The main objective of GDPR is to give the public more control over their personal data and to simplify regulations for international businesses by establishing an EU-wide law. The GDPR replaces the 1995 Data Protection Directive.

Both ProtonVPN and ProtonMail were developed specifically to further online privacy. We are strong advocates of privacy as a fundamental human right, and we are also strong supporters of the GDPR legislation. In anticipation of GDPR coming into effect, we have conducted a review of our Terms and Conditions and Privacy Policy to ensure compliance.

Because we are a privacy-focused service, our existing policies were already largely consistent with GDPR. Since a large number of ProtonVPN users are in the EU, we have nevertheless made a few changes to prepare for it. Below is a summary of the changes we made. Our new policies go into effect starting April 16 and are already available for review on our website.

Summary of policy changes:

First, in line with the new requirements, our Privacy Policy now specifically requires that we obtain consent from our users before any of their data can be transferred out of Switzerland or the European Union for purposes not already explicitly stated in our Privacy Policy.

While our Privacy Policy has always mentioned that we record the timestamp of the user’s last login (but never the IP address), in accordance with GDPR we have further explained why we retain this timestamp. Recording it is essential for the protection of user accounts: without the timestamps of login attempts, we cannot tell whether a series of failed logins against a specific account is a password guessing attack, and so cannot take action to protect that account.
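To make the point concrete, here is an added example (not ProtonVPN code, and not a description of how our systems work) showing why the timestamp, rather than a bare failure count, is what makes password guessing detectable. The log format, account names, thresholds and window size are all assumptions; the log lines are constructed for the example and contain no IP addresses.

```python
"""Sliding-window detection of password guessing from login-attempt timestamps.

Added illustration, not ProtonVPN's code. The log format (ISO-8601 timestamp,
account, result), the thresholds and the sample lines below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: only when, which account, and whether it succeeded.
# alice: six failures inside 15 seconds (a guessing burst).
# carol: six failures spread over six days (an ordinary forgetful user).
SAMPLE_LOG = """\
2018-04-16T10:00:01Z alice FAIL
2018-04-16T10:00:04Z alice FAIL
2018-04-16T10:00:06Z alice FAIL
2018-04-16T10:00:09Z alice FAIL
2018-04-16T10:00:11Z alice FAIL
2018-04-16T10:00:14Z alice FAIL
2018-04-16T10:03:30Z bob OK
2018-04-16T11:15:00Z carol FAIL
2018-04-17T09:02:00Z carol FAIL
2018-04-18T08:41:00Z carol FAIL
2018-04-19T22:10:00Z carol FAIL
2018-04-20T07:55:00Z carol FAIL
2018-04-21T19:30:00Z carol FAIL
"""


def parse_log(text):
    """Parse lines of '<timestamp> <account> <OK|FAIL>' into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result = line.split()
        events.append((datetime.strptime(ts, TS_FORMAT), account, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_guessing(events, max_failures=5, window_seconds=600):
    """Flag accounts with >= max_failures failed logins inside a sliding window.

    Returns {account: timestamp string of the failure that crossed the line}.
    A per-account deque holds only the failures still inside the window, so
    the check is O(1) amortised per event.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, account, result in events:
        if result != "FAIL":
            continue  # successes are not counted; an OK does not reset the streak
        q = recent[account]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures that fell out of the window
        if len(q) >= max_failures and account not in flagged:
            flagged[account] = ts.strftime(TS_FORMAT)
    return flagged


def failures_per_account(events):
    """What you could compute WITHOUT timestamps: a bare count per account."""
    counts = defaultdict(int)
    for _, account, result in events:
        if result == "FAIL":
            counts[account] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("counts only:", failures_per_account(evs))   # alice and carol look identical
    print("with timestamps:", detect_guessing(evs))    # only alice is flagged
```

Run as-is, the count-only view reports six failures for both alice and carol and cannot separate them; the windowed view, which needs the timestamps, flags only alice. Widening the window to a month would flag carol too, which is exactly the tuning decision that timestamps make possible.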

We have also changed our money back policy from 60 days to 30 days to make it consistent with the policy that is informally used by ProtonMail. This will only apply to new subscriptions and not retroactively to subscriptions from the past 60 days. This policy change is necessary because previously different policies would apply depending on whether a user upgraded via protonvpn.com or protonmail.com.

Our Terms and Conditions now also include a standard notice regarding external websites to which we link from our website. Specifically, we are not responsible for the content of external websites that we link to, we have no liability for any content hosted on a third-party site, and external sites are governed by the terms and conditions of those sites.

Because ProtonVPN and ProtonMail may introduce a referral program in the future, our policies have been updated to include the following provision: If you are referred to ProtonVPN by a friend or some other third party who is participating in our referral program, we may associate your account with the referrer to appropriately credit the referrer.

While the use of analytics software was already mentioned in our existing policies, in line with the GDPR requirements we are adding additional details. Currently, ProtonVPN does not run any analytics software on our website, but we anticipate that this will change in the future for several reasons. First, various countries have started to block ProtonVPN, and currently we have no way to identify those blocks unless we receive user complaints. The nature of the blocks often means the users who have been blocked are also unable to complain. The addition of analytics would allow us to see in real time when a block goes into effect and to work faster to counteract it.

As another example, looking in aggregate at the geographic distribution of ProtonVPN users allows us to understand which countries have the most need for ProtonVPN. We can then allocate development resources toward providing the best service in those countries.

Consistent with our existing policies, we will deploy analytics carefully and we will never associate usernames and passwords (logins) with IP addresses. All collected data will be anonymous and will not contain any personally identifying information, and IPs will be stripped out whenever possible. Analytics will also not be deployed on sensitive pages, such as the login pages and password reset pages. Analytics will only be used for visits to our website, and we do not log any VPN activity, consistent with our existing No Logs VPN policy.
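As an added illustration of the two rules above (no analytics on sensitive pages, IPs stripped before anything is stored), here is a small server-side filter. It is example code written for this post, not the analytics pipeline we run and not Matomo's or Google Analytics' own logic; the list of sensitive paths, the number of address bits kept and the event layout are assumptions.

```python
"""Filter analytics events: drop sensitive pages, strip query strings, truncate IPs.

Added example, not ProtonVPN code. SENSITIVE_PREFIXES, the truncation widths
and the event dictionary shape are assumptions made for this illustration.
"""
import ipaddress

# Pages for which no analytics event is emitted at all (assumed list).
SENSITIVE_PREFIXES = ("/login", "/password-reset", "/account")


def is_sensitive(path):
    """True if the path is a sensitive page or lives underneath one."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def anonymize_ip(ip_text, v4_keep_bits=16, v6_keep_bits=48):
    """Zero the host part so the stored value identifies a network, not a person.

    Keeping 16 bits of an IPv4 address and 48 bits of an IPv6 address is an
    assumed policy; it is coarse enough to lose the individual host while
    still allowing per-network aggregation (for example to spot a country
    whose access suddenly drops to zero).
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparseable input is dropped rather than stored raw
    bits = v4_keep_bits if addr.version == 4 else v6_keep_bits
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


def sanitize_event(event):
    """Return the event that may be recorded, or None if it must not be.

    `event` is an assumed dict with 'path', optionally 'ip', and optionally a
    'country' already derived upstream. The query string is dropped because
    it can carry tokens or e-mail addresses; the IP is truncated before
    storage and never stored raw.
    """
    path = event.get("path", "")
    if is_sensitive(path):
        return None
    return {
        "path": path.split("?", 1)[0].split("#", 1)[0],
        "country": event.get("country"),
        "ip": anonymize_ip(event["ip"]) if "ip" in event else None,
    }


if __name__ == "__main__":
    # Constructed sample events.
    for ev in (
        {"path": "/", "ip": "203.0.113.77", "country": "CH"},
        {"path": "/login?next=/account", "ip": "203.0.113.77"},
        {"path": "/download?token=abc", "ip": "2001:db8:abcd:1234::1"},
    ):
        print(ev, "->", sanitize_event(ev))
```

The ordering matters: the sensitivity check runs before anything is touched, so a login or password-reset hit never produces an event at all, and the only IP value that reaches storage is the truncated one.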

Our long-term goal is to use Matomo, an open source, self-hosted analytics software, for protonvpn.com site analytics. However, because Matomo still has limited capabilities, and because detecting country blocks is an urgent need for ProtonVPN, we will also initially utilize Google Analytics for some low-sensitivity analytics, such as homepage visits, while we invest in improving the capabilities of Matomo and contributing back to the Matomo open source community.

Finally, our policies now specifically mention that we comply with GDPR, even though as a Swiss company we do not have a formal legal requirement to do so. While it is only mandatory to extend the new GDPR protections to EU citizens and residents, we are applying its provisions globally.

Conclusion

We are happy to see that online privacy is getting the attention it needs from the EU, and we hope that the GDPR will push more companies to respect privacy. If you have any questions about our new policies, don’t hesitate to let us know. Your privacy is important to us, so with or without GDPR, we will always work to provide the ProtonVPN community with the highest level of privacy and security.

Best Regards,

The ProtonVPN Team
