Privacy Policy

Last Updated: February 15, 2026 · Effective Date: February 15, 2026 · Version: 1.0


1. Introduction

CasperVPN (“we,” “us,” “our,” or “CasperVPN”) operates the CasperVPN application and related services (collectively, the “Service”). This Privacy Policy explains what information we collect, how we use it, how we share it, and your rights regarding that information.

We are committed to protecting your privacy and operating under a strict minimal-data-collection approach. This policy complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Lebanese Law No. 81/2018 on Electronic Transactions and Personal Data, and other applicable privacy laws.

Data Protection Officer Contact: privacy@caspervpn.com

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address (required for account creation, communication, and password recovery), your password (stored as a salted bcrypt hash — we never have access to your plaintext password), and optionally your first and last name. If you sign in via Apple Sign-In or Google Sign-In, we receive an opaque user ID from the provider. We do not receive or store your OAuth provider password.

2.2 Payment Information

We use third-party payment processors including LemonSqueezy, Paddle, and NOWPayments. We store a reference linking your CasperVPN account to your payment profile, subscription IDs, and transaction metadata (payment amount, currency, status, and timestamps). We do not store your credit card number, CVV, or full billing address. For purchases made through Apple App Store or Google Play Store, payment is processed entirely by Apple or Google respectively.

2.3 Connection Metadata

When you connect to our VPN servers, our system currently records connection timestamps, the server selected, the protocol used (WireGuard, IKEv2, or OpenVPN), bandwidth consumed (for data cap enforcement on free/limited plans), device type and OS version (for troubleshooting), and connection status.

Important Disclosure: Our backend currently logs the originating IP address assigned to your connection session and the VPN IP address assigned to you. We are actively working to eliminate originating IP logging from our infrastructure as part of our no-log roadmap (see Section 11). Until this change is deployed and independently audited, we transparently disclose this practice.

2.4 Security and Anti-Fraud Data

To protect accounts from unauthorized access and detect abuse, we process failed login attempts, fraud risk indicators (risk scores computed using IP reputation, email validity checks, and device metadata), and anomaly detection events. This data is used exclusively for security purposes and is not shared with third parties.

2.5 Local Device Data (iOS/Android App)

The following data is stored locally on your device only and is never transmitted to our servers: VPN configuration keys (stored in iOS Keychain or Android Keystore), authentication tokens (JWT stored in encrypted device storage), local connection logs (up to 1,000 entries), data usage counters, and privacy guard results (DNS leak, IP leak, and WebRTC leak tests).

2.6 Information We Do NOT Collect

We do not collect browsing activity, traffic content, advertising identifiers (IDFA/GAID), device fingerprints for tracking, location data (GPS/Wi-Fi/cell tower), contacts, photos, or other device data beyond what is described above. We do not integrate any third-party analytics SDK.

3. How We Use Your Information

We use information to provide the VPN service (contract performance), process payments (contract performance), enforce data caps (contract performance), prevent fraud and abuse (legitimate interest), comply with legal obligations, send service communications, and improve the Service using aggregated anonymized data. We do not use your information for targeted advertising, selling to data brokers, building user profiles for marketing, or sharing with government agencies beyond what is legally compelled.

4. How We Share Your Information

We share limited data with payment processors (transaction data only), infrastructure providers (they do not have access to decrypted user traffic), and our email service provider (email address only for transactional emails). We may disclose information if required by law, subpoena, or court order — however, due to our minimal data collection, we have very limited data to provide. We do not sell, rent, or trade your personal information to any third party.

5. Data Retention

Data Type | Retention Period
Account information | Duration of account + 30 days
Payment records | 7 years (tax compliance)
Connection metadata | 30 days (rolling)
Security/anti-fraud data | 90 days
Failed login attempts | 30 days
Aggregated analytics | Indefinite (anonymized)

6. Your Rights

GDPR (EU/EEA Residents)

You have the right to access, rectify, and erase your personal data, to restrict processing, to data portability, to object to processing, to withdraw consent, and to lodge a complaint with your local data protection authority.

CCPA (California Residents)

You have the right to know what personal information we collect, to request deletion, to opt out of sale (we do not sell personal information), and to non-discrimination for exercising your rights.

Lebanese Law No. 81/2018

Under Lebanese data protection law, you have the right to access and correct your personal data, to object to its processing, and to request its deletion.

To exercise your rights: Submit requests to privacy@caspervpn.com. We respond within 30 days for GDPR requests and 45 days for CCPA requests.

7. Data Security

We implement encryption in transit (TLS 1.3), encryption at rest (AES-256), VPN tunnel encryption (WireGuard: ChaCha20-Poly1305, IKEv2: AES-256-GCM, OpenVPN: AES-256-CBC/GCM), bcrypt password hashing, credential storage in iOS Keychain / Android Keystore, role-based access controls, and CIS-benchmarked server hardening. Despite these measures, no method of transmission or storage is 100% secure.

8. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence, including the Netherlands (VPN server infrastructure). For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Children's Privacy

CasperVPN is not directed at children under 16. We do not knowingly collect personal data from children. Contact privacy@caspervpn.com if you believe a child has provided us with personal data.

10. Warrant Canary

We maintain a publicly accessible Warrant Canary at caspervpn.com/canary, updated quarterly. The Warrant Canary affirms that we have not received any National Security Letters, FISA orders, gag orders, or court orders requiring bulk user data disclosure, and that we have not been compelled to produce encryption keys or implement backdoors.

11. No-Log Commitment and Roadmap

CasperVPN is committed to becoming a verified no-log VPN. As of the effective date of this policy, our backend systems record connection metadata as described in Section 2.3, including originating IP addresses. We disclose this transparently rather than making unsubstantiated no-log claims.

Our roadmap includes eliminating originating IP logging, minimizing connection metadata, implementing RAM-only server infrastructure, engaging an independent third-party security audit, and publishing an annual transparency report. We will update this Privacy Policy as each milestone is completed.

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website, sending an email notification, and displaying an in-app notification. Your continued use after a material change constitutes acceptance.

14. Cookie Policy

Our website uses only strictly necessary cookies required for site functionality (session cookies, CSRF protection). We do not use advertising or tracking cookies, third-party analytics cookies, or social media tracking pixels. Our mobile applications do not use cookies.

15. Contact Us

Email: privacy@caspervpn.com
Legal Inquiries: legal@caspervpn.com
General Support: support@caspervpn.com

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority.


This Privacy Policy was last reviewed on February 15, 2026.