Privacy Policy
Last Updated: February 19, 2026
Introduction
Sonar VPN ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our VPN service.
By using our Service, you agree to this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address (required for account creation and verification)
- Password (hashed and encrypted, never stored in plain text)
- Account creation date
- Email verification status
1.2 Payment Information
When you add a payment method:
- Payment information is processed by Stripe, Inc.
- We do not store your credit card number, CVV, or full card details
- We store only:
  - Stripe customer ID (reference to your Stripe profile)
  - Last 4 digits of card (for display purposes)
  - Card brand (Visa, Mastercard, etc.)
  - Card expiration date
1.3 Session Information
When you use the VPN service, we collect:
- Session start time (when you connect)
- Session end time (when you disconnect)
- Session duration (for billing calculation)
- Session cost (billing amount)
- Server location (e.g., Ohio, us-east-2)
- Server IP address (VPN server endpoint you connected to)
Retention: Session metadata is automatically deleted 7 days after your session ends.
1.4 Connection Metadata
For operational purposes, we temporarily collect:
- Connection status (active, terminated, failed)
- Connection establishment events (for troubleshooting)
Retention: Connection metadata is automatically deleted after 7 days using DynamoDB TTL.
Important: We do NOT store your originating IP address or any identifiable connection logs.
1.5 Information We Do NOT Collect
We do NOT collect or log:
- ❌ Your browsing activity (websites you visit)
- ❌ Traffic content (data you transmit)
- ❌ DNS queries (domain name lookups)
- ❌ Your originating IP address (for privacy)
- ❌ Connection timestamps beyond 7 days
- ❌ Bandwidth usage details
- ❌ Source or destination IP addresses of your traffic
- ❌ VPN configuration files or private keys (never stored server-side)
We are a minimal-logging VPN service.
2. How We Use Your Information
2.1 To Provide the Service
- Establish VPN connections
- Route your traffic securely
- Calculate billing charges
- Process payments
2.2 Account Management
- Verify your email address
- Reset your password
- Communicate service updates
- Send billing receipts
2.3 Fraud Prevention
- Detect and prevent fraudulent transactions
- Identify suspicious account activity
- Prevent abuse of the Service
2.4 Legal Compliance
- Comply with valid legal requests
- Enforce our Terms of Service
- Protect our rights and property
3. Information Sharing and Disclosure
3.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties.
3.2 Service Providers
We share minimal information with trusted third parties:
Stripe (Payment Processing)
Amazon Web Services (Infrastructure)
Amazon Cognito (Authentication)
3.3 Legal Requests
We may disclose information if required by law:
- Valid subpoena or court order
- Government investigation
- Emergency situations (threat to life or safety)
What we can provide: Email, account creation date, session history (times and costs), payment history
What we CANNOT provide: Browsing history, traffic content, DNS queries (we don't log these)
3.4 Business Transfers
If we are acquired or merge with another company, your information may be transferred to the successor entity.
4. Data Security
4.1 Encryption
- In transit: All VPN traffic is encrypted with the WireGuard protocol
- At rest: Database encrypted with AWS encryption
- Passwords: Hashed with bcrypt (industry standard)
4.2 Access Controls
- Access to user data is restricted to authorized personnel only
- Multi-factor authentication required for admin access
- Regular security audits
4.3 No Guarantee
While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security.
5. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Account info (email, password) | Until account deletion + 30 days |
| Session history (billing records) | Indefinitely (for tax/accounting) |
| Connection metadata (IP, timestamp) | 7 days |
| Payment transactions | 7 years (IRS requirement) |
| Email verification codes | 24 hours |
Account Deletion: You may delete your account at any time. Most data is deleted within 30 days, except session history (retained for tax compliance).
6. Your Rights
6.1 Access Your Data
You may view your data by logging into your account:
- Session history
- Payment methods
- Account settings
6.2 Update Your Data
You may update:
- Email address
- Password
- Payment methods
6.3 Delete Your Account
You may delete your account from account settings. This will:
- Terminate all active sessions
- Delete your email and credentials within 30 days
- Retain session history for tax compliance (anonymized after 7 years)
6.4 Data Portability
You may export your session history in JSON format from your account dashboard.
6.5 Opt-Out of Emails
You may unsubscribe from marketing emails (if we send any). Service-related emails (receipts, security alerts) cannot be disabled.
7. Cookies and Tracking
7.1 Essential Cookies
We use cookies for:
- Authentication: Keep you logged in
- Session management: Remember your settings
7.2 No Tracking Cookies
We do NOT use:
- ❌ Analytics cookies (Google Analytics, etc.)
- ❌ Advertising cookies
- ❌ Third-party tracking pixels
7.3 Cookie Control
You can disable cookies in your browser, but this will prevent you from logging in.
8. Third-Party Links
Our website may contain links to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies.
9. Children's Privacy
Our Service is not intended for anyone under 18 years old. We do not knowingly collect information from children. If you believe a child has provided us information, contact us immediately.
10. International Users
10.1 Data Location
All data is stored in AWS us-east-2 (Ohio, USA).
10.2 GDPR (European Users)
If you are in the EU, you have additional rights under GDPR:
- Right to access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
- Right to lodge a complaint with a supervisory authority
To exercise these rights, contact us at privacy@example.com.
10.3 Data Transfers
By using our Service from outside the USA, you consent to the transfer of your data to the USA.
11. Do Not Track
Some browsers have "Do Not Track" features. We do not respond to Do Not Track signals because we do not track users across websites.
12. California Privacy Rights (CCPA)
If you are a California resident, you have these rights:
- Right to know: What data we collect and how we use it
- Right to delete: Request deletion of your data
- Right to opt-out: We don't sell data, so this doesn't apply
- Right to non-discrimination: We won't discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@example.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted with an updated "Last Updated" date. Material changes will be emailed to registered users.
Continued use of the Service after changes constitutes acceptance.
14. Contact Us
For privacy-related questions or requests:
- Email: privacy@example.com
- Website: https://example.com
- Data Protection Officer: privacy@example.com
Response time: We aim to respond within 48 hours.
15. Summary (TL;DR)
What we collect:
- Email, password, session times, payment info (via Stripe)
What we DON'T collect:
- Browsing history, traffic content, DNS queries
How we use it:
- Provide VPN service, process payments, prevent fraud
Who we share with:
- Stripe (payments), AWS (infrastructure), law enforcement (if legally required)
Your rights:
- Access, update, delete your data anytime
Questions? Contact privacy@example.com
By using Sonar VPN, you acknowledge that you have read and understood this Privacy Policy.