Privacy Policy
Last updated: February 2026
1. Introduction
VoltaServices Limited, trading as VoltaVPN, provides virtual private network (“VPN”) services designed to protect your online privacy, secure your internet connection, and allow you to browse the internet with confidence. We are committed to safeguarding your personal data and being transparent about how we collect, use, and protect it.
This Privacy Policy explains what information we collect when you visit our website, create an account, subscribe to our services, or communicate with us. It also describes how we use that information, the legal bases for processing it, your rights under the UK General Data Protection Regulation (“UK GDPR”) as implemented by the Data Protection Act 2018, and how you can exercise those rights.
This policy applies to all users of the VoltaVPN website, applications, and services (collectively, the “Service”). By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
| | |
|---|---|
| Company Name | VoltaServices Limited, trading as VoltaVPN |
| Registered In | England and Wales |
| Company Number | 16178827 |
| ICO Registration Number | ZB874097 |
| Privacy Enquiries | privacy@voltaservices.uk |
| Data Protection Officer | dpo@voltaservices.uk |
Our Data Protection Officer (DPO) can be contacted at dpo@voltaservices.uk for any questions or concerns regarding the processing of your personal data or this Privacy Policy.
3. What Information We Collect
We collect the minimum amount of information necessary to deliver the Service, process payments, and comply with our legal obligations. Below, we describe each category of data and what it includes.
3.1 Account Data
When you create a VoltaVPN account, we collect:
- Email address — used as your account identifier and for service communications.
- Display name — a user-chosen alias displayed within the Service.
- Password — stored only as a securely salted cryptographic hash. We never store your plaintext password.
3.2 Payment Data
Payment processing is handled by our third-party payment processor, Stripe, Inc. When you subscribe to a paid plan, Stripe collects and processes your payment card details directly. We do not receive, store, or have access to your full card number, CVV, or other sensitive payment credentials. We retain only:
- The last four digits of your payment card (for display purposes).
- Card brand and expiry date.
- Stripe customer and subscription identifiers.
- Billing history, including transaction amounts, dates, and invoice references.
Stripe’s handling of your payment data is governed by the Stripe Privacy Policy. Stripe is certified to PCI DSS Level 1, the highest level of certification in the payments industry.
3.3 VPN Connection Data
We operate a strict no-logs policy with respect to your VPN activity. We do not log your browsing history, traffic content, DNS queries, or the IP addresses assigned to you by our VPN servers.
To maintain service quality and enforce fair usage under our subscription plans, we collect the following minimal connection data:
- Connection timestamps — the time at which a VPN session begins and ends. These are held in volatile memory only and are automatically and permanently deleted within 15 minutes of session termination. They are never written to persistent storage.
- Aggregate bandwidth usage — the total volume of data transferred during a billing period, recorded per account (not per session). This is used solely for enforcing plan-based bandwidth allowances and generating billing summaries.
At no point do we associate your VPN connection with the content of your traffic, the websites you visit, or your source IP address.
3.4 Device and Technical Data
When you interact with our website or applications, we may automatically collect limited technical information to diagnose problems and improve the Service:
- Browser type and version.
- Operating system and version.
- Device type (desktop, mobile, tablet).
- Screen resolution and language preference.
- Referring URL and pages visited on our website (not while connected to the VPN).
This data is collected through standard web technologies and our analytics tools. It is not linked to your VPN activity and is used solely for troubleshooting and service improvement.
3.5 Support Communications
When you contact our support team, we collect:
- Your email address and any information you provide in the email body.
- Live chat transcripts, if applicable.
- Diagnostic information you voluntarily share to help resolve your enquiry.
We retain support communications to improve service quality, train our team, and maintain records in case of disputes.
3.6 Website Analytics
We use analytics tools to understand how visitors interact with our website. This data is collected in an anonymised or pseudonymised form and includes:
- Pages visited and time spent on each page.
- Click patterns and navigation flows.
- Approximate geographic location (country/region level only, derived from truncated IP addresses).
- Referral sources (how you arrived at our website).
Analytics data does not identify you personally and is used exclusively to improve the website experience. See Section 10 for more information on cookies.
4. Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out each category of data, the purpose of processing, and the corresponding lawful basis under Article 6(1) of the UK GDPR.
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| Account data (email, display name, password hash) | Account creation, authentication, and service delivery | Art. 6(1)(b) — Performance of a contract |
| Payment data (Stripe references, billing history) | Processing subscriptions and payments | Art. 6(1)(b) — Performance of a contract |
| Payment records (transaction history, invoices) | Compliance with HMRC tax and accounting obligations | Art. 6(1)(c) — Legal obligation |
| VPN connection timestamps | Service operation and abuse prevention (held for max. 15 minutes) | Art. 6(1)(f) — Legitimate interest |
| Aggregate bandwidth usage | Fair usage enforcement and billing | Art. 6(1)(b) — Performance of a contract |
| Device and technical data | Troubleshooting, service improvement, and security | Art. 6(1)(f) — Legitimate interest |
| Support communications | Responding to enquiries and improving support quality | Art. 6(1)(b) — Performance of a contract |
| Website analytics (anonymised) | Understanding website usage and improving user experience | Art. 6(1)(a) — Consent |
| Marketing communications | Service updates and promotional materials (where opted in) | Art. 6(1)(a) — Consent |
Where we rely on legitimate interest as a lawful basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request further information about these assessments by contacting our DPO.
5. What We Do NOT Collect
Transparency is a core value at VoltaVPN. We want to be unambiguous about the data we never collect, store, or monitor:
- Browsing history or traffic content — we do not inspect, log, or store the content of your internet traffic at any time while you are connected to VoltaVPN.
- DNS queries — we operate our own DNS resolvers and do not log the domain names you resolve through our service.
- VPN-assigned IP addresses after session termination — once your VPN session ends, no record of the IP address assigned to you is retained.
- Connection timestamps beyond 15 minutes — session timing data is held exclusively in volatile memory and is permanently erased within 15 minutes of disconnection.
- Traffic metadata — we do not log packet sizes, connection durations tied to specific destinations, protocol information, or any other metadata that could be used to reconstruct your browsing activity.
- Your source IP address — we do not log the IP address from which you connect to our VPN servers.
Our no-logs commitment means that even if compelled by legal process, we are unable to provide data that we do not possess. We have designed our systems and infrastructure to make it technically impossible to associate any individual user with specific network activity.
6. How We Use Your Information
We process your personal data for the following specific purposes:
- Providing the Service — creating and managing your account, authenticating your sessions, and delivering VPN connectivity.
- Processing payments — managing subscriptions, processing transactions through Stripe, and generating invoices.
- Customer support — responding to your enquiries, resolving technical issues, and providing account assistance.
- Service improvement — analysing aggregated, anonymised data to identify performance bottlenecks, improve server infrastructure, and enhance the user experience.
- Security and abuse prevention — detecting and preventing fraudulent activity, enforcing our Terms of Service, and protecting the integrity of our network.
- Legal compliance — fulfilling our obligations under applicable laws, including tax and accounting requirements imposed by HMRC.
- Communications — sending transactional emails (password resets, billing confirmations, service notifications) and, where you have opted in, marketing communications about new features or promotions.
We do not sell, rent, or trade your personal data to any third party for advertising or marketing purposes. We do not use your personal data for automated profiling or decision-making that produces legal effects concerning you.
7. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods for each category of data are set out below.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of active subscription + 2 years | Contract performance and limitation period for claims |
| Payment records and invoices | 7 years from date of transaction | HMRC tax and accounting obligations |
| VPN connection timestamps | Maximum 15 minutes | Held in volatile memory only; never persisted to disk |
| Aggregate bandwidth usage | Duration of active subscription + 90 days | Billing reconciliation and dispute resolution |
| Support communications | 3 years from last interaction | Service quality and dispute resolution |
| Device and technical data | 12 months | Troubleshooting and service improvement |
| Website analytics | 26 months | Trend analysis and website optimisation |
| Marketing consent records | Duration of consent + 3 years | Demonstrating valid consent under UK GDPR |
When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised. Where data has been anonymised such that it can no longer identify an individual, it may be retained indefinitely for statistical purposes.
8. International Data Transfers
VoltaVPN is a UK-based service, and your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA). Our primary infrastructure is hosted with Hetzner Online GmbH in Germany.
Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements. These safeguards include:
- UK adequacy decisions — we may transfer data to countries that the UK Secretary of State has determined provide an adequate level of data protection.
- International Data Transfer Agreement (IDTA) — where no adequacy decision exists, we rely on the UK’s International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum, as approved by the ICO.
- Supplementary measures — where required, we implement additional technical and organisational safeguards (such as encryption) following Transfer Impact Assessments.
You may request further information about the specific safeguards applied to international transfers of your data by contacting our DPO at dpo@voltaservices.uk.
9. Third-Party Data Processors
We engage a limited number of carefully selected third-party service providers to help us deliver the Service. Each processor operates under a written data processing agreement that complies with Article 28 of the UK GDPR and is contractually obligated to process your data only on our instructions and in accordance with this Privacy Policy.
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment card details, billing information, transaction records | United States (with EU/UK SCCs) |
| Hetzner Online GmbH | Infrastructure hosting | All service data (encrypted at rest) | Germany (EU) |
| SMTP / Email service provider | Transactional and service emails | Email addresses, message content | EU / UK |
| Analytics provider | Website analytics | Anonymised usage data, truncated IP addresses | EU / UK |
We do not share your personal data with any third parties for their own independent marketing or advertising purposes. We may disclose your data to law enforcement or regulatory authorities only where we are legally compelled to do so by a valid court order or statutory obligation. Given our no-logs policy, the data available for disclosure is extremely limited.
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to provide essential functionality and, with your consent, to analyse website usage. A cookie is a small text file placed on your device by a website you visit.
10.1 Essential Cookies
These cookies are strictly necessary for the operation of our website and cannot be disabled. They include:
- Session cookies — used to maintain your authenticated session and protect against cross-site request forgery (CSRF).
- Cookie consent preferences — used to remember your cookie choices.
- Security cookies — used for rate limiting and abuse prevention.
Lawful basis: Art. 6(1)(f) — Legitimate interest. These cookies are essential for the secure operation of the Service and are exempt from consent requirements under the Privacy and Electronic Communications Regulations 2003 (PECR).
10.2 Analytics Cookies
With your explicit consent, we use analytics cookies to understand how visitors interact with our website. These cookies collect information in an anonymised form and do not directly identify you.
Lawful basis: Art. 6(1)(a) — Consent. You may withdraw your consent at any time through your browser settings or our cookie preferences panel.
10.3 Your Cookie Choices
You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling essential cookies may impair the functionality of the Service. You can also manage your cookie preferences at any time via the cookie banner displayed on our website.
11. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exemptions or limitations.
You have the right to obtain confirmation as to whether your personal data is being processed and, where that is the case, to request a copy of the data along with supplementary information about how it is processed. We will respond to your request within one month.
You have the right to request the correction of inaccurate personal data and, taking into account the purposes of the processing, to have incomplete data completed.
You have the right to request the deletion of your personal data where, among other grounds, it is no longer necessary for the purposes for which it was collected, you withdraw consent, or the data has been unlawfully processed. Certain data may be retained where required by law (e.g., financial records for HMRC).
You have the right to request the restriction of processing of your personal data in certain circumstances, such as where you contest its accuracy or object to its processing.
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
You have the right to object to processing based on legitimate interest or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. VoltaVPN does not currently engage in solely automated decision-making of this nature.
Where we process your data based on consent (e.g., analytics cookies, marketing emails), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
If you believe that our processing of your personal data infringes upon your rights, you have the right to lodge a complaint with the supervisory authority. Our supervisory authority is:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
To exercise any of these rights, please contact us at privacy@voltaservices.uk or dpo@voltaservices.uk. We will respond to all legitimate requests within one month. In exceptional circumstances, where requests are particularly complex or numerous, this period may be extended by up to two further months, and we will inform you of any such extension within the initial one-month period.
We may request proof of identity before processing your request to ensure we are disclosing data to the correct individual. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
12. Children’s Privacy
The VoltaVPN Service is not intended for, and is not directed at, individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete that information promptly.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@voltaservices.uk so that we can take appropriate action.
13. Security Measures
We take the security of your personal data seriously and have implemented robust technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption in transit — all communications between your device and our servers are encrypted using TLS 1.2 or higher. VPN tunnels use WireGuard (ChaCha20, Curve25519) or OpenVPN (AES-256-GCM) with perfect forward secrecy.
- Encryption at rest — all stored data, including databases and backups, is encrypted at rest using AES-256 encryption.
- Key management — VPN cryptographic keys are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before storage. Key material is isolated and access-controlled.
- HMAC authentication — server-to-server communications are authenticated using HMAC signatures to prevent tampering and ensure message integrity.
- Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
- Password security — user passwords are hashed using industry-standard algorithms with unique salts. Plaintext passwords are never stored.
- Infrastructure security — our servers run hardened operating systems with regular security updates. Network access is restricted through firewall rules and intrusion detection systems.
While we strive to protect your personal data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining appropriate safeguards in line with industry best practices and regulatory requirements.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the “Last updated” date at the top of this page.
- Notify registered users by email of any material changes at least 14 days before they take effect.
- Where required by law, obtain your consent before implementing changes that materially affect how we process your personal data.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after changes become effective constitutes your acknowledgement of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please do not hesitate to contact us using the details below.
| | |
|---|---|
| General Privacy Enquiries | privacy@voltaservices.uk |
| Data Protection Officer | dpo@voltaservices.uk |
| Company | VoltaServices Limited (trading as VoltaVPN) |
| Registered In | England and Wales |
| Company Number | 16178827 |
| ICO Registration Number | ZB874097 |
Supervisory Authority
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
This Privacy Policy constitutes part of the contractual arrangement between you and VoltaServices Limited. It should be read in conjunction with our Terms of Service.