Privacy Policy
This policy explains what data ProofKit processes when you use the marketplace, what we deliberately do not collect, who we share data with, and the rights you have. ProofKit is an open, pseudonymously operated decentralized VPN marketplace.
01 /What we do not collect
ProofKit is built so the parts that matter most for a VPN are simply not recorded:
- No IP logging. The coordinator does not capture or store your IP address. (An administrative audit-log field exists for account events, but it is never populated from web requests.)
- No browsing logs. We do not record the websites you visit or inspect your traffic. Your destinations stay inside the encrypted VLESS tunnel.
- No identity sharing with operators. The operators who route your traffic never receive your email, wallet, or account identity.
02 /What we collect
We process the minimum needed to run a paid, non-custodial marketplace:
- Account data: email, optional display name, password hash (bcrypt), your TON wallet address, Telegram ID (only if you link Telegram), and a TOTP secret (only if you enable authenticator-app 2FA).
- Connection metadata: an anonymized session identifier, tunnel UUID, per-session bandwidth counters (bytes up/down), session start/end times, the route node IDs used, protocol, and a price snapshot.
- Payment data: a TON ledger of deposits, withdrawals, charges, and earnings, with optional blockchain transaction hashes.
- Referral data: your referral code and, if you signed up via one, who referred you.
- Administrative audit log: account actions (register, login, settings changes, 2FA toggles) with timestamps — without client IP addresses.
- Temporary email codes: 6-digit verification, password-reset, and 2FA codes that expire in 5–15 minutes.
03 /How we use it
We use this data to authenticate you, deliver and meter the VPN service, bill pay-per-GB usage, settle operator payouts, prevent fraud and abuse, and send transactional emails you have asked for. With your consent, we also use Google Analytics to understand traffic — see the Cookie Policy.
04 /Legal bases (GDPR/UK GDPR)
Where the GDPR applies, we rely on: performance of a contract (creating your account, providing and billing the service), legitimate interests (security, fraud prevention, keeping the network healthy), and consent (analytics cookies and optional notifications, which you can withdraw at any time).
05 /Who we share data with
We do not sell your data. We share only what each service needs:
- Brevo (email delivery) — your email address and verification/reset codes, to send transactional messages.
- Telegram — your Telegram ID and codes, if you authenticate or get notifications via Telegram.
- TON blockchain & RPC — your TON address, amounts, and transaction hashes. On-chain data is public and pseudonymous.
- Cloudflare — sits in front of the site for DDoS protection and may process request metadata (including IP) under its own policy. ProofKit does not store this.
- Google Analytics — only if you accept analytics in the cookie banner.
- Node operators — an anonymized session email (e.g. [email protected]), tunnel UUID, and bandwidth counters. Never your real email, wallet, referral data, or identity.
06 /What operators can and cannot see
Operators provision your tunnel using an anonymized session email and a tunnel UUID only. Your real identity stays with the coordinator. Exit-node operators can see the traffic they route — as with any VPN — but cannot tie it to your account.
07 /Cookies and analytics
The site uses essential first-party storage (login token, wallet session, UI preferences) that requires no consent, plus optional Google Analytics that loads only after you opt in. Full details and controls are in the Cookie Policy.
08 /Data retention
Account data is kept while your account exists. Financial ledger records are retained for billing, dispute resolution, and any applicable accounting obligations. Temporary email codes expire within minutes. We are transparent that expired records are not yet automatically purged from storage.
09 /Your rights
Subject to applicable law you may request access to, correction of, deletion of, or a copy of your personal data, and you may object to or restrict certain processing and withdraw consent. Self-serve account deletion is not yet available — email [email protected] and we will delete your personal data (email, name, TON address, 2FA secrets, Telegram link), retaining only financial records required for legal or billing purposes and deleting those after the retention window.
10 /Security
We hash passwords with bcrypt, support TOTP and Telegram two-factor authentication, isolate the TON signing key on a separate server, and verify bandwidth with cryptographic proofs. No method of transmission or storage is ever 100% secure.
11 /International use
Operators and infrastructure are global. When you choose a route, your traffic exits from the operator's country. On-chain payments are processed on the public TON network.
12 /Children
ProofKit is not directed to children under 16 (or the age of digital consent in your country). Do not use the service if you are under that age.
13 /Changes to this policy
We may update this policy; the “Last updated” date above will change. Material changes will be highlighted on the site.
14 /Contact
Questions or data requests: [email protected] or our Telegram bot. See also the Imprint.