Privacy Policy
Plain-language summary: We collect your email address and payment information to operate your account. We never collect, store, or log your VPN activity, browsing history, IP addresses, or DNS queries. Your VPN traffic is encrypted and anonymous by design.
1. Data Controller
LimeVPN ("LimeVPN", "we", "our", "us") is the data controller responsible for personal data processed under this Privacy Policy. If you have questions about data handling, please contact:
- Email: [email protected]
- Contact form: limevpn.com/contact
2. What Data We Collect
2.1 Account data (collected at registration)
- Email address — Required to create and access your account, send service notifications, and facilitate account recovery.
- Password (hashed) — Stored as a one-way cryptographic hash. We cannot recover or read your password.
- Subscription status — Your current plan, subscription start date, and renewal date.
2.2 Payment data
Payment processing is handled by our third-party payment processors. We receive and store:
- Payment method type (e.g., "credit card" — not your card number, which is held by our payment processor under PCI-DSS compliance)
- Transaction reference ID from the payment processor
- Amount and currency
- Transaction date
We never see or store your full card number, CVV, or bank account details. These are handled exclusively by PCI-DSS certified payment processors.
For cryptocurrency payments, we store the receiving wallet address and transaction hash only. We do not link wallet addresses to account identities.
2.3 Support communications
When you contact our support team, we retain your email address and the content of your support tickets to resolve your issue and maintain support history. Support correspondence is stored for up to 12 months and then deleted unless a legal obligation requires longer retention.
2.4 Website analytics (aggregated)
Our website uses privacy-respecting analytics that do not identify individual visitors. No personal data is transmitted to third-party analytics providers. We collect aggregated metrics (page views, country-level traffic) to improve our website.
3. What We Do NOT Collect — Ever
This is the foundation of our service. The following data is never collected, stored, or accessible to anyone at LimeVPN:
- Your browsing history, websites visited, or URLs accessed
- The IP address you connect from (your real IP is never logged)
- DNS queries made through our servers
- Network traffic content, payloads, or destinations
- VPN session duration or connection timestamps
- Bandwidth consumed per user or account
- Which VPN server you connect to
- Your physical location or GPS data
- Any metadata about your internet communications
This is not merely a policy commitment — our infrastructure is technically designed to make logging this data impossible. VPN session data is held only in RAM for the duration of your connection and is never written to persistent storage. See our No-Logs Policy for full technical details.
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR) and equivalent laws, we process personal data on the following legal bases:
- Contract performance — Processing your email and payment data is necessary to fulfill our subscription service agreement with you (GDPR Art. 6(1)(b)).
- Legal obligation — Retaining payment records for tax and accounting purposes is required by applicable financial laws (GDPR Art. 6(1)(c)).
- Legitimate interest — Operating website analytics and security monitoring of our infrastructure, balanced against your privacy rights (GDPR Art. 6(1)(f)).
- Consent — For optional marketing communications, where we will ask for your explicit consent and provide clear opt-out mechanisms.
5. Data Retention
| Data type | Retention period | Reason |
|---|---|---|
| Account data (email, hashed password) | Until account deletion + 7 days | Account operation |
| Payment records | 7 years | Tax & accounting law |
| Support tickets | 12 months | Service improvement |
| VPN session data | Session only (RAM) | Connection management |
| Server metrics (aggregated) | 7 days | Capacity planning |
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. Period.
We share minimal data with the following categories of trusted third-party service providers, each bound by strict data processing agreements:
- Payment processors — To handle payment transactions under PCI-DSS standards. They receive only the information necessary to process your payment.
- Email service provider — To send transactional emails (account confirmations, support responses). They are contractually prohibited from using your email for any other purpose.
- Data center providers — Physical infrastructure hosting. These providers have no access to user account data or VPN traffic.
We may disclose personal data in response to valid legal requests from law enforcement or government authorities with proper jurisdiction. Because we do not collect VPN activity data, the only data we can produce is account-level information (email address, subscription status). See our Transparency Report for all requests received.
7. International Data Transfers
We operate servers globally. If you are located in the European Economic Area (EEA), your account data may be transferred to servers outside the EEA, including to countries that may not have the same level of data protection law as the EU.
Where such transfers occur, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all third-party processors
- Encryption of all data in transit and at rest
8. Your Rights
Depending on your location, you have the following rights regarding your personal data:
8.1 Rights under GDPR (EU/EEA residents)
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten") — Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction — Request that we limit the processing of your data in certain circumstances.
- Right to data portability — Receive your personal data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interest, including direct marketing.
- Rights related to automated decision-making — We do not make automated decisions that significantly affect you.
8.2 Rights under CCPA (California residents)
- Right to know — Request disclosure of personal information we have collected, used, disclosed, and sold.
- Right to delete — Request deletion of your personal information.
- Right to opt-out — We do not sell personal information. You have the right to confirm this.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
8.3 How to exercise your rights
Contact us at [email protected] or through our contact page. We will respond within 14 days (or within the timeframe required by applicable law). We may ask you to verify your identity before fulfilling a request.
EU residents have the right to lodge a complaint with their national data protection authority if they believe their rights have been violated.
9. Cookies and Tracking
Our website uses cookies for:
- Essential cookies — Required for the website to function (session management, authentication). These cannot be disabled.
- Analytics cookies — Aggregated, anonymized visitor statistics. You can opt out of these.
We do not use advertising cookies, cross-site tracking, or fingerprinting technologies. You can manage cookie preferences through your browser settings or read our full Cookie Policy.
10. Security
We implement appropriate technical and organizational measures to protect your personal data:
- AES-256 encryption for all data in transit and at rest
- Mandatory two-factor authentication for all administrative access
- Regular security audits and penetration testing
- Principle of least privilege for all system access
- Documented incident response procedures
In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours, as required by GDPR.
11. Children's Privacy
Our service is not directed at children under 16 years of age, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Updating the "Last updated" date at the top of this page
- Sending an email notification to your registered address (for significant changes)
- Displaying a prominent notice on our website
Continued use of our service after changes take effect constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions, requests, or complaints:
- Email: [email protected]
- Contact form: limevpn.com/contact
- Response time: Within 7 days for standard requests; 72 hours for breach notifications