The main objective of GDPR is to give the public more control over their personal data and to simplify regulations for international businesses by establishing an EU-wide law. The GDPR replaces the 1995 Data Protection Directive.
Both Proton VPN and Proton Mail were developed specifically to further online privacy. We are strong advocates of privacy as a fundamental human right, and we are also strong supporters of the GDPR legislation. In anticipation of GDPR coming into effect, we have conducted a review of our Terms and Conditions and Privacy Policy to ensure compliance.
Because we are a privacy-focused service, our existing policies are already fairly consistent with GDPR, but because a large number of Proton VPN users are from the EU we have nevertheless made a few changes to prepare for GDPR. Below is a summary of the changes we made. Our new policies go into effect starting April 16 and are already available for review on our website.
Summary of policy changes:
First, in line with the new requirements, our Privacy Policy now specifically requires that we obtain consent from our users before any of their data can be transferred out of Switzerland or the European Union for purposes not already explicitly stated in our Privacy Policy.
While our Privacy Policy has always mentioned that we record the timestamp of the user’s last login (but never the IP address), in accordance with GDPR, we have further explained why we retain this timestamp. Recording the timestamp is absolutely essential for the protection of user accounts because without the timestamps of login attempts, it is impossible to identify password guessing attempts targeting specific user accounts and to take action to protect those accounts.
We have also changed our money back policy from 60 days to 30 days to make it consistent with the policy that is informally used by Proton Mail. This will only apply to new subscriptions and not retroactively to subscriptions from the past 60 days. This policy change is necessary because previously different policies would apply depending on whether a user upgraded via protonvpn.com or proton.me.
Our Terms and Conditions now also include a standard notice regarding external websites to which we link from our website. Specifically, we are not responsible for the content of external websites that we link to, we have no liability for any content hosted on a third-party site, and external sites are governed by the terms and conditions of those sites.
Because Proton VPN and Proton Mail may introduce a referral program in the future, our policies have been updated to include the following provision: If you are referred to Proton VPN by a friend or some other third party who is participating in our referral program, we may associate your account with the referrer to appropriately credit the referrer.
While the use of analytics software was already mentioned in our existing policies, in line with the GDPR requirements we are adding additional details. Currently, Proton VPN does not run any analytics software on our website, but we anticipate that this will change in the future for several reasons. First, various countries have started to block Proton VPN, and currently we have no way to identify those blocks unless we receive user complaints. The nature of the blocks often means the users who have been blocked are also unable to complain. The addition of analytics would allow us to see in real time when a block goes into effect and to work faster to counteract it.
As another example, looking in aggregate at the geographic distribution of Proton VPN users allows us to understand which countries have the most need for Proton VPN. We can then allocate development resources toward providing the best service in those countries.
Consistent with our existing policies, we will deploy analytics carefully and we will never associate usernames and passwords (logins) with IP addresses. All collected data will be anonymous and will not contain any personally identifying information, and IPs will be stripped out whenever possible. Analytics will also not be deployed on sensitive pages, such as the login pages and password reset pages. Analytics will only be used for visits to our website, and we do not log any VPN activity, consistent with our existing No Logs VPN policy.
Our long-term goal is to use Matomo, an open source, self-hosted analytics software, for protonvpn.com site analytics. However, because Matomo still has limited capabilities, and because detecting country blocks is an urgent need for Proton VPN, we will also initially utilize Google Analytics for some low-sensitivity analytics, such as homepage visits, while we invest in improving the capabilities of Matomo and contributing back to the Matomo open source community.
Finally, our policies now specifically mention that we comply with GDPR, even though as a Swiss company we do not have a formal legal requirement to do so. While it is only mandatory to extend the new GDPR protections to EU citizens and residents, we are applying its provisions globally.
Conclusion
We are happy to see that online privacy is getting the attention it needs from the EU, and we hope that the GDPR will push more companies to respect privacy. If you have any questions about our new policies, don’t hesitate to let us know. Your privacy is important to us, so with or without GDPR, we will always work to provide the Proton VPN community with the highest level of privacy and security.
Best Regards,
The Proton VPN Team
You are associated with Google? Google is the worst of all privacy violators. Most of Google’s code is dedicated to the sole purpose of violating privacy.
Two of my Proton Mail accounts were hacked, one for my forum and another for my wife's banking, and now Thailand is not allowing Proton Mail to create a new account. Though I can still log in on both accounts, they now only have single encryption instead of the double encryption; someone took the double encryption out. I cannot log in to the banking account like I did before from Proton Mail; it keeps saying wrong password. Thought you should know.
Hello Sean, it would be best if you could contact our support team directly via https://protonmail.com/support-form – they will help you out with your ProtonMail accounts.
I do not like what is going on. It is hard to understand what good this will do.
United States of America allegedly seems to be increasing surveillance activities on all data and information transferred via electronic mediums.
Protonmail and ProtonVPN will come under increased surveillance due to President Trump’s desire to strictly monitor the internet.
Glad to hear the usage of “Google Analytics” will be temporary (even though it will only be used on low-sensitivity analytics).
Contributing to the open-source community (one more time) by improving the already-existent open-source analytics solution (Matomo) is a smart move. Might as well try it out.
Keep up with the good work! :)
Google Analytics – that name scares me. Do you have to use it? They are evil and I do not trust them.
As we mentioned in the article, various countries have started to block ProtonVPN, and currently we have no way to identify those blocks unless we receive user complaints. Since we don’t run any analytics, it is extremely difficult to act accordingly without any data. GA won’t be used on any sensitive pages, which include the Pricing page, Login page, and the Account page, and it will eventually be replaced by Matomo once we are able to configure it the way we want it to work.
Proton VPN is giving me the lowest ping times I’ve seen on a VPN. Thanks.
Headline in a major financial newspaper today is that the U.S. and U.K. suspect Russia of targeting millions of web users. Obviously this was falsely created to attack and constrict web users’ privacy at some time in the future. The U.S. and U.K. usually act together when they want to spy on web users. Facebook also “took down” pages having “Russian influence”. Saudi Arabia paid for more than a quarter of Hillary’s Presidential bid! That’s foreign influence. Get the picture? These changes are not to assist citizens. They are ALWAYS enacted to keep a certain group of the powerful in power. And these commands from the powerful are always immoral.
Please support Proton VPN and ProtonMail!
Thanks for the GDPR update!
Every day we get closer to finding out that our national intelligence agencies have our internet data, and are enacting propaganda against their own citizens. If you work at a national intelligence agency, please consider leaking those plans. You will be helping all humanity!
Leaking and whistleblowing are easy using ProtonVPN and ProtonMail.