonable period of time before the new policy becomes effective, as well as emailing our existing customers.

If you have any questions or comments regarding this policy, please do not hesitate to contact us.