If you’ve been following TunnelBear’s exploits for any length of time now, you’ll know that we’ve built our reputation on trust and transparency. We want people to have a clear understanding of what TunnelBear is, how we protect your information, and what rights you have to the small amount of information you share with us.
For those of you who are new to TunnelBear, here’s a quick recap of how we approach transparency and view data minimization:
- Don’t collect data
- If we absolutely have to collect data, collect the minimum amount possible to accomplish the task that needs it
- If data is collected, communicate it clearly to customers so they can understand how we operate our service. Even when it’s awkward.
No logging policy
Once more for the people in the back, TunnelBear DOES NOT KEEP LOGS. Put simply, our strict no logging policy means that when you use the TunnelBear service:
- We don’t know who you are.
- We don’t know where you connect from.
- We don’t know what you do while you use TunnelBear.
- We can’t give any information related to the above three points to anyone.
When you sign up for a paid subscription, we require an email address, a credit card number, and the last name on the credit card. We keep that information on file so we know the status of your account and whether or not payments are current.
The only other information we keep is operational data that we use for marketing, like how our website performs, or how many people click through an ad and become paying customers. We also use operational data for network performance analytics, like how fast connections are made to servers in different countries, or how fast data moves through the network. Network performance data only shows us how our systems are running; it doesn’t show any individual’s connection data.
How we collect data, and what we do with it
First off, TunnelBear only makes money off of subscriptions. We don’t have resale side deals. We don’t sell user data. We only make money when you pay for a Bear to tunnel you around the world.
We take data protection and minimization seriously, and one of the ways we do that is to only store personal data for the length of time that we need it. The GDPR requires us to delete any personally identifying data once we no longer have a purpose for it. Account data, for example, is used for fraud prevention and detection. If you opt out of auto-renewal, and your subscription expires, we delete your information 30 days after expiry because we no longer have a need for it.
We also collect some data, through our website, for marketing purposes. This data is anonymized, but it does contain things like a visitor’s regional data (at the city level) that help us understand where people see our ads, how they interact with them, and whether or not they’ve decided to purchase TunnelBear after seeing or hearing an ad.
TunnelBear’s approach to government authority requests
You may have heard of the “Five Eyes Network”. If you haven’t, the short version is that it’s a group of countries (US, Canada, UK, Australia, New Zealand) that share government intelligence information. Why are we bringing this up? Well, there’s a lot of confusion (mostly intentional) about what a VPN in a Five Eyes country is legally obligated to do if authorities request information from them. This is the reason we publish a transparency report: to let people know how many times we’ve been asked for information, what information authorities have asked for, and whether we’ve shared anything.
We can't share what we don't have
Since TunnelBear is located in Canada, we have to obey Canadian data laws. If we receive a subpoena, we’re obligated to respond and cooperate to the best of our ability. However, that doesn’t mean we can create information that we don’t have. Remember the first part of this report? The one where we say, “Don’t collect data”? It’s been our experience that we can't share what we don't have.
The TunnelBear service was designed to require as little personal information as possible to run. If a subpoena shows up asking for things like when a specific customer logged into a specific server from a specific place, we can’t help because we don’t have any of that information. And we never will.
How many requests did TunnelBear receive in 2020?
Updated for 2020
| Period | Requests received | Confirmed an individual has an account | Usage data provided |
|---|---|---|---|
| Jan 1, 2020 - June 30, 2020 | 12 | 0 | 0 |
| July 1, 2020 - December 31, 2020 | 10 | 1 | 0 |
There’s a limited set of circumstances where TunnelBear may be able to confirm that an individual has an account. For example, if TunnelBear is presented with an email address, we may be required to confirm whether or not an account with that email address exists.
However, confirming that an account exists does not result in any usage information being disclosed, because the data we collect:
- Does not contain IP addresses
- Does not contain DNS queries
- Does not contain the time you used TunnelBear
- Does not contain any type of web traffic that can identify you on our network
See you in 2022
One of the changes we made this year was to wait until the calendar year was over to make sure we account for the entire previous year's worth of requests. This will be an ongoing change, so look out for our 2021 report in early 2022.
Thanks for tuning in to this year’s transparency report. If you have any comments, questions, or concerns, please reach out to our friendly Support Bears.
TunnelBear is a very simple virtual private network (VPN) that allows users to browse the web privately and securely. It secures browsing from hackers, ISPs, and anyone that is monitoring the network. TunnelBear believes you should have access to an open and uncensored internet, wherever you are.