Service is in closed beta testing. Full availability will be announced soon. Browser extensions with free servers will be available by the end of November 2025.

Privacy Policy

Last updated: 17 Oct 2025

Glitch VPN (“we”, “us”, “our”) is operated by GLITCH LABS LLC. We collect the minimum data needed to operate subscriptions, device management, and support.

We operate the VPN with no activity-logs: we do not persist traffic contents or destinations, DNS queries, original IP addresses, connection timestamps, session duration history, or per-account bandwidth histories.


Data we process

  • Account Identifier: user_code (random 16-character code).
    Purpose: authenticate and provide the Service. Legal basis (GDPR): performance of a contract.
  • Devices: device_id, os, device_type (mobile/desktop/browser).
    Purpose: device limits, primary-device control, troubleshooting. Basis: contract/legitimate interests.
    Deletion: device data is deleted upon sign out of that device.
  • Session Ephemera: server_client_id (exists only while connected).
    Purpose: routing and anti-abuse protections. Basis: legitimate interests.
    Deletion: ephemeral; destroyed when the session disconnects.
  • Messaging-platform identifier: Telegram user ID (stored as is) to manage subscriptions and support (including deletion of sensitive messages in the bot).
    Also stored in payment metadata as a pseudonymized string.
    Basis: contract/legitimate interests.
    Deletion: deleted as soon as the user signs out from the Telegram bot or when no longer needed for subscription management/support.
  • Payment metadata: Telegram Stars transaction identifiers, plan identifier, amounts, currency equivalent, and timestamps as provided by Telegram.
    Purpose: fulfill the purchase, handle refunds/chargebacks, comply with accounting and tax rules. Basis: performance of a contract/legal obligations.
    Deletion: retained up to 3 years from the transaction to comply with legal and accounting obligations, then anonymized or deleted.

We do not collect names, emails, passwords, or payment card details.


Payments

We partner with Telegram Payments for in-app purchases using Telegram Stars. Telegram (and its payment partners) act as the payment processor and provide us with confirmation of your purchase, Stars amount, and associated transaction IDs. Telegram processes payment data under its own policies, including the Telegram Privacy Policy and Telegram Bot Developer Terms §6.2.1.

We do not receive your card or bank details. We receive only the payment metadata described above, which we use to activate your plan, reconcile accounts, handle support or dispute requests, and meet tax/accounting obligations.


Cookies, analytics, and third parties

  • We do not use trackers/analytics within the VPN Service.
  • Our public website/CDN may rely on infrastructure providers (e.g., Cloud services, CDN/SSL) for performance and security. Such providers may process limited technical data (e.g., IP at the edge) under their own policies to deliver the site and mitigate abuse.

Subprocessors & international transfers

We may use infrastructure and platform providers to operate the Service. Server locations are various worldwide. Where personal data is transferred from the EEA/UK to a third country, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable.


Retention

  • user_code: retained up to 1 year from the last successful authorization, then deleted.
    However, if paid time is active, the account will not be deleted until the end of the paid period or cancellation.
  • devices: retained while linked; deleted upon device sign out or removal.
  • server_client_id: ephemeral, deleted on disconnect.
  • telegram_user_id: retained as needed for subscription management/support; deleted upon sign out from the Telegram bot or when no longer necessary.
  • payment metadata: retained up to 3 years to comply with accounting, tax, and dispute-handling requirements, after which it is anonymized or deleted.

Your rights

Where applicable (e.g., GDPR/UK GDPR/CCPA), you may request access or deletion. The most privacy-preserving path is via our support bot @glitch_vpn_support_bot or by emailing [email protected]. We may ask you to prove control of the primary device or the user_code.


Security

We design for no activity-logs. Operational protections rely on in-memory mechanisms and ephemeral state, plus standard network security controls. No method of transmission is 100% secure.


Children

The Service is for users at or above the age of majority in their country, and in any case 18+.


Law enforcement & transparency

We respond only to properly served, valid legal requests addressed to GLITCH LABS LLC under applicable law. Given our design, we typically cannot attribute network activity to a specific user. Where legally allowed, we will disclose if we have no matching records.


Changes

We may update this Policy. Material changes will be posted here with a new “Last updated” date.


Contact