VPN Proxy Master & Turbo VPN
Developer: ALL Connected Co., Ltd
VPN Proxy Master:
How we share information… Aggregate Information. Where legally permissible, we may use and share information about users with our partners in aggregated or de-identified form that can’t reasonably be used to identify you.
Third-Party Partners. We also share information about users with third-party partners in order to receive additional publicly available information about you.
Guideline 5.4 is very clear that no data sharing is permissible, which renders this policy non-compliant.
[Update 13 June] We received a polite email from the developer’s lawyers that was at pains to emphasise that as they do not collect any senstive data in the first place, they are unable to share anything.
They also stated that they “never share any information about users with third-party beyond the Privacy Policies, APPLE Guidelines, US laws related to personal data protection or GDPR.”
They went on to say, “For the avoidance to doubt, the statement cited in your email has been deleted from the latest Privacy Policies.”
To clarify, what has been removed is the clause above beginning “Third-Party Partners”. The other clause remains in place.
While the data being shared may well be not personally-identifiable, given Apple’s guidelines clearly state that VPN apps may not share any data whatsoever then these apps appear to remain non-compliant.
Hotspot Shield Free, Betternet, TouchVPN, Hexatech
Developer: AnchorFree, Inc.
The privacy policies for Hotspot Shield, Betternet and TouchVPN are hosted individually but are substantively the same. Hexatech directs users to the Betternet policy and does not have its own individual policy.
The following clause that appears in all these privacy policies, with the relevant name of the app referenced, is clearly in breach of Guideline 5.4.
We may share your general (city level) location. Additionally, advertisers may be able to collect certain information independently from you or your device when serving ads from the Hotspot Shield application, including your device’s advertising ID, IMEI, MAC address, and wireless carrier.
Arguably the additional clause below might avoid being in non-compliance as third parties collect the data directly rather than it being provided to them. We would argue it’s certainly against the spirit of the guidelines and not privacy-friendly.
Our service providers may collect IP addresses for marketing attribution purposes.
Overall, AnchorFree products do have comprehensively transparent privacy policies. This makes it possible at least to make an informed decision about the privacy trade-off required for access to a high-quality free service even if that service is more aggressively monetized than we are generally comfortable with.
UPDATE: AnchorFree responded and rather than provide any explanation of the targeted advertising in their apps, instead stated that we were “misinterpreting Apple guidelines” and that Apple didn’t really mean the ban literally. This was a very disappointing response compared to previous efforts to be transparent.
VPN – Super Unlimited Proxy & VPN – Unlimited Best VPN Proxy
Developer: Mobile Jump
VPN – Super Unlimited Proxy:
VPN – Unlimited Best VPN Proxy:
The following clause appears to breach Guideline 5.4 prohibition on sharing any data at all with third parties:
We may share your data with other MobileJump’s affiliate companies in or outside Europe. We may also share your data with third parties, to help manage our business and deliver services.
However, there remain a number of privacy issues and question marks regarding this policy in addition to its compliance or otherwise with the new Apple guidelines. There are also unanswered questions about the company being based in mainland China despite the strict VPN ban in that country.
Mobile Jump neither responded to our communication of our findings nor updated their policies.
Developer: Free Connected Ltd
Note that there do remain potential red flags however due to the Chinese ownership of the company (registered in Hong Kong but with owners based in mainland China) and lack of corporate transparency.
VPN 360 – Unlimited VPN Proxy
However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
We would also highlight the following:
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.
Given that the policy is hosted on a free WordPress domain and has not been updated since 2017 despite the app’s enduring popularity, we do not feel the VPN provider has done enough to earn the degree of trust required to take this policy at face value.
This harsh assessment is compounded by the fact the developer has quietly changed its name on the App Store from Infinity Software Co., Limited to TouchVPN.
Of course, it may be coincidence that this new name featured in a prominent position on its App Store listing is the same as that of a more established and trusted product.
This second policy has the same text as the main policy linked to from the App Store listing but this time is hosted on a customer support platform domain (Zendesk) and was created more recently, as it was last updated at the end of 2018.
TouchVPN / Infinity Software neither responded to our communication of our findings nor updated their policies.
VPN Proxy Vault – Unlimited VPN
Developer: Appsverse Inc.
Secured VPN Pro
Developer: Contrast Media Inc
When you visit the mobile application, we may use GPS technology (or other similar technology) to determine your current location in order to determine the city you are located within and display a location map with relevant advertisements. If you are subscribed to the use of the Premium package, then no single piece of information will be shared with advertisers.
There are further apparent breaches as specified in the following:
We may disclose User provided and Automatically Collected Information: …. With our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.
Aside from the above issues of non-compliance, this policy – which is hosted on a public Google Doc – raises a number of privacy red flags. It not only logs user browsing data, which is severely anti-privacy, but also has an unreasonably long data retention policy. This is an app to absolutely avoid and it should not be available for download in our view.
Contrast Media Inc neither responded to our communication of our findings nor updated their policies.
VPN 24: Hotspot VPN for iPhone
Developer: 24apps GmbH
There are two aspects of this policy in conflict with Guideline 5.4:
The first appears clear cut in that it explicitly states that user data is shared with third parties involved in “marketing [and] advertising” and other companies that share the developer’s parent company.
… the main sharing of users’ information is with service providers and partners who assist us in operating the services, with other IAC Group companies …
With our service providers and partners. We use third parties to help us operate and improve our services. These third parties assist us with various tasks, including data hosting and maintenance, analytics, marketing, advertising and security operations. We follow a strict vetting process prior to engaging any service provider or working with any partner.
With other IAC Group companies …
The second potentially-infringing area relates to personalized ads. It is possible that this does not breach the guidelines on a technicality, ie by virtue of the fact that the third-parties collect the user data directly from within the app itself via embedded ad tech, but it certainly contradicts the spirit of the new rules.
It should be noted though that this a very comprehensive and transparent policy, which is commendable as it allows potential users to make more of an informed choice about their privacy.
24apps GmbH neither responded to our communication of our findings nor updated their policies.
Free VPN by FreeVPN.org
FreeVPN.org may state that they don’t “sell trade, or otherwise transfer to outside parties your personally identifiable information” but the following practices relating to advertising would appear to fall foul of the new rules.
Our apps may include third-party advertising networks. These networks determine independently how to use your information, so review their linked privacy policies to learn more.
However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
The policy overall is sorely lacking in detail about VPN-specific privacy matters, such as any sort of logging or data retention policies and should not be considered acceptable for a VPN app.
FreeVPN.org neither responded to our communication of our findings nor updated their policies.
Developer: Sentry Secure Communication
There are outstanding questions to answer, however, from our earlier investigation due to the highly opaque nature of this VPN provider that we revealed to be secretly owned by Tengzhan Hongkong Limited (騰展香港有限公司). This is a company registered in Hong Kong whose sole shareholder is based on the Chinese mainland, where VPNs are strictly banned.
Developer: Psiphon, Inc.
While Psiphon should be commended for its professionalism and transparency, Guideline 5.4 does not make allowances based on the granularity of data shared with third parties.
The following is therefore in apparent breach of the rules:
When sharing with third parties, Psiphon only ever provides coarse, aggregate domain-bytes statistics. We never share per-session information or any other possibly-identifying information.
This sharing is typically done with services or organizations we collaborate with — as we did with DW a few years ago. These statistics help us and them answer questions like, “how many bytes were transferred through Psiphon for DW.com to all users in Iran in April?”
Again, we specifically do not give detailed or potentially user-identifying information to partners or any other third parties.
While part of our prior investigation, there are no significant red flags outstanding for Psiphon.
Psiphon, Inc. neither responded to our communication of our findings nor updated their policies.
TunnelBear VPN & WiFi Proxy
Developer: TunnelBear, LLC
Developer: Apalon Apps
#VPN appears to contravene Guideline 5.4 through its sharing of location data with third parties for advertising.
When we collect your precise geolocation data (subject to your consent) (which may be via the device’s cellular, Wi-Fi, Global Positioning System (GPS) networks and/or Bluetooth information), we do so to provide you with our location-related products and services, for example to provide you with forecast and weather alerts for your location, and also to facilitate, measure, or otherwise support advertising by third parties (through our apps or third parties’ apps) that may be related to your location over time.
Apalon Apps neither responded to our communication of our findings nor updated their policies.
VPN for iPhone
Developer: Brain Craft Ltd
Compare the original policy with the updated version and the difference is so stark that it’s hard to take seriously the developer’s claims that they had already changed the policy before we contacted them. The updated date on the new policy being one day later than the date of our email also suggests otherwise.
The original policy was barely 250 words and lacked any substantive detail to back up its claims of not sharing data. For this reason we deemed it non-compliant despite there being no admission of data-sharing, simply due to a lack of any explanation of how their business practices enabled them to make such a claim.
The new policy may be a big improvement on what it has replaced and as such, does now appear compliant with Guideline 5.4.
However the policy is still much shorter than best practice examples and continues to make data privacy claims that need better substantiation before we could recommend this app in good conscience.
HOTSPOT VPN: Unlimited HotSpot
Developer: HotSpot VPN Ltd
Hotspot VPN may disclose automatically collected and other aggregate non-Personal Information with interested third parties to assist such parties in understanding the usage, viewing, and demographic patterns for certain programs, content, services, advertisements, promotions, and/or functionality on the Service.
The developer grants itself significant leeway not just in terms of with whom it can share user data but also for what purpose. The terms “usage” and “viewing” really stand out as providing scope for logging browser activity, which is highly concerning and a clear infringement of the new rules.
“As described in our Terms, however, we may not provide a virtual IP Address for every web site you may visit and third-party web sites may receive your original IP address when you are visiting those web sites.”
HOTSPOT VPN Ltd neither responded to our communication of our findings nor updated their policies.