6 Dec 2018

Free VPN Apps: Chinese Ownership, Secretive Companies & Weak Privacy

We investigated the top free VPN (Virtual Private Network) apps in Apple's App Store and Google Play and found that over half are run by highly secretive companies with Chinese ownership. Very few of these hugely popular apps, which have hundreds of millions of installs worldwide, do anywhere near enough to deserve the trust of consumers looking to protect their privacy.

Simon Migliano, Head of Research

After the big names like Facebook and Snapchat and games, VPNs are the most searched-for apps in the world. The most popular have amassed hundreds of millions of installs between them worldwide and yet there appears to be little vetting of the companies entrusted with the responsibility for redirecting all their users’ internet traffic through their servers.

A VPN or Virtual Private Network encrypts a user’s internet connection and diverts their traffic via a remote server in order to replace their IP address. They are primarily used to keep internet activity private, evade censorship and use public WiFi securely.

It’s therefore vitally important that consumers choose their VPN provider wisely given the potential for misuse of their data. Unfortunately, the majority of apps appearing in the top results for “VPN” searches are free products from obscure and highly secretive companies that deliberately make it very difficult for consumers to find out anything about them.

We decided to shine a light on these companies to help consumers avoid inadvertently compromising their privacy by using untrustworthy products. We recorded the top 20 free apps displayed in the search results for “VPN” in the App Store and Play Store for UK and US locales. This resulted in a list of 30 apps due to the overlap between stores and locales. See the notes at the end of this report for the full methodology.

Our investigation uncovered that over half of the top free VPN apps either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the internet within its borders. Furthermore, we found the majority of free VPN apps had little-to-no formal privacy protections and non-existent user support.

Apple and Google have let down consumers by failing to properly vet these app publishers, many of whom lack any sort of credible web presence and whose app store listings are riddled with misinformation.

Key Findings

  • 59% of apps have links to China (17 apps)
  • 86% of apps had unacceptable privacy policies. Issues include:
    • Lack of important detail around logging policies that could lull people into a false sense of security
    • Generic policies with no VPN-specific terms
    • No policy at all
    • Tracking user activity or sharing with third parties
    • Several privacy policies explicitly stated that they share data with China
  • 55% of privacy policies were hosted in an amateur fashion
    • Free WordPress sites with ads
    • Plain text files on Pastebin
    • Text files on Amazon servers
    • Text files on raw URLs, such as IP addresses
  • 64% of apps had no dedicated website – several had no online presence beyond app store listings.
  • Vast majority of companies make it very difficult to find out where they are based and who is involved – for a minority it was impossible to track down the provider.
  • Over half (52%) of customer support emails were personal accounts, ie Gmail, Hotmail, Yahoo etc
  • 83% of app customer support email requests for assistance were ignored

Summary Table

The table below lists every VPN app we investigated. Android install numbers are total installs worldwide; iOS figures are estimated monthly installs. All data is from Sensortower.
 

| App | Android installs | iOS installs | Ownership |
|---|---|---|---|
| TurboVPN | 3M | 300K | Chinese |
| VPN Proxy Master | 1M | 800K | Chinese |
| Snap VPN | 10M | N/A | Chinese |
| X-VPN | 5M | 600K | Chinese |
| VPN 360 | 1M | 500K | Chinese |
| VPN – Super Unlimited Proxy | N/A | 400K | Chinese |
| Free VPN by FreeVPN.org | 500K | 200K | Chinese |
| Secure VPN | 1M | N/A | Chinese |
| VPN – Master Proxy | N/A | 60K | Chinese |
| HotspotVPN | 1M | 70K | Chinese |
| SkyVPN | 1M | 200K | Chinese |
| VPN Patron | N/A | 200K | Chinese |
| VPN for iPhone | N/A | 100K | Bangladeshi |
| YogaVPN | 5M | 40K | Chinese |
| VPN Guru | N/A | 80K | Chinese |
| Hola | 10M | 60K | Israeli |
| Hotspot Shield | 50M | 1M | American |
| Betternet | 10M | 1M | American |
| TouchVPN | 10M | 70K | American |
| Shield VPN | N/A | 70K | Chinese |
| VPN Wifi Proxy Security Master | N/A | 50K | Chinese |
| Victory VPN | N/A | 20K | Chinese |
| Storm VPN | N/A | 5K | Unconfirmed |
| SuperVPN Free VPN Client | 50M | N/A | Chinese |
| VPN Private | 10M | N/A | Ukrainian |
| Thunder VPN | 1M | N/A | HK Chinese |
| VPN Melon | 1M | N/A | Unconfirmed |
| Super VPN | 5M | N/A | Chinese |
| #VPN | N/A | 200K | American |
| Psiphon | 10M | 100K | Canadian |

VPN Master Unlimited, Turbo VPN & Snap VPN

Aliases

  • VPN Proxy Master
  • VPN Master
  • Turbo VPN Private Browser

Installs

VPN Master

Turbo VPN

SnapVPN

Where is it based?

These apps are operated by three closely related companies based in Singapore with links to mainland China.

Full company details

Company Name: ALL Connected Co. Ltd – named developer on App Store listings for both apps

Corporate Address: 576, Woodlands Drive 16, #05-514, Singapore 730576

Company Registration No. 201537185C

————————————–

Company Name: Innovative Connecting Pte. Ltd – named developer on Play Store listings and VPN Master website. Turbo VPN listing also links to the same website.

Corporate Address: 38 Beach Road #29-11 South Beach Tower, Singapore

Company Registration No. 201812738K

————————————–

Company Name: Lemon Clove Pte Ltd (shares company secretary with Innovative Connecting Ltd and its privacy policy is on the same domain)

Corporate Address: 260, Orchard Road, #16-02, The Heeren, Singapore 238855

Company Registration No. 201813499K

Who’s behind the company?

ALL Connected Co. Ltd

Director: Chand Kumar Vishwakarma (Indian national)

Singapore address (redacted but available on public record)

Secretary: Raja Muhammad Shah Bin Abdullah (Indian national)

Singapore address (redacted but available on public record)

————————————–

Innovative Connecting Pte. Ltd

Director: Chen, Danian (Chinese National)

Singapore address (redacted but available on public record)

Secretary: Yoo, Loo Ping (Singapore Citizen)

Singapore address (redacted but available on public record)

Sole shareholder: Linksure Telecom Sea Holding Ltd (T18UF2859L)

Cricket Sq, Hutchins Dr, PO Box 2681, Grand Cayman, KY1-1111, Cayman Islands

————————————–

Lemon Clove Pte Ltd

Director: Li, Yang (Chinese passport holder)

Singapore address (redacted but available on public record)

Secretary: Yoo, Loo Ping (Singapore Citizen)

Singapore address (redacted but available on public record)

Sole Shareholder: Lemon Seed Investment Ltd (T18UF3035C), Commerce House, Wickhams, Cay 1, PO Box 3140, Road Town, Tortola, BVI, VG 1110

Notes on company structure

While the exact nature of the relationship between these three companies remains unconfirmed, they are clearly associated. ALL Connected is named as developer of VPN Master and Turbo VPN on the App Store, while Innovative Connecting appears on the same apps’ Play Store listings and on the VPN Proxy Master website that links to both stores and is linked to from the Turbo VPN Play Store listing.

Lemon Clove shares a company secretary and key addresses with Innovative Connecting.

Furthermore, the privacy policies for the two versions of VPN Master app are identical yet hosted on different domains, one of which is on the ALL Connected domain, the other on a generic Cloudfront domain. The policy for both versions of the Turbo VPN app is hosted on the same generic Cloudfront domain as VPN Master but on a different URL (see below for more info). Similarly, the Snap VPN app from Lemon Clove is also on the same Cloudfront domain and shares the same wording, including notable typos.

See screenshots: website link, developer site, play store listing

Innovative Connecting director Chen Danian (aka Danny Chen) is a notable and influential Chinese internet entrepreneur and has previously been listed among the 400 richest Chinese. He is founder and CEO of Linksure, which shares a name with the single shareholder of Innovative Connecting. While his name has not been previously publicly linked with this VPN company, he is listed as director on Singapore’s Accounting and Corporate Regulatory Authority (ACRA) Business Profile of the shareholding entity.

Company secretary Yoo Loo Ping for Lemon Clove and Innovative Connecting is a Chinese passport holder.

ALL Connected director C.K Vishwakarma is a Singapore-based Indian management consultant involved in an array of ventures related to the Internet of Things, big data and blockchain with no mention of VPN or digital privacy on his profiles.

British Virgin Islands-based Lemon Seed Investment has no online presence beyond its appearance on Lemon Clove’s business registration documentation as sole shareholder in the company.

Privacy policy

VPN Master

Turbo VPN

SnapVPN

Privacy policy notes

The privacy policies for the three apps are identical aside from reference to the app name.

The single biggest issue is that the policy allows for user data to be transferred to China.

Our business may require us to transfer your Personal Data to countries outside of the European Economic Area (“EEA”), including to countries such as the People’s Republic of China or Singapore. We take appropriate steps to ensure that recipients of your Personal Data are bound to duties of confidentiality and we implement measures such as standard contractual clauses. A copy of those clauses can be obtained by contacting our Help Center.

Requests to clarify the justification for this policy along with copies of the aforementioned contractual clauses went unanswered.

We were also concerned over the volume of data collected:

The data we collect can include SDK/API/JS code version, browser, Internet service provider, IP address, platform, timestamp, application identifier, application version, application distribution channel, independent device identifier, iOS ad identifier (IDFA), Android ad master identifier, International Mobile Subscriber Identification Number(IMSI), iOS network card (MAC) address, and iOS international mobile device identification code (IMEI) The equipment model, email address, the terminal manufacturer, the terminal device operating system version, the session start / stop time, the location of the language, the time zone and the network state (WiFi and so on), the hard disk, the CPU, and the battery use, etc.

Missing from the policy were the standard elements that constitute more typical VPN privacy policies, ie specification of connection metadata collection, storage and disposal, and how the company responds to DMCA notices.

There were also instances of poor English and typos in what was a very vague privacy policy, lacking in detail in key areas.

It’s also notable that the privacy policy linked to from the Play Store is hosted on a very obscure URL.

These policies fell far short of what we would expect from a mainstream VPN and we would recommend consumers avoid these apps.

Customer support contact

Customer support response:

Note the Gmail addresses, which is unheard of with professional companies.

We requested clarification on the following from each email support address:

  • Transfer of data to China
  • Contractual confidentiality clauses
  • VPN connection metadata policy

We did not receive a response by the time of publication.



X-VPN

Aliases

  • X-VPN Unlimited VPN Proxy
  • X-VPN – Free Unlimited VPN Proxy


Installs

Where is it based?

Hong Kong with links to mainland China

Full company details

Company Name: Free Connected Limited

Corporate Address: Flat/Rm A40, 9/F Silvercorp International Tower 707-713 Nathan Road Mongkok, Kowloon Hong Kong

Company Registration No. 2553621

Who’s behind the company?

Director: Li, Jin (李進)

Chinese address in Sichuan (redacted but available on public record)

Company Secretary: Supreme Hong Kong Registration Limited

Room 3, 27/F., Ho King Commercial Centre, No. 2-16 Fa Yuen Street, Mong Kok, Kowloon, Hong Kong

Company Registration No. 1633781

Sole shareholder: Chengdu Zhuozhuo Technology Co., Ltd. (成都卓拙科技有限公司)

Rm 016, Floor B1, Building 6, Zone D, No. 216, Century Town South Road, Hi-tech Zone, Chengdu, Sichuan, China

Notes on company structure

One of many free VPN app companies based in Hong Kong with Chinese ownership. Both director Li Jin and sole shareholder Chengdu Zhuozhuo Technology Co are based in the Sichuan province of China. Free Connected was incorporated in July 2017.

Chengdu Zhuozhuo Technology Co is a gaming technology company.

Privacy policy

Privacy policy notes

The policy is hosted on the company’s domain, which is a plus. One of the more professional and transparent privacy policies we examined as part of this investigation but still far from best-in-class. It’s not 100% clear from the policy documents exactly what data points are collected to verify individual users as part of VPN connection metadata logging.

Customer support contact

Customer support response

Support was prompt and professional and clarified the policy regarding VPN connection metadata logging.

For your information, we do not collect the users’ original IP address and the server IP address that the users connect to. Our system does assign each user a unique user ID, which is for verification purpose(e.g. If a user made a purchase via App store and does not have an account with us, we’d use the user ID to verify the subscription and provide further assistance).

Having said that, it serves the purpose of user verficiation(user support) (sic) that would be considered as account data. As for all other VPN connection data, our system will automatically delete them after 96 hours.

Despite some flaws, this privacy policy does exceed the minimum standard we expect for mainstream VPNs thanks to the level of detail and transparency.



VPN 360

Aliases

  • VPN 360 Unlimited VPN Proxy

Installs

Where is it based?

Hong Kong with links to mainland China

Full company details

Company Name: Infinity Software Co., Limited

Corporate Address: Rm A 20F Kiu Fu Commercial Bldg, 300 Lockhart Road, Hong Kong

Company Registration No. 1621283

Who’s behind the company?

Director and sole shareholder: Zhang, Rui (張銳)

Chinese address in Beijing (redacted but available on public record)

Company Secretary: China Kimfone Business Limited

Room 1605c, Ho King Commercial Centre, 2-16 Fa Yuen Street, Mongkok, Kowloon, Hong Kong

Company Registration No. 1620332

Notes on company structure:

Director and sole shareholder Zhang, Rui has 44 directorships on record, of which 30 remain active.

One of many free VPN app companies based in Hong Kong with Chinese ownership. It was incorporated in June 2011.

Privacy policy

Privacy policy notes

Highly unusually, the privacy policy is hosted on a free WordPress domain displaying advertising.

The policy itself lacks important details, with a substantially greater focus on what a user must not do while using the VPN service rather than what the VPN provider will do to protect their privacy.

An example of its casual and detail-light approach to privacy follows below:

We do not log any user activity (sites visited, DNS lookups, emails etc.) We only log access attempts to our servers (for security and troubleshooting). We do not get involved in any form of censorship. We do not give your personal info to any third parties. We do not cooperate with any requests for information unless we are ordered by a court of competent jurisdiction and the vast majority of these requests would not be from a court of competent jurisdiction We will protect you to the max and our system is setup to automatically do so. There are hundreds of good reasons for being anonymous and we respect them fully.

Despite describing itself as a no-log service, the policy has an alarming number of loosely-defined exemptions. For example:

We will record your aggregate bandwidth usage for billing and network operations and support;

It may become necessary to temporarily maintain usage data to assist in debugging a problem with the service. This usage data may include such information as the date and time of your login and the IP addresses you visited [emphasis ours]. This personal information is not retained once the troubleshooting is resolved;

We may collect and disclose personal information, including your usage data, to governmental authorities or agencies, including law enforcement agencies, at their request or pursuant to a court order, subpoena or other legal process, if there is a good faith belief that such collection or disclosure is required by law;

We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety.

However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Missing from the policy were the standard elements that constitute more typical VPN privacy policies, ie specification of connection metadata collection, storage and disposal; protections should the authorities seek user information; or measures to ensure that troubleshooting data is actually deleted.

Customer support contact

Customer support response

Despite using a popular customer support platform (Zendesk) that automatically responds to support requests and issues a ticket, Infinity Software did not respond to our requests for clarification of the following beyond the initial acknowledgement of our email:

  • VPN connection metadata policy
  • How “unfair usage” was monitored without compromising privacy
  • Deletion policy for temporary usage data logging


VPN – Super Unlimited Proxy


Installs

iOS: 400,000 new monthly installs

Where is it based

Mainland China

Full company details

Company Name: Mobile Jump

Corporate Address: 1/F, Building B2, Dongsheng Technology Park, Beijing, 100190, China

Company Registration No. Unconfirmed as Chinese language company name required.

Who’s behind the company?

Director: Liu Yiyi

No address available

Notes on company structure

There is very little information available about this company. However, it’s very interesting that a VPN company would be based in a high-profile Beijing technology park described as an “innovation incubator”, given the current aggressive ban on VPNs in China.

Privacy policy

Privacy policy notes

The Terms of Service are identical to the document used by VPN 360, simply replacing any mention of “VPN 360” with “VPN”.

The Privacy policy is a very short (315 words) generic document with no reference to VPN.

The same issues therefore apply. Most critically, there is no detailed policy on connection metadata logging, retention and deletion – data that can potentially be used to identify users in certain circumstances.

Customer support contact

Mobile Jump offers no support resources at all beyond a plain text single line web page with this email:

We also found this alternative contact email elsewhere on the web:

Customer support response

We requested clarification on the following from each email support address:

  • Transfer of data to China
  • Contractual confidentiality clauses
  • VPN connection metadata policy


Free VPN by FreeVPN.org


Installs

Where is it based

California, USA

Full company details

Company Name: Free VPN, LLC

Corporate Address: 1070 Gray Fox Circle, Pleasanton, California 94566

Company Registration No. 201525910495

Who’s behind the company?

Chairman, CEO: Andrew Foss

CFO: Timothy Bush

Company Name: ActMobile Networks, Inc – website

Corporate Address: 1070 Gray Fox Circle, Pleasanton, California 94566

Notes on company structure

Free VPN, LLC is clearly associated with ActMobile Networks, Inc as the latter is named as the Manager of the company on the Statement of Information filed for Free VPN, LLC.

The two companies share the same California address and ActMobile Networks, Inc. Manager Timothy Bush is named as the agent for service of process on a certificate of conversion filed in 2016 for Free VPN, LLC.

ActMobile makes no reference to Free VPN by FreeVPN.org on its website; however, it does promote another service, Dash VPN.

In fact the email address in the Free VPN privacy policy is on the dashoffice.com domain, suggesting they may share operational resources.

Privacy policy

Privacy policy notes

Most strikingly, the privacy policy was last updated on October 19, 2012, which is an eternity in digital privacy terms.

Even more damning, there is no VPN-specific privacy policy or terms at all, which means this VPN provider can do whatever it wants with its user data.

Customer support contact

Customer support response

Only support@freevpn.org is a functioning email address, however we did receive a partial response to our questions, which were as follows:

  1. What are your policies regarding logging, as the policy mentions neither activity nor connection metadata policies. What data points do you collect? How long do you store them for?
  2. Why are there no VPN-specific policies at all? The privacy policy appears to relate to the website only and the link to the Terms of Service does not direct anywhere (http://freevpn.org/privacy-policy/#) Are you able to provide me with official policies regarding the use of your service?
  3. Do you own your own VPN servers or lease third-party servers? Similarly, DNS servers? If you rely on third-party networks, what protections are in place for users of your service?

Frustratingly, the second and third questions were ignored entirely while the first was answered in a very vague way. It’s likely that we received a canned response due to the irrelevance of much of the email, which read as follows:

The only information we capture / log as of now is the amount of data consumed by the user. No other data is stored with us. We also do not associate the data to any physical device, instead use a key which cannot be easily tracked back to a physical device, keeping our service, truly anonymous and secure.

When connected to the VPN you will remain anonymous to any website or online service that you access unless you are required to log into access their service. However, the browser can still keep records of your online activity & need to be configured to not keep track of your online activity.

The device byte cache is created & maintained locally on your device to ensure optimal online performance when the VPN is connected and may require up to 250MB of space on your device storage.

Uninstalling the app should revoke permissions required for establishing a VPN connection. On Android devices, all app data can be deleted from the device settings (Settings -> Apps – > FreeVPN -> Clear Data).

The answer lacks the crucial detail around connection metadata that is required to be able to trust a service with personal data.



Secure VPN, VPN – Master Proxy & HotspotVPN

Aliases

  • Secure VPN – Free VPN Proxy, Best & Fast Shield
  • VPN – Master Proxy, ماستر VPN

Installs

Secure VPN

VPN – Master Proxy

HotspotVPN

Where is it based?

Hong Kong with links to mainland China

Full company details

Company Name: HiMobi Tech Ltd

Corporate Address: 99 Queen’s Road Central, Central, Hong Kong

Company Registration No. 2669400

Who’s behind the company?

Director and sole shareholder: Zhu, Jianpeng (朱建朋)

Chinese residential address in Hebei Province (redacted but available on public record)

Company Secretary: Kong Tsun International Consultants Limited

137-139 Connaught Road Central, 12/F, 12th Floor, San Tai Building, Hong Kong

Company Registration No. 2658066

Notes on company structure

Another pair of Hong Kong-based VPNs with links to mainland China via the ultimate company ownership. It’s clear that VPN – Master Proxy is associated with Secure VPN as its listed developer on the app stores is Sapling Growth Tech, which is prominently named on the privacy policy of Secure VPN.

Sapling Growth Tech does not appear to be a legal entity however.

Privacy policy

Secure VPN & HotspotVPN

VPN – Master Proxy

Privacy policy notes

Note that the privacy policies are hosted on a free WordPress domain with no other information about the VPN or the company. To add to the amateurish impression, elements of placeholder text from the WordPress template have not been edited and remain in the original Chinese text (ie This is a text widget. The text widget lets you add text or HTML to the sidebar).

A single policy – dated June 2018 – applies to SecureVPN and HotspotVPN.

The policy shares the majority of its text – typos included – with the policies of apps operated by ALL Connected and Innovative Connecting, ie VPN Master, TurboVPN and SnapVPN.

There are major issues with this policy that suggest user data flowing through this VPN is not private. The most disturbing is:

Our business may require us to transfer your Personal Data to countries outside of the European Economic Area (“EEA”), including to countries such as the People’s Republic of China or Singapore.

Missing from the policy were the standard elements that constitute more typical VPN privacy policies, ie specification of connection metadata collection, storage and disposal, and how the company responds to DMCA notices.

See our assessment of the VPN Master privacy policy for full details.

The policy for VPN – Master Proxy is dated May 2015 and does not refer to that app by name, instead specifying Easy VPN and HotspotVPN.

The policy itself is identical to that of VPN 360 and has all the same serious issues. Refer to that section of our report for full details.

Customer support contact

As with those VPNs, we would recommend consumers avoid these apps also based on these deeply worrying policies.

Customer support response

Our requests for clarification around connection metadata policies and the transfer of data to China were ignored.



SkyVPN

Aliases

  • SkyVPN-Unlimited Free VPN Proxy protect privacy
  • SkyVPN – Best VPN Proxy Shield

Installs

Where is it based?

Hong Kong with links to mainland China.

Full company details

Company Name: Tengzhan Hongkong Limited (騰展香港有限公司) – operates as Dingtone outside China.

Corporate Address: Rm 2103 Futura Plaza 111 How Ming St, Kwun Tong, Hong Kong

Company Registration No. 2314047

Who’s behind the company?

Director and sole shareholder: You, Xiumei (游秀妹)

Chinese address in Guangdong Province (redacted but available on public record)

Company Secretary: Offshore Wealth Accounting Secretary Limited (聚富港會計秘書有限公司)

B015, Unit 5, 27/F., Richmond Comm. Bldg., 109 Argyle Street, Mongkok, Kln, Hong Kong

Company Registration No. 1650349

Notes on company structure

The corporate structure here is highly opaque. The company behind SkyVPN refers to itself variously as SkyVPN Inc, Secure Sentry Communications and Dingtone.

Dingtone is named, albeit not prominently, as the “seller” on the App Store Listing (but not the Play Store listing). There is also a pending trademark application from Dingtone for “SkyVPN”.

It would be very difficult for the average consumer to make the leap from Dingtone to The Tengzhan Group, which acquired the company in 2015 according to this Chinese language disclosure document, as there is no other reference in English language media. Tengzhan Hong Kong Ltd was incorporated in December of that year with You Xiumei as director and sole shareholder.

Once you are aware of the connection (and know the Chinese name of the parent company), it’s possible to confirm the ownership of the Dingtone brand – and by extension SkyVPN.

Privacy policy

Privacy policy notes

While certainly more professional in appearance than the policies of most other China-linked VPN services, we noted instances of identical text with those services, down to idiosyncratic word choices.

While overall it was slightly better than the likes of Master VPN, VPN 360 et al, the policy was still lacking much of the important detail consumers need to make the decision to trust a VPN service.

While we noted with relief that there was no mention of data transfers to China, we were concerned by the lack of an explicit policy on the logging, storage and deletion of connection metadata (such as connecting IP addresses, timestamps etc).

We also noted with concern the following collection of significant personal information:

When you install SkyVPN on your device, we may automatically collect certain information from your device, including an Android, Apple iOS, or other ID, device maker and model, mobile web browser type and version, IP address, MAC address, the operating system’s maker and version, location information, MCC (Mobile Country Code) information, the mobile application name, a list of mobile applications installed on your device and other technical data about your device.

Given the lack of clarification from the company (see below) on these issues, this privacy policy does not meet the standards we would expect in a professional and trustworthy VPN.

Customer support contact

Customer support response

We asked for clarification of the following:

  • VPN connection metadata policy
  • Whether “aggregate bandwidth” refers to an individual or the entire network? If it’s the former, how is this tied back to an individual user?
  • How they ensured user privacy was not compromised by the collection of significant personal information noted above in the privacy policy notes
  • Ultimate ownership of SkyVPN to confirm jurisdiction

SkyVPN did not respond to our requests.



VPN Patron

Aliases

  • VPN Patron-Super Proxy Master

Installs

Where is it based?

Hong Kong with links to mainland China

Full company details

Company Name: IST MEDIA Limited (易拓控股(香港)有限公司)

Corporate Address: Rm 603, 6/F Hang Pont Comm Bldg, 31 Tonkin St, Cheung Sha Wan, Kowloon, Hong Kong

Company Registration No. 2314594

Who’s behind the company?

Director: Wu, Bin (吴斌)

Chinese address in Hubei Province (redacted but available on public record)

Company Secretary: Hongkong Kamkiu Registration Limited (香港金橋商務諮詢有限公司)

Rm 603, 6/F Hang Pont Comm Bldg, 31 Tonkin St, Cheung Sha Wan, Kowloon, Hong Kong

Company Registration No. 1250522

Sole Shareholder: Shenzhen Yituo Holdings Co., Ltd. (深圳市易拓控股有限公司)

Room 201, Building A, No.1 Qianwan One Road, Qianhai Shenzhen And Hk Economic Cooperation Zone, Shenzhen City, China

Unified Social Credit Code / Registration Number: 91440300349962819Y

Notes on company structure

This Hong Kong company has Chinese links via its director Wu Bin and its sole shareholder, Chinese-registered company Shenzhen Yituo Holdings Co. Wu Bin is also one of three shareholders in that company and the only natural person among them.

Incorporated in December 2015, IST MEDIA markets itself in China as a mobile advertising company:

IST MEDIA is a mobile app publishing company that helps domestic and overseas customers access global mobile phone users. And help customers to monetize the most efficient traffic. Our customers include 360, Baidu, apus, solo, UC (Ali Mobile), Mico (social app), etc.

Our team gives our partners in 12 months. Within, it has brought more than 100 million global users. The highest daily access to mobile users reaches 70w (global)

This does not suggest a company whose principal mission is to protect its users’ privacy and it’s of concern that this information is not easily available to current and potential users of Patron VPN.

Privacy policy

Privacy policy notes

The presentation is more professional than most VPN services in this report, despite some typos, and the language is friendly and easy-to-understand.

However, we were concerned at the lack of any detail relating to VPN metadata logging, retention and deletion, or about how they respond to copyright notices.

We were also not reassured about the privacy of users’ IP addresses given that VPN Patron uses them to derive approximate location despite claiming “immediate obfuscation” takes place.

We collect your IP address, immediately obfuscate and anonymize it, and provide you with a virtual or proxy IP address. We may also use your IP address to derive your approximate location in order to effectively provide the Services. Again, your true IP address is stored only for the duration of your VPN session and is cleared after your session is closed. We do not associate your true IP address with your online activities and we do not store or log your true IP address after the end of your session.

Nor did we feel comfortable with the following:

When you launch VPN Patron, we also collect device-specific information, such as the hardware model, operating system version, browser type, language, wireless network, and mobile network information. This information does not identify you, and we use it to provide and improve the Services, and perform analytics on our services.

Given the company’s lack of clarification of these issues, we consider this privacy policy to be below the standard we expect for professional VPN services.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • Why do you need to know users’ approximate locations to provide the service?
  • VPN connection metadata logging, storage and deletion policy.
  • Country of incorporation

We did not receive a response to our email requests by the time of publication.



VPN for iPhone – Proxy Server

Free VPN Investigation: VPN Proxy for iPhone App Store listing screenshot

Installs

Where is it based?

Bangladesh

Full company details

Company Name: Brain Craft Ltd

Corporate Address: House 297, Road 19/B, Mohakhali DOHS Dhaka, Bangladesh

Company Registration No. C-134349

Who’s behind the company?

CEO: Nayeem Hassan

Notes on company structure

Braincraft is a generalist app developer whose portfolio includes: Face Swap, Mirror Reflection, Audio Mixer, Add text to Photos. These are all basic, throwaway apps, underlining that this is not a privacy-focused company.

Privacy policy

Privacy policy notes

This is a shockingly thin privacy policy (around 250 words only), lacking in any of the detail one would expect from a serious VPN provider. It shows a fundamental lack of understanding of digital privacy.

We would never recommend anyone use a VPN with such a threadbare privacy policy.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • VPN connection metadata logging, storage and deletion policy.
  • Policy when official requests are made to share user data
  • How they manage their network performance, as this has privacy implications

They did not respond to our email requests.



YogaVPN

YogaVPN Google Play listing screenshot

Installs

Where is it based?

Hong Kong with links to mainland China

Full company details

Company Name: Yolo Net Technology

Corporate Address: Unit C, 4/F, China Insurance Building, No.48 Cameron Road, Tsim Sha Tsui, Kowloon, Hong Kong

Company Registration No. 2527678

Who’s behind the company?

Director and sole shareholder: Dong, Hang (董航) – Chinese passport holder

Chinese address in Guangzhou (redacted but available on public record)

Company Secretary: Brilliant Corporate Services Limited (智尚秘書服務有限公司)

Unit 1104a, 11/F Kai Tak Comm Bldg, 317-319 Des Voeux Rd Central, Hong Kong

Company Registration No. 2024057

Notes on company structure

Another Hong Kong-registered VPN with links to mainland China via its director and sole shareholder Dong Hang, whose Chinese passport and Guangzhou address are a matter of public record.

This is an extremely opaque VPN provider in that it has chosen an apparently arbitrary name for the app store listings, “Sarah Hawken”, with no obvious links to a legal entity behind it. However, we discovered a customer support link on an iTunes listing that led to a dead page on the company’s otherwise still active domain.

Yolo Net Technology describe themselves as “focusing on developing small and beautiful mobile applications”; however, there is no mention of YogaVPN on their website.

Privacy policy

Privacy policy notes

Note the use of Pastebin for hosting the privacy policy. Among legitimate uses for sharing text files and source code, the site is popular with hackers for sharing stolen data as there is no requirement for registration. Hosting a privacy policy here does very little to inspire trust in the provider.

The policy itself is worthless to a VPN user – the only mention of VPN is in the YogaVPN email address at the bottom. There is no information whatsoever about how user privacy is protected and the entire policy appears to be generic boilerplate text that could apply to any website.

We would recommend consumers absolutely avoid using a VPN with such a lack of focus on privacy and transparency about its practices.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • The VPN connection data logging, storage and deletion policy.
  • Whether they had any VPN-specific privacy policies they could share.
  • The country of incorporation.

We did not receive a response by the time of publication.



VPN Guru

Aliases

  • VPN Guru – Master of Fast VPN

VPN Guru App Store listing screenshot

Installs

Where is it based?

Hong Kong with links to mainland China

Full company details

Company Name: LionMobi Holdings Ltd

Corporate Address: Unit 24 On 6/F, Topsail Plaza No. 11 On Sum Street Shatin Nt, Hong Kong

Company Registration No. 2092021

Who’s behind the company?

Directors: Lu Jin (魯錦)

Unit 24 On 6/F, Topsail Plaza No. 11 On Sum Street Shatin Nt, Hong Kong

Zhu Jing (朱菁)

Unit 24 On 6/F, Topsail Plaza No. 11 On Sum Street Shatin Nt, Hong Kong

Company Secretary: Global-fortune Irap Limited (香港環澤國際註冊會計專業有限公司)

Rm B, 14/F, Wah Hen Comm Ctr, 383 Hennessy Rd, Wanchai, Hong Kong

Company Registration No. 1169967

Sole shareholder: Chengdu Lions Technology Co Ltd (成都獅之吼科技有限公司)

No.1601, Floor 16, Building 11, No.219, Tianhua Second Road, High-tech Zone, Chengdu, China

Unified Social Credit Code: 91510100099235300A

Note: sole shareholder in that company is another Chinese company Sichuan Xunyou Network Technology Co., Ltd. (四川迅游网络科技股份有限公司) with USCC: 915101006771884972A. LionMobi director Lu Jin is a majority shareholder in this company also.

Notes on company structure

VPN Guru is completely opaque and was the most difficult app to investigate. Its app store listings name “Chi Zhang” as the developer/seller, however this is not a legal entity. It offers a number of apps, including the popular hotspot scanner app WiFi Anywhere. However, it has no website and privacy policies are hosted anonymously.

We were able to track down the company via these policy documents however. They are hosted in the cloud on Amazon servers in a folder called “commonfiles” registered by the developer, along with policy documents for its other apps.

One of these is a privacy policy for a VPN proxy app, which contains a reference in its terms to “Cool Summer Dev” as the developer of the app.

We found an app store listing for this developer name that linked to a privacy policy hosted on another domain, baobeshuo.com, containing the following email address: contact@lionmobi.com. This LionMobi domain revealed the name of the company operating it to be LionMobi Holdings Ltd.

Much like the Amazon web services folder, the baobeshuo.com domain only contained text files relating to various apps, including a meditation app privacy policy. This page contained reference to zhangchi0563@yahoo.com – the support email for VPN Guru, confirming the connection between VPN Guru and LionMobi.

Further confirmation of this connection between VPN Guru and LionMobi can be found in the fact that an individual called Songtao Bai works or worked at LionMobi. Songtao Bai was named on the listing page for the meditation app that also contained reference to the zhangchi0563@yahoo.com email as a contact.

LionMobi Holdings Ltd is registered in Hong Kong; however, its sole shareholder is based in Chengdu, China. One of its directors, Lu Jin, is the majority shareholder in that Chinese company, Chengdu Lions Technology Ltd.

Privacy policy

Privacy policy notes

Note the privacy policies are hosted on standalone Amazon S3 buckets – a very rough-and-ready approach that lacks transparency, as there is no parent domain with information about the company.

The privacy policy itself is a cookie-cutter generic policy that relates to standard websites, rather than VPN services, offering no useful information for VPN users.

The terms document does at least contain reference to VPN. However, it’s very short and lacks detail. It is almost all boilerplate text shared with other VPNs in this investigation, such as VPN 360.

It therefore shares the same issues, most critically a lack of any sort of detailed policy on connection metadata logging, retention and storage.

Given the thin policy and the company’s lack of clarification of these issues, we consider this privacy policy to be well below the standard we expect for professional VPN services.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • The VPN connection data logging, storage and deletion policy.
  • The country of incorporation.

We did not receive a response by the time of publication.



Hola

Hola App Store listing screenshot

Installs

Where is it based?

Israel

Full company details

Company Name: Hola Vpn Ltd (Hola Vivan Ltd)

Corporate Address: 3 Hamahshev St., Netanya 42507, Israel (POB 8025)

Who’s behind the company?

Co-founders are Ofer Vilenski and Derry Shribman

Notes on company structure

Hola is a venture capital-backed private company in Israel that has raised a total of $24M over two rounds of funding, the last being in September 2015.

Hola is a peer-to-peer VPN network and has provoked controversy with its business model, which is based on selling its users’ bandwidth, and other security flaws.

Privacy policy

Privacy policy notes

Hola VPN may be free but it comes at a very real cost to user privacy in several different ways. The policy is at least explicit in how Hola compromises its users’ privacy.

The first red flag is that it actually logs user activity as well as the more typical connection metadata:

Log data may include the following information- browser type, web pages you visit, time spent on those pages, access times and dates.

Worse, data retention is at their discretion.

The next red flag is that, uniquely, Hola VPN is a P2P VPN network, i.e. when you connect to a US “server”, you are connecting via an actual US Hola user’s IP address. Other users will also be routed via your IP address. This means potentially nefarious activity could take place on your IP and you wouldn’t even know it.

Automatic Uploading, Routing and Caching

The Services may improve your use of the Internet, among other means by re-routing some of your requests through other Hola users (the “Value Exchange”). Your free use of the Services will in turn enable other devices using the Services to be re-routed through your device. By using the Services you consent to the use of your device in the described manner and agree that other Hola devices may use your network connection and resources

Finally, Hola VPN makes money by essentially creating a giant botnet-for-hire from its users. This is explained in the policy:

How is it free?

In return for free usage of Hola Free VPN Proxy, Hola Fake GPS location and Hola Video Accelerator, you may be a peer on the Luminati network. By doing so you agree to have read and accepted the terms of service of the Luminati SDK SLA.

It should go without saying that we would recommend avoiding this VPN at all costs based on its privacy policy.

Customer support contact

None

Customer support response

Hola does not offer customer support beyond its online FAQ resources.



Hotspot Shield, Betternet & TouchVPN

Hotspot Shield App Store Listing screenshot

Installs

Hotspot Shield

Betternet

TouchVPN

Where is it based?

California, USA

Full company details

Company Name: AnchorFree, Inc.

Corporate Address: 1800 Seaport Blvd, Redwood City, California, 94063, USA

Company Registration No. C2742634

Who’s behind the company?

CEO: David Gorodyansky

Secretary/CFO: Craig Vachon

Notes on company structure

AnchorFree, Inc. may own all three of Hotspot Shield, Betternet and TouchVPN, but it is not very transparent about owning the latter two brands, with no mention of them at all on its corporate site.

However, there are references to AnchorFree in Betternet’s privacy policy, while TouchVPN is based in one of AnchorFree’s California offices. There was also a low-key announcement of its acquisition in 2015.

CEO David Gorodyansky has been at the helm since co-founding the company with Eugene Malobrodsky in 2005.

AnchorFree Inc. found itself at the center of a privacy controversy in 2017 when the Center for Democracy and Technology filed a complaint to the Federal Trade Commission, alleging that the company misled its users about privacy issues relating to advertising in its free version of Hotspot Shield VPN.

Although AnchorFree Inc. firmly refuted the allegations, it has since made significant improvements to its Hotspot Shield privacy policies. The company also committed to publishing an annual transparency report to reassure users about how it deals with requests for user data from the authorities.

Privacy Policies

Hotspot Shield

Betternet

TouchVPN

Privacy policy notes

Hotspot Shield & Betternet

These two apps share the same policy, both are professionally hosted and formatted, and were recently updated at the end of June of this year, which creates a strong first impression.

Overall the policies are very good and take great pains to explain everything as clearly as possible.

A minor gripe is that users of the free version of the app have their city-level location shared with advertisers. However, the average consumer is unlikely to be too concerned about this.

When you are connected to the Hotspot Shield VPN, advertisers are prevented from seeing your IP address, however if you are using the free version of Hotspot Shield we may share this approximate (city-level) location.

Both sets of terms state that AnchorFree Inc responds to notices of alleged copyright infringement that comply with the Digital Millennium Copyright Act (as you would expect from a US-based company), and the DMCA notification policy talks about cutting off repeat offenders.

There is an apparent contradiction between this policy and their stated policy of not storing users’ originating IP addresses beyond the session.

Our VPN product will never store or log your IP address beyond the duration of your VPN session, and we always delete your IP address after you disconnect from the VPN.

Overall, while the privacy policies aren’t quite as strong or comprehensive as those of the leading commercial VPN services, they easily surpass the minimum standards for privacy and transparency we expect from major VPN providers.

TouchVPN

This policy, on the other hand, has not been updated since 2015 and contained outdated references to “Northghost” as the VPN provider rather than TouchVPN or AnchorFree Inc. It is also not formatted to be as readable as the other two policies, making it feel neglected and not particularly reassuring for users.

It’s also harder to find than it should be as the links to the privacy policy on both the App Store and Play Store listings are out-of-date and direct to error pages.

Aside from the show-stopping red flag of referring to a defunct entity, Northghost, rendering the policy invalid, another major issue is that this VPN logs user activity, although they do claim it’s anonymized.

Log Data is a data that is automatically recorded by our servers when you use the Services. Log Data may include information about your device such as your IP address, browser type, the webpages you visit, the time spent on those pages, access times and dates, unique identifier that was generated for your device (if you use the Services from your mobile device then such identifier may be you mobile number). Such data is used by us in its aggregated form and is not combined with any Personal Information.

This is unheard of among reputable VPN services. Considering the other issues we have with this policy, TouchVPN falls short of what we would expect in this area.

Customer support contact

AnchorFree does not offer email support for users of the free versions of Hotspot Shield and Betternet.

TouchVPN only offers the outdated support@northghost.com, which doesn’t appear to be monitored.



Shield VPN

Aliases

  • Shield VPN – Unlimited Proxy

Shield VPN - cached App Store listing screenshot

Installs

Where is it based?

China

Full company details

Company Name: Wuxi Jiubang Information Technology Co., Ltd. 无锡久邦信息科技有限公司

Corporate Address: 1017, Floor 10, Building A, No.599, Jianzhu West Road, Wuxi – 214000, China

Unified Social Credit Code: 91320211586662561Q

Who’s behind the company?

Executive director and majority (70%) shareholder: Xue Caiqin (薛彩琴)

Minority (30%) shareholder: Geng Tiantian (耿甜甜)

Notes on company structure

Over the course of this investigation, Chinese company Wuxi Jiubang Information Technology Co has sought to obscure its ownership of Shield VPN, replacing reference to it on the App Store listing with “Flare Internet Ltd”. This is a brand new company incorporated in the UK on July 30 with Shanghai resident Xu Peng as its director and secretary. The relationship between the two companies is unclear.

We also noted that the footer of the Shield VPN website has been updated to Flare Internet Ltd rather than Luo Chengju, as it was up until early October. However, it suggests that Flare Internet’s copyright to the website design and content dates from 2017, despite the company not existing at that point.

Note that Wuxi Jiubang Technology Co Ltd is an alternative transliteration of the Chinese 无锡久邦信息科技有限公司 to the romanized Wujiubang Technology Co Ltd that featured on the original app listings.

Privacy policy

Privacy policy notes

While the policies are at least hosted on a proper website, they are poorly written (even containing typos) and lack detail.

While the policy does at least attempt to define its treatment of VPN connection metadata, it does not go far enough and remains frustratingly vague. In the sole clause covering this issue, it omits, for example, to state for how long data is retained:

Shield VPN does not collect, log, store, share any identifiable personal information of Users. Shield VPN may collect the connection times to our Service and the total amount of data transferred per day. Shield VPN stores this to be able to deliver the best possible network experience to you.

We did not feel reassured by the lack of responsibility taken regarding third-party ads:

Third Parties

By using Shield VPN you acknowledge and consent that Shield VPN may display advertisement within the App, as a separate webpage in your browser, or in any manner that Shield VPN finds suitable. Shield VPN may use third party advertisement services with their own terms and conditions. By using Shield VPN you also agree the terms and conditions of those third party services and acknowledge and adhere that Shield VPN shall not take any responsibility nor liability for the contents shown on their behalf.

While significantly better than many policies covered in this investigation, it still falls short of what we would expect from commercial VPN services.

Customer support contact

Customer support response

We requested clarification on the following issues:

  • The VPN connection data logging, storage and deletion policy.
  • The country of incorporation.

We did not receive a response by the time of publication.



VPN Wifi Proxy Security Master

VPN WiFi Proxy Security Master App Store listing screenshot

Installs

Where is it based?

Registered in Wyoming, USA but based in Singapore

Full company details

Company Name: Ever Fun Apps LLC

Corporate Address: 101 Telok Ayer Street, #03-02, Singapore

Filing ID: 2017-000759613

Who’s behind the company?

Unknown

Notes on company structure

Wyoming LLCs are not required to file any personally identifying information about owners or managers. This VPN provider has taken advantage of this to keep its company structure secret.

When asked about where they were based, the company declined to confirm this information.

Beyond the Wyoming state registration documents, Ever Fun Apps LLC has no online footprint other than an extremely shoddy free WordPress site and a mention in the small print of its VPN website.

Privacy policy

Privacy policy notes

The hosting of the policy on a proper website is the only positive of this highly disturbing document.

This VPN logs all user activity without even any attempt to anonymize this highly sensitive data.

Log Information: We also collect log information when you use our website. That information includes, among other things:

– details about how you’ve used our services.

– device information, such as your web browser type and language.

– access times.

– pages viewed.

– IP address.

– identifiers associated with cookies or other technologies that may uniquely identify your device or browser.

– pages you visited before or after navigating to our website

This is absolutely shocking and goes completely against the spirit of using a VPN. It goes without saying that this is far from acceptable and consumers should avoid this VPN at all costs.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • Country of incorporation
  • Privacy safeguards relating to activity logging
  • Data retention policies


Victory VPN

Aliases

  • Victory VPN – Unlimited VPN

Victory VPN App Store listing screenshot

Installs

Where is it based?

Chengdu, China

Full company details

Company Name: Chengdu ITiger Technology Co. Ltd 成都以太格科技有限公司

Corporate Address: No.619, 27f, Shiwaitaoyuan Square, No.65 North Kehua Road, Wuhou District, Chengdu, 610021, CHINA

Unified Social Credit Code: 91510107MA6CD7J182

Who’s behind the company?

Chairman and General Manager: He Xin 何鑫

Shareholders:

  • He Xin (sole natural person as shareholder)
  • Ningbo Meishan Bonded Port Area Xie Win Partner Investment Management Center (Limited Partnership). Room 630, Office Building, No. 18, Meishan Avenue Business Center, Beilun District, Ningbo, Zhejiang, China. USCC: 91330206MA282HCR2P

Notes on company structure

This Chinese company was established very recently in April 2018. It would be very difficult for the average consumer to find out anything about the company as the English-language corporate website has no information at all about the company, nor any reference to Victory VPN.

It doesn’t help that there is no reference to the Chinese company name on the site, which is required to search the public record in China, or that the Chinese name is not a straight translation or transliteration of the English name.

Chairman and General Manager He Xin is the sole natural person of the two shareholders, the other being a Chinese private equity fund.

Privacy policy

Privacy policy notes

Note the privacy policy is hosted on a standalone Amazon server – a very rough-and-ready approach that lacks transparency, as there is no parent domain with information about the company.

The privacy policy itself is a cookie-cutter generic policy that relates to standard websites, rather than VPN services, offering no useful information for VPN users. It also suffers from several typos.

There is reference to Terms & Conditions but no active link so this VPN effectively has no privacy policy at all.

Customer support contact

Customer support response

The support form is a little ridiculous in that it does not even contain an email field so that they can respond to queries.

Despite including a return email in the text, we received no response to our queries about privacy safeguards.



VPN – Storm VPN Unlimited

Aliases

  • Storm VPN

Storm VPN App Store listing screenshot

Installs

Where is it based?

Most likely China due to qq.com contact address

Full company details

Company Name: FengJie Yao

Corporate Address: Unknown

Who’s behind the company?

Unknown

Notes on company structure

FengJie Yao is a ghost with no traceable online presence beyond an absurdly sparse personal Facebook page linked to from the App Store listing for Storm VPN.

It’s irresponsible of Apple to allow into its store an app from such an opaque entity.

Privacy policy

None

Privacy policy notes

Incredibly, there are no legal documents at all published for this VPN. It should go without saying that no-one should use this app as it stands.

Customer support contact

3128402757@qq.com

Customer support response

We received no response to our request to view any privacy policy documentation.



SuperVPN Free VPN Client

SuperVPN Free VPN Client Google Play listing screenshot

Installs

Where is it based?

Singapore with links to China

Full company details

Company Name: SuperSoft Tech

Corporate Address: 15 Lower Kent Ridge Rd, Singapore 119077

Who’s behind the company?

Developer: Zheng Jinrong (郑金荣)

Notes on company structure

SuperSoft Tech has no website nor is it registered in Singapore despite the address published on the Play Store listing (which is actually part of the National University of Singapore campus and therefore likely bogus).

However, not only does the URL of the listing contain a reference to Zheng’s name (https://play.google.com/store/apps/details?hl=en&id=com.jrzheng.supervpnfree), but a search against the goanalyticsapp@gmail.com email address leads to a Chinese-language listing page for the app that references Zheng’s full name.

Another page for SuperVPN lists a Beijing address, which appears to be a 7days Inn hotel – potentially yet another fake address.

While it’s not confirmed where Zheng, who has published several apps, has incorporated, on balance, based on the above, it’s likely that there is a China connection.

Privacy policy

Privacy policy notes

The policy itself is hosted on a user-unfriendly URL that does not inspire trust.

The policy itself is so short and lacking critical detail that it’s close to worthless. It is written in very poor and occasionally nonsensical English and lacks any detail at all about how user privacy is safeguarded.

This extremely amateurish policy is nowhere near the minimum standard we would expect from a professional product.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • VPN connection data logging, storage and deletion policy.
  • Country of incorporation
  • Data retention policy on the following clause: “The only thing we monitor if the IPs you are using to enter our servers are not blacklisted in respected Black lists databases, like spamhaus.org.”

We did not receive a response by the time of publication.



VPN Private

VPN Private Google Play listing screenshots

Installs

Where is it based?

Ukraine

Full company details

Company Name: VPN Private

Corporate Address: Ukraine, Dnipro Hlinky Street, 12

Who’s behind the company?

Vladyslav Minaev filed a trademark application for “VPN Private” against the same Dnipro address on the Play Store listing. We also received email correspondence from someone of the same name.

Notes on company structure

Minaev told us that VPN Private deliberately obscured details of the Ukraine company for security purposes.

Privacy policy

Privacy policy notes

While the policy is at least hosted on a basic website, it is very short and lacking detail. There is not enough detail about VPN connection metadata logging, retention and deletion to reassure potential users.

The following is just too casual to pass muster:

The App may gather the information about the time duration of connections to our servers and the total amount of data transferred per day with the sole purpose of providing you with our awesome network experience.

Worryingly, there is little further policy detail beyond the above, which means this is yet another free VPN with substandard privacy protections.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • VPN connection metadata policy
  • Country of incorporation
  • Official company name

Vladyslav Minaev responded on behalf of VPN Private within 24 hours with the following:

  1. We collect: connection time, bandwidth, speed.

1.1 We confirm that this information is collected anonymously and is not in any way tied to the individual users.

  2. VPN Private is located in Ukraine.

2.1 For security purposes we do not share the information about the company itself, since the less is known about the company, the more our users are protected.



Thunder VPN

Aliases

  • Thunder VPN – A Fast , Unlimited, Free VPN Proxy

Thunder VPN Google Play listing screenshot

Installs

Where is it based?

Hong Kong

Full company details

Company Name: Signal Lab

Corporate Address: 1000 S. Fremont Ave. Bldg. A1, Alhambra Arkansas 91803 US

Who’s behind the company?

Unknown

Notes on company structure

The company confirmed that the US address is for payment purposes only and that Signal Lab are “independent developers from Hong Kong”.

However there are no companies called Signal Lab or similar currently registered in Hong Kong.

Privacy policy

Privacy policy notes

Hosted on the very basic Thunder VPN website, this privacy policy is generic and lacks critical detail around VPN connection metadata logging, retention and deletion policies. Data collection appears to be wide-ranging yet there is not the detail around privacy safeguards that you would expect.

In addition, when you use our app we may collect the following information: IP address, Internet service provider, OS version, language of the device, app identifier, app version, independent deice [sic] identifier, ad identifier, devide [sic] manufacturer and model, email address, the time zone and the network state (WiFi and so on), times when connected to our service, choice of server location, and the total amount of data transferred per day, etc. We store this to be able to deliver the best possible network experience to you. We analyze this information generically and keep the data secure.

We would also expect a lot more than four paragraphs on privacy to even approach basic privacy policy requirements.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • User activity logging policy
  • VPN connection metadata logging policy
  • Country of incorporation

Signal Lab responded within 24 hours with the following:

We do not log personal activities such as user data traffic or browsing history.

In order to improve the quality of our service, when the user connects to the VPN, we will log the user’s IP, target server IP, connection duration, bytes used, etc., and keep it for one month for analysis. Session data will only be stored on our servers and will not be shared with any third parties.

In addition, our app uses third-party statistical SDK such as Flurry to help us improve the app. These SDK will collect some common information, such as mobile phone system version, language, app version, device model, etc., does not contain personally identifying information.

The US address we provide is for payment purposes. We are not a company registered in the United States.

In response to our follow-up email about country of incorporation, Signal Lab responded:

We are independent developers from Hong Kong.



VPN Melon

Aliases

  • VPN Melon – Unlimited Free & Fast Security Proxy
VPN Melon Google Play original listing screenshot

Installs

Where is it based?

Unconfirmed

Full company details

Company Name: Fruit Security Studio (Proxy & Communication) (now rebranded as Free Vpn Proxy)

Corporate Address: Unconfirmed although there is mention of San Jose, CA on the Play Listing

Company Registration No. Unknown

Who’s behind the company?

Unknown

Notes on company structure:

Fruit Security Studio relaunched VPN Melon under the new company name of “Free Vpn Proxy” on October 11 2018. The Google cached version of the original Melon VPN Play Store listing shows that they are the same app, based on the screenshots of the distinctive UI.

Prior to the relaunch, total installs stood at 1,000,000+, growing at 200,000 new installs per month. The install count has since reset to 10,000.

Neither company name has any online footprint or feature in databases of registered companies, suggesting they are not legal entities.

We noted that the listing featured a spurious address as the 15235 zip code does not match San Jose, CA. It’s striking that Google permits this kind of inaccuracy on listings.

Privacy policy

Privacy policy notes

The new privacy policy link is broken and generates a browser error as the domain does not appear to exist. This VPN therefore does not have a valid privacy policy.

The original privacy policy is hosted on Pastebin and is still live, despite no longer being linked to from Google Play. Among legitimate uses for sharing text files and source code, the site is popular with hackers for sharing stolen data as there is no requirement for registration. Hosting a privacy policy here does very little to inspire trust in the provider.

The policy itself is worthless to a VPN user – the only mention of VPN is in the vpn.melon email address at the bottom. There is no information whatsoever about how user privacy is protected, and the entire policy appears to be generic boilerplate text that could apply to any website (and is also used by YogaVPN, for example).

We would recommend consumers absolutely avoid using this VPN that has somehow managed to remove what scant privacy protections it previously had with its recent relaunch.

Customer support contact

Customer support response

Note the personal Gmail addresses, which is unheard of for professional companies.

We requested clarification on the following issues:

  • Country of incorporation
  • VPN specific privacy policies

We received no response from either address.



Super VPN

Aliases

  • Super VPN – Best Free Proxy
Super VPN Google Play listing screenshot

Installs

Where is it based?

China

Full company details

Company Name: SuperVPN Inc / cheng cheng

Corporate Address: Residential address Guangzhou, China [redacted]

Who’s behind the company?

Unconfirmed but it appears to be an independent Chinese developer

Notes on company structure

The Singapore address on the Google Play listing is actually a foreign workers’ dormitory, buildings notorious for poor living conditions and not a likely corporate HQ.

We noted the Play Store listing URL referenced cheng cheng and a search revealed third-party listings for Super VPN that still listed cheng cheng as the developer.

One of these listings led us to an old developer site, which then led us to Chinese-language pages featuring the Guangzhou address. However, we’ve decided not to dox what may be an independent developer in China given the current legal status of VPN in the country.

Privacy policy

Privacy policy notes

Note that the policy is hosted at a bare IP-address URL on the cloud service Linode, so that it is not traceable.

The policy itself is ridiculously short and dangerously vague:

We will record some usage data for handle DMCA complaint. This usage data may include such information as the date and time of your login and bandwidth your usage.

We will record your installed app information, only for handling DMCA complaints. If we receive a DCMA complaint, we will analyze installed app information of the abuser so that we can block all applications that may cause DMCA complaints.

The open-ended nature of these clauses sets off alarm bells due to the potential for abuse. In fact, the policy omits far more than it covers. We would therefore recommend against using a VPN with such a policy.

Customer support contact

Customer support response

Note the personal Gmail address, which is unheard of for professional companies.

We requested clarification on the following issues:

  • Country of incorporation
  • VPN specific privacy policies

We received no response as the email address is disabled, according to Gmail.



#VPN

Aliases

  • #VPN – Wi-Fi Hotspot Security
#VPN App Store listing screenshot

Installs

Where is it based?

California, USA

Full company details

Company Name: Apalon Apps – owned by IAC Search & Media, Inc.

Corporate Address: 555 12th Street, Suite 500, Oakland, CA 94607, United States

Company Registration No. C2163946

Who’s behind the company?

CEO: Adam Roston

Company Secretary: Adam Agensky

Notes on company structure

Apalon Apps is based in Belarus but is owned by IAC, the US giant that owns Tinder, Vimeo, Ask.com and many other brands.

This means that users of #VPN come under US jurisdiction, which is considered highly privacy-unfriendly.

Privacy policy

Privacy policy notes

The #VPN privacy policy is professionally-written and hosted. The policy itself is well-intentioned and transparent but does have flaws.

  • The policy is multi-purpose as it covers all the apps published by Apalon, so it’s not 100% clear what applies to VPN, although VPN-specific terms are clearly marked.
  • There is not enough clarity on connection metadata logging
  • They share aggregated/hashed data with advertisers
  • Apalon uses third-party VPN providers but does not identify them (i.e. they don’t have their own servers).

Despite these qualms, the policy does meet minimum requirements given its level of detail and transparency that permits users to make a reasonably-informed choice.

Customer support contact

Customer support response

We were disappointed at the lack of email support given the level of backing that the developer has. We were also greatly surprised to receive no response to our queries about their DMCA policy via the contact form.



Psiphon

Aliases

  • Psiphon Pro – The Internet Freedom VPN
Psiphon App Store listing screenshot

Installs

Where is it based?

Canada

Full company details

Company Name: Psiphon Inc.

Corporate Address: address in Toronto, Canada (redacted but available on public record)

Company Registration No. 1727343

Who’s behind the company?

President: Michael Hull (resident Canadian)

Registered address: address in Toronto, Canada (redacted but available on public record)

Notes on company structure:

Private Canadian company incorporated in February 2007.

Privacy policy

Privacy policy notes

The privacy policy is professionally-hosted and well-written in plain English with useful contextual information to help users understand the policy.

While the policy is reasonably solid overall, we did have some concerns. We were not entirely comfortable with the logging of domain names even with the measures taken to de-link this information from individuals.

Psiphon does not inspect or record full URLs (only domain names), and does not further inspect your data. Psiphon does not modify your data as it passes through the VPN.

Even this coarse data would be difficult to link back to you, since we immediately convert your IP address to geographical info and then discard the IP. Nor is any other identifying information stored.

We were also not comfortable with what appears to be a business model based on selling user behavior data – even if it is aggregated, as claimed.

We collect the following data to find out how well Psiphon is working, what sites are popular, and what propagation strategies are effective. This information is shared with our partners so that they can see, for example, how often their sites are visited through Psiphon and from which countries.

  • Number of email requests for client download link
  • Number of upgrades
  • How often each protocol is used, and error codes after failure
  • How often new servers are discovered
  • Session count and session duration
  • Total bytes transferred and bytes transferred for some specific domains
  • Client platform (simplified operating system list; e.g, not a detailed browser user agent)

Nevertheless we do give credit for transparency here as it allows users to decide whether they are happy with this aggregated data collection in return for a free product.

Customer support contact

Customer support response

We sought clarification on the following issues:

  • Whether they operated their own DNS and VPN servers
  • More information on data sharing with partners
  • DMCA notification policy

We did not receive a response by the time of publication.

Update 11/21/18: we did receive communication from Psiphon following publication, answering our questions. The responses were as follows:

  • “No we do not operate our own DNS but yes we operate our own VPN servers, and we have internal operational security and privacy policies in place, we also have 3rd party security reviews and pen-tests performed regularly to ensure that security (you can view our most recent security evaluation on our blog here).”
  • “Though we don’t consider DMCA directly applicable to Psiphon (as we are not US based and there’s no ability to directly post content on our platform), we cannot forward DMCA complaints to our users even if we did receive any, since we do not have user accounts and do not log our users’ IP addresses.”
  • Psiphon disputed that they sold aggregated user behavior data. We have requested further clarification on this issue and will update this report again as necessary.



Methodology: We recorded the top 20 free apps displayed in the search results for “VPN” in the App Store and Play Store for UK and US locales. The app stores customize their search results based on locale, meaning we could have had up to 80 apps forming four lists of 20. We excluded a very small number of paid apps that appeared in these search results, replacing them with the next app in the results.

Since there is significant overlap between these sets of search results (i.e. each app appeared between one and four times) and because we excluded paid apps, the total number of individual apps appearing in these sets of search results was 30.

We investigated the following: company ownership, country of incorporation, location of corporate HQ, privacy policies and customer support. All company information was verified via records from the appropriate official company registration databases. App install numbers are taken from Sensortower.com. Privacy policies and customer support emails were taken from links on the app store listings. We emailed customer support from our official top10vpn.com address and did not hide our true identity.

We redacted full address details of individuals in order to avoid any potential repercussions against those individuals. The full addresses are, however, contained in the supporting documentation, which is available on request.