The main objective of GDPR is to give the public more control over their personal data and to simplify regulations for international businesses by establishing an EU-wide law. The GDPR replaces the 1995 Data Protection Directive.
Because we are a privacy-focused service, our existing policies are already fairly consistent with GDPR, but because a large number of ProtonVPN users are from the EU we have nevertheless made a few changes to prepare for GDPR. Below is a summary of the changes we made. Our new policies go into effect starting April 16 and are already available for review on our website.
Summary of policy changes:
We have also changed our money back policy from 60 days to 30 days to make it consistent with the policy that is informally used by ProtonMail. This will only apply to new subscriptions and not retroactively to subscriptions from the past 60 days. This policy change is necessary because previously different policies would apply depending on whether a user upgraded via protonvpn.com or protonmail.com.
Our Terms and Conditions now also include a standard notice regarding external websites to which we link from our website. Specifically, we are not responsible for the content of external websites that we link to, we have no liability for any content hosted on a third-party site, and external sites are governed by the terms and conditions of those sites.
Because ProtonVPN and ProtonMail may introduce a referral program in the future, our policies have been updated to include the following provision: If you are referred to ProtonVPN by a friend or some other third party who is participating in our referral program, we may associate your account with the referrer to appropriately credit the referrer.
While the use of analytics software was already mentioned in our existing policies, in line with the GDPR requirements we are adding additional details. Currently, ProtonVPN does not run any analytics software on our website, but we anticipate that this will change in the future for several reasons. First, various countries have started to block ProtonVPN, and currently we have no way to identify those blocks unless we receive user complaints. The nature of the blocks often means the users who have been blocked are also unable to complain. The addition of analytics would allow us to see in real time when a block goes into effect and to work faster to counteract it.
As another example, looking in aggregate at the geographic distribution of ProtonVPN users allows us to understand which countries have the most need for ProtonVPN. We can then allocate development resources toward providing the best service in those countries.
Consistent with our existing policies, we will deploy analytics carefully and we will never associate usernames and passwords (logins) with IP addresses. All collected data will be anonymous and will not contain any personally identifying information, and IPs will be stripped out whenever possible. Analytics will also not be deployed on sensitive pages, such as the login pages and password reset pages. Analytics will only be used for visits to our website, and we do not log any VPN activity, consistent with our existing No Logs VPN policy.
Our long-term goal is to use Matomo, an open source, self-hosted analytics software, for protonvpn.com site analytics. However, because Matomo still has limited capabilities, and because detecting country blocks is an urgent need for ProtonVPN, we will also initially utilize Google Analytics for some low-sensitivity analytics, such as homepage visits, while we invest in improving the capabilities of Matomo and contributing back to the Matomo open source community.
Finally, our policies now specifically mention that we comply with GDPR, even though as a Swiss company we do not have a formal legal requirement to do so. While it is only mandatory to extend the new GDPR protections to EU citizens and residents, we are applying its provisions globally.
We are happy to see that online privacy is getting the attention it needs from the EU, and we hope that the GDPR will push more companies to respect privacy. If you have any questions about our new policies, don’t hesitate to let us know. Your privacy is important to us, so with or without GDPR, we will always work to provide the ProtonVPN community with the highest level of privacy and security.
The ProtonVPN Team
Follow us to stay up to date on ProtonVPN news and releases: