Skip to main content

Transparency Report

Last updated: March 2026

Last reviewed by Pablo Ivaldi on 2026-04-25.

1. Our commitment

NexTunnel is committed to transparency about how we handle government requests, legal orders, and law enforcement inquiries. This page documents what we log, what we don't, where we operate, and every request we have received and our responses.

2. No-logs policy

Our no-logs commitment is not a slogan — it is an architectural choice we audit ourselves. Specifically, we do NOT log any of the following:

  • No source IP addresses We do not record the IP address you connected from, beyond ephemeral memory needed to maintain the active tunnel. The moment you disconnect, that IP is gone.
  • No DNS queries We do not log domain lookups. Our resolvers run in-RAM and emit no query logs to disk.
  • No traffic content or destination We do not inspect, log or store the websites you visit, the destination IPs, or any payload — encrypted or otherwise.
  • No connection timestamps We track per-device aggregate bytes for quota enforcement, but we do not store the time you connected, disconnected, or how long a session lasted.
  • No payment details after processing Stripe and NowPayments hold the card / wallet data on their side. Once a payment posts, we keep only the subscription state — no PAN, no full wallet address, no tax IDs.

3. Jurisdiction

Our primary infrastructure (web app, database, control plane) runs in Helsinki, Finland — a GDPR-protected EU jurisdiction with no mass-surveillance laws and no equivalent of the US National Security Letter regime. Finland has no secret-court regime that can compel disclosure with a gag order.

VPN exit nodes are spread across multiple jurisdictions for routing flexibility, but the user database — the only place that links an account to a person — is exclusively in Finland. A request to a single exit-node host cannot subpoena user identities, because the exit nodes do not hold them.

4. Warrant canary

As of March 9, 2026:

  • NexTunnel has NOT received any National Security Letters (NSLs)
  • NexTunnel has NOT received any gag orders or sealed court orders
  • NexTunnel has NOT been required to install any government backdoors
  • NexTunnel has NOT been compelled to provide encryption keys to any government
  • NexTunnel has NOT provided user data to any intelligence agency under bulk-surveillance programs

If any of these statements is removed or modified in a future update, it may indicate that NexTunnel has received such a request. This canary is updated quarterly.

5. Legal request statistics

Transparency report data — quarterly legal request counts.
PeriodRequests ReceivedData ProvidedRequests Challenged
Q1 2026 (Jan–Mar)000

6. Open-source clients

Our user-facing clients are open source. You do not have to trust us — you can read the code that runs on your device.

  • github.com/nextunnel client SDK, browser extensions, and reference clients
  • Subscription URL bundles regenerate every 30 minutes — the format is documented and reproducible from the open-source SDK.
  • Issue reports and contributions are welcomed via the public repos.

7. Bug bounty & responsible disclosure

If you find a security issue in NexTunnel — web, infrastructure, or VPN protocol implementation — we want to hear from you. We commit to acknowledge new reports within 48 hours and to publish a postmortem for any vulnerability that affected users.

security@nextunnel.com encrypted reports welcome (PGP key on request)

8. What we can disclose

Due to our minimal data collection, even with a valid court order in our jurisdiction we can only provide:

  • Email address associated with an account
  • Account creation date
  • Last login timestamp (retained for 90 days)
  • Payment processor reference (Stripe / NowPayments)
  • Aggregate bandwidth usage per account

We CANNOT provide:

  • Browsing history or visited URLs
  • DNS queries
  • Content of internet traffic
  • Destination IP addresses of user connections
  • Connection logs older than the retention period

9. Our process for legal requests

  1. We verify the legal validity and jurisdiction of every request
  2. We challenge overly broad or invalid requests
  3. We notify affected users whenever legally permitted
  4. We provide only the minimum data required by the specific legal order
  5. We log all legal requests for this transparency report

10. Data protection

For details on how we collect, process, and protect your data, see our Privacy Policy.

11. Contact

For questions about this report, contact our legal team at legal@nextunnel.com or our Data Protection Officer at dpo@nextunnel.com.