No legalese designed to obscure. If you need a lawyer to understand our logging policy, we wrote it wrong. This is the plain English version — and it's the only version.
We do not log what you do online. We don't record the websites you visit, the content of your traffic, your DNS queries, your search terms, or anything you download or upload. That information never touches our systems.
We do log a small amount of connection data — session timestamps, bandwidth totals, and your source IP at connection time. We keep your IP for 30 days for abuse response, then it's permanently and automatically purged. We log this because running a network responsibly requires it, and we'd rather tell you that plainly than hide it in a "zero logs" claim that isn't true.
We are US-based. We operate under US law. That means certain legal obligations exist. We don't pretend they don't. What we can tell you is that we log the minimum required — nothing more — and we've built our systems to purge data automatically on schedule.
| Data type | Details & reason | Logged? |
|---|---|---|
| Websites you visit | We do not monitor, record, or inspect your browsing destinations. Your traffic is encrypted end-to-end and we do not attempt to read it. | Never |
| Traffic content | The content of everything you send and receive is encrypted. We cannot read it and we do not try. | Never |
| DNS queries | Your DNS queries route through our servers. We resolve them and discard them. They are not stored or analysed. | Never |
| Search terms | Not logged, not stored, not our business. | Never |
| Downloads & uploads | We track total bandwidth per session (see below) but not what was transferred, where it came from, or where it went. | Never |
| Connection timestamps | Session start and end times. Required for abuse response and legal compliance. Retained 90 days then purged. | Yes · 90 days |
| Bandwidth per session | Total data transferred during a session — not broken down by destination or application. Used for infrastructure management and fair-use enforcement only. | Yes · 90 days |
| Source IP at connection | Your IP address at the time you connect. Held for 30 days to support abuse investigation, then permanently and automatically purged. Not linked to your browsing activity. | 30 days only |
| Abuse flags | If a session triggers our spam or fraud detection systems, the event is flagged. The content of the session is never logged — only the fact that a flag was raised. | Event only |
| Account email | Required for account management, renewal reminders, and support. Stored for the life of your account. Deleted within 30 days of account closure on request. | Yes · account life |
| Payment records | Transaction records retained for accounting and legal compliance. Full card details are never stored by us — processed by Stripe. Crypto payments are not linked to account identity. | Yes · 7 years |
SecureTunnel is operated by Sterling Security Research, Inc., a North Dakota S-Corporation. Ben and Shawn are the named operators. There is no parent company, no holding group, and no offshore entity behind this.
Being US-based means we are subject to US law, including valid legal process. We cannot ignore a lawfully issued court order. What we can do is log as little as possible, so that if we ever receive such an order, there is very little to hand over.
We will notify affected users of any legal request for their data to the maximum extent the law allows. If we are prohibited from doing so, we will update our warrant canary.
A VPN that incorporates in the British Virgin Islands or Panama to "avoid" legal obligations isn't actually protecting you. It's protecting itself from you. The same lack of oversight that shields them from US law shields them from any obligation to you as a customer.
Offshore jurisdiction doesn't mean they log nothing. It means there's no mechanism to verify what they log, no recourse if they lie, and no legal protection if they sell your data.
We'd rather be in a jurisdiction you can hold us accountable in than in one that makes accountability impossible for everyone, including you.
Third-party audits are the only meaningful way to verify logging claims. We commit to pursuing one as the business scales and to publishing the results whatever they say — including findings we don't like. An audit that only gets published when it's flattering isn't an audit — it's marketing.
Until that audit is complete, we ask you to verify what you can: our WHOIS record, our publicly stated ownership, our warrant canary, and this policy. Then make your own call.
Verify our ownership in 30 seconds. SecureTunnel.com has been in continuous ownership since 2002, never transferred. The WHOIS record is publicly accessible at lookup.icann.org. We actively invite you to check — it's auditable proof of who we are that money can't fake and competitors can't replicate.
Verify at ICANN →