Privacy Policy
Plain-language summary: We collect minimal account and payment data to operate your subscription. Our VPN infrastructure is designed to avoid logging browsing activity, IP addresses, or DNS queries. We comply with valid legal process under Singapore law.
1. Data Controller
LimeVPN ("LimeVPN", "we", "our", "us") is the data controller responsible for personal data processed under this Privacy Policy. As a Singapore-incorporated entity, LimeVPN is subject to the Personal Data Protection Act 2012 (PDPA). Our Data Protection Officer can be reached at:
- Email: [email protected]
- Contact form: limevpn.com/contact
2. What Data We Collect
2.1 Account data (collected at registration)
- Email address — Required to create and access your account, send service notifications, and facilitate account recovery.
- Password (hashed) — Stored as a one-way cryptographic hash. We cannot recover or read your password.
- Subscription status — Your current plan, subscription start date, and renewal date.
2.2 Payment data
Payment processing is handled by our third-party payment processors. We receive and store:
- Payment method type (e.g., "credit card" — not your card number, which is held by our payment processor under PCI-DSS compliance)
- Transaction reference ID from the payment processor
- Amount and currency
- Transaction date
We never see or store your full card number, CVV, or bank account details. These are handled exclusively by PCI-DSS certified payment processors.
For cryptocurrency payments, we store the receiving wallet address and transaction hash only. We do not link wallet addresses to account identities.
2.3 Support communications
When you contact our support team, we retain your email address and the content of your support tickets to resolve your issue and maintain support history. Support correspondence is stored for up to 12 months and then deleted unless a legal obligation requires longer retention.
2.4 Website analytics (aggregated)
Our website uses privacy-respecting analytics that do not identify individual visitors. No personal data is transmitted to third-party analytics providers. We collect aggregated metrics (page views, country-level traffic) to improve our website.
3. What We Do NOT Collect
The following data is not collected or stored in the ordinary course of our operations:
- Your browsing history, websites visited, or URLs accessed
- The IP address you connect from (your real IP)
- DNS queries made through our servers
- Network traffic content, payloads, or destinations
- VPN session duration or connection timestamps
- Bandwidth consumed per user or account
- Which VPN server you connect to
- Your physical location or GPS data
- Any metadata about your internet communications
Our infrastructure is designed to minimize data retention. VPN session data is processed in volatile memory (RAM) during your active connection and is not written to persistent storage under normal operating conditions. See our No-Logs Policy for further technical details.
4. Legal Basis for Processing
We process personal data on the following legal bases:
- Contract performance (GDPR Art. 6(1)(b)) — Processing your email and payment data is necessary to fulfill our subscription service agreement with you.
- Legal obligation (GDPR Art. 6(1)(c)) — Retaining payment records for tax and accounting purposes is required by applicable financial laws.
- Legitimate interest (GDPR Art. 6(1)(f)) — Operating website analytics and security monitoring of our infrastructure, balanced against your privacy rights.
- Consent — For optional marketing communications, where we will ask for your explicit consent and provide clear opt-out mechanisms.
- Singapore PDPA — Under the Personal Data Protection Act 2012, we process personal data with your consent (provided at registration) and for the purposes for which it was collected, in accordance with the PDPA's data protection obligations and the Do Not Call provisions.
5. Data Retention
| Data type | Retention period | Reason |
|---|---|---|
| Account data (email, hashed password) | Until account deletion + 7 days | Account operation |
| Payment records | 7 years | Tax & accounting law |
| Support tickets | 12 months | Service improvement |
| VPN session data | Session only (RAM) | Connection management |
| Server metrics (aggregated) | 7 days | Capacity planning |
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data.
We share minimal data with the following categories of trusted third-party service providers, each bound by strict data processing agreements:
- Payment processors — To handle payment transactions under PCI-DSS standards. They receive only the information necessary to process your payment.
- Email service provider — To send transactional emails (account confirmations, support responses). They are contractually prohibited from using your email for any other purpose.
- Data center providers — Physical infrastructure hosting. These providers have no access to user account data or VPN traffic.
6.1 Law enforcement and legal process
We may disclose personal data when required to do so by valid legal process, including court orders issued by courts of competent jurisdiction in Singapore. We will comply with lawful requests from Singapore authorities and, where applicable, mutual legal assistance treaty (MLAT) requests from foreign jurisdictions that have been validated through Singapore courts.
Due to our minimal-logging architecture, the data available in response to any legal request is limited to account-level information: email address, subscription status, payment transaction records, and support correspondence. We do not possess VPN browsing activity, connection timestamps, IP address assignments, or traffic content, and therefore cannot produce such data.
We will notify affected users of legal requests for their data unless prohibited from doing so by law or court order.
7. International Data Transfers
We operate servers globally. If you are located in the European Economic Area (EEA), your account data may be transferred to servers outside the EEA, including to countries that may not have the same level of data protection law as the EU.
Where such transfers occur, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all third-party processors
- Encryption of all data in transit and at rest
8. Your Rights
Depending on your location, you have the following rights regarding your personal data:
8.1 Rights under GDPR (EU/EEA residents)
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten") — Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction — Request that we limit the processing of your data in certain circumstances.
- Right to data portability — Receive your personal data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interest, including direct marketing.
- Rights related to automated decision-making — We do not make automated decisions that significantly affect you.
8.2 Rights under CCPA (California residents)
- Right to know — Request disclosure of personal information we have collected, used, disclosed, and sold.
- Right to delete — Request deletion of your personal information.
- Right to opt-out — We do not sell personal information. You have the right to confirm this.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
8.3 Rights under PDPA (Singapore)
- Right of access — Request access to your personal data held by us and information about how it has been used or disclosed within the past year.
- Right to correction — Request correction of any inaccurate or incomplete personal data.
- Right to withdraw consent — Withdraw consent for the collection, use, or disclosure of your personal data, subject to legal or contractual restrictions. Withdrawal of consent may affect our ability to provide the Service.
- Right to data portability — Request transfer of your personal data to another organization, where technically feasible.
Complaints under the PDPA may be directed to the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
8.4 How to exercise your rights
Contact us at [email protected] or through our contact page. We will respond within 14 days (or within the timeframe required by applicable law). We may ask you to verify your identity before fulfilling a request.
EU residents have the right to lodge a complaint with their national data protection authority if they believe their rights have been violated.
9. Cookies and Tracking
Our website uses cookies for:
- Essential cookies — Required for the website to function (session management, authentication). These cannot be disabled.
- Analytics cookies — Aggregated, anonymized visitor statistics. You can opt out of these.
We do not use advertising cookies, cross-site tracking, or fingerprinting technologies. You can manage cookie preferences through your browser settings or read our full Cookie Policy.
10. Security
We implement appropriate technical and organizational measures to protect your personal data:
- AES-256 encryption for all data in transit and at rest
- Mandatory two-factor authentication for all administrative access
- Regular security audits and penetration testing
- Principle of least privilege for all system access
- Documented incident response procedures
In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours, as required by GDPR. Under Singapore's PDPA, we will notify the PDPC and affected individuals of notifiable data breaches as defined under the Act.
11. Children's Privacy
Our service is not directed at individuals under 18 years of age, and we do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Updating the "Last updated" date at the top of this page
- Sending an email notification to your registered address (for significant changes)
- Displaying a prominent notice on our website
Continued use of our service after changes take effect constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions, requests, or complaints:
- Email: [email protected]
- Contact form: limevpn.com/contact
- Response time: Within 7 days for standard requests; 72 hours for breach notifications