Legal

Privacy Policy

Last updated: January 1, 2025

Our Commitment to Privacy

CipherShift is built on a fundamental principle: your privacy is not negotiable. We designed our service from the ground up to collect the minimum data necessary to operate, and to protect what little we do collect.

What We Don't Collect (VPN Traffic)

When you use CipherShift VPN, we do NOT collect:

  • Browsing history or traffic destinations
  • DNS queries
  • Connection timestamps
  • Session duration
  • Your originating IP address
  • Bandwidth used per session
  • Any content of your communications

This is not just a policy, it's technically enforced. Your dedicated server runs without logging infrastructure. We cannot see what you do online because we built our system so that we can't.

What We Do Collect (Account Data)

To operate your account, we collect:

  • Email address: For account creation, authentication, and service communications
  • Payment information: Processed by Stripe. We store only the last 4 digits of your card and expiration date for your reference. We never see your full card number.
  • Server preferences: Your chosen server location and configuration settings

Dedicated Server Architecture

Unlike traditional VPNs, your CipherShift server is dedicated to you. We provision it in your chosen region, configure it with your encryption keys, and then step back. We do not have access to your server's traffic or logs because there are no logs to access.

CipherShift Key Rotation

Our proprietary key rotation generates new encryption keys every hour. Old keys are cryptographically destroyed. This means even if someone obtained a key, they could only decrypt at most one hour of traffic, and since we don't log traffic, there would be nothing to decrypt.

Third-Party Services

We use the following third-party services:

  • Stripe: Payment processing
  • Cloud providers: Server infrastructure (AWS, DigitalOcean, Vultr depending on region)
  • Cloudflare: DDoS protection for our website (not VPN traffic)

Data Retention

Account data is retained while your account is active. Upon account deletion, we remove all personal data within 30 days. Payment records are retained as required by law for tax and accounting purposes.

Law Enforcement Requests

If we receive a valid legal request, we can only provide what we have: your email address and payment information. We cannot provide browsing history, connection logs, or traffic data because we don't have it. We maintain a warrant canary to signal if we've received orders we cannot disclose.

Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for marketing communications

To exercise these rights, contact privacy@ciphershift.io.

Contact

For privacy-related inquiries, contact our Data Protection Officer at privacy@ciphershift.io.