Legal

Privacy Policy

Effective date: March 19, 2026

Loading operator details…

1. General Provisions

This Privacy Policy (the "Policy") describes how DXVPN(the "Service", "we", "us") collects, uses, and protects the personal data of users in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and other applicable data protection legislation.

The Data Controller is: DXVPN.

By creating an account you enter into a contract with us under the Terms of Service. The processing of your personal data is necessary to perform that contract.

2. No-Log Policy

DXVPN operates a strict no-log policy for VPN traffic.

We do NOT log or store:

Traffic content or payloads of any kind.
DNS queries made through our servers.
Browsing history or visited URLs.
Destination IP addresses or hostnames of your connections.
Connection timestamps tied to individual sessions.
Bandwidth consumed per individual VPN session.
Source IP addresses paired with connection timestamps.

We DO retain (minimal set, required for service operation only):

Account data — email address, hashed password, username.
Subscription and payment records — plan selected, payment status, transaction identifiers from payment processors.
Aggregate bandwidth per billing period — total bytes transferred, used solely to enforce plan limits.
Failed authentication attempts — count and timestamp only, retained maximum 24 hours for brute-force detection.

Server-side VPN process logging is disabled at the configuration level. No log files containing VPN session metadata are written to disk or transmitted to any third party.

3. Personal Data We Process

Identity data: email address, username, full name (if voluntarily provided).
Contact data: phone number (if voluntarily provided), Telegram identifier (if you link your account).
Subscription and payment data: selected plan, transaction identifiers, payment status. Card details are never stored by us.
Aggregate usage data: total bandwidth transferred per billing period. No per-session or per-destination breakdown.
Security data: password hash (bcrypt), failed authentication counters (auto-purged after 24 hours), TOTP configuration if 2FA is enabled.
Support data: content of support requests you submit.

We do not process special categories of personal data (health status, biometric data, political views, racial or ethnic origin, etc.).

4. Purposes of Processing

Provision of VPN services in accordance with the Terms of Service.
User identification and authentication.
Invoicing, payment processing, and dispute resolution.
Enforcement of subscription plan limits (aggregate bandwidth cap).
Sending transactional notifications — payment confirmations, subscription expiry warnings, and material service changes.
Detecting and preventing fraudulent activity and brute-force attacks against accounts.
Compliance with applicable legal obligations.
Technical support.

5. Legal Basis for Processing (GDPR Art. 6)

Contract performance (Art. 6(1)(b)) — processing is necessary to provide the Service you have subscribed to.
Legal obligation (Art. 6(1)(c)) — compliance with a binding legal obligation such as mandatory financial record-keeping.
Legitimate interests (Art. 6(1)(f)) — detection of brute-force attacks and account fraud prevention.
Consent (Art. 6(1)(a)) — only for optional marketing communications, if you explicitly opt in. May be withdrawn at any time.

6. Server Jurisdiction and Government Requests

VPN servers and infrastructure are operated in locations determined by the Service Operator. The Operator does not maintain servers in countries that are members of the Five Eyes (FVEY) or Fourteen Eyes (UKUSA-extended) intelligence alliances.

Any legally valid requests for user data must originate from a court or competent authority in the jurisdiction of the Data Controller and must comply with applicable procedural requirements.

Because we do not log VPN session metadata (source IPs, timestamps, destinations), we are unable to produce such records in response to any legal request — we cannot provide data we do not hold.

We will notify affected users of any legal data request where we are legally permitted to do so.

7. Retention Periods

Account data (email, hashed password, subscription records) is retained for the duration of your subscription plus 30 days following expiry or account deletion.

No connection metadata is retained. VPN session logs are not written. Failed authentication counters are automatically purged after 24 hours. Aggregate bandwidth totals are reset at the start of each billing period.

8. Transfers to Third Parties

We do not sell or transfer personal data to third parties for advertising or marketing purposes. Data may be shared with:

Payment providers — strictly to the extent necessary to process subscription payments and issue receipts.
Competent authorities — in response to a lawful and procedurally valid request, and only to the extent that we hold relevant data.
Infrastructure providers — hosting and server providers operating under data processing agreements and confidentiality obligations.

9. Your Rights (GDPR Art. 15–22)

Access (Art. 15) — obtain a copy of the personal data we hold about you.
Rectification (Art. 16) — request correction of inaccurate or incomplete data.
Erasure (Art. 17) — request deletion of data where there is no lawful basis for continued processing.
Restriction (Art. 18) — request that we restrict processing in certain circumstances.
Data portability (Art. 20) — receive your data in a structured, machine-readable format.
Object (Art. 21) — object to processing based on legitimate interests.
Withdraw consent — where consent is the legal basis (optional marketing only).
Lodge a complaint — with the supervisory authority in the EU member state of your habitual residence.

To exercise any of these rights, send a request to: not yet configured. We will respond within 30 days of receipt.

10. Automated Decision-Making

We do not subject users to decisions based solely on automated processing that produce legal effects or similarly significant consequences (GDPR Art. 22).

11. Security Measures

Passwords are stored as one-way hashes (bcrypt).
All data in transit is encrypted via TLS 1.2 or higher.
Access to personal data is restricted on a least-privilege basis.
An audit log is maintained for critical administrative operations.
Two-factor authentication (TOTP) is available to all users.
VPN server configuration disables session logging at the process level.

12. Local Storage and Cookies (ePrivacy Directive)

The Service uses browser localStorage to store your session token and user interface preferences. We do not use third-party advertising cookies and do not share localStorage data with analytics platforms or advertising networks.

You may clear local storage via your browser settings. This will terminate your current session and remove saved preferences.

13. Transparency Statement

As of the effective date of this Policy, DXVPN:

Has not received any national security letters, FISA court orders, gag orders, or equivalent legal instruments from any government authority.
Has not been compelled by any authority to create backdoors, install surveillance software, or provide bulk or real-time access to user data or encryption keys.
Has not been subject to any court order requiring the retention or disclosure of VPN session metadata.

This statement will be updated or removed if circumstances change. Its removal or amendment should be treated as an implicit notification that the above is no longer accurate to the extent legally permissible to disclose.

14. Contact / Data Protection Officer

For any questions relating to the processing of your personal data, or to exercise your rights under Section 9, please contact us:

Contact details are being configured. Please use the support form in your account dashboard.

15. Policy Updates

We may update this Policy from time to time. Material changes will be notified to registered users by email or in-app notification at least 7 days before taking effect. The revised version takes effect upon the notified date and is published at dxvpn.sechb.com. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Version dated March 19, 2026. This document is aligned with the requirements of the General Data Protection Regulation (GDPR, EU 2016/679) and the ePrivacy Directive.