UnfoldingVPN

Privacy Policy

Last updated: 3 June 2026

1. Who we are

UnfoldingVPN ("we", "us", "our") provides a virtual private network ("Service") that encrypts your internet traffic and hides your IP address from the sites and networks you connect to. We are based in the United Kingdom and act as the data controller for the personal data described in this policy. If you have questions, contact us at support@unfoldingvpn.co.uk.

2. Our core privacy commitment

We do not monitor, log, store, or share the contents of your VPN traffic, the websites you visit, the DNS queries you make, the IP addresses you connect to, or the timestamps of your VPN sessions. We could not produce such logs if asked, because the VPN servers are configured not to generate them.

3. Information we do collect

To run the Service we collect the minimum information needed to give you an account and bill you:

  • Account data: your email address, an encrypted password hash, and the date you created your account.
  • Billing data: your PayPal subscription identifier, plan, status, and renewal dates. We never see or store your full card or bank details — those stay with PayPal.
  • Device / VPN configuration data: the WireGuard public keys, device names, and allowed-IP assignments needed to connect your devices. We do not store your private keys.
  • Support data: messages you send us via the contact form or email, and our replies.
  • Diagnostic data: aggregated, non-identifying counts (e.g. total active subscribers, total bandwidth across the platform) used to size the network. No individual usage is tracked.

4. Legal bases (UK GDPR)

  • Contract: to create your account, provision your VPN access, and handle billing.
  • Legitimate interests: to keep the Service secure, prevent fraud and abuse, and improve reliability.
  • Legal obligation: to comply with tax, accounting, and lawful court orders directed at us as a UK entity.
  • Consent: for optional product update emails. You can withdraw consent at any time using the unsubscribe link.

5. Service providers (processors)

We use a small number of vetted providers to operate the Service. They process data on our instructions only:

  • Supabase — managed Postgres database and authentication, EU-hosted.
  • PayPal — subscription billing. Their privacy policy governs payment data.
  • Cloudflare — content delivery, DDoS protection, and edge runtime for our website.
  • Transactional email provider — to send account, billing, and support emails.

We do not sell, rent, or trade your personal data, and we do not run third-party advertising or analytics trackers on our site.

6. International transfers

Where data is transferred outside the UK or EEA (for example to PayPal in the United States), we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or an adequacy decision, together with appropriate technical safeguards.

7. How long we keep your data

  • Account and VPN configuration data: for as long as your account is active.
  • Billing records: 7 years after the transaction, to meet UK tax law.
  • Support correspondence: up to 24 months after the conversation closes.
  • When you delete your account, your account data, VPN keys, and email are removed within 30 days, except where we are required to retain billing records.

8. Security

Traffic between your device and our VPN servers is encrypted using WireGuard (ChaCha20-Poly1305). Your account password is stored only as a salted hash. Access to production systems is restricted, logged, and protected by multi-factor authentication.

9. Your rights

Under UK GDPR you have the right to:

  • access a copy of the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (subject to legal retention);
  • restrict or object to processing;
  • data portability;
  • lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email support@unfoldingvpn.co.uk from the address on your account.

10. Cookies

Our website uses only strictly-necessary cookies to keep you signed in and to remember your theme preference. We do not set advertising, profiling, or third-party analytics cookies.

11. Children

The Service is not directed at people under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or a clear notice on the site at least 14 days before they take effect. The "last updated" date above always reflects the current version.

See also our Terms of Service.