Logging Policy

1. Logging Principles

OX-VPN uses limited operational logging to run the service, authenticate users, prevent abuse, troubleshoot reliability issues, process payments, and comply with legitimate legal or payment processor requirements. The service should not be marketed as a zero-log service unless the actual configuration, infrastructure, backups, and operational procedures have been independently reviewed and aligned with that claim.

2. Account and Billing Logs

The portal logs account creation, login events, profile creation and revocation, administrative actions, email events, subscription status, Stripe or payment processor identifiers, and support/abuse notes.

3. VPN Operational Metadata

OpenVPN may expose or record connection metadata such as certificate common name, VPN username/authentication result, real source IP, assigned VPN IP, connection timestamps, byte counters, client software metadata, and daemon status. This metadata is used for service operation, security, abuse response, and troubleshooting.

4. Traffic Content

We do not intentionally inspect, store, or sell the content of user traffic passing through the VPN tunnel. However, destination services, DNS providers, hosting networks, and other third parties may create their own logs outside our control.

5. DNS and Domain Logs

When DNS/domain logging is enabled, the VPN may route client DNS queries to an operator-controlled resolver and record timestamp, VPN virtual IP, associated VPN profile where available, query type, and domain name. These records are used for abuse handling, security operations, troubleshooting, and lawful requests. DNS/domain logs do not provide full HTTPS URLs, page content, search terms typed into websites, private messages, passwords, or encrypted payload content.

6. Retention and Deletion

Technical logs are retained for the configured period, capped at six months. This includes DNS/domain logs, VPN authentication events, VPN session records, portal session records, and audit events. A user may be excluded from automatic purge only for documented legal hold, court order handling, abuse investigation, fraud investigation, or other legitimate compliance need. Backups may retain data for a longer rolling period until overwritten or deleted.

7. Lawful Requests

We may preserve or disclose records when required by valid legal process, to protect rights and safety, to investigate abuse, or to comply with payment processor, hosting provider, or regulatory obligations.