Privacy Policy

Effective 11 July 2026 · This is our current policy and may be updated; material changes are announced here at least 30 days before they take effect.

OllaVPN exists to keep your browsing private. The best way to protect data is to never collect it. This page describes exactly what we do and do not collect, why, and how long we keep it.

1. Our core commitment: no activity logs

We do not log, store, or share:

We cannot hand over what we do not have.

2. What we do collect, and why

2.1 Account data

DataWhyRetention
Email addressAccount identity, sign-in, password recovery, security alertsWhile your account exists; deleted within 30 days of closure
Password (Argon2id hash)Authentication. Your plaintext password is never stored or logged.While your account exists
Email-verified and account-created timestampsAnti-abuse and the “verify before access” gateWhile your account exists
Device public keyIdentifies your registered device on our networkWhile the device is registered

2.2 Operational & abuse-defense data

A free, unlimited-data VPN is a target for abuse. The minimum data below exists solely to keep the service usable and safe for everyone; none of it describes your browsing.

DataWhyRetention
Signup IP addressPer-IP signup rate limit (anti-abuse)7 days
Login IP address (per attempt)Credential-stuffing defense (per-IP login rate limit)1 hour rolling
Session (refresh) tokensSession management; you can review and revoke sessions in your dashboard7 days after last use, or until you sign out
Daily bandwidth counterFair-use soft/hard caps that keep the shared free network healthy90 days
Security audit-log entriesThe security-event timeline you can review in your dashboard1 year
Abuse reports filed against an accountTriage and disputeUntil resolved, then 90 days

We keep a single per-device “last handshake” timestamp (minute-level) to show online status and to clean up stale devices. It is not a per-session activity log.

3. Where your data lives

Account data is stored on our own infrastructure, not rented from a hyperscaler. TLS at our edge is terminated by Cloudflare; a Cloudflare Turnstile challenge runs only at signup to block bots. Country-level GeoIP lookups use a local database on our servers — no per-query data leaves our infrastructure. We do not publish the number or exact locations of our exit servers.

Your tunneled traffic — the actual data you send and receive — only ever transits our exit servers and the public internet. It does not pass through Cloudflare, and its contents are never inspected or logged.

4. Third parties, advertising, and tracking

We do not sell, rent, or trade your data. There is no advertising, no analytics SDK, and no tracking pixel in our apps. We share data with a service provider only when it is strictly required to operate the product (for example, edge TLS or email delivery) and only under a data-processing agreement, or when compelled by valid legal process (see section 6).

5. Your rights

Wherever you live — the EU, UK, California, or elsewhere — you can:

To exercise any right, email privacy@ollavpn.com from your account address. We reply within 7 days.

6. Government & legal requests

If we ever receive a lawful request, we will: (1) require formal, valid legal process; (2) notify you before disclosure where we are legally permitted to; (3) disclose only the specific data named — never bulk exports; and (4) provide only what we actually hold, which for activity data is nothing. We maintain a warrant canary as an additional transparency signal.

7. Children

OllaVPN is not directed at children under 16 and we do not knowingly collect their data. If you believe a child has created an account, email privacy@ollavpn.com and we will delete it.

8. Changes to this policy

We announce material changes on this page at least 30 days before they take effect.

9. Contact