BMT-VPN — Privacy Policy

Effective: TBD (the date this is first published at https://bmtvpn.online/privacy) Last updated: 2026-06-01

This is the source text. It is deployed as a static HTML page on Cloudflare Pages at bmtvpn.online/privacy. Update this file, push, the page redeploys.

Who we are

BMT-VPN is operated by Pavel BMT (Israel). Contact: support@bmtvpn.online.

We provide a virtual private network service for iOS devices.

What this policy covers

This policy explains, in plain language, every piece of information we collect, why we collect it, how long we keep it, and what you can do about it.

We have written this to be honest, not to be impressive. If anything below is unclear, email us.

The short version

Account: when you sign in (Apple, Google, or email), we store your email address and which provider you used. That's it. No name, photo, phone, or location.
VPN traffic: not logged. We don't know what websites you visit.
Abuse log: when you connect, we store a salted hash of your account identifier together with the endpoint, for 24 hours, then delete it.
Devices: we store one record per device on your account (label, last-seen date). Up to 5 devices per account.

That's the entire policy. The rest of this page is detail.

1. What we collect inside the iOS app

To create or use your account, we collect through Firebase Authentication:

Your email address (or Apple's private-relay address, if you choose "Hide my email").
The identity provider you used (Apple, Google, or email/password).

That's the entire account record. We do not collect your name, photo, phone number, or any other profile field from Apple or Google.

The app stores locally on your device (in iOS Keychain, never sent to us):

A device identifier (UUID) we issue you on first launch, used to manage the 5-devices-per-account limit.
The VPN configuration the server returns when you connect.

The app does not contain analytics SDKs, crash reporters, or any third-party telemetry.

When the app talks to our backend, it sends only:

Your Firebase ID token (over TLS), to prove you are signed in.
Your device identifier (over TLS), to identify which device is requesting a config.
A request for a fresh VPN configuration (over TLS).

We do not collect your IP address on these calls beyond what is incidentally visible to the cloud provider hosting our API (Google / Firebase). We do not log it.

2. What we collect about your VPN traffic

Nothing.

Specifically, we do not log:

The websites or services you visit.
DNS queries.
Source IP addresses.
Destination IP addresses.
Byte counts.
Session start or end times.

The VPN servers do not write traffic logs. The system logs on the servers are limited to one day of operational events (e.g., "wireguard service started") and contain no per-user information.

The only record we keep about VPN usage is the "abuse log" described in §3.

3. Our 24-hour abuse log

When you successfully connect to a VPN endpoint, we write a single row to a private collection that contains:

A salted hash of your account identifier. The salt rotates daily, so the same account produces a different hash each day.
The endpoint identifier you connected to (e.g., us-east-nyc3).
The timestamp of the connection request.

This row exists so that we can detect abuse (e.g., a single account being used to mass-connect from many IPs in a short window).

The row is irreversibly deleted after 24 hours by an automated process. We cannot recover it after that, even if subpoenaed.

We never see your IP address in this log. We never see your email in this log.

4. Devices on your account

For each device you sign in on, we store:

A label (default "iPhone" — you can rename it in Settings).
The date the device was added.
The date the device last connected.
The most recent VPN endpoint that device used.

You can remove any device from your account at any time in Settings → Devices. Removing a device cuts off its VPN access on the next connect. We keep up to 5 devices per account.

5. What Apple and Google see (sign-in)

When you sign in with Apple or Google, the sign-in process happens between you and that provider. We receive only what the provider sends back to Firebase Authentication — at minimum, an email address and a provider user ID.

Apple's "Hide my email" feature is fully supported. If you use it, we never see your real address — only an anonymous @privaterelay.appleid.com forwarding address.

Apple and Google have their own privacy practices, governed by their own policies:

We have no control over what either provider does with information about your sign-in attempts.

6. What Apple and the App Store see

The iOS app is distributed through the Apple App Store. Apple collects standard download and crash data per Apple's policies, independent of us.

We do not have any access to App Store user identities or analytics beyond aggregate download counts.

7. Payments

The current version of BMT-VPN is free to use for anyone who can sign in. We do not collect any payment information.

A future version may add paid subscriptions via Apple's In-App Purchase. When that happens, this policy will be updated to describe what Apple shares with us about your subscription (typically: subscription status only, no card data).

8. Cookies and trackers on the website

The bmtvpn.online website is a single static page. It uses no cookies, no analytics, no third-party scripts.

9. Who has access to your data

Inside our team, access to the database is limited to operators in our admin allowlist. As of the effective date, the allowlist contains one person: Pavel BMT.

Every administrative action (looking up a user, blocking an account, revoking a device) is recorded in an internal audit log retained indefinitely. The audit log captures who did what, not the contents of your data.

10. Where your data is stored

VPN servers: DigitalOcean datacenters in New York City (USA) and Frankfurt (Germany).
Account records and audit log: Google Cloud Firestore in the United States.
Sign-in itself: handled by Firebase Authentication (Google Cloud).

Google and DigitalOcean are independent processors. They have their own privacy practices, which we do not control.

11. Your rights

Regardless of where you live, you can:

Ask what we have on you. Email support@bmtvpn.online. We will tell you everything within 30 days.
Ask us to delete your account. Email support@bmtvpn.online. We will delete your account record, devices, and any audit-log entries that refer to your uid within 30 days. This is irreversible.
Stop using the service. Sign out and uninstall the app. Without signing in we cannot identify you.

If you are in the European Union, the United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA. Email us and we will honor them.

12. Legal requests

If a government or law enforcement agency sends us a request for data about a specific user, we will:

Verify the request is lawful in the jurisdiction it comes from.
Provide only what we actually have. In most cases, that means: an email address and a list of devices — see §1 and §4.
We do not have your browsing history, source IP, or destination IPs to provide — see §2.
Notify the affected user, where the law allows.

If we are ever served with a request that compels us to silently undermine the service or our users, we will instead shut the service down and announce the shutdown publicly. This sentence is a "warrant canary." Its presence in this policy means no such request has been received as of the effective date.

13. Children

This service is not directed at children under 13. We do not knowingly collect data from anyone under 13.

14. Changes to this policy

We will update this page when something changes. Material changes will also be announced in-app on the first sign-in after the update.

Previous versions are kept in the project's public changelog at https://github.com/[TBD].

Plain-English summary of how to reach us: email support@bmtvpn.online. We answer within 48 hours on business days.