Privacy Policy
1. Scope
This Privacy Policy explains how OX-VPN collects, uses, stores, shares, and protects personal data when you visit the website, create an account, purchase a subscription, download VPN profiles, contact support, or use the VPN service.
2. Data We Collect
We may collect account data such as email address, password hash, role, account status, support notes, plan information, device/profile labels, VPN usernames, and authentication status. We may collect billing identifiers from Stripe or another payment provider, such as customer ID, subscription ID, plan status, and payment event metadata. We do not store full card numbers on this server.
For security, reliability, and abuse prevention, we may process operational metadata such as login events, support requests, email delivery records, profile creation/revocation events, authentication decisions, IP addresses used to access the portal, browser/user-agent strings, VPN certificate common name, VPN username, VPN real IP and source port, VPN virtual IP, VPN protocol, server port, connection timestamps, byte counters, daemon status output, and DNS/domain lookups resolved through the VPN DNS resolver. DNS/domain logs may show domains requested by a device using the VPN, but they do not show full HTTPS URLs, page contents, messages, passwords, or encrypted payloads.
3. Purposes and Legal Bases
We process data to create and secure accounts, provide VPN access, process subscriptions, generate and revoke VPN profiles, respond to support and abuse reports, prevent fraud, comply with legal obligations, improve reliability, enforce policies, and protect our users and infrastructure. Where GDPR or similar laws apply, legal bases may include contract performance, legitimate interests in security and abuse prevention, compliance with legal obligations, and consent where required. Domain-level DNS logging should be used only where it is disclosed, proportionate, and consistent with the published retention period.
4. Sharing and Processors
We may share limited data with payment processors, hosting providers, email providers, fraud and abuse prevention vendors, professional advisers, and authorities where legally required or necessary to protect rights, safety, and service integrity. Stripe or any replacement payment provider processes payment data under its own terms and privacy documentation.
5. Retention
We keep account, billing, support, and email records for as long as needed to provide the service, resolve disputes, comply with tax/accounting obligations, prevent fraud, and enforce policies. Operational VPN, DNS/domain, portal-session, and security logs are retained for no more than the configured retention period, capped at six months, unless an account is placed under a documented legal hold or active abuse/investigation exemption.
6. Security
We use technical and organizational measures such as password hashing, role-based access, limited root helpers, restricted file permissions, TLS for production deployments, backups, firewall controls, and administrative audit events. No internet service can guarantee perfect security, and users must keep their credentials and VPN files confidential.
7. International Users
If you access the service from outside the country where the server or company is located, your data may be processed in other jurisdictions. Where required, appropriate safeguards should be used for international transfers.
8. Your Rights
Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal data. You may also have the right to complain to a data protection authority. Requests should be sent to the support email listed on this website.
9. Children
The service is not intended for children or minors who cannot lawfully enter into a service contract. Do not use the service if you are not legally eligible.
10. Contact
Privacy requests should be sent to the support email listed on this website. Abuse and security reports should be sent to the abuse email listed on this website.