FlashVPN is a privately operated WireGuard-based VPN service used by the developer and a small group of authorized users. It is not a commercial consumer product; there is no public signup and no retail sale.

This statement describes exactly what information the service processes, what it does not retain, and how data is handled. It is written plainly because the authors believe privacy policies should be understandable, not performative.

Short version: FlashVPN does not log your traffic, does not share your data with anyone, and retains only the minimum information required to keep authenticated sessions working.

What we don't do

Never logged

  • Traffic content or destinations
  • DNS queries made through the tunnel
  • Browsing history or URLs visited
  • Bandwidth profiling per user
  • Connection timestamps beyond the active session

Never shared

  • No data sold or licensed to third parties
  • No data sent to advertising networks
  • No analytics SDKs embedded in clients
  • No telemetry disguised as "diagnostics"
  • No data given to data brokers

What is minimally retained

To authenticate sessions and prevent unauthorized access, the servers maintain the following state for authorized users:

  • Username and hashed credentials
  • Current WireGuard public key for the active device
  • Assigned tunnel IP address within the private network range
  • Current-session device identifier (to handle multi-device login takeover)
  • Last handshake timestamp of the active session (used for session liveness, purged on disconnect)

This data is held in server memory and the operator's encrypted database, is not shared externally, and is purged when a user is removed or a session is terminated.

Data security

  • All client ↔ server traffic is encrypted end-to-end via WireGuard (ChaCha20-Poly1305 AEAD)
  • Administrative endpoints use TLS 1.2+ with modern cipher suites
  • Server infrastructure is directly operated by the developer; no third-party administration
  • Private keys are generated on-device; the server never sees the user's private key

Third parties

FlashVPN does not integrate any analytics platform, advertising network, or tracking SDK in its clients or server infrastructure. The only third-party service touching FlashVPN traffic is Cloudflare, which fronts the public website (flashvpn.org) for DDoS protection and TLS termination. Cloudflare does not have access to VPN tunnel traffic, which uses a separate protocol (WireGuard over UDP) to the VPN servers directly.

Jurisdiction and scope

FlashVPN is operated as a personal project. There is no corporate entity behind it. No automated legal requests are honored because, in practice, the service retains no data about user activity that could be provided in response to one. Account-level information (username, public key, assigned IP) exists only for active users and is not subject to automated retention.

Changes

If this statement changes, the updated version will appear at this URL with a new "Last updated" date. Material changes will be communicated to authorized users via the client application.

Contact

Questions about this statement or about any data concerns are welcome via the contact page.