Pangea VPN is currently in active development and is provided “as is” with no warranty. The desktop app is open source under the GNU GPLv3.

Legal

Privacy Policy

Last updated: 3 July 2026

1. Who we are

Pangea VPN ("we", "us", "our") is an independent service operated from the United Kingdom. The operator is the data controller responsible for the personal data processed in connection with the Service.

If you have questions about this policy or wish to exercise your data-protection rights, contact us at [email protected].

2. Data we collect

We collect only the personal data necessary to provide and improve our service:

  • Account data — name, email address, and authentication identifiers provided when you register via Auth0.
  • Billing data — payment card details (processed and stored solely by Stripe; we hold only a Stripe customer ID and subscription status), transaction history, and invoices.
  • Service data — VPN provisioning events, device identifiers, connection metadata required to deliver the VPN service, and encrypted VPN configuration files.
  • Communications — name, email address, subject, and message content submitted through our contact form.
  • Technical data — IP address, browser type, and operating system collected automatically when you visit our website.

We do not log your VPN traffic, browsing activity, or DNS queries.

3. Lawful basis for processing

Under UK GDPR, we rely on the following lawful bases:

  • Performance of a contract (Article 6(1)(b)) — to create your account, process payments, provision VPN access, and provide customer support.
  • Legitimate interests (Article 6(1)(f)) — to maintain security, prevent fraud and abuse, and improve our service. We balance these interests against your rights and do not use this basis where the impact on you would override our interests.
  • Legal obligation (Article 6(1)(c)) — to comply with tax, accounting, and regulatory requirements.
  • Consent (Article 6(1)(a)) — where you voluntarily submit a contact form or opt in to marketing communications. You may withdraw consent at any time.

4. How we use your data

  • To register and authenticate your account.
  • To process subscription payments and manage billing.
  • To provision, maintain, and deprovision your VPN connection.
  • To respond to support and contact enquiries.
  • To detect and prevent fraud, abuse, and unauthorised access.
  • To comply with legal obligations, including tax records and law enforcement requests where legally required.

5. Third-party processors

We share personal data only with processors that are necessary to operate the service. Each processor is bound by a data-processing agreement:

  • Auth0 (Okta, Inc.) — authentication and identity management. Data is processed in the United States.
  • Stripe Payments Europe, Ltd. — payment processing and subscription management. Headquartered in Ireland, with processing also taking place in the United States. Stripe acts as an independent controller for payment data under its own privacy policy.
  • Supabase, Inc. — database hosting (PostgreSQL). Data is hosted in London, United Kingdom (AWS eu-west-2 region).
  • Resend — transactional email delivery. Data is processed in the United States.

We do not sell, rent, or trade your personal data to any third party.

6. International transfers

Some of our processors operate outside the United Kingdom, including the United States and the European Economic Area (EEA). Where personal data is transferred to a country without a UK adequacy regulation, we rely on one or more of the following safeguards approved by the UK Information Commissioner's Office (ICO):

  • The International Data Transfer Agreement (IDTA);
  • The UK Addendum to the EU Standard Contractual Clauses; or
  • The UK Extension to the EU-US Data Privacy Framework, where the receiving organisation is certified.

You can request a copy of the safeguards in place for any specific transfer by emailing [email protected].

7. Data retention

  • Account data — retained while your account is active, then deleted within 30 days of account closure unless retention is required by law.
  • Billing records — retained for 7 years to comply with HMRC tax obligations.
  • VPN provisioning logs — retained for 12 months for operational and security auditing, then deleted.
  • Contact messages — retained for 24 months, then deleted.
  • Audit logs — retained for 24 months.

8. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data where there is no compelling reason for continued processing.
  • Restriction — ask us to suspend processing of your data in certain circumstances.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected]. We will respond within one month, as required by law.

9. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising or analytics tracking cookies. Because these cookies are strictly necessary to provide the service you have requested, they are exempt from consent requirements under the Privacy and Electronic Communications Regulations 2003 (PECR).

On our public marketing pages we measure visits with a self-hosted instance of Umami, a privacy-focused analytics tool. It sets no cookies and does not store your IP address. It records anonymised usage data — page views, clicks on pricing and plan buttons, referrer, approximate location (country or region), and browser and device type — using a rotating identifier derived from your IP and browser that is discarded and regenerated periodically, so it cannot track you over time or identify you personally. All analytics data stays on our own infrastructure and is never shared with third parties. Our servers also record anonymous aggregate counters — for example, how many checkouts were started and completed — with no personal data attached. Analytics does not run on account, dashboard, login, or checkout pages.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption at rest and in transit, access controls, and regular security reviews. VPN configuration files are AES-encrypted at rest.

11. Children

Our service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or a prominent notice on our website. The "last updated" date at the top of this page indicates when the policy was last revised.

13. Lawful disclosure to authorities

We will only disclose your personal data to law enforcement, regulators, or other public authorities where we are legally required to do so — for example, in response to a valid court order, production order, or a notice issued under the Investigatory Powers Act 2016, the Police and Criminal Evidence Act 1984, or equivalent UK legislation.

We do not log VPN traffic content, browsing activity, or DNS queries, and so we cannot disclose what we do not hold. We do hold limited operational data (account, billing, and provisioning records) as set out in section 7, and we may be compelled to disclose this data. Where we are not legally prohibited from doing so, we will inform affected users.

14. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We would appreciate the chance to address your concerns before you approach the ICO, so please contact us first at [email protected].