FollowNet VPN Privacy Policy

1. Data Controller

The data controller under GDPR is FollowNet (“FollowNet”, “we”, “us”). Privacy contact and data subject requests: [email protected].

2. A note on “logs”

We do not record browsing history or traffic contents (the websites/pages you visit, message contents, etc.). To operate a VPN service and manage plans, we process limited technical metadata (for example, session timing and traffic volume).

Important: if you choose a third‑party DNS provider in the app settings, your DNS queries are processed by that provider under its own policy. On our side, we do not aim to collect DNS query contents in our services.

3. Data we process

3.1 Account

• Email (if you sign in via email code).
• User ID — your account identifier on our servers (assigned when you sign up).
• deviceId — a random UUID generated on first launch and stored in the iOS Keychain; sent to our servers for device limits and account security. We do not use Apple’s advertising identifier (IDFA) or vendor identifier (IDFV) for deviceId.

You may also sign in via Sign in with Apple and/or Google Sign‑In (if available in the app). In that case we receive the data needed for authentication from the respective provider.

3.2 Subscriptions (App Store)

• Plan/status (free/trial/premium) and start/expiry dates.
• Apple transaction identifiers (e.g., original transaction id) for validation and purchase restore.
• We do not receive your card details — payments are processed by Apple.

3.3 VPN service data

• Selected protocol (IKEv2/WireGuard) and selected server/location.
• Connection/disconnection timestamps and session duration.
• Traffic counters (bytes in/out) for stats and free plan limits.
• Device timezone identifier — to display stats and limits in your local time.
• Network‑level parameters required to establish and route VPN traffic (e.g., IP at transport/routing level).

DNS provider (if selected in the app): Cloudflare (1.1.1.1), Google (8.8.8.8), AdGuard, AdGuard Family, Quad9.

3.4 Support

• Support tickets and messages, plus any information you choose to share (logs/screenshots/issue details).

3.5 App analytics (Firebase Analytics)

Our iOS app uses Firebase Analytics (Google) for product events: VPN connection success/failure, server selection, purchase/subscription screens, purchase or restore outcome, speed test start. Only this set of events is transmitted; no browsing history and no traffic content. We do not link Analytics events to your FollowNet account in the Firebase console (for example, setUserId is not used for Firebase): on Google’s side they are tied to an anonymous installation/app instance identifier and are separate from your User ID and email in our systems. Google Firebase privacy information: https://firebase.google.com/support/privacy.

3.6 Crash reporting (Firebase Crashlytics)

We use Firebase Crashlytics (Google) to diagnose crashes and stability. It may receive technical crash data (device model, OS version, stack trace, event time). As long as we do not pair Crashlytics with your FollowNet User ID/email in the SDK, reports typically do not contain your FollowNet account credentials; processing is governed by Google/Firebase policies.

3.7 Server event logs

Servers store technical event logs for operation and support: VPN connection event (server id), Apple webhook events (notification type, productId, originalTransactionId, environment), admin actions. No traffic content is logged; data is retained only as long as needed for operation and security.

3.8 IP address and User‑Agent

IP address and User‑Agent may be considered on the backend for abuse prevention (rate‑limiting) and security during request handling, without writing them to persistent logs and without retention for marketing purposes.

4. Legal bases (GDPR Art. 6)

• Performance of a contract (Art. 6(1)(b)) — account creation, providing the VPN service, issuing VPN credentials, managing subscriptions.
• Legitimate interests (Art. 6(1)(f)) — security and abuse prevention (including ephemeral rate‑limiting without persistent storage of IP/UA), aggregated analytics and crash reports via Firebase without mapping to the FollowNet account in the developer console.
• Consent (Art. 6(1)(a)) — where explicitly requested (e.g., optional notifications).
• Legal obligation (Art. 6(1)(c)) — responding to lawful requests from authorities.

5. How we use data

• Provide the VPN service and issue VPN credentials.
• Passwordless login (email code), security, and abuse prevention.
• Free limits and Premium enforcement (traffic/devices), subscription validation and purchase restore.
• Support and product improvements (analytics and crash diagnostics).

6. Sharing

• Apple — purchases and subscriptions (App Store).
• Apple / Google — if you use Sign in with Apple / Google Sign‑In.
• Email provider (SMTP) — sending login codes.
• Infrastructure/hosting — backend and VPN servers.
• Google Firebase — Analytics and Crashlytics (if enabled in the build).

We do not sell or “share” personal data (within the meaning of CCPA/CPRA).

7. International data transfers

To operate the service, data may be transferred to and stored outside the European Economic Area (EEA), including in countries where VPN servers are located and with service providers (e.g., Google/Firebase in the U.S.). Such transfers rely on applicable legal mechanisms, including the European Commission’s Standard Contractual Clauses, with reasonable safeguards.

8. Retention

• Account/subscription data — while the account remains active or as required for legitimate purposes.
• Session/traffic technical metadata — the minimum time needed for operations, limits, and security.
• Server event logs (connections, Apple webhooks, admin actions) — no longer than needed for operation and support.
• Support tickets — as needed to handle requests and maintain service quality.
• Firebase diagnostics (Analytics, Crashlytics) — according to Google/Firebase retention periods and settings.

9. Security

We apply reasonable technical and organizational measures: encryption in transit (TLS), encrypted VPN tunnels (IKEv2/WireGuard), token storage in iOS Keychain, restricted administrator access, and logging of admin actions.

10. Cookies and the website

The follow-net.com website is a landing page. We do not use cookies for advertising tracking. Technical/operational cookies may be used only for the proper functioning of the pages.

11. Children

The Service is not directed to individuals under the age of 13 (or under the digital consent age in your country). We do not knowingly collect data from such individuals. If you become aware that a child has provided us with data without parental/guardian consent, contact us and we will delete it.

12. Account deletion

You can delete your account in the app. We delete account data and related records (devices, VPN credentials, subscription records, support tickets and related technical records), except where retention is required by law or necessary for abuse prevention.

13. Your rights (GDPR / CCPA)

Under applicable law you have the right to:

• Access your data and obtain a copy.
• Rectify inaccurate or incomplete data.
• Erase your data (“right to be forgotten”).
• Restrict processing in certain cases.
• Data portability in a structured format.
• Object to processing based on legitimate interests.
• Withdraw consent at any time (where processing is based on consent).
• Lodge a complaint with the data protection authority in your EU/EEA country.

For California residents (CCPA/CPRA): you have the right to know what categories of data we collect, the right to deletion, the right to opt out of the sale/“sharing” of personal data (we do not sell or share personal data), and the right to non‑discrimination for exercising your rights.

To exercise your rights, contact us at [email protected]. We respond within a reasonable time as required by law.

14. Terms of Service

This policy supplements our Terms of Service: follow-net.com/terms.

15. Changes

We may update this policy from time to time. The “Last updated” date above reflects the latest revision.