1. Who We Are
WhiteOut ("we," "us," "our") operates the WhiteOut VPN application, WhiteOut Security browser extension, WhiteOut mobile application, and the website at whiteoutvpn.com. This policy describes how we handle personal data across all of these services.
2. What We Do Not Collect
When you use the WhiteOut VPN service, we do not collect, store, or log any of the following:
- Your browsing history or the websites you visit
- Your DNS queries
- The content of your network traffic
- Your originating IP address after the VPN session ends
- Your search queries
The WhiteOut Security browser extension runs entirely in your browser. All threat detection, phishing analysis, and security scanning happen locally on your device. We do not receive telemetry, analytics, or any data about the websites you visit or the content you interact with.
3. What We Collect
3.1 Account Information
When you create an account through Google, Discord, or Telegram, we receive and store:
- Your email address
- Your display name
- Your profile picture URL (if provided)
We use this information solely to identify your account and communicate with you about your subscription. We do not access your contacts, messages, calendar, or any other data from the sign-in provider.
3.2 Payment Information
We support two payment paths. We never hold your card data and we never custody your crypto funds.
Card payments are processed by Stripe. We never see, store, or have access to your full card number, bank account details, or other payment credentials. We receive only a transaction identifier and basic card metadata (last four digits, expiration) for your reference. See Stripe's Privacy Policy for how they handle your payment data.
Crypto payments for the VPN tiers are processed by the SafeConnect Router, an on-chain smart contract that handles the wallet interaction on your device. We never request a wallet signature directly, never custody user funds, never sign transactions on your behalf, and never see your private keys. SafeConnect connects to your wallet, you approve the payment in your wallet, and the SafeConnect Router routes the payment on-chain directly from your wallet to our receiving address. SafeConnect then notifies us by webhook when the on-chain payment is confirmed. We receive the wallet address that paid, the chain it was on, the amount, and the transaction hash, all of which are already public on the blockchain. See SafeConnect's privacy policy at safeconnect.cc/privacy.
3.3 VPN Connection Data
When you connect to a WhiteOut VPN server, we record:
- A connection timestamp and server location
- Aggregate bandwidth usage per billing period
Connection records for completed sessions are automatically purged within 24 hours. Aggregate bandwidth data is retained for billing and fair-use purposes. We do not log which websites you visit, what you download, or the content of your traffic.
3.4 Breach Monitoring
If you use the password breach check feature, your password is never sent to any server. We use a privacy-preserving lookup technique that prevents both our server and the upstream breach database from learning your password.
If you use the email breach check, your email address is sent to our server (authenticated with your session), which proxies the request to the breach database on your behalf so your IP address stays hidden. Your email is not stored permanently.
3.5 Threat Intelligence
The extension periodically downloads updated threat data from our server. This is a one-way download. We do not receive any information about which threats are detected on your device or which URLs you visit.
4. How We Use Your Data
- To provide, maintain, and improve the WhiteOut services
- To process your subscription payments
- To prevent abuse of our infrastructure
- To send you critical service notifications (outages, security incidents, subscription changes)
- To respond to support requests you initiate
We do not use your data for advertising, profiling, or behavioral targeting. We do not sell, rent, or share your personal data with third parties for their marketing purposes.
5. Ghost Tier Privacy
The Ghost VPN tier provides additional privacy protections beyond our standard no-logs policy. Cryptographic credentials are generated fresh for every session and destroyed on disconnect. Traffic is routed through multiple jurisdictions with randomized server selection. No persistent VPN identity exists on any server between sessions.
6. Third-Party Services
- Stripe -- card payment processing
- SafeConnect Router -- on-chain crypto payment processing for VPN tiers
- Google, Discord, Telegram -- account sign-in (OAuth)
- Cloudflare -- DNS, edge caching, and DDoS protection for our website
- Have I Been Pwned (HIBP) -- breach lookup, queried only with k-anonymous hash prefixes so they never see your password or full email
We do not use any analytics, tracking, or advertising services on our website or in our applications.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- VPN connection records: Completed session records purged within 24 hours. Aggregate bandwidth retained per billing period.
- Payment records: Retained as required by applicable tax and accounting laws.
- Support correspondence: Retained for 90 days after case closure, then permanently deleted.
8. Data Storage and Security
Your account data is stored on servers in Switzerland. VPN infrastructure is located in Switzerland, Germany, and Finland. All data at rest and in transit is protected with industry-standard encryption. Our VPN tunnels use modern, independently audited cryptographic protocols.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your account and all associated data
- Export your data in a portable format
- Object to or restrict processing of your data
- Withdraw consent for optional processing
To exercise any of these rights, email [email protected]. We will respond within 30 days.
If you are in the European Economic Area, you have the right to lodge a complaint with your local data protection authority. For users in California, we do not sell personal information.
10. Children
WhiteOut services are not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If we learn that we have, we will delete it promptly.
11. Infrastructure Transparency
WhiteOut operates an automated server integrity monitoring system. Our VPN servers publish a cryptographically signed heartbeat at regular intervals confirming that no unauthorized access has occurred. An independent external watchdog monitors these heartbeats and posts public alerts if anything goes wrong. This system runs independently of our control so that users are notified automatically if a server is compromised or seized.
12. Changes to This Policy
We will notify you of material changes to this policy via email and/or in-app notification at least 14 days before the changes take effect.
13. Contact
For privacy-related questions or requests:
- Email: [email protected]
- Support: [email protected]