Privacy Policy
Last Updated: February 04, 2026
1. Introduction
This Privacy Policy describes how our VPN service ("we", "our", or "the Service") collects, uses, and protects your information. This policy applies to our VPN applications, website, APIs, and backend services. We are committed to data minimization and privacy by design. We do not collect data unless it is strictly necessary for the technical operation of the Service.
2. Data Controller
The Data Controller for this Service is LibreGuard D.O.O., registered in the Republic of Serbia. For privacy-related inquiries, please contact us at the support email address provided in your account dashboard or at support@libreguard.net.
3. Data We Collect
We strictly limit data collection to the following categories necessary for account management and service delivery:
| Category | Data Points | Format & Storage | Purpose | Retention |
|---|---|---|---|---|
| Account Identity | Email address, Password |
Email: Plaintext Password: Hashed (ASP.NET Identity) 2FA Keys: Encrypted at rest |
Authentication and account recovery. | Until account deletion. |
| Google OAuth | Email address, Google Provider ID |
Email: Plaintext Provider ID: Plaintext Scope: email onlyPassword: Never collected or stored |
Single Sign-On (SSO) if you choose to login via Google. We only receive your email to identify your account. | Until account deletion. |
| Device Info | Unique Device ID, App Version |
Device ID: SHA-256 Hashed (Pseudonymized) App Version: Plaintext |
Enforcing simultaneous connection limits (e.g., max 3 devices). | Until device logout or account deletion. |
| Service Usage | Total Data Consumed (Bytes), Last Active Timestamp |
Bytes: Aggregate counter (Integer) Timestamp: UTC Date/Time |
Enforcing traffic quotas (for Free plans) and identifying inactive sessions. | Reset per billing cycle (usage) or updated on activity (timestamp). |
| Payments | Transaction ID (TxID), Payment Provider ID, Amount | Plaintext (No raw sensitive financial data) | Verifying subscription status and processing refunds. | As required by applicable statutory tax and accounting laws (typically 10 years for Serbian entities). |
| Security Logs | Device ID Hash, Action Type, Timestamp |
ID Hash: SHA-256 Action: Register/Login/Fail |
Security auditing, identifying brute-force attempts, and troubleshooting connection issues. | Until account deletion. |
| External Links | Provider Name, Unique ID (from Google) | Plaintext | Maintaining the connection between your account and your external OAuth provider. | Until account deletion or manual unlinking. |
4. Data We Do NOT Collect
To ensure your privacy, our infrastructure is technically designed NOT to collect or store:
- Browsing History: We do not log websites you visit.
- Traffic Content: We do not inspect or store data packets (payloads).
- DNS Queries: We do not log DNS lookup requests. DNS traffic is routed through trusted third-party resolvers (Cloudflare or AdGuard).
- Source IP Addresses: We do not store your original IP address in our application logs, user tables, or verification records.
- VPN Session IPs: We do not equate your identity with the IP address assigned to you inside the VPN tunnel for historical logging purposes.
5. IP Address Handling
We operate a strict policy regarding IP addresses:
- Application Registration & Login: We do not store your IP address during registration, login, or email verification flows.
- VPN Connection: Your IP address is processed transiently in memory by the VPN server software (e.g., OpenVPN, strongSwan) solely to establish the connection. It is not written to our permanent database logs.
6. Hashing & Pseudonymization
Where tracking is required for license enforcement (such as limiting the number of active devices), we use hashing (SHA-256) to pseudonymize identifiers.
Device IDs: We receive your device's unique identifier, compute a cryptographic hash, and store only the hash. While hashes are technically linkable if the original input is known, this measure ensures we do not hold a database of raw hardware identifiers.
7. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. Data is shared only with the following technical processors:
- Hosting Providers: Our servers run on cloud infrastructure (VPS). These providers ensure physical security but do not have access to encryption keys or user data at rest.
- Payment Processors (Lemon Squeezy): When you pay via credit card, payment is processed directly by the provider. We receive only a success confirmation and a transaction ID. We never see or store your full credit card number.
- Cryptocurrency Networks (Monero): Payments made via crypto are public on the blockchain, but we do not link your wallet address to your identity beyond what is necessary to verify the specific transaction.
- Email Processing (Infomaniak): We use Infomaniak to deliver transactional emails (e.g., verification links, usage alerts). They receive your email address solely for delivery purposes.
- DNS Resolvers (Cloudflare / AdGuard): Your DNS queries are processed by these providers when connected to our VPN. They may process queries transiently to provide the service according to their own privacy commitments.
8. Security Measures
We employ industry-standard security practices:
- Encryption at Rest: Sensitive secrets (like 2FA recovery codes) are encrypted in our database.
- Encryption in Transit: All communications between your client and our servers are encrypted via TLS 1.2/1.3.
- Access Control: Administrative access is restricted and protected by Multi-Factor Authentication (MFA).
- Minimal Logs: We disable default logging features in our web servers and VPN daemons to prevent accidental data retention.
9. User Rights
Depending on your jurisdiction, you may have rights to access, correct, or delete your data.
- Deletion: You may request full account deletion. This will remove your email and all associated usage/device records from our system. Financial transaction records may be retained as required by tax law but will be delinked from your active account profile.
- Access: You can view the data we hold (Email, Data Usage, Device Hashes) directly in your User Dashboard.
10. Cookies & Tracking
We use a minimal number of cookies, strictly for functional purposes:
- Authentication Cookies: Used to maintain your login session on the website.
- Security Cookies: Used to prevent Cross-Site Request Forgery (CSRF) and secure OAuth login flows.
We do not use any third-party tracking cookies, analytics pixels (like Facebook Pixel or Google Analytics), or advertising trackers.
11. Policy Changes
We may update this policy to reflect technical changes. Significant changes will be communicated via email or an in-app notification. The "Last Updated" date at the top of this page indicates the current version.
12. Contact Us
If you have questions about this privacy policy or our privacy practices, please contact us at:
Email: support@libreguard.net