1. Effective date
This Privacy Policy is effective as of January 2026 and was last updated on January 2026. Any material change is announced on the FnTest VPN homepage at least thirty days before it takes effect.
2. Who we are
FnTest VPN Labs Ltd ("FnTest VPN", "we", "us") is the data controller for the FnTest VPN service at fn-test.example. Registered office: Remote operations; contact by email only.. Jurisdiction: United Kingdom. For any privacy matter write to privacy@fn-test.example; for formal data-protection requests write to dpo@fn-test.example.
3. Data we collect
We keep the footprint small:
- Account data: email address and an anonymised account identifier.
- Payment data: a billing reference (full card details never touch our servers).
- Diagnostic signals: aggregate counters (connections attempted / succeeded / failed) — no per-user activity.
- Support correspondence: the contents of any message you send to support.
We do not collect: browsing history, DNS queries, inspected tunnel contents, IP-address logs of end-destinations, or advertising identifiers.
4. How we use it
Data is used only for the purposes below:
- To provide the service: authenticate you, deliver the client, and route your traffic through our network.
- To bill you: through a third-party payment processor identified in section 6.
- To detect abuse: aggregate rate-limit signals protect the network from coordinated attacks.
- To answer you: if you contact support we use the address you supplied to reply.
5. VPN data commitment
We do not sell, use, or disclose user data to third parties for any purpose. FnTest VPN is a VPN service; we treat your traffic as opaque and we do not log your activity. This is not a marketing claim — it is the shape of the service, reviewed every year by an independent auditor. Our system is engineered so that your browsing history, DNS queries, and the IP addresses you connected to are not recorded.
6. Third-party processors
FnTest VPN relies on the following sub-processors. Each has an active data-processing agreement with us.
- Stripe, Inc. — Payment processing. Policy: https://stripe.com/privacy
- Cloudflare, Inc. — Edge delivery and DDoS protection. Policy: https://www.cloudflare.com/privacypolicy/
- Apple, Inc. — App distribution and receipt validation. Policy: https://www.apple.com/legal/privacy/
- Amazon Web Services — Server infrastructure (encrypted at rest). Policy: https://aws.amazon.com/privacy/
We confirm these third parties provide the same or equal protection for user data as outlined in this policy. Where contracts cannot guarantee equivalent protection we do not engage the vendor.
7. Retention schedule
We retain data only as long as required by the purpose for which it was collected, or by law:
| Category | Retention period |
|---|---|
| Account email | 24 months after last login, then anonymised |
| Payment records | 7 years per tax law, then purged |
| Diagnostic signals | 7 days rolling window, then purged |
| Support correspondence | 12 months after ticket closure |
| Server access logs (truncated IP) | 7 days |
To request earlier deletion, write to privacy@fn-test.example.
8. International data transfers
Some of our sub-processors (notably payment and infrastructure providers) are based in the United States. For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by additional technical measures (encryption at rest, encryption in transit, key management under our sole control).
9. Your rights under the GDPR and UK GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation grants you the following rights:
- Access: confirmation of whether we hold data about you, and a copy.
- Rectification: correction of inaccurate personal data.
- Erasure: deletion of personal data (sometimes called "right to be forgotten").
- Portability: export of your data in a common machine-readable format.
- Objection: to processing based on legitimate interest.
- Restriction: temporary halt of processing while a dispute is resolved.
Write to privacy@fn-test.example with the subject "Data request" and we will respond within thirty days.
10. California privacy rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act grant you:
- Right to know: the categories of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it.
- Right to delete: request deletion of personal information we hold about you.
- Right to correct: inaccurate personal information.
- Right to opt out of sale: FnTest VPN does not sell personal information. There is nothing to opt out of, but you retain the right.
- Right to non-discrimination: we will not deny the service or charge a different price for exercising these rights.
To exercise any California right write to privacy@fn-test.example and include "California privacy request" in the subject line.
11. Security and breach notification
Traffic is encrypted in transit (TLS 1.3; WireGuard and IKEv2 for VPN tunnels). At rest we apply AES-256 with keys managed in a hardware security module. Production access is limited to a small operations team; every administrative action is logged; hardware-key authentication is mandatory.
Breach notification: in the event of a personal-data breach, we will notify affected users within 72 hours of discovery, and notify the relevant supervisory authority where required. Notifications include the nature of the breach, the categories and approximate number of people affected, and the measures we are taking.
12. Contact and complaints
For general privacy questions: privacy@fn-test.example.
To request deletion of your account and data: email the address above with "Delete my data" in the subject. We respond within two business days.
You have the right to lodge a complaint with a supervisory authority. In the European Economic Area the list is maintained at edpb.europa.eu. In the United Kingdom the regulator is the Information Commissioner's Office (ICO) at ico.org.uk. In California, complaints may be directed to the California Privacy Protection Agency (CPPA).