Privacy Policy
Last updated: 19 June 2026
This Privacy Policy is in force on the running service. The no-logs commitments below apply today.
1. Our approach
UNIFY VPN is built so that the data needed to deanonymise you does not exist. We collect the minimum required to run an account and a subscription, and nothing about what you do inside the tunnel. This policy explains exactly what that means.
It covers the VPN service, apps, browser extension, Telegram bot, command-line tools, and website.
2. What we never collect
We do not log connection metadata: not the sites you visit, not the IP addresses you connect to, not DNS queries, not timestamps of individual connections. Session tables on the VPN edges live in RAM only and are never written to disk.
We do not inspect, modify, or record the contents of your traffic. End-to-end encryption with perfect forward secrecy makes operator-side decryption mid-stream structurally impossible.
The only traffic data we keep is an aggregate byte counter per server, used for capacity planning. It cannot be tied to an individual user.
3. What we do collect
Account data: your email address (or Google account identifier), a display name if you set one, your password stored only as an Argon2id hash, and your account and session state. If you link Telegram, we store the mapping between your Telegram user ID and your account.
Subscription and payment data: your plan, its status and dates, and references to payments held by our payment processors. We store payment identifiers, not card numbers — card data is handled entirely by the processor.
Anti-fraud signals: a device fingerprint and signup IP, used to enforce signup limits and detect abuse (for example, more than three signups from one IP in 24 hours). These are not used to track your browsing.
Website and product telemetry: error reports via Sentry, with personally identifying fields scrubbed before they are sent, and aggregate performance metrics. New-device login alerts include a coarse location and user-agent so you can recognise the session.
4. How we use it
We use this data only to operate the Service: to authenticate you, run your subscription, process payments, prevent fraud and abuse, send essential account email (verification, new-device alerts, PREMIUM-period and billing reminders), and keep the Service reliable. We do not sell your data and we do not use it for advertising.
5. Legal basis
Where the GDPR applies, we process account, subscription, and payment data to perform our contract with you; anti-fraud and security data on the basis of our legitimate interest in protecting the Service; and we send marketing only with your consent. We maintain a data register and honour data-subject access requests.
6. Who we share with
We share data only with the processors we need to run the Service: Supabase for authentication, our payment processors (LAVA, our on-chain crypto payment processor, and the Telegram payment rails) for billing, an email provider for transactional mail, and Sentry for error reporting. Each receives only what it needs for that function.
We do not share account data with advertisers or data brokers. We do not respond to extra-judicial requests. We will respond to a valid, lawful order only to the extent we are legally required, and we can only ever produce the limited account data described above — never connection logs, because they do not exist.
7. How long we keep it
We keep account, subscription, and payment data while your account is active and as long as the law requires us to retain payment records. RAM-only session data is gone the moment a session ends or an edge restarts. Disposable-email and anti-fraud caches expire automatically.
When you delete your account, we delete your personal data within 30 days, except records we are legally required to retain (such as payment receipts for tax purposes).
8. Your rights
You can access, correct, export, or delete your data. You can delete your account yourself from your dashboard, which completes within 30 days. Where the GDPR or a similar law applies, you also have the right to object to or restrict certain processing and to lodge a complaint with your data-protection authority.
To exercise any right, use your dashboard or contact [email protected].
9. Cookies and the website
The website uses only the cookies needed to keep you signed in and to remember your language. We do not use third-party advertising or analytics cookies. Session cookies are set Secure, HttpOnly, and SameSite.
10. International transfers and jurisdiction
Our servers are located outside the region whose censorship the Service is designed to bypass, and no infrastructure that processes your personal data sits under that region's jurisdiction. Where data is transferred between regions, we rely on appropriate safeguards.
11. Children
The Service is not directed to children. We do not knowingly collect data from anyone below the age of digital consent in their jurisdiction.
12. Changes and contact
We may update this policy; material changes will be announced through the Service before they take effect.
Privacy questions and data-subject requests: [email protected].