Tunari VPN

Privacy Policy

Effective Date: April 12, 2026

1. Introduction and Data Controller

This Privacy Policy explains how TunariVPN Sp. z o.o.("Tunari VPN," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use our virtual private network service and related applications (the "Service").

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection laws.

Data Controller:
TunariVPN Sp. z o.o.
Zabraniecka 8L / 212, 03-872 Warsaw, Poland
NIP: 7011263037, REGON: 541903542, KRS: 0001176044
Email: support@tunarivpn.com

2. What Data We Collect

We collect only the minimum amount of personal data necessary to provide and improve our Service. The categories of data we collect include:

2.1 Account Data

  • Email address — required for account creation, authentication, and service-related communications
  • Encrypted password — stored using industry-standard hashing algorithms (not applicable if you sign in via Google OAuth)

2.2 Payment Data

  • Web purchases (Stripe): Payment processing is handled entirely by Stripe. We receive a transaction identifier, subscription status, and billing period. We do not receive, process, or store your full credit card number, CVV, or bank account details.
  • iOS purchases (Apple IAP): Payment processing is handled entirely by Apple. We receive a purchase receipt and subscription status. We do not receive any payment instrument details.

2.3 Connection Metadata

  • Connection timestamps — the date and time of your VPN connection and disconnection, retained for up to 30 days for service quality and abuse prevention purposes. These timestamps are not linked to your browsing activity.
  • Bandwidth usage — aggregate data transfer volume per session, used to manage server capacity

2.4 Device Information

  • Operating system and version (e.g., iOS 19, Windows 11)
  • Application version of the Tunari VPN client
  • Device type (e.g., iPhone, desktop) for compatibility and support purposes

3. What We Do NOT Collect (No-Logs Policy)

Tunari VPN operates under a strict no-logs policy. We do not collect, monitor, record, log, or store:

  • Your browsing history or the websites and services you visit
  • The content of your internet traffic or communications
  • DNS queries made while connected to our VPN servers
  • Your originating IP address when connected to our VPN
  • The destination IP addresses of your connections
  • Any information that could be used to identify your online activity

Our VPN servers are configured to operate without persistent storage of user activity data. We have no ability to associate any specific internet activity with any specific user.

4. Legal Basis for Processing

We process your personal data on the following legal bases as defined by Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)): Processing of account data, payment data, and connection metadata is necessary to provide the Service as outlined in our Terms of Service.
  • Legitimate interest (Art. 6(1)(f)): Processing of device information and aggregate usage data to maintain, improve, and secure the Service, and to prevent fraud and abuse.
  • Consent (Art. 6(1)(a)): Where applicable, we rely on your explicit consent for optional analytics cookies and marketing communications. You may withdraw your consent at any time.
  • Legal obligation (Art. 6(1)(c)): Retention of payment records as required by Polish tax and accounting regulations.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Providing the Service: To create and manage your account, authenticate your access, connect you to our VPN servers, and enforce device limits
  • Processing payments: To manage subscriptions, process payments, issue refunds, and maintain billing records
  • Service communications: To send essential transactional emails such as account verification, password resets, subscription confirmations, and important service updates
  • Improving the Service: To analyze aggregate, non-identifying usage patterns to optimize server performance, improve application stability, and develop new features
  • Security and abuse prevention: To detect and prevent fraudulent activity, enforce our Terms of Service, and protect the integrity of our infrastructure. We enforce a limit of 10 concurrent active VPN sessions per account to prevent account sharing and abuse.
  • Customer support: To respond to your inquiries and resolve technical issues

6. Third-Party Service Providers

We share personal data with the following third-party service providers, each of which processes data in accordance with their own privacy policies and applicable data protection laws:

  • Stripe (Stripe, Inc.) — Payment processing for web subscriptions. Stripe processes payment data as an independent data controller. See Stripe's Privacy Policy.
  • Apple (Apple Inc.) — In-App Purchase processing for iOS subscriptions. See Apple's Privacy Policy.
  • Google (Google LLC) — OAuth authentication for account sign-in. See Google's Privacy Policy.
  • Cloudflare (Cloudflare, Inc.) — Content delivery network (CDN) and DDoS protection for our website and infrastructure.
  • Vercel (Vercel Inc.) — Website hosting and deployment.

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

7. Data Retention

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected:

  • Account data: Retained for the duration of your account and deleted upon account deletion request, subject to any legal retention obligations
  • Payment records: Retained for the period required by applicable Polish tax and accounting laws (currently up to 5 years after the end of the fiscal year in which the transaction occurred)
  • Connection metadata: Automatically deleted after 30 days
  • Device information: Retained for the duration of your account and deleted upon account deletion

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15): You have the right to obtain confirmation of whether your personal data is being processed and to request a copy of that data.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to erasure (Art. 17): You have the right to request the deletion of your personal data, subject to applicable legal retention requirements.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interest.
  • Right to restriction (Art. 18): You have the right to request the restriction of processing of your personal data under certain circumstances.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint:You have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.

To exercise any of these rights, please contact us at support@tunarivpn.com. We will respond to your request within 30 days, as required by the GDPR.

9. International Data Transfers

Your personal data is primarily processed within the European Union and the European Economic Area (EU/EEA). However, some of our third-party service providers are located in the United States, including Stripe, Cloudflare, and Vercel.

Where personal data is transferred outside the EU/EEA, we ensure that adequate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with US-based service providers
  • Verification that the recipient provides an adequate level of data protection

Our VPN servers are located in France, Poland, and Canada. Canada has been recognized by the European Commission as providing an adequate level of data protection.

10. Data Security

We implement robust technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • AES-256 encryption for all VPN connections
  • Encryption at rest and in transit for stored personal data
  • Secure server infrastructure with regular security audits and updates
  • Strict access controls limiting access to personal data to authorized personnel on a need-to-know basis
  • Regular security assessments and vulnerability testing

While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will promptly notify affected users and relevant authorities in the event of a data breach, as required by the GDPR.

11. Children's Privacy

Tunari VPN is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete that data from our systems.

If you believe that a child under 18 has provided personal data to us, please contact us at support@tunarivpn.com so we can take appropriate action.

12. Cookie Policy

Our website uses a minimal number of cookies to ensure proper functionality:

12.1 Essential Cookies

We use session cookies that are strictly necessary for the operation of our website. These cookies enable core functionality such as user authentication and session management. They do not track your browsing activity and are deleted when you close your browser.

12.2 No Tracking Cookies

We do not use third-party tracking cookies, advertising cookies, or social media cookies. Your browsing activity on our website is not tracked for advertising or profiling purposes.

12.3 Analytics (Consent-Based)

We may use privacy-respecting analytics tools to understand aggregate website usage patterns. Analytics cookies are only placed with your explicit consent. You may withdraw your consent at any time through the cookie preferences accessible on our website.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email or through a prominent notice on our website at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The "Effective Date" at the top of this page indicates when this policy was last updated. Your continued use of the Service after the effective date of the revised policy constitutes your acknowledgment of the changes.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: support@tunarivpn.com
  • Postal Address: TunariVPN Sp. z o.o., Zabraniecka 8L / 212, 03-872 Warsaw, Poland

We aim to respond to all data protection inquiries within 30 days of receipt.