Privacy Policy

Last Updated May 2nd, 2019

Confirmed VPN is certified as Openly Operated, so it is able to provide proof of the privacy claims in this Privacy Policy by using references from its Audit Kit. Learn more about the Openly Operated Certification.

Confirmed, Inc. (also “Confirmed”, “the company”, “we”, and “us”) collects the minimum data possible to ensure your data and privacy is protected.

Confirmed complies with the European Union’s General Data Protection Regulation (GDPR) for all users, regardless of location. In addition, we collect the minimum personal information required to provide the Confirmed service.

We do not sell or provide data to advertising services, and there are zero third party frameworks for marketing or re-marketing purposes. This includes any direct or indirect advertising frameworks by Facebook, Twitter, and Google, including Crashlytics, Fabric, Google Analytics, Facebook SDK, Firebase, and Twitter SDK.

Although this Privacy Policy is a legal document that Confirmed is required to follow, we also prove that Confirmed’s operations and services conform to this Privacy Policy by engaging independent 3rd parties to audit us. The materials provided to auditors are also available publicly as an "Audit Kit".

Information We Collect

Information From Website Browsers

If you are just browsing the Confirmed website, we do not store or log your IP address or use a cookie to track you.

Personal Information From Users With Accounts

If you create an account, we require some basic information at the time of account creation.

For all users, we record the creation date of the account and the active subscription plan for the account. While using the Confirmed service, we record the total amount of bandwidth consumed in the last thirty days. No website data or traffic is stored related to this metric. This bandwidth data is used only to throttle very high-bandwidth users and provide a fair distribution of resources to all users.

For mobile users, we require an App Store or Google Play receipt, which contains no personally identifying information. The sole purpose of this data is to to validate that the account has an active subscription for the Confirmed service.

For desktop users, we require a valid credit card that is processed and stored by Stripe, Inc., a PCI-compliant payment processor. We do not store your credit card number on our servers, nor can we access it. Stripe also will also store metadata related to your financial transaction that we can access, such as zip code and country of origin, primarily to validate the authenticity of the transaction and pay applicable local taxes (i.e., Value Added Tax in the European Union).

A valid e-mail address is not required for the Confirmed service, but strongly recommended. It provides a means of communication for changes to our Terms and Conditions and Privacy Policy, as well as a communication channel for all data access. We record an encrypted form of your email address, which we cannot decrypt because we do not have direct, unaudited access to the encryption keys, nor do we have direct, unaudited access to the database where this encrypted email resides. We also record a hashed form of your email address, which we also do not have direct, unaudited access to.

Referral Program

If you participate in our voluntary referral program, the Confirmed service will record each account that signed up with your referral code in your account data. This is solely to attribute active subscribers to your account and provide the applicable discount to your subscription plan.If you refer someone (or you were referred by someone), the referrer will receive an e-mail upon the referred user signing up for a trial as well as upon becoming a paid subscriber. The referrer always will be able to see whether you have an active subscription because it affects the pricing of their account.

Website Traffic

We do not log or track any usage of our website, except for error messages on our server (such as accessing a page that does not exist). For these cases, we log the error (i.e., the URL attempted) and the time that it happened, but no personally identifying information such as a user’s IP address is logged.

VPN Traffic

Not logging user traffic and being able to prove this is a standout feature for Confirmed VPN. The following summarizes our proof (rather than blind assertions made by other VPN services), and we encourage you to read the entire detailed proof in our independently conducted Audit Reports as well as explore the actual VPN's source code and open infrastructure in the Audit Kit, which provides full transparency in everything in Confirmed VPN's operations.

If you have any questions or feedback, we're always available via email, Telegram, and other contact methods.

For traffic and data through our VPN, we do not log or store any website or traffic data for any period of time, with the exception of violations of Confirmed's anti-abuse rules, which are fully public and designed to prevent malicious VPN users from abusing other VPN users. Without these restrictions, malicious users could significantly deteriorate the quality of other users' internet connections. Every VPN has anti-abuse measures, but only Confirmed is able to prove exactly what these measures are.

The anti-abuse rules are based on the public and industry-standard Emerging Threats ruleset, with our services' specific customizations publicly available here. To access a specific rule file, simply append the file name that's listed to the same url — for example, the direct link to access the confirmed.rules file is here.

The anti-abuse rule triggers are performed algorithmically and no individual has access to or processes any data. Even in the case that an anti-abuse rule is triggered, the user's real IP address is not logged. The anti-abuse measures above are also described in the Acceptable Use provisions of Confirmed's Terms of Service.

Privacy Practices

We store and process the information that we collect in the United States in accordance with this Privacy Policy.

However, Confirmed understands that we have users from different countries and regions with different privacy expectations, and we try to meet those needs even when the United States does not have the same privacy framework as other countries.

We provide the same standard of privacy protection — as described in this Privacy Policy — to all our users around the world, regardless of their country of origin or location, and we are proud of the levels of notice, choice, accountability, security, data integrity, access, and recourse we provide.

Openly Operated Principles

Data transmitted by Openly Operated is at the minimum encrypted using HTTPS and SSL/TLS. The limited data we collect on our servers is encrypted with a key that we cannot access without automatically sending the user an alert that we are accessing this data. By being an Openly Operated product, our architecture is open source and available for public audit to prove that we cannot access any personal data. For proof of these claims, see our Audit Kit's Open Infrastructure and Open Source sections.

In the event of a data breach that affects your personal information, we will act promptly to mitigate the impact of the breach and notify any affected users without undue delay.

Compelled Disclosure

Confirmed may be legally required to disclose information to law enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large. In complying with court orders and similar legal processes, Confirmed strives for transparency and protection of user data. We will notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.

Right to Erasure

Confirmed will retain your account information for as long as your account is active or as needed to provide you services.

If you would like to delete the encrypted version of your account information, you may do so by contacting us. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full account within 90 days of your request. To see proof of how your data is stored and deleted, see the Open Source section of the Confirmed VPN Audit Kit.

If you have any questions or concerns regarding our Privacy Policy, please contact us at privacy@confirmedvpn.com and we will respond as quickly as we can.

Start a free 1 week trial.

Try the only Openly Operated way to browse securely and privately.

DOWNLOAD

Mac iOS PC Android

© 2020 Confirmed, Inc. All rights reserved.