1. Data controller
The data controller for information collected through the Service is:
████████████, LLC
████ ████████ ██, ████ ███
██████████, ██ █████
Registration: ██████████████
Data Protection Contact: privacy@vextraq.com
PGP fingerprint: ████ ████ ████ ████ ████ ████ ████ ████ ████ ████
Primary server infrastructure is located in Helsinki, Finland, operated by ██████ █████ ████ (EU jurisdiction). Additional exit nodes may operate in jurisdictions listed on our regions page. All processing complies with the laws of the jurisdiction where the processing occurs.
2. Data we collect and store
The data stored on our servers depends entirely on which account tier you choose. We designed it this way deliberately. If you don't want us to have your email, choose Ghost tier. The tables below represent the complete set of data fields stored for each tier — there are no hidden fields, shadow databases, or undisclosed collections.
Ghost Tier — Maximum Privacy ($10/month)
We store the absolute minimum required to deliver the service. Nothing more.
| Field | Example | Purpose |
|---|---|---|
| account_id | QS-4829-1057-3846 | Authentication, service delivery |
| tier | ghost | Account classification |
| expires_at | 2026-04-01T00:00:00Z | Subscription expiry enforcement |
| wireguard_pubkey | aB3d...xY9z | WireGuard tunnel establishment |
| preferred_region | helsinki | Exit node selection (optional) |
| lambda | 0.50 | Ad blocking sensitivity preference |
| created_at | 2026-03-01T12:00:00Z | Account age (retention policy) |
That is it. No email. No name. No payment details. No IP address. The crypto payment is processed by our self-hosted BTCPay Server — we receive a payment confirmation event, not your wallet address or transaction hash. The BTCPay Server logs are purged every seventy-two (72) hours.
Standard Tier ($7/month)
Full features with email-based account recovery. Two additional fields vs. Ghost.
| Field | Example | Purpose |
|---|---|---|
| All Ghost tier fields, plus: | | |
| | user@example.com | Account recovery, service notifications |
| hashed_password | $argon2id$v=19$m=65536... | Authentication (Argon2id, never plaintext) |
Your email is used solely for account recovery and critical service notifications (payment failures, terms changes). We do not send marketing emails, newsletters, or promotional content. Ever. Your password is stored as an Argon2id hash with memory cost 64MB, time cost 3, parallelism 4. These are industry-leading parameters that make brute-force attacks computationally infeasible.
Annual Tier ($60/year)
Best value. All Standard fields plus Stripe integration.
| Field | Example | Purpose |
|---|---|---|
| All Standard tier fields, plus: | | |
| stripe_customer_id | cus_Qx7... | Stripe subscription management |
| stripe_subscription_id | sub_1T5... | Subscription lifecycle tracking |
The Stripe customer ID is a reference pointer. Your actual card number, CVV, expiration date, and billing address are held exclusively by Stripe, Inc. and are never transmitted to or stored on Company infrastructure. Stripe's own privacy policy governs payment data they hold.
3. Data we NEVER collect
The following data types do not exist on our servers. They are not logged, not stored temporarily, not cached, not sampled, and not accessible to us or any third party. This is not a policy choice — it is an architectural decision. The systems are engineered so that collection is technically impossible without redesigning the infrastructure.
- Traffic logs
We do not log which websites you visit, what content you access, what files you download, what searches you perform, or any characteristics of your traffic. The proxy processes requests in volatile memory and writes nothing to disk.
- DNS query logs
DNS queries are processed in memory by the ad blocking engine and immediately discarded after evaluation. The query log visible in the Dashboard is rendered client-side using Server-Sent Events (SSE) — events are consumed by your browser's JavaScript runtime and never persisted on our servers. If you close the tab, the data is gone.
- Connection timestamps
We do not record when you connect, when you disconnect, how long your sessions last, or how frequently you use the Service. WireGuard's handshake mechanism does not require server-side session logging.
- Source IP addresses
Your real IP address is never logged, stored, or associated with your account. WireGuard establishes a cryptographic tunnel using public key authentication — the protocol does not require IP logging for operation.
- Bandwidth usage per user
We do not track or meter individual bandwidth consumption. Aggregate server bandwidth is monitored at the infrastructure level for capacity planning, but this data is not attributable to individual users.
- Device fingerprints and hardware identifiers
We do not collect information about your device type, operating system, browser version, screen resolution, installed fonts, WebGL renderer, or any other fingerprinting vector. The Dashboard does not include any fingerprinting or analytics scripts.
- Real names, phone numbers, physical addresses
We never ask for and have no database field to store this information. Even if you voluntarily provided it (e.g., in a support email), it would not be entered into any system associated with your account.
- Ad blocking decisions per user
The P(ad) classifier runs in-process using bloom filters and LRU caches held in volatile memory. Which requests were blocked or allowed for your traffic is not recorded, aggregated, or analyzed. We collect no telemetry on ad blocking performance.
4. Zero-knowledge architecture
Our server infrastructure is designed so that it is technically impossible for us to observe, reconstruct, or correlate your internet activity. Here is how each component enforces this:
4.1 WireGuard tunnel
All traffic is encrypted end-to-end between your device and our exit node using Curve25519 key exchange, ChaCha20-Poly1305 encryption, and BLAKE2s hashing. The tunnel operates at the kernel level. No userspace process has access to decrypted traffic content.
4.2 Proxy engine
The Quicksand proxy processes HTTP/HTTPS requests in volatile memory. No request or response data is written to disk at any point. The process operates with no disk write permissions for traffic data. Crash dumps are disabled.
4.3 Ad classification
The ML classifier evaluates requests against in-memory data structures (bloom filters, feature vectors, LRU caches). Classification decisions are made synchronously and the result is consumed immediately. No classification history is maintained.
4.4 Dashboard query log
The real-time query log displayed in the Dashboard uses Server-Sent Events (SSE). The server emits events directly to the browser's EventSource API. Events are not buffered, stored, or replayed. If the browser tab is not open, events are lost. This is intentional.
4.5 DNS resolution
DNS queries are resolved by the proxy's internal resolver. Queries are processed in memory, evaluated against the ad blocking rules, and the response is returned to the client. No query log, no cache dump, no analytics. The resolver's in-memory cache is cleared on process restart.
4.6 Future: RAM-only mode
We plan to migrate all exit nodes to RAM-only operation where the entire operating system and all session data exist exclusively in volatile memory. A server power cycle or reboot erases everything — there is nothing on disk to seize, subpoena, or forensically recover.
5. Data retention and deletion
5.1 Active accounts
Account data (as defined in Section 2) is retained for the duration of the active subscription. Data is stored in an encrypted PostgreSQL database. Backups are encrypted at rest using AES-256 and retained for ██ days.
5.2 Expired accounts
All account data — including email, hashed password, Stripe IDs, WireGuard public key, and all metadata — is permanently deleted thirty (30) days after subscription expiration. Deletion is automated and irreversible. Backup copies are purged on the next backup rotation cycle.
5.3 Ghost account deletion
Since Ghost accounts have no email for recovery, deletion is final. The account ID ceases to exist. There is no mechanism to verify prior ownership or restore a deleted Ghost account.
5.4 WireGuard key deletion
When an account is deleted (or expires), the associated WireGuard public key is removed from the server's peer configuration. The peer is deprovisioned and the allocated tunnel IP address is returned to the pool.
5.5 On-demand deletion
You may request immediate account deletion at any time by contacting privacy@vextraq.com or through the Dashboard settings. Deletion is executed within twenty-four (24) hours of request receipt.
6. Third-party data processors
We use a minimal number of third-party services. The following is a complete and exhaustive list:
Stripe, Inc.
Applies to: Standard and Annual tiers only. Ghost tier does not use Stripe.
Data shared: Email address (for Stripe customer record), subscription metadata (plan type, billing period).
Data they hold: Payment card details, billing address (if provided by you to Stripe). We never see or store this data.
Privacy policy: stripe.com/privacy
BTCPay Server (self-hosted)
Applies to: Ghost tier (and Standard if paying via crypto).
Data shared: None. BTCPay Server runs on our own infrastructure. No external party is involved in cryptocurrency payment processing.
Data retained: Payment confirmation events. Transaction hashes and wallet addresses are purged every seventy-two (72) hours. We cannot trace a payment back to a wallet after the purge window.
Infrastructure provider
Provider: ██████ █████ ████, Helsinki, Finland.
Data accessible: The provider has physical access to the hardware. Disk encryption (LUKS/dm-crypt) ensures data at rest is unreadable without decryption keys held exclusively by the Company. The provider cannot access user data, account records, or traffic.
We do not use Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Amplitude, Segment, or any other analytics, tracking, or behavioral monitoring service. We do not participate in advertising networks or data broker exchanges. We do not sell, rent, or share user data with any third party for any purpose.
7. Cookies, tracking, and analytics
Landing page (vextraq.com)
Zero cookies. Zero tracking scripts. Zero analytics. The landing page is a static site with no server-side processing and no JavaScript that phones home. View the source — there is nothing hidden.
Dashboard (app.vextraq.com)
One (1) session cookie for authentication (Standard/Annual tiers). HttpOnly, Secure, SameSite=Lax. Expires when you sign out or after the session timeout. No tracking cookies, no third-party cookies, no fingerprinting scripts, no analytics. The Ghost tier Dashboard uses a session token derived from the account ID; no cookie is set.
8. Jurisdiction, legal requests, and law enforcement
The Company is registered in ██████████, ██, United States. Primary server infrastructure is located in Helsinki, Finland (EU jurisdiction).
What we can provide in response to a valid legal request:
| Tier | Data producible |
|---|---|
| Ghost | Account ID, expiry date, preferred region. That's it. |
| Standard | Email address, account creation date, subscription status, preferred region. |
| Annual | Same as Standard, plus Stripe customer/subscription IDs. |
| All tiers | No traffic data, browsing history, DNS queries, connection timestamps, or IP associations. This data does not exist. |
We will comply with valid legal process (subpoenas, court orders, warrants) issued by courts of competent jurisdiction. We will not comply with informal requests, voluntary data sharing programs, or requests that lack proper legal authority. We will challenge overly broad or legally deficient requests where practical.
We maintain a warrant canary that is cryptographically signed and updated on the 1st of each month.
9. International data transfers
Account data is stored on servers in Helsinki, Finland (EU). If you access the Service from outside the EU, your account data (as defined in Section 2) is transferred to and processed in Finland. VPN traffic passes through the exit node in your selected region — traffic data is not stored, so no "transfer" of traffic data occurs in any legally meaningful sense.
For EU/EEA users: the legal basis for processing your personal data (email, for Standard/Annual tiers) is contract performance (Article 6(1)(b) GDPR) — we need your email to deliver the service you signed up for. For Ghost tier users, we process no personal data under GDPR definitions.
10. Your rights
Regardless of your jurisdiction, you have the following rights with respect to your data:
Right of access
You can view all data we hold about your account via the Dashboard (Standard/Annual) or by contacting us with your account ID (Ghost). We will provide a complete data export within seventy-two (72) hours of request.
Right to deletion (right to be forgotten)
You may request immediate and permanent deletion of all data associated with your account. Contact privacy@vextraq.com or use the Dashboard. Deletion is executed within twenty-four (24) hours and is irreversible.
Right to rectification
You can update your email address through the Dashboard. Password changes are available through the Dashboard settings. Ghost accounts have no rectifiable data.
Right to data portability
You can export your WireGuard configuration file from the Dashboard at any time. Account data export is available on request.
Right to object
Since we process data solely for service delivery (not marketing, profiling, or automated decision-making), the right to object is exercised by cancelling your account.
EU/EEA residents may lodge a complaint with their local supervisory authority if they believe their data protection rights have been violated.
11. Children's privacy
The Service is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will delete the account and associated data immediately. If you believe a minor has registered for the Service, contact privacy@vextraq.com.
12. Security measures
We implement the following technical and organizational measures to protect stored data:
- Database encryption at rest (AES-256)
- Full disk encryption (LUKS/dm-crypt) on all servers
- TLS 1.3 for all web traffic (dashboard, landing page, API endpoints)
- SSH key-only authentication for server access (password auth disabled)
- fail2ban intrusion prevention with automatic IP blocking
- Argon2id password hashing (64MB memory cost, 3 iterations, parallelism 4)
- Stripe webhook signature verification (HMAC-SHA256) for all payment events
- HSTS with preload, X-Content-Type-Options, X-Frame-Options security headers
- Automated security updates via unattended-upgrades
13. Data breach notification
In the event of a security breach that compromises stored personal data, we will:
- Notify affected Standard/Annual tier users via email within seventy-two (72) hours of discovery.
- Publish a notice on our status page and warrant canary.
- Report to relevant supervisory authorities as required by applicable law (e.g., GDPR Article 33 for EU authorities).
- Ghost tier users: because we have no contact method, breach notifications will be published on the status page only. Ghost users should check the status page periodically.
Note: Because we do not store traffic data, browsing history, or IP associations, a breach of our account database would expose only the data listed in Section 2 — not your internet activity. A Ghost account breach would reveal only an account ID and an expiry date.
14. Changes to this policy
If we modify this Privacy Policy, we will update the "Last updated" date at the top. For material changes that alter how your data is collected, stored, or shared:
- Standard/Annual users: Thirty (30) days' email notice before changes take effect.
- Ghost users: Check this page periodically. We have no mechanism to contact you.
Previous versions of this policy are archived and available on request.
15. Contact
Privacy & data requests: privacy@vextraq.com
General inquiries: hello@vextraq.com
Abuse reports: abuse@vextraq.com
PGP key: ████████████████████████████████████████
████████████, LLC
████ ████████ ██
████ ███, ██ █████
██████ ██████