---

Privacy policy

Last updated: April 14, 2026

All of our policies:

• Privacy policy (including GDPR)
• Terms of service

Policy overview

As a VPN service, the privacy of our users is a top priority, and therefore it is our policy to never store logs of what you browse online. However, due to the nature of our product, we cannot, and do not aim to guarantee anonymity online. We recommend users that require highly sophisticated privacy to look into other services, such as The Tor Project, or Mullvad.

What we log and store

We do not log your browsing activity. We cannot see which sites you visit, when you visit them, or what you do on them.

What we do store, and why:

• Your routing configuration. Safety Act VPN works by selectively routing specific domains, so we store the list of domains you have chosen to route (your vpnlist) and the list you have chosen to exclude (your allowlist). We cannot tell from this data whether you have ever visited any of these domains.
• Aggregate traffic counters. For abuse prevention, we store per-account byte counts per day and per month: total traffic, and total traffic to the subset of domains we route via residential IPs. These are aggregate totals only. We do not store per-domain, per-session, or per-request data.
• Session metadata. While you are connected, we store which server you are connected to, when you connected, and when we last saw you. This is deleted when the session ends.
• Product events. See the Analytics section for the full list. These are product events (e.g. "app opened", "connect pressed") and do not include destinations or traffic content.
• Account metadata. Date of creation, subscription metadata, see the Account and Payments sections for the full list.

Payments

Payment information is processed for the purpose of providing you with the service we offer, to pay out refunds and for accounting purposes. The processing of payment data for the first two purposes are necessary for us to be able to handle the payment (i.e. performance of contract) Payment information processed for accounting purposes are necessary for the compliance of a legal obligation to which we are subject.

We use Stripe to process payments in our browser extensions. Please review Stripe's privacy policy.

Data that we share with Stripe, if an account opens a checkout:

• A public token cryptographically derived from your Account ID, that lets only us reverse it to the corresponding account ID.

Data that we store from Stripe, if an account has, or had a subscription:

• account_id
• customer_id
• state
• interval
• price_id
• access_expires_at
• latest_expires_at
• cancel_at_period_end
• livemode
• last_event_id
• last_event_timestamp_ms
• updated_at

Account Email & Account ID Recovery

When a recovery email is added to a user account, we store it in our database linked to your Account ID. If your email is subsequently submitted into the account recovery form on our website, we use Resend to send you an email. The email will contain a link that expires in 15 minutes, which, when opened, reveals your Account ID. Please review Resend's Data Processing Addendum. We perform per-email and per-ip rate limiting. IP addresses are stored for a maximum of 25 hours.

When adding a recovery email, you are given the choice to opt-in to our marketing terms. If checked, we store your consent, send a hash of your email address to Meta's Conversions API, and may email you in the future. All marketing emails are sent with a List-Unsubscribe header, so you can revoke marketing consent, easily, at any time, directly from your email client. These will also be sent via Resend. Please review Meta's Conversions API documentation.

Ad Attribution

If you found Safety Act VPN through an ad on a Meta platform, we use Meta's Conversions API to link your account or website session to the ad click for attribution purposes. We may share the following information:

• Your click id*
• Revenue from purchases you make*
• How long you spent, and how far you progressed through a web2extension funnel
• Your hashed email, if you consented to our marketing privacy terms

* signifies always shared, for users who clicked a Meta ad

Our numbered accounts

We do not require you to share with us personal information – no username, no password, no email address - to use Safety Act VPN. Instead, a random account number is generated, a so-called numbered account. This number is the only identifier a person needs in order to use a Safety Act VPN account.

Anyone at anytime can create as many numbered accounts as they wish. An account can be used by multiple people or by someone other than the person who initially generated it.

Data that we store for an account:

• Creation date
• Subscription expiry date
• Domains you have opted to route through our servers
• Domains you have opted to exclude from being routed through our servers
• Latest Meta ad click ID, if present
• Stripe subscription metadata (see payments section)
• Account recovery email, if provided (see Account ID Recovery section)
• Marketing terms consent and time of consent
• Product usage events (see analytics section)
• Per-day, and per-month traffic usage to domains proxied by your account, overall, and overall for the set of domains we treat as requiring extra anti-detection measures. This is for abuse prevention. The list of domains for which traffic is metered separately can be fetched via our API. The domain decision logic is done in-memory and individual-domain usage data - in any form - is never collected. Please review the Anti-Detection Routing section for more information.

Analytics

We do not use any external services for product analytics. We currently track the following events, along with the account that triggered them, the time of the event, and, if applicable, event properties:

• account.created
• app.installed
• app.opened
• app.closed
• onboarding.completed
• vpn.connect_pressed
• vpn.connect_blocked (property: reason)
• vpn.connected (property: transport)
• ui.settings_opened
• ui.help_opened

Anti-Detection Routing

To prevent giving our users a poor experience, we maintain a list of "high risk" domains that block our servers on a large scale. We route requests through Safety Act VPN to these domains through residential IP addresses, using our partner, SOAX, specifically their residential proxies. Data is always encrypted with TLS when being sent to SOAX. SOAX acts as the exit point for traffic to these domains, so they see the destination traffic the same way any ISP would. They do not receive your account ID or any identifier that links traffic back to you. Please review SOAX's privacy policy.

The list of domains this applies to can be found via our API.

As an anti-abuse measure, we meter the traffic that we forward to SOAX per-account. Please review the "Data that we store for an account" section for more information.

The rights of individuals

You have the right, in certain situations, to request us to correct or delete personal data regarding you and/or restrict the processing as well as a right to data portability (if applicable). Where the legal basis for the processing is based on a weighing of interests you are as a data subject entitled to object at any time to the processing of your data. You also have the right to request for a copy of your personal data and a registry extract.

If you would like to exercise your rights, please contact [email protected] for more information.

Please note that exercising some rights may limit our ability to provide support that requires such information, for example issuing a refund or finding a lost account. We are also unable to approve some request due to legal requirements or that the processing of personal data might be based on a legal basis to which the right do not apply.

Data controller contact information

Annandale Labs, LLC
30 N Gould St
Ste R
Sheridan, WY, 82801, USA
[email protected]

To exercise your rights under the GDPR or if you have any questions regarding our processing of your personal data, please send your inquiry to the e-mail address above.

You also have the right to complain to the UK Information Commissioner's Office (ICO) if you believe your personal data has been handled unlawfully or unfairly. Information about how to complain is available at ico.org.uk.

Updates

This Privacy policy may be updated and, in such case, a new version will be published on Safety Act VPN’s website.

---

© 2026 Annandale Labs, LLC

Operated by Carter Annandale in London, UK