Privacy Policy
Effective 11 July 2026 · This is our current policy and may be updated; material changes are announced here at least 30 days before they take effect.
OllaVPN exists to keep your browsing private. The best way to protect data is to never collect it. This page describes exactly what we do and do not collect, why, and how long we keep it.
1. Our core commitment: no activity logs
We do not log, store, or share:
- The websites, IP addresses, or services you connect to.
- Your DNS queries. DNS runs inside the encrypted tunnel and is not recorded.
- Per-destination, per-port, or per-flow byte counts.
- Any browsing-history-equivalent data.
- Your real name, home address, phone number, payment details, or government ID. The free tier has no payment surface, so we have no way to receive any of these in the first place.
We cannot hand over what we do not have.
2. What we do collect, and why
2.1 Account data
| Data | Why | Retention |
|---|---|---|
| Email address | Account identity, sign-in, password recovery, security alerts | While your account exists; deleted within 30 days of closure |
| Password (Argon2id hash) | Authentication. Your plaintext password is never stored or logged. | While your account exists |
| Email-verified and account-created timestamps | Anti-abuse and the “verify before access” gate | While your account exists |
| Device public key | Identifies your registered device on our network | While the device is registered |
2.2 Operational & abuse-defense data
A free, unlimited-data VPN is a target for abuse. The minimum data below exists solely to keep the service usable and safe for everyone; none of it describes your browsing.
| Data | Why | Retention |
|---|---|---|
| Signup IP address | Per-IP signup rate limit (anti-abuse) | 7 days |
| Login IP address (per attempt) | Credential-stuffing defense (per-IP login rate limit) | 1 hour rolling |
| Session (refresh) tokens | Session management; you can review and revoke sessions in your dashboard | 7 days after last use, or until you sign out |
| Daily bandwidth counter | Fair-use soft/hard caps that keep the shared free network healthy | 90 days |
| Security audit-log entries | The security-event timeline you can review in your dashboard | 1 year |
| Abuse reports filed against an account | Triage and dispute | Until resolved, then 90 days |
We keep a single per-device “last handshake” timestamp (minute-level) to show online status and to clean up stale devices. It is not a per-session activity log.
3. Where your data lives
Account data is stored on our own infrastructure, not rented from a hyperscaler. TLS at our edge is terminated by Cloudflare; a Cloudflare Turnstile challenge runs only at signup to block bots. Country-level GeoIP lookups use a local database on our servers — no per-query data leaves our infrastructure. We do not publish the number or exact locations of our exit servers.
Your tunneled traffic — the actual data you send and receive — only ever transits our exit servers and the public internet. It does not pass through Cloudflare, and its contents are never inspected or logged.
4. Third parties, advertising, and tracking
We do not sell, rent, or trade your data. There is no advertising, no analytics SDK, and no tracking pixel in our apps. We share data with a service provider only when it is strictly required to operate the product (for example, edge TLS or email delivery) and only under a data-processing agreement, or when compelled by valid legal process (see section 6).
5. Your rights
Wherever you live — the EU, UK, California, or elsewhere — you can:
- Access / port — request a structured copy of the data we hold on you (returned within 30 days).
- Rectify — correct inaccurate account data.
- Erase — delete your account and associated data. We complete deletion within 30 days, retaining only pre-existing security audit entries for the limited period required for abuse defense.
- Object / restrict — particularly for the anti-abuse rate-limit data.
To exercise any right, email privacy@ollavpn.com from your account address. We reply within 7 days.
6. Government & legal requests
If we ever receive a lawful request, we will: (1) require formal, valid legal process; (2) notify you before disclosure where we are legally permitted to; (3) disclose only the specific data named — never bulk exports; and (4) provide only what we actually hold, which for activity data is nothing. We maintain a warrant canary as an additional transparency signal.
7. Children
OllaVPN is not directed at children under 16 and we do not knowingly collect their data. If you believe a child has created an account, email privacy@ollavpn.com and we will delete it.
8. Changes to this policy
We announce material changes on this page at least 30 days before they take effect.
9. Contact
- Privacy & data requests — privacy@ollavpn.com
- Abuse & takedowns — abuse@ollavpn.com
- Security disclosure — security@ollavpn.com
- General support — support@ollavpn.com