Effective Date: April 3, 2026 | Last Updated: May 18, 2026
Terms of Service Payment & Refund Policy Warrant Canary
ip and user_agent columns from the security audit log (§3.8). Tightened audit-log retention 90 days → 7 days. Tightened per-minute VPN usage records (§3.5) 90 days → 1 day — only the day-level summaries (no server, no IP) survive longer. POST /logout now revokes the server-side session row, not just the cookie. See ADR-0011.
This Privacy Policy describes how TIDE VPN ("we," "us," or "our") collects, uses, and protects information when you use our virtual private network service ("Service"), accessible through the Telegram bot @tide_vpnbot and the website tide-vpn.com.
We built TIDE VPN on a foundational principle: your online activity is yours alone.
The VPN tunnel itself is configured so that none of the following is written to disk, sent to a third party, or otherwise persisted on our infrastructure:
| Category | Data NOT Collected |
|---|---|
| Source IP address | Your real (client-side) IP address while connected to the tunnel |
| DNS activity | DNS queries you make through the tunnel, resolved hostnames |
| Destination addresses | The remote IPs and hostnames you connect to through the VPN |
| Browsing activity | Websites visited, URLs, browser history |
| Per-connection metadata | Per-flow timestamps, individual session start/stop, per-site bandwidth |
| Traffic content | Packet payload, application-layer data, request/response bodies |
| Protocol metadata | Per-flow protocol, destination port |
| Plain-text passwords | Account passwords are stored only as bcrypt hashes |
| TLS keys | We do not retain handshake keys or session tickets after a connection ends |
warning with no per-connection or access-log target — flow-level events are never produced.info, no per-connection log target.truncate -s 0 /var/log/nginx/access.log /var/log/nginx/error.log).Even if a server were physically seized, no VPN traffic data, browsing history, or per-connection logs would be recoverable — that data is not produced. Account, billing, and audit data stored in our central PostgreSQL database (described in Section 3) would be accessible. We design Section 3 specifically so that no field in that database can reveal which sites you visited.
The following sub-sections describe every category of personal data we hold in the central PostgreSQL database that powers the Service. We aim to be exhaustive — if you find a category that is collected but not listed here, that is a documentation bug; please contact us through the channels in Section 12 and we will correct it.
We process your personal data under the following legal bases (GDPR Article 6):
| Data Category | Legal Basis |
|---|---|
| Account data | Contract performance — necessary to provide the Service |
| Web Cabinet authentication, sessions, 2FA | Contract performance and our legitimate interest in account security |
| Payment data | Legal obligation — financial record-keeping requirements |
| Credits, streaks, referrals, leaderboard | Legitimate interest — loyalty program operation |
| Aggregate VPN usage | Legitimate interest — loyalty program credits calculation |
| AI support conversations | Contract performance — providing support service |
| Email-breach (HIBP) lookups | Your consent — feature is opt-in via the Identity Guard screen |
| Audit logs of privileged actions (login, 2FA, password reset, admin actions) | Legitimate interest in fraud prevention and security incident response |
users table)| Data | Purpose | Retention |
|---|---|---|
| Telegram User ID | Authentication, unique account identifier | Active subscription + 30 days |
| Telegram username | Display name, support identification | Active subscription + 30 days |
| Telegram first name | Personalization | Active subscription + 30 days |
| Email address (optional) | Web Cabinet login, account recovery, notifications. Provided only if you choose to set up password-based login. | Active subscription + 30 days |
| Password hash (optional, bcrypt) | Web Cabinet password authentication. We never store the plain-text password. | Active subscription + 30 days |
| Email-verified flag | Account state | Active subscription + 30 days |
| Role (user / moderator / admin / owner) | Access control inside the admin Cabinet | Active subscription + 30 days |
| Two-factor (TOTP) secret & recovery codes | Optional 2FA. Stored encrypted at rest (Fernet, key derived from server secret); recovery codes are bcrypt-hashed. | Until you disable 2FA, then deleted |
Email-breach lookup cache (breach_check_at, breach_check_result) | Identity Guard feature: stores the timestamp of the last Have I Been Pwned lookup and the JSON list of breaches your email appears in (if any). Cached for 24 hours so we do not hammer the upstream API. | Cache cleared automatically 24 hours after each lookup; result re-fetched on next opt-in scan |
| Leaderboard visibility flag | Whether you opted in to appear by username on the public credits leaderboard. Default: opted-out. | Active subscription + 30 days |
Preferred UI language (ru / en) | Bot, Mini App, Web Cabinet UI language | Active subscription + 30 days |
| Account creation / last-updated timestamps | Account management | Active subscription + 30 days |
| Trial used flag | Trial eligibility tracking | Active subscription + 30 days |
| Referral code & referred-by ID | Referral program attribution | Active subscription + 30 days |
subscriptions table)| Data | Purpose | Retention |
|---|---|---|
| Plan reference, status, start & end dates | Billing period tracking, service delivery | Active subscription + 30 days |
VPN account credentials (xray_username, xray_uuid) | VPN access provisioning on the exit servers | Active subscription + 30 days |
| Subscription token | Generates the per-user subscription URL (multi-protocol config) | Active subscription + 30 days |
| Server reference | Tracks which exit cluster a user belongs to | Active subscription + 30 days |
| Auto-renew preference | Subscription management | Active subscription + 30 days |
payments and crypto_invoices tables)For Telegram Stars and TON, we record the following:
| Data | Purpose | Retention |
|---|---|---|
| Amount & currency | Billing records | 1 year |
Payment provider (stars / ton / one of the supported on-chain networks) | Transaction routing & reconciliation | 1 year |
| Payment status | Transaction verification | 1 year |
| Provider payment ID | Payment verification, dispute resolution | 1 year |
| Provider metadata (raw response from the payment processor) | Audit, dispute resolution | 1 year |
| Transaction timestamps | Financial records | 1 year |
For other on-chain payments (Bitcoin, Ethereum and other EVM chains, Tron, Solana, Litecoin, Dogecoin, Monero) processed through our self-hosted TIDE Pay gateway, we additionally store:
| Data | Purpose | Retention |
|---|---|---|
Chain identifier and the deposit address derived for your invoice (BIP44/BIP84 HD index, or Solana reference pubkey, or Monero integrated address with 8-byte payment ID) | Match incoming on-chain payment to your invoice | 1 year |
| Payment memo / reference | Match payment to invoice for chains that need a tag (TON, Solana, Monero) | 1 year |
| Transaction hash, block height, settlement timestamp | Reconciliation and dispute resolution | 1 year |
We do NOT collect: credit card numbers, debit card numbers, bank account details, billing addresses, your wallet's xpub or private keys, or your legal name.
Public-ledger note: on-chain payments are by definition publicly recorded on the respective blockchain. The deposit address you send funds to is a one-time-use address derived from our hot wallet. Anyone observing the blockchain can see the deposit, but only we know which invoice it corresponds to (via the HD index, reference key, or payment ID).
TIDE Credits is our in-product loyalty program. We track the following, linked to your Telegram User ID:
| Data | Purpose | Retention |
|---|---|---|
Credits balance and total earned (credits_balance) | Loyalty program | Active subscription + 30 days |
Credits transaction history (credits_transactions: amount, reason code, description, date) | Transparency, dispute resolution | Active subscription + 30 days |
Daily check-in / streak state (streak) | Streak feature, freeze tokens | Active subscription + 30 days |
Referral records (referrals: referrer ID, referred user, reward amount, status) | Referral attribution and reward calculation | Active subscription + 30 days |
League and leaderboard rank snapshots (leagues, leaderboard_snapshots) | Engagement features | Snapshots: 90 days. Live rank computed on demand from credits totals. |
Promo code redemption records (promo_codes, promo_usage) | Discount tracking, anti-abuse | Active subscription + 30 days |
Bot delivery state for one-time messages (one_time_messages) | Idempotency for transactional notifications | 30 days |
vpn_usage_records and vpn_usage_summaries)To power the TIDE Credits loyalty program (1 credit per active minute of VPN usage), we periodically poll VPN statistics counters and store byte-volume deltas:
| Data | Purpose | Retention |
|---|---|---|
Per-user, per-server, per-minute upload/download byte counts (vpn_usage_records) | Calculate active minutes for the credits loyalty program | 1 day — rolled into the daily summary, then deleted |
Per-user, per-day rollup of total bytes and active minutes (vpn_usage_summaries) | Daily aggregation for credits, monthly usage reports | 30 days |
Internal VPN stats cursors (xray_user_cursors) | Resume polling without double-counting | Active subscription + 30 days |
Important — what these counters do not contain: these are integer counters of total bytes per user per server per minute. They do not include destination IPs, hostnames, URLs, DNS queries, packet contents, or your real client IP. They cannot be used to reconstruct which sites you visited, what content you accessed, or where you were geographically located.
Why 1 day for the per-minute records: the per-minute table is the only place that pairs which user with which exit server at minute granularity. Even without IP or destination data, that pairing is sensitive enough to warrant the tightest retention we can run while still allowing the credits-earning cron to process recent intervals. Yesterday's per-minute rows are gone forever; only the daily totals survive.
web_sessions)If you log into the Web Cabinet at tide-vpn.com/app, we issue an httpOnly cookie containing a JWT and a server-side session row:
| Data | Purpose | Retention |
|---|---|---|
| Session ID and JWT identifier | Authenticate the cookie on subsequent requests | 30 days from last activity, or until you log out |
| Issuance / last-seen timestamps | Idle expiry, force-logout | Same as session |
| Telegram-login pairing tokens (transient) | One-time magic-link login from the bot to the Web Cabinet | 15 minutes (single-use) |
Password-reset tokens (password_reset_tokens) | Single-use password-reset magic links sent via the bot | 15 minutes (single-use) |
Cookie: We set one strictly necessary httpOnly session cookie when you log into the Web Cabinet. This cookie holds only a session identifier (a JWT reference) and is required for authentication to work. We do not set tracking, advertising, or analytics cookies anywhere on the Service.
conversations, ai_feedback)When you use our in-bot AI support feature, your questions and the AI-generated answers are stored to provide conversation context and improve response quality. The conversation is sent in real time to our AI provider (see Section 5):
| Data | Purpose | Retention |
|---|---|---|
| Support questions | AI response generation, context continuity | 30 days |
| AI responses | Conversation history | 30 days |
| Conversation status (open / escalated / closed) | Hand-off to a human moderator on escalation | 30 days |
| Optional thumbs-up/down feedback you give on a reply | Quality improvement | 30 days |
Support conversations are not used for advertising or shared with third parties beyond the AI provider needed to generate the response. You can clear your conversation history at any time via the bot's support menu.
audit_logs)For security and incident response, we keep an append-only audit trail of privileged actions: Web Cabinet logins (success and failure), 2FA setup / use / disable, password resets and changes, admin actions (broadcasts, promo creation, server CRUD, role changes, ticket assignments), and explicit device disconnects.
| Data | Purpose | Retention |
|---|---|---|
Action code (e.g. login_success, 2fa_enabled, broadcast_created) | Forensic trail | 7 days |
| Actor user ID and role | Identify who took the action | 7 days |
| Target type / target ID and a small JSON metadata blob | Identify what the action affected (e.g. which broadcast, which server) | 7 days |
| Timestamp | Forensic trail | 7 days |
We do not store IP addresses or User-Agent strings in this table. Prior versions did keep them for 90 days; that contradicted our no-logs positioning, so as of May 2026 the ip and user_agent columns were removed from the database and the remaining rows now auto-purge after 7 days. If you need to see from-where your current logins came (browser, OS, country), the per-session view in the Web Cabinet Active sessions tab covers that — those rows are tied to a session you can revoke at any time and they auto-purge when you log out.
Our backend, bot, and worker processes emit structured application logs (errors, slow queries, scheduler heartbeats, warnings) for debugging and reliability. These logs run through a PII-redaction filter that hashes Telegram IDs, redacts emails, IPs, and tokens before the log line is written. Logs are retained for 7 days on the host. They do not contain VPN traffic data.
stream). No decryption, no per-flow storage.Encryption: TLS 1.3 (X25519, AES-256-GCM / ChaCha20-Poly1305). Data at rest in our database: PostgreSQL on encrypted volumes; sensitive fields (e.g. TOTP secrets) are additionally encrypted at the application layer (Fernet, AES-128-CBC + HMAC-SHA256).
The following third parties are involved in delivering the Service. Each receives only the data strictly necessary for its function:
| Service | Role | Data Received |
|---|---|---|
| Telegram (Telegram Messenger Inc.) | Bot platform, Telegram Stars payments | Telegram User ID, bot interactions, Stars transaction confirmations. Telegram does not share your phone number or client IP with us. |
| Cloudflare | (1) CDN for the website & Mini App; (2) WARP egress for our VPN exit traffic; (3) Pages hosting for the Mini App | Standard CDN access logs (your visit IP, User-Agent) for the marketing site; encrypted traffic only for WARP egress (Cloudflare cannot decrypt the encrypted tunnel). |
| Have I Been Pwned (Troy Hunt) | Email-breach lookup (Identity Guard feature, opt-in) | SHA-1 hash of your email address only when you trigger a check (or, with our paid API key tier, the email itself over TLS). Lookups are rate-limited to once per 24 hours per user. |
| OpenRouter (and the underlying model provider, Qwen) | AI support chat | The text of your support question and the recent conversation history. Routed strictly to fulfill the support request; we do not opt the conversation into training. We do not send your account email, payment details, or VPN credentials. |
| TON, Bitcoin, Ethereum, BSC, Polygon, Arbitrum, Optimism, Base, Avalanche, Tron, Solana, Litecoin, Dogecoin, Monero networks | Public-ledger payments | The on-chain payment itself, which is by definition publicly recorded. We use public RPC providers (CoinGecko for price quotes; mempool.space / litecoinspace.org / Blockchair / TronGrid / Solana mainnet-beta / Etherscan V2 / public Monero daemon) to read confirmations. These providers see our reads, not your wallet. |
| Contabo | Server hosting (VPN exit servers, monitoring) | The hosting provider has physical access to the hardware. They do not have application-level access to data inside our processes. |
| OpenPanel (self-hosted) | Privacy-friendly product analytics | Cookieless page-view and interaction events. All data is stored exclusively on our own server infrastructure (Contabo SG VPS). No data is shared with any third party; OpenPanel is operated entirely by us. |
We do not sell, rent, or share your data with any third party for marketing or advertising.
Where a third party in the table above acts as a processor of personal data on our behalf, we operate under their published terms (which serve the Article 28 GDPR data-processing-agreement role for processors that publish standard terms covering all customers).
Transfers of personal data to Cloudflare and OpenRouter to countries outside the EEA are covered by their Standard Contractual Clauses pursuant to GDPR Article 46(2)(c).
To request deletion of your account, send a message to @tide_vpnbot. We will fulfil the request within 30 days, retaining only the records we are legally required to keep (payment records for 1 year as noted above).
GET /api/v1/users/me/export (Web Cabinet → Security → Export my data), or by messaging @tide_vpnbot. The response is JSON with every section annotated with category, purpose, and retention period — matching the Article 15 disclosure requirements. Rate-limited to 1 request per 24 hours.DELETE /api/v1/users/me or via the bot.To exercise any of these rights, contact us through any of the channels in Section 12. We will respond within 30 days. We do not currently have an appointed Data Protection Officer (we are below the GDPR Article 37 thresholds that require one); for now, the team owner acts as the privacy contact and may be reached at the channels in Section 12.
We disclose user data only when legally compelled by a binding order from a competent authority that we are legally obliged to obey. We will challenge orders that we believe to be improper.
What we could disclose if legally compelled (the categories described in Section 3 above): Telegram User ID and the existence of an account; subscription status; payment transaction IDs; the entries that exist in the security audit log (Section 3.8) within the 7-day window — note these no longer contain IPs or User-Agents. We could also disclose AI support conversations within the 30-day retention window if specifically requested, and the per-session metadata in the Web Cabinet "Active sessions" tab (the user can revoke any of those at any time).
What we cannot disclose because we never collected it: Browsing history, DNS queries, websites visited, destination IPs, packet contents, and the source IP you used while connected to the VPN tunnel are not produced or written to disk by the tunnel. No one (us, a hosting provider, or a court) can compel data that does not exist.
We maintain a Warrant Canary, updated quarterly, attesting whether we have received a National Security Letter, gag order, or other secret request.
The Service is not intended for individuals under the age of 16, as stated in our Terms of Service (Section 3). We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
Material changes will be notified through @tide_vpnbot. Continued use constitutes acceptance.
For privacy questions, GDPR rights requests, account deletion, security disclosures, or any other matter covered by this Policy, contact us through:
Telegram bot: @tide_vpnbot (Help → AI Support, then "Talk to a human" to escalate to the team)
Web Cabinet: tide-vpn.com/app (signed-in users can open a ticket from the Support page)
Website: tide-vpn.com
We aim to acknowledge privacy requests within 5 business days and to fulfill them within 30 days, in line with GDPR Article 12.
Back to TIDE VPN