Privacy Policy

Version 1.0.0 (effective ) · Last updated

ForestVPN is built around a simple idea: the safest data is the data we never collect. We run a no-logs VPN, which means we do not keep records of the websites you visit, the content of your traffic, or a connection log that could reconstruct what you did online. This policy explains the limited information we do handle, why, and the choices you have.

The data controller for the consumer ForestVPN service is the ForestVPN operating company located at #27, 36-38, Takaishvili st., Batumi, Georgia, 6004 ("ForestVPN", "we", "us"). For privacy questions or to exercise your rights, contact our data-protection contact at [email protected].

ForestVPN is also a white-label VPN platform: alongside our own consumer VPN app, we power VPN products that other businesses ("tenants") run under their own brand. If you reached the Service through a third-party brand, your relationship with that brand and with ForestVPN is described in section 5 below.

1. Information we collect

  • Account information. When you create an account we collect your email address and account status. Where you sign in with a third-party identity provider (such as Apple, Google, or your organization's single sign-on), we store the identifier that provider returns for you (an OIDC "subject"), the email captured at link time, and the claim set from your last sign-in. We use this to sign you in and contact you about the Service.
  • Device records. For each device you connect we store a record containing a device name and platform (macOS, iOS, Android, Windows, Linux, router, or TV), the cryptographic public keys that device uses to join the network (we never hold your device's private keys), a "last seen" timestamp, the device's last advertised relay region, and any operational configuration such as tags or exit-node status. We do not store the contents of anything that device sends or receives.
  • Billing information. Paid plans are processed by our payment providers (see section 4). We receive limited billing metadata — such as plan, subscription status, payment vendor, card brand, card country, and the last four digits of a card — but the full payment-card number is held by the payment provider, not by us.
  • Connection metadata (counters, not a log). To keep the Service running, to enforce plan limits, and to bill metered plans, we record aggregate transfer counters. Each counter sample contains a timestamp, the account, device, and session it belongs to, whether the connection went direct or through a relay, the broad server region (not a destination), the direction (in or out), and the number of bytes and packets transferred. This is a usage meter, not an activity log — see section 2. Raw counters are automatically deleted after 90 days.
  • Support correspondence. If you contact support, we keep that correspondence so we can help you and improve the Service.

2. What we do not collect

We do not log your browsing history, your DNS queries, the contents of your traffic, the destination IP addresses, ports, hosts, or domains you connect to, the source IP address of your real connection, or any timestamped record that could be used to reconstruct your activity. The only per-connection data we keep is the byte/packet counter described above, which records how much you transferred, through which region, and when — never where to or what. This boundary is built into the system: the connection-metadata table simply has no destination, hostname, DNS, or content columns. No-logs is the default we build around, not a setting you switch on.

3. How we use information, and our lawful bases

We use the limited information above to provide and secure the Service, process payments, enforce plan limits, meter usage on metered plans, prevent abuse and fraud, comply with legal obligations, and communicate with you about your account. We do not sell your personal information and we do not use it to build advertising profiles.

Where the GDPR or a similar law applies, we rely on these lawful bases:

| Purpose | Lawful basis |
|---|---|
| Creating your account, delivering the VPN, processing payments | Performance of a contract with you |
| Enforcing plan limits, securing the network, preventing fraud and abuse | Our legitimate interests in running a safe, sustainable service |
| Keeping billing and tax records | Compliance with a legal obligation |
| Optional analytics and any non-essential cookies | Your consent (see our Cookie Policy) |

You can withdraw consent at any time where consent is the basis.

4. How we share information

We share information only with the service providers ("processors" / "sub-processors") that help us operate the Service, under agreements that require them to protect it; when required by valid legal process; and to protect the rights, safety, and security of ForestVPN, our users, and the public. Our current processors are:

| Provider | Purpose | Region |
|---|---|---|
| Stripe | Card payment processing for web/direct subscriptions. | Global |
| CloudPayments | Card payment processing (additional processor). | Global |
| Apple App Store | In-app purchases and subscriptions on Apple platforms. | Global |
| Google Play | In-app purchases and subscriptions on Android. | Global |
| Enbbox | Transactional account email (sign-in, billing, service notices). | Global |
| Cloudflare | Edge network, DNS, and DDoS protection in front of our services. | Global edge |
| Hetzner | Server and infrastructure hosting for the core platform. | EU |
| Google Cloud | Build artifact registry and object storage for releases. | Global |
| Backblaze | Encrypted off-site backup storage. | Global |
| Linode / Akamai | Relay (DERP) and network-edge server hosting. | Global |

Because we do not keep activity logs, we cannot produce activity records we never collected, even in response to legal process.

5. White-label products (who controls your data)

ForestVPN powers VPN products for other businesses ("tenants") under their own brands. If you signed up through a tenant's branded product rather than the ForestVPN consumer app:

  • the tenant is the controller of your relationship with that branded product — they decide what to offer you, set their own terms, and are your first point of contact for your account with them; and
  • ForestVPN acts as the tenant's processor for the personal data of that tenant's end users, handling it on the tenant's documented instructions and under a Data Processing Agreement (see our DPA).

The no-logs design described above applies the same way regardless of which brand you reached the Service through. Where a tenant's own privacy notice governs your relationship with that brand, it sits alongside this policy; this policy describes ForestVPN's own handling of data.

6. Data retention

We keep account and billing information for as long as your account is active and for a limited period afterwards as needed to comply with legal, tax, and accounting obligations or to resolve disputes. The byte/packet connection counters are automatically deleted after 90 days. Aggregated usage records kept for metered billing are retained on the order of thirteen months to support invoicing and dispute resolution, then deleted or aggregated. Billing and tax records are retained for the period required by applicable law.

7. Your rights

Depending on where you live, you may have the right to access, correct, export (portability), or delete the personal information we hold about you; to object to or restrict certain processing; to withdraw consent; and not to be subject to solely automated decisions with legal effect. California residents have the right to know, delete, correct, and to opt out of "sale" or "sharing" (we do neither), and not to be discriminated against for exercising these rights. You can exercise any of these rights by contacting [email protected]; we will respond within the time required by applicable law, and you may complain to your local data-protection authority. If you reached us through a tenant's brand, direct controller requests to that tenant; we will assist them.

8. Security

We protect information using TLS encryption in transit, encryption at rest for sensitive credentials, role-based access controls, secret management, and operational safeguards appropriate to the sensitivity of the data. No system is perfectly secure, but minimizing what we collect is itself a security measure. To report a vulnerability, contact [email protected].

9. International transfers

We may process information in countries other than the one in which you live, including through the providers listed in section 4. Where we transfer personal data out of the EEA, the UK, or another protected region, we rely on an appropriate safeguard recognized by applicable data-protection law, such as the European Commission's Standard Contractual Clauses.

10. Children

The Service is not directed to children, and we do not knowingly collect personal information from children below the age of digital consent. If you believe a child has provided us information, contact [email protected] and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the version and effective date shown at the top of this page and, where appropriate, notify you.

12. Contact

ForestVPN — #27, 36-38, Takaishvili st., Batumi, Georgia, 6004. Questions about this policy, or requests to exercise your privacy rights, can be sent to our data-protection contact at [email protected]. For general support contact [email protected].