Privacy Policy

Effective Date: February 7, 2026 | Last Updated: March 3, 2026

🔒 Strict No-Activity-Logs Policy

Our Promise: DeVpn does not monitor, record, or store your browsing activity, VPN traffic content, DNS queries, or the websites you visit. We collect only the minimum data necessary to operate the service, process payments, and calculate provider rewards.

Table of Contents

Who We Are
What We Do NOT Collect
What We Collect
How We Use Your Data
How We Handle Payments
Provider Network
Third-Party Services
Data Security
Cookies & Local Storage
Data Sharing
Data Retention
Your Rights
California Residents (CCPA)
European Residents (GDPR)
International Data Transfers
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

DVPN LLC ("we", "us", "our") operates a decentralized VPN service accessible via desktop applications (Windows, macOS, Linux), mobile applications (iOS, Android), and through our website at devpn.org. This Privacy Policy explains what data we collect, why we collect it, and how we protect and handle it.

DVPN LLC is the data controller responsible for your personal information as described in this Privacy Policy.

2. What We Do NOT Collect

We want to be absolutely clear about what we never collect or store:

Browsing history — We never see or record the websites you visit
VPN traffic content — Your data is encrypted end-to-end via WireGuard; we cannot read it
DNS queries — We do not log DNS resolution queries
Source IP logging — We do not permanently log your real IP address in connection with VPN activity
Connection timestamps — We do not keep persistent logs of when you connect or disconnect
Traffic destinations — We do not record the IP addresses or domains you connect to through the VPN

3. What We Collect

We collect the minimum data necessary to operate the service:

Data	Purpose	Retention
Account info (username, email, hashed password)	Account creation and authentication	Until account deletion
Payment info (processed by Stripe)	Billing and subscriptions	Per Stripe's retention policy
Bandwidth usage (aggregate bytes per session)	Fair use enforcement, provider rewards, usage-based billing	30 days after session end
Session metadata (provider ID, duration, status)	Service operation and troubleshooting	30 days after session end
Device info (OS type, client app version)	Troubleshooting and compatibility	Until account deletion
Solana wallet address (if provided)	Crypto payments and provider token rewards	Until account deletion
Shipping info (name, address, phone)	Hardware order fulfillment	Per tax/financial regulations
Claim code (DVPN-XXXX-XXXX)	Linking hardware nodes to user accounts	Until claimed, then 1 year
Hardware order details (product, date, payment status)	Order processing and support	Per tax/financial regulations
Provider node data (public IP, location, speed, uptime, version)	Network operation, quality monitoring, reward calculations	Until provider deregistered
Email communications (support emails)	Customer support	Until account deletion or 2 years

4. How We Use Your Data

We use the data we collect for the following purposes:

Service operation: Routing VPN connections, maintaining session state, ensuring network reliability
Billing: Processing payments, managing subscriptions, usage-based billing
Provider rewards: Calculating DVPN token rewards based on bandwidth and availability
Security: Detecting and preventing abuse, fraud, and network attacks
Support: Responding to support requests and troubleshooting issues
Communications: Sending transactional emails (account verification, password reset, order confirmation, claim codes)
Legal compliance: Meeting regulatory, tax, and legal requirements

We do not use your data for targeted advertising, profiling, or marketing to third parties.

5. How We Handle Payments

Credit and Debit Cards

Card payments are processed entirely by Stripe, Inc. We never see, store, or have access to your full card number, CVV, or card expiration date. Stripe is PCI-DSS Level 1 certified. See Stripe's Privacy Policy.

Cryptocurrency

Crypto payments (Solana, Bitcoin, Ethereum, DVPN token) are processed on their respective public blockchains. Blockchain transactions are inherently public. We store only the wallet address you provide and transaction hashes for payment verification purposes.

Hardware Store

When you purchase hardware from our store (DeVpn Node Pro, DeVpn Node, or SD Card), we collect your name, shipping address, email, and phone number to fulfill your order. This data is shared with our shipping and logistics partners solely for delivery purposes.

Claim Codes

Each hardware purchase generates a unique claim code (format: DVPN-XXXX-XXXX). This code is emailed to you and used to link your physical node to your DeVpn account at devpn.org/claim. Claim codes are stored in our database until redeemed. After redemption, the association is retained for support and warranty purposes.

6. Decentralized Provider Network

DeVpn uses a decentralized network of exit node providers. Important privacy considerations:

Traffic encryption: All traffic between your device and the exit node is encrypted via WireGuard (ChaCha20-Poly1305). Providers cannot read your traffic content.
Provider obligations: All providers contractually agree not to log, inspect, store, or manipulate user traffic.
Provider monitoring: We actively monitor providers for suspicious behavior, including traffic manipulation and bandwidth fraud. Violating providers are immediately removed from the network.
Multi-hop option: For enhanced privacy, our multi-hop add-on routes traffic through two separate exit nodes, so no single node sees both your identity and your destination.

Data Collected from Provider Nodes

Provider nodes regularly send heartbeat data to our control plane. This includes:

Node identity: Provider ID, WireGuard public key
Network info: Public IP address, port, download/upload speeds
Location: City, country, and coordinates (derived from IP geolocation)
Operational data: Online status, software version, uptime, connected user count
Aggregate bandwidth: Total bytes routed (aggregate, not per-user; used for reward calculations)

This data is used to route users to optimal nodes, calculate provider rewards, and maintain network health. Provider node data does not include any information about individual user activity or browsing history.

7. Third-Party Services

We use the following third-party services to operate DeVpn:

Service	Purpose	Data Shared
Stripe	Payment processing	Payment card details (we never see full card numbers)
SendGrid (Twilio)	Transactional email delivery	Email address, email content (verification, claim codes, receipts)
Cloudflare	DNS, CDN, DDoS protection	IP address, request metadata (per Cloudflare's privacy policy)
CoinGecko	Cryptocurrency price data	No user data shared (API queries for token prices only)
DigitalOcean / IONOS / Hostinger	Server infrastructure	Server-level data (providers do not have access to decrypted VPN traffic)
Shipping partners	Hardware order fulfillment	Name, shipping address, phone number

Each third-party service is subject to its own privacy policy. We recommend reviewing their policies for complete information on how they handle data.

8. Data Security

We implement industry-standard security measures to protect your data, including:

WireGuard encryption for all VPN tunnels (ChaCha20-Poly1305, Curve25519, BLAKE2s)
TLS/SSL encryption on all API and website connections
Bcrypt password hashing — passwords are never stored in plaintext
Database access controls restricted to authenticated services only
Cloudflare DDoS protection and web application firewall
Regular security monitoring of exit node infrastructure
JWT token authentication with time-limited expiration for API access

While we implement robust security measures, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable measures.

9. Cookies and Local Storage

Authentication token: We store a JWT authentication token in your browser's local storage to maintain your login session. This is not a tracking cookie.
No third-party tracking: We do not use Google Analytics, Facebook Pixel, or any third-party tracking or analytics tools on our website.
No advertising cookies: We do not serve advertisements or use ad tracking cookies.
No cross-site tracking: We do not track your activity across other websites.

10. Data Sharing

We do not sell, rent, or trade your personal data to anyone. We share data only in these limited circumstances:

Stripe: Payment card details for processing (we never handle or store full card numbers)
SendGrid: Email address and email content for transactional email delivery only
Shipping partners: Name and shipping address for hardware order fulfillment only
Law enforcement: Only when compelled by valid, lawful legal process (court order, subpoena). Since we do not log browsing activity, traffic content, or DNS queries, we have very limited data to provide. We will notify affected users unless legally prohibited from doing so.
Infrastructure providers: Server hosting providers have physical access to servers but not to decrypted VPN traffic or user passwords

We have never sold user data and will never do so. We have never participated in any mass surveillance program.

11. Data Retention

Account data: Retained until you request account deletion
Session metadata: 30 days after session ends, then permanently deleted
Bandwidth records: 30 days after session ends, then permanently deleted
Payment records: Retained as required by tax and financial regulations (typically 7 years)
Hardware order data: Retained as required by tax and financial regulations (typically 7 years)
Claim codes: Retained until redeemed, then kept for 1 year for support purposes
Provider node data: Retained while the provider is registered; removed upon deregistration
Provider reward records: Aggregated and anonymized data may be retained indefinitely for network analytics
Support communications: Retained until account deletion or 2 years, whichever is shorter

12. Your Rights

Regardless of your location, you have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete personal data
Deletion: Request deletion of your account and all associated personal data
Export: Request your data in a portable, machine-readable format
Objection: Object to certain types of data processing
Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at privacy@devpn.org. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

13. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing transactions).
Right to Opt-Out of Sale: We do not sell your personal information. We have never sold personal information and have no plans to do so.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
Right to Correct: You may request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (such as account credentials) for the purposes of providing the Service.

To make a CCPA/CPRA request, email privacy@devpn.org with the subject line "CCPA Request." We will verify your identity and respond within 45 days.

Categories of personal information collected in the last 12 months: Identifiers (username, email, wallet address), commercial information (purchase history, subscription details), internet activity information (aggregate bandwidth usage), and geolocation data (provider node location via IP).

14. European Residents (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing: We process your personal data based on:
- Contract performance: Processing necessary to provide the VPN service you have subscribed to
- Legitimate interests: Network security, fraud prevention, and service improvement
- Legal obligation: Tax and financial record-keeping requirements
- Consent: Where required (e.g., marketing communications), which you may withdraw at any time
Right to Data Portability: You may request your personal data in a structured, commonly used, machine-readable format.
Right to Erasure ("Right to Be Forgotten"): You may request deletion of your personal data, subject to legal retention requirements.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe we have violated the GDPR.
Data Protection Officer: For GDPR-related inquiries, contact privacy@devpn.org.

15. International Data Transfers

DeVpn operates servers in multiple countries, including the United States and several European countries. Your data may be processed in jurisdictions other than your own. When we transfer personal data outside of your jurisdiction, we implement appropriate safeguards to ensure your data remains protected, including:

Encryption of data in transit and at rest
Contractual obligations with service providers to maintain data protection standards
Limiting the data transferred to what is strictly necessary for service operation

By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions with different data protection laws than your own.

16. Children's Privacy

DeVpn is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a minor, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@devpn.org.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email at least 30 days before they take effect. The "Last Updated" date at the top of this page will be revised accordingly. We encourage you to review this policy periodically.

18. Contact Us

For privacy-related questions, data access requests, deletion requests, or concerns about how we handle your data:

DVPN LLC

Privacy Inquiries: privacy@devpn.org

General Support: support@devpn.org

Website: https://devpn.org

We are committed to resolving any concerns about your privacy. If you have an unresolved privacy concern that we have not addressed satisfactorily, please contact us and we will work with you to resolve it.