TunaVPN ("us", "we", or "our") operates the TunaVPN Service ("Service"). As a company that promises security, we recognize the importance of our customers fully understanding what personal information we collect, store and process. Our systems are designed with your privacy and the principle of data minimization in mind.

This privacy policy describes how we processes the personal information you provide to us in accordance with the requirements of the Wyoming Statutory data security requirements and the General Data Protection Regulation (GDPR).

We have done our best to make this policy as clear and simple as possible so that you understand everything without having to wade through many pages of boring legal text.

We do NOT log your VPN sessions, browsing behavior, the websites you visit, or any other activity related to your VPN connection. In addition, we NEVER store VPN connection logs and timestamps that associate your incoming and outgoing IP address or session duration.

What does this policy cover?

This policy applies where we act as a data controller in relation to the personal information of visitors and service users; in other words, where we determine the purposes and means of processing that personal information. This includes when you use our services, when you visit our website or when you use or iOS or Android App.

This policy does not apply to third-party services or products, even if we are associated with such third-party service or product. Our website contains hyperlinks to and information from web sites operated by third party providers. We have no control over and are not responsible for the privacy policies and practices of third parties.

How and why do we process the collected personal information?

We use the collected data for various purposes:

· To provide, maintain and develop our Services

· To inform you about changes to our services

· To allow you to participate in interactive features of our Services, if you choose to do so

· To provide customer support, including sending password reset emails

· To gather analytics or valuable information so that we can improve our services or conduct scientific research

· To monitor the utilization of our services

· To detect, prevent, and resolve technical problems

· To detect and prevent fraud or other criminal activity

· To carry out the terms of a contract you have with us or to enter into a contract with us

· To comply with a legal obligation to which we are subject or to protect your vital interests or the vital interests of another natural person

· To provide you with news, special offers and general information about other goods, services and events we offer that are similar to those you have already purchased or requested, unless you have opted not to receive such information

What personal information do we collect and store?

a) when you subscribe to one of our plans or create a user account

We process your personal information. This is any information relating to an identified or identifiable individual (Art. 4 No. 1 GDPR). We process the data of our users, registered users in order to be able to provide our contractual services to them as well as on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further. The required information is identified as such in the context of the subscription or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information.

Unless otherwise specified the purposes of processing are Contractual performance and service, the Legal bases are Contractual performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR), and our Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR).

b) Convenience log in and sign up

The connect feature of Google and Apple are offered as an option to register with us. When registering via Google`s or Apple`s connect function, you agree to the respective terms and conditions and consent to certain data from your respective profile of being transferred to us. The Legal bases is your consent (Art. 6 para. 1 p. 1 lit. a. GDPR).

c) when you contact us

If you contact us, your enquiry including all personal information resulting from it (name, enquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent. The processing of this data is based on Art. 6 (1) lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested. The data you send us via contact requests will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. (e.g., after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

d) when you log on to our VPN service

To protect your privacy, we only collect the minimum information necessary, and that is your email address to let you access our service. We store your email address encrypted on our secured servers. All personal information, including your email address, sent from your web browser to our web server or from our web server to your web browser is protected by encryption technology. The Legal bases are Contractual performance (Art. 6 para. 1 p. 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR) , and our Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR).

e) when you connect to our VPN service

We keep a temporary log of connection data for troubleshooting purposes, which includes a randomly generated username of the customer and an internally assigned (non-public) IP address and is securely deleted every few hours. This randomly generated username cannot be linked to your real username. We have deliberately and consistently chosen not to log all other data in order to limit our legal liability. We do, however, log the Connection status, bandwidth consumption so that we can bill you properly and maintain a high quality of service. All usage data is anonymized and not linked to your real, public IP address. The Legal bases are Contractual performance (Art. 6 para. 1 p. 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR), and our Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR).

f) for marketing and advertisement services

We do not store your name, IP address or physical addresses or any other personal information. We may use your personal information in your account, such as your email address, to contact you with newsletters, marketing or promotional materials, and other information that may be of interest to you. You may opt out of these or other communications from us by following the unsubscribe link or instructions in an email we send you or by contacting us. You consent to this processing by signing up for a TunaVPN account. The legal basis for the processing of your personal information in the context of direct marketing measures is your consent (Art. 6 para. 1 p. 1 lit. a. GDPR) or our legitimate interest (Art. 6 para. 1 p. 1 lit. f GDPR) in marketing and promoting our courses and services. The purpose of processing your personal information in the context of direct marketing measures is to send information, offers and, if applicable, to promote sales.

g) when you browse our websites

We may process data about your use of our websites ("Website Usage Data"). Website Usage Data may include your IP address, geographic location, browser type and version, operating system, referral source, visit duration, page views and website navigation paths, as well as information about the timing, frequency and patterns of your visits. The source of website usage data is web server logs. This usage data may be processed for purposes of analyzing the use of the website and services. The legal basis for this processing is our legitimate interest (Art. 6 para. 1 p. 1 lit. f GDPR), namely security, monitoring, protection and improvement of our website and services.

h) Cookies

We use temporary and permanent cookies, i.e., small files that are stored on users' devices (for an explanation of the term and its function, see the last section of this privacy policy). In part, the cookies serve the purpose of security or are necessary for the operation of our online offer (e.g., for the display of the website) or to save the user decision when confirming the cookie banner. In addition, we or our technology partners use cookies for range measurement and marketing purposes, about which users are informed in our Cookie Policy.

A general objection to the use of cookies for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site https://www.aboutads.info/choices/ or the EU site https://www.youronlinechoices.com/. The legal basis for this processing is our legitimate interest (Art. 6 para. 1 p. 1 lit. f GDPR), namely security, monitoring, protection and improvement of our website and services.

i) device information

We collect information from and about your device(s), including hardware and software information such as IP address, device ID and type, version and language, operating system, time zones, identifiers associated with cookies or other technologies that may uniquely identify your device, information on your wireless and mobile network connection, like your service provider and signal strength to maintain a record of how many devices you use to connect to our service.

j) when you send a data subject access request

The legal basis for the processing of your personal information in the context of handling your data subject access request is our legal obligation and the legal basis for the subsequent documentation of the data subject access request is both our legitimate interest and our legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR), and (Art. 6 para. 1 p. 1 lit. f GDPR). The purpose of processing your personal information in the context of processing data when you send a data subject access request is to respond to your request. The subsequent documentation of the data subject access request serves to fulfil the legally required accountability.

k) for the enforcement of our rights and legal defense

The legal basis for the processing of your personal information in the context of legal defense and enforcement of our rights is our legitimate interest (Art. 6 para. 1 p. 1 lit. f GDPR). The purpose of processing your personal information in the context of legal defense and enforcement of our rights is the defense against unjustified claims and the legal enforcement and assertion of claims and rights.

l) Advertising

In the free version of our services advertisers and third parties also may collect information about your activity on app, on devices associated with you, and on third-party sites and applications using tracking technologies. Tracking data collected by these advertisers and third parties is used to decide which ads you see in our app. You can opt out on the Digital Advertising Alliance (DAA) website if you wish not to receive targeted advertising. You may also be able to choose to control targeted advertising on other websites and platforms that you visit. In addition, you may also choose to control targeted advertising you receive within applications by using the settings and controls on your devices.

m) Authorizations and Access

We may request access or permission to certain functions from your device (i.e., geolocation in de-identified form to find the closest server for optimum connection and speed and permission to add a VPN connection to the system). The legal basis for data processing is our legitimate interest (Art. 6 para. 1 p. 1 lit. f GDPR) and the provision of contractual or pre-contractual measures (Art. 6 para. 1 p. 1 lit. b GDPR).

n) Icon links to social networks

We use small icons that refer to third-party social media platforms. These are hyperlinks in each case, so no data is transferred from you automatically, but only when you click on the icons. When you tell a friend about the TunaVPN, a connection to the social media platform server is established. This tells the social media platforms server that you have visited our services.


Your personal information will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the processing of a data subject access request, this is three years after the end of the respective process. You have the possibility at any time to object to the processing of your personal information in the context of the processing of a data subject access request for the future. In this case, however, we will not be able to further process your request. The documentation of the legally compliant processing of the respective data subject access request is mandatory. Consequently, there is no possibility for you to object.

Security measures

We take appropriate technical and organizational measures in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk; the measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input of, disclosure of, assurance of availability of, and separation of, the data relating to them. We also have procedures in place to ensure the exercise of data subjects' rights, deletion of data and response to data compromise.

Furthermore, we already take the protection of personal information into account during the development and selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Art. 25 GDPR). The security measures include in particular the encrypted transmission of data between your device and our server and the connection to our service is protected by industry standard TLS (transport layout security).

Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.). If we commission third parties to process data on the basis of a so-called "processing agreement", this is done on the basis of Art. 28 GDPR.

Online Payment, Secure data transmission and Credit card information

The transmission of your personal information during an order transaction is encrypted using industry standard Secure Socket Layer ("SSL") technology, (SSL encryption version 3). Any credit card information you provide will not be stored by us but will be encrypted and collected directly from our payment service provider via hypertext transfer protocol secure ("https"). We may share information with, and you may need to provide credit or debit card information directly to the provider in order to process payment details and authorize payment following a secure link. The information which you supply to in such cases is not within our control and is subject to our payment service provider ’s own Privacy Policy and Terms and Conditions.

Use of analysis programs

The website uses the web analytics service Jetpack to analyze and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. Furthermore, we use the system for measures to protect the security of the website, e.g., the detection of attacks or viruses. For the exceptional cases in which personal information is transferred to the USA. The legal basis for the use of Jetpack is Art. 6 para. 1 p. 1 lit. f GDPR.

For this evaluation, cookies are stored on your computer. The information collected in this way is stored on a server in the USA. If you prevent the storage of cookies, please note that you may not be able to use this website to its full extent. You can prevent the storage of cookies by changing the settings in your browser or by clicking the "Click here to Opt-out" button at http://www.quantcast.com/opt-out .

Who is the recipient of data? To whom is your data disclosed?

Data is only disclosed to third parties if there is a legal basis for the processing. For example, we disclose personal information to persons or companies that act as processors for us in accordance with Art. 28 of the GDPR. A processor is anyone who processes personal information on our behalf, i.e., in particular in an instruction and control relationship with us. In accordance with the requirements of the GDPR, we conclude a contract with each of our processors to oblige them to comply with data protection regulations and thus to provide your data with comprehensive protection.

Transfers to third countries

Since we are based in the USA and facilitate data centers around the world, we process data outside the European Union (EU).In this sense we are relying on the adequacy decision of the EU. If processing takes place outside the EEA this is done in the context of using third-party services or disclosing or transferring data to third parties, this is only done if it is done in order to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 ff. GDPR are met. This means, for example, that processing is carried out on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to the EU or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").

Rights of data subjects

In accordance with the GDPR you have individual data subject right.

· You have the right to request confirmation as to whether data in question is being processed and to information about this data, as well as further information and a copy of the data in accordance with Art. 15 of the GDPR.

· You have according to. Article 16 of the GDPR, you have the right to request that the data concerning you be completed or that inaccurate data concerning you be corrected.

· In accordance with Art. 17 of the GDPR, you have the right to demand that the data in question be deleted without delay, or alternatively, in accordance with Art. 18 of the GDPR, to demand restriction of the processing of the data.

· You have the right to obtain the data concerning you that you have provided to us in accordance with Article 20 of the GDPR and to request that it be transferred to other data controllers.

· You also have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.

· You have the right to revoke any consent you have given in accordance with Art. 7 (3) of the GDPR with effect for the future.

· You may object to the future processing of data relating to you in accordance with Art. 21 GDPR at any time. The objection can be made in particular against the processing for purposes of direct advertising.

Data Subject Access Request

For clarification, you have the right to request confirmation from us at any time as to what information we hold about you and to request that we amend, update, or delete that information. We may comply with your request in response. In addition, we have the following options: Ask you to confirm your identity, or ask you for more information about your request, and were permitted by law, refuse your request. (However, in this case we will explain the reasons for the refusal).

Deletion of data

The data processed by us will be deleted or its processing restricted in accordance with Articles 17 and 18 of the GDPR. Unless expressly stated within the scope of this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e., the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

Online presences in social media

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply. Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g., write posts on our online presences or send us messages.

Obligation to provide personal information

You are not obliged to provide us with personal information. However, depending on the individual case, the provision of certain personal information may be necessary for the provision of the above services. If you do not provide us with this personal information, we may not be able to provide the service.

Automated decision-making

We do not use automated decision-making or profiling.

Do Not Sell My Personal Information

We do not sell information that directly identifies you, like your name, address or phone records.


It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal information.

Data transfer to the USA and other third countries

Among other things, we use tools from companies based in the USA or other third countries that are not secure under data protection law. If these tools are active, your personal information may be transferred to these third countries and processed there. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in these countries. For example, US companies are obliged to hand over personal information to security authorities without you as a data subject being able to take legal action against this. It can therefore not be ruled out that US authorities (e.g., intelligence services) process, evaluate and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities.


In certain countries, including in the European Union, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how we process information. The data protection authority you can lodge a complaint with notably may be that of your habitual residence, where you work or where we are established.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Information, deletion, and correction

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal information, its origin and recipient and the purpose of the data processing and, if applicable, the right to correction or deletion of this data. You can contact us at any time with regard to this and any other questions you may have on the subject of personal information.

Children Data

Our website is not intended for children, and we do not knowingly collect data relating to children. If you become aware that your Child has provided us with Personal information, without parental consent, please contact us and we take the necessary steps to remove that information from our server.


This version of the Privacy Policy is effective as of 02/08/2022. This policy and our commitment to protecting the privacy of your personal information can result in changes to this policy. Please regularly review this policy to keep up to date with any changes.

Queries and Complaints

If you have any questions, please do not hesitate to contact us.