Transparency report

Most VPN marketing asks you to take big claims on faith. We would rather show our work. This page lists exactly what vpn.now stores, what we never collect, and how we handle requests for data.

Magnifying glass over a public report with every disclosure checked off

What data we collect

Here is the complete list of personal data our systems store. If it is not on this list, we do not have it.

Data Why we need it Kept for
Account email addressLogin, receipts, and important service noticesLife of the account
Hashed passwordSecuring your account. We never see the actual passwordLife of the account
Subscription and payment recordsBilling, refunds, and tax obligationsAs long as law requires for financial records
Device names you chooseSo you can tell your devices apart in the dashboardUntil you delete the device
Device public keysLetting your devices authenticate to our serversUntil revoked or rotated
Aggregate per-server session counts and bandwidthCapacity planning, so servers do not get overloadedPurged after 30 days
Total data usage per accountA single running total so we can operate the service fairly and apply the free plan limit. It contains no destinations and no contentsLife of the account
Approximate sign-in location and IP addressAccount security and spotting suspicious sign-ins. You can see your own recent sign-ins in your account. This is where you signed in to your account, not anything you did over the VPNPurged after 30 days

What we never collect

The following data is not stored by vpn.now, not even temporarily in a database:

  • Your browsing activity
  • Your DNS queries
  • The contents of your traffic
  • The websites you visit

Our session statistics are aggregate counts per server per day. They contain no source IP addresses, no destinations, and nothing that links a session to a specific account. If you want to understand what your provider can normally see, read what your ISP sees, and for how to judge any provider's claims, see our guide on reading a VPN logging policy.

Diagram contrasting the small amount we keep, a few aggregate counts purged after 30 days, against the things we never collect: your browsing, location, and DNS queries, each crossed out.
A little aggregate data keeps the service running. The things that reveal what you do are never collected.

Why we need any operational data at all

A paid service cannot run on nothing. We need your email to give you a login. We need payment records because tax law requires them and because our 30 day money back guarantee means processing refunds. We need your devices' public keys because that is how our VPN protocol authenticates connections. And we need rough per-server usage counts so we know when to add capacity. Each item maps to one concrete job, and we collect nothing beyond that.

Retention periods

Aggregate session counts are purged after 30 days by a scheduled job. Account data lives as long as your account does. When you delete your account, your email, devices, and keys are removed. Payment and invoice records are kept only as long as financial regulations require, then deleted.

Law enforcement requests

If we receive a legally binding request from a court with jurisdiction over us, we can only hand over what we actually store, which is the list above. We cannot produce browsing histories, connection logs tied to users, or traffic contents, because that data does not exist on our systems.

Our process for any request:

  • Our legal team verifies that the request is valid and binding in our jurisdiction.
  • We push back on requests that are overly broad or lack proper legal basis.
  • We disclose only the specific data the order legally compels, never more.
  • We will notify affected users when we are legally allowed to do so.

Audit roadmap

We have not yet completed an independent audit, and we will not pretend otherwise. A third party review of our data handling and server infrastructure is planned, and we will publish the full results here when it is done, including anything the auditors find that we need to fix.

Infrastructure model

Our VPN servers run on infrastructure leased from established hosting providers in each region. Servers run a minimal hardened image, are managed only by our own team over key based SSH, and hold no customer account data. Account information lives on separate systems, isolated from the machines that carry VPN traffic. Read more on our security page.

Questions about your data?

Read the full privacy policy or ask us directly. We answer plainly.

Contact support