Privacy Policy
Last updated: March 2026
1. Introduction
NexTunnel ("we," "our," "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our VPN service ("Service"). We process data in accordance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
2. Data Controller
The data controller responsible for your personal data is NexTunnel, operating under the jurisdiction of Romania / European Union. For data protection inquiries, contact our Data Protection Officer (DPO) at dpo@nextunnel.com.
3. Information We Collect
3.1 Account Information
When you register, we collect:
- Email address (required for account creation and communication)
- Name (as provided during registration)
- Hashed password (we never store plaintext passwords; we use bcrypt hashing)
3.2 Payment Information
All payment processing is handled by Stripe, our PCI DSS-compliant payment processor. We store:
- Stripe customer ID and subscription ID
- Last 4 digits of your payment card (for display purposes only)
- Payment amounts, dates, and status
We do NOT have access to or store your full credit card number, CVV, or card expiration date.
3.3 Usage Data
- Aggregate bandwidth: We track total data transferred per account for quota enforcement
- Connection metadata: Connection timestamps, duration, and server location for abuse prevention. This data is automatically purged after 72 hours.
- Device information: Device names as labeled by you, and device-level traffic counters
3.4 Security & Authentication Data
- IP address at login (for abuse detection and account security)
- Login attempt timestamps and failed login counters
- Country of login (derived from IP geolocation)
4. What We Do NOT Collect
We do not and cannot collect:
- Your browsing history or visited URLs
- DNS queries made through the VPN tunnel
- The content of your internet traffic
- Destination IP addresses of your connections
- Timestamps correlated to specific browsing activity
The VLESS+Reality protocol is designed so that we cannot inspect the content of your encrypted tunnel traffic.
5. Legal Bases for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Account data, payment data, and usage data necessary to provide the Service
- Legitimate interests (Art. 6(1)(f)): Security data for fraud prevention, abuse detection, and service protection
- Legal obligation (Art. 6(1)(c)): Payment records retained for tax compliance
- Consent (Art. 6(1)(a)): Marketing communications (if applicable, with opt-in)
6. How We Use Your Information
- To provide, maintain, and improve the VPN Service
- To process payments and manage subscriptions
- To enforce traffic quotas and device limits
- To prevent abuse and detect fraudulent activity
- To send transactional emails (receipts, security alerts, support responses)
- To comply with legal obligations
- To respond to support requests
7. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We share data only with:
- Stripe — Payment processing (PCI DSS compliant)
- Resend — Transactional email delivery
- Law enforcement — Only when compelled by valid legal process (court orders, warrants). We can only provide the limited data we actually retain.
We do not use any analytics, advertising, or tracking services that collect user data.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | While account is active + 30 days after deletion |
| Connection metadata | 72 hours (auto-purged) |
| Traffic counters | Reset monthly; historical totals while account active |
| Payment records | 7 years (tax/legal requirement) |
| Support tickets | While account is active + 1 year |
| Login/security logs | 90 days |
9. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights:
- Right of access — Request a copy of your personal data
- Right to rectification — Correct inaccurate personal data
- Right to erasure — Request deletion of your personal data ("right to be forgotten")
- Right to restriction — Restrict processing of your personal data
- Right to data portability — Receive your data in a machine-readable format
- Right to object — Object to processing based on legitimate interests
- Right to withdraw consent — Withdraw consent at any time where processing is based on consent
- Right to lodge a complaint — File a complaint with your national data protection authority
To exercise any of these rights, contact our DPO at dpo@nextunnel.com or use the support ticket system. We will respond within 30 days.
10. International Data Transfers
Your data may be processed on servers located within the European Union. If data is transferred outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
11. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- VLESS+Reality protocol with TLS 1.3 encryption for all VPN traffic
- bcrypt password hashing with salt
- Encrypted database connections
- Rate limiting and brute-force protection
- Regular security audits and updates
- Access controls and principle of least privilege
12. Cookies
We use only essential cookies for authentication and session management. No tracking, advertising, or analytics cookies are used. For details, see our Cookie Policy.
13. Children's Privacy
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
15. Contact — Data Protection Officer
For privacy inquiries, data access requests, or complaints:
- Email: dpo@nextunnel.com
- Support: Submit a ticket through your dashboard
We aim to respond to all requests within 30 days as required by GDPR.