IVPN

IVPN is a virtual private network service offered by the Gibraltar-based company Privatus Limited.

This page is not published. While you can access it via its direct link, it is not yet displayed on the website.

Transparency

Does the policy require users to be notified in case of a data breach? No

0/7

Decided May 17, 2020 (revision history). This question accounts for 8% of the final score.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No0/7
Yes, eventually5/7
Yes, within 72 hours7/7
N/A (the service collects so little personal data that notification would not be possible)7/7

Note

There is no mention of alerting a user due to breach

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Will affected users be notified when the policy is meaningfully changed? Yes

5/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Yes5/5
N/A (no personal data—or contact information—collected)5/5

Citation

IVPN reserves the right to change this privacy policy at any time. In such cases, we will take every reasonable step to ensure that these changes are brought to your attention by posting all changes prominently on the IVPN web site for a reasonable period of time, before the new policy becomes effective as well as emailing our existing customers.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Is the policy's history made available? No

0/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Only the date it was last modified3/5
Yes, with revisions or a change-log5/5

Note

No date or changelog

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy outline the service's general security practices? Yes

2/3

Decided May 17, 2020 (revision history). This question accounts for 4% of the final score.

Possible Options

No0/3
Somewhat1/3
Yes2/3
Yes, including audits2.5/3
N/A (no personal data collected)3/3
Yes, including independent audits3/3

Citation

IVPN is subject to EU law and is in compliance with the EU Data Protection Directive (Directive 95/46/EC), which prohibits companies transferring data to overseas jurisdictions with weaker privacy laws. IVPN will not locate servers in countries where it's forced to break this compliance. Due to the nature of our logging practices VPN servers do not contain any personally identifiable information and thus, if seized, could not be used to identify users.

No 3rd parties have access to any of your data. We always use 1st or 3rd party tools we can host on our own servers in a protected and secure environment.

Note

An audit by Cure53 happened 2020-01-23 (https://www.ivpn.net/blog/independent-security-audit-concluded/)

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Collection

Is it clear why the service collects the personal data that it does? Yes

10/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No0/10
Somewhat4/10
Mostly7/10
Yes10/10
No personal data is collected10/10

Citation

To create an IVPN account you need only provide an email address. That address is used to facilitate password resets and to send important security updates relating to our service. Should you wish to opt out of email communication please contact out support team to be removed from our mailing list. You're free to use any email address, disposable or permanent. Your email address will be associated with an IVPN ID, an internal ID used to manage your account.

We don't require any other personally identifiable information should you use more anonymous payment methods such as cash or cryptocurrency.

Each account also carries a subscription expiry date so we can manage both trial period expiry and re-subscription.

[...]

Some payment information may be related to your account, for example, if PayPal is used a PayPal transaction ID with be associated with your account, as well as a subscription ID should you set up a PayPal subscription.

For credit card payments, we use Braintree as our payment processor, and store a Braintree transaction ID against your account. If you elect to enable auto-renew for card payments, a subscription ID will also be stored.

In order to process your payment Braintree and PayPal will request additional information. Braintree requires collection of your card details to process your payment, and PayPal will require name, email and address information to create a new PayPal account as well as agreement to their terms of service. These additional datapoints are not stored by IVPN, though Braintree and PayPal are required to retain them for many years. In addition, no 3rd party payment provider has access to your IVPN ID.

In short, where we can offer anonymous payment methods we will, and we collect as little information as possible to process them. However centralised or 3rd party payment systems and their data processing and storage are out of our control.

Please select cash or cryptocurrency payments should this be of concern.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy list the personal data it collects? Yes, exhaustively

10/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

All types of collected personal data are listed specifically

Possible Options

No0/10
Only summarily3/10
Yes, generally7/10
Yes, exhaustively10/10
N/A (no personal information is collected)10/10

Citation

o create an IVPN account you need only provide an email address. That address is used to facilitate password resets and to send important security updates relating to our service. Should you wish to opt out of email communication please contact out support team to be removed from our mailing list. You're free to use any email address, disposable or permanent. Your email address will be associated with an IVPN ID, an internal ID used to manage your account.

We don't require any other personally identifiable information should you use more anonymous payment methods such as cash or cryptocurrency.

Each account also carries a subscription expiry date so we can manage both trial period expiry and re-subscription.

Some payment information may be related to your account, for example, if PayPal is used a PayPal transaction ID with be associated with your account, as well as a subscription ID should you set up a PayPal subscription.

For credit card payments, we use Braintree as our payment processor, and store a Braintree transaction ID against your account. If you elect to enable auto-renew for card payments, a subscription ID will also be stored.

In order to process your payment Braintree and PayPal will request additional information. Braintree requires collection of your card details to process your payment, and PayPal will require name, email and address information to create a new PayPal account as well as agreement to their terms of service. These additional datapoints are not stored by IVPN, though Braintree and PayPal are required to retain them for many years. In addition, no 3rd party payment provider has access to your IVPN ID.

In short, where we can offer anonymous payment methods we will, and we collect as little information as possible to process them. However centralised or 3rd party payment systems and their data processing and storage are out of our control.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service collect personal data from third parties? No

10/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes0/10
Only for critical data7/10
No10/10

Note

No data is fetched from third parties.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow the user to control whether personal data is used or collected for non-critical purposes? On an opt-out basis, for all non-critical data/uses

3/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Some services allow users to opt-out or opt-in to of non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No0/5
On an opt-out basis, but only for some non-critical data/uses1.5/5
On an opt-out basis, for all non-critical data/uses3/5
N/A (no data used for non-critical purposes)5/5
On an opt-in basis5/5

Citation

Should you wish to opt out of email communication please contact out support team to be removed from our mailing list.

On our mobile apps, you can opt-out of crash log reporting by disabling it in user preferences.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Handling

Does the policy allow personally-targeted or behavioral marketing? No

10/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

Possible Options

Yes0/10
Yes, but you can opt-out3.5/10
Yes, but you must opt-in7/10
No10/10

Note

No information mentioning such

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow third-party access to private personal data? Yes, all parties specified (only to critical service providers)

8/10

Decided May 17, 2020 (revision history). This question accounts for 12% of the final score.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified0/10
Yes, all parties specified (including non-critical service providers such as advertisers)3/10
Yes, not all parties specified (but only to critical service providers)7/10
Yes, all parties specified (only to critical service providers)8/10
No10/10

Citation

Some payment information may be related to your account, for example, if PayPal is used a PayPal transaction ID with be associated with your account, as well as a subscription ID should you set up a PayPal subscription. [...] For credit card payments, we use Braintree as our payment processor, and store a Braintree transaction ID against your account. If you elect to enable auto-renew for card payments, a subscription ID will also be stored. [...] IVPN have selected Piwik as their web analytics platform. [...] Piwik is open source software that is hosted on our own server infrastructure to ensure your privacy[...].

Note

Piwik is, presumably, hosted under https://stats.ivpn.net (according to NoScript logging)

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No0/5
Yes, by contacting someone3/5
Yes, using an automated mechanism5/5
N/A (no personal information collected)5/5

Citation

When a VPN account is terminated on our network due to the subscription ending, non-payment or for any other reason, all data associated with that VPN account including the account itself is deleted from all systems.

We do not delete our customer's client area account which includes the email address and password which they use to sign up for their account.

However if you wish you can simply request deletion of your client area account by submitting a ticket to our billing department.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


When does the policy allow law enforcement access to personal data? Only when required by a court order or subpoena

4/5

Decided May 17, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

Always0/5
Not specified0/5
When reasonably requested3/5
Only when required by a court order or subpoena4/5
N/A (no personal data to share)5/5
Never (special legal jurisdiction)5/5

Citation

The company is incorporated in Gibraltar. If a court order is received from a recognised legal authority with jurisdiction over IVPN then the company will comply with that order. However, the company cannot be compelled to hand over information which it does not have. When a customer signs up we request the minimum information possible, a valid email address. If it ever becomes required by law for us to keep a persistent log of our customers connections or any personal data relating to their network activity, we will immediately notify our customers and do everything in our power to move jurisdictions or close the service to protect those who entrust their privacy to us.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.



Warnings

IVPN has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for IVPN, submit one here.


Highlighted Policy Snapshot ALPHA

No highlighted policy snapshot has been created for this privacy policy. To view the policy at its original location, click here.

7.6/10

How we calculate ratings →


Version Added

May 17, 2020

Ratings Updated

May 17, 2020

Warnings

0

Maintained by

doamatto

Original Location
Open in New Tab
Other Versions