Privacy Policy
Effective Date: June 29, 2026
Last Updated: June 29, 2026
1. Data Controller
This Privacy Policy explains how TunariVPN Sp. z o.o. ("Tunari VPN," "we," "us," or "the Controller") collects, uses, stores, discloses, and protects your personal data when you use our virtual private network service, websites, and related applications (collectively, the "Service").
We process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR" / "RODO"), the Polish Act of 10 May 2018 on the Protection of Personal Data, and other applicable provisions of Polish and Union law.
Data Controller:
TunariVPN Sp. z o.o.
ul. <PLACEHOLDER>, 00-000 Warsaw, Poland
KRS: <PLACEHOLDER_KRS> · NIP: <PLACEHOLDER_NIP> · REGON: <PLACEHOLDER_REGON>
Share capital: <PLACEHOLDER_PLN> PLN
Email: support@tunarivpn.com
2. Data Protection Officer
We have appointed a Data Protection Officer ("DPO") who supervises compliance with the GDPR and Polish data protection legislation. You may contact our DPO directly in all matters relating to the processing of your personal data and the exercise of your rights under the GDPR:
Email: dpo@tunarivpn.com
Postal address: Data Protection Officer, TunariVPN Sp. z o.o., ul. <PLACEHOLDER>, 00-000 Warsaw, Poland.
3. Categories of Personal Data Processed
We collect only the minimum amount of personal data necessary to provide the Service:
3.1 Account Data
- Email address — used for authentication and service-related communications.
- Password — stored only as a salted cryptographic hash (Argon2id / bcrypt); we never store passwords in plain text.
- Display name — optional.
- Telegram ID and username — only if you sign in via Telegram Login.
- OAuth provider identifier — only if you sign in via Google or Apple.
3.2 Subscription and Billing Data
- Payment method type (card / SBP / SEPA / IAP), billing email, transaction identifier, subscription plan, currency, amount, billing period.
- Full card numbers, CVV codes, and bank account details are processed exclusively by our payment processors (Stripe, Severpay, Apple, Google) and are never received or stored by Tunari VPN.
3.3 Technical Data
- IP address — retained for no longer than 24 hours for security, fraud prevention, and rate-limiting purposes, after which it is permanently deleted from our systems.
- User-Agent / browser fingerprint, locale, region, device type, application version, operating system.
3.4 Usage Data (VPN sessions)
- Session metadata: connection timestamps and aggregate bandwidth volume only.
- NO-LOGS POLICY. We do not log, monitor, or store the content of your traffic, your browsing history, the websites or services you visit, your DNS queries, or the source / destination IP addresses of your VPN connections.
3.5 Analytics Data (consent-based)
- Pseudonymous client identifier, page views, and events collected via Google Analytics 4 under Google Consent Mode v2 — only after you grant explicit consent.
4. Purposes and Legal Bases of Processing (Art. 6 GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR) — creation and management of your account, provision of the VPN service, processing of subscriptions and payments, and provision of customer support.
- Legitimate interest (Art. 6(1)(f) GDPR) — security of the Service, prevention of fraud and abuse, enforcement of fair-use limits, defence of legal claims.
- Consent (Art. 6(1)(a) GDPR) — analytics, marketing communications, and non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Legal obligation (Art. 6(1)(c) GDPR) — retention of accounting and tax records under Polish tax law and anti-money-laundering (AML) regulations.
5. Recipients of Personal Data (Subprocessors)
We disclose personal data only to the following categories of recipients, each bound by a data-processing agreement (DPA) compliant with Article 28 of the GDPR:
- Stripe Payments Europe, Ltd. (Ireland) — payment processing for international subscriptions.
- Severpay (Russian Federation) — payment processing for RUB-denominated subscriptions (Russian users only).
- Apple Inc. (USA) — In-App Purchase processing for iOS subscriptions, Sign-in with Apple.
- Google LLC (USA) — Google Play Billing, OAuth authentication, Google Analytics 4.
- Telegram Messenger Inc. — Telegram Login OAuth (optional sign-in method).
- Hetzner Online GmbH (Germany) — server hosting and infrastructure.
- Cloudflare, Inc. (USA) — CDN, DDoS protection, WAF.
- Vercel Inc. (USA) — website hosting and edge delivery.
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.
6. Transfers of Personal Data Outside the European Economic Area
Some of our subprocessors are established outside the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the EEA, we rely on the legal safeguards required by Chapter V of the GDPR:
- Adequacy decisions of the European Commission, including the EU-US Data Privacy Framework (DPF) for certified US recipients.
- Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, supplemented by appropriate technical and organisational measures.
You may obtain a copy of the safeguards applied by writing to dpo@tunarivpn.com.
7. Retention Periods
| Category of data | Retention period |
|---|---|
| Account data | Until account deletion + 30 days (technical buffer) |
| Transaction / accounting records | 5 years from the end of the fiscal year (Polish Accounting Act · Polish Tax Ordinance) |
| IP address & security logs | Maximum 24 hours |
| Analytics data (consent-based) | 14 months |
| Support correspondence | 24 months from case closure |
| Data necessary for the defence of legal claims | Until the relevant limitation period expires |
8. Your Rights as a Data Subject (Art. 15–22 GDPR)
You have the following rights with respect to your personal data:
- Right of access (Art. 15) — to obtain confirmation as to whether your personal data is being processed and to receive a copy.
- Right to rectification (Art. 16) — to have inaccurate data corrected or incomplete data completed.
- Right to erasure / “right to be forgotten” (Art. 17) — to have your data deleted, subject to statutory retention obligations.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — to processing based on legitimate interest.
- Right not to be subject to automated decision-making, including profiling (Art. 22).
- Right to withdraw consent (Art. 7(3)) at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at privacy@tunarivpn.com or our DPO at dpo@tunarivpn.com. We will respond within one (1) month of receipt of your request, in accordance with Article 12(3) GDPR. The period may be extended by two further months where necessary, taking into account the complexity and number of requests.
9. Right to Lodge a Complaint with the Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Poland, the supervisory authority is:
President of the Personal Data Protection Office (Prezes UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Website: uodo.gov.pl
10. Cookies
Our website uses cookies and similar technologies. Essential cookies are required for the operation of the Service and are placed on the basis of Article 173 of the Polish Telecommunications Law. Analytical and marketing cookies are placed only with your prior explicit consent (Google Consent Mode v2). You may manage your preferences at any time through the cookie banner.
11. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us at privacy@tunarivpn.com and we will delete the data without undue delay.
12. Security
We implement appropriate technical and organisational measures (Art. 32 GDPR), including AES-256 encryption of VPN traffic, encryption at rest and in transit, strict access controls, regular security assessments, and incident-response procedures. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where required, inform you without undue delay.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by email or via a prominent notice on our website at least 14 days before they take effect. The date of the most recent update is shown at the top of this page.
14. Contact
General privacy enquiries: privacy@tunarivpn.com
Data Protection Officer: dpo@tunarivpn.com
Customer support: support@tunarivpn.com
Postal address: TunariVPN Sp. z o.o., ul. <PLACEHOLDER>, 00-000 Warsaw, Poland.