Over the past 7 years, more than 25 million people have connected to TunnelBear. By design, we don’t know much about who these people are or how they’ve used our service. We’ve done this on purpose, as we see it as crucial to operating a VPN service.

TunnelBear has always been committed to protecting our customers from being tracked online. In practice, not being tracked means not keeping a record of when people connect to the service, how they’re using it and where they’re using it from. We believe VPN best practices involve not storing key pieces of data like: IP addresses, DNS queries, and any type of web traffic running through our network. In the VPN space, this is commonly referred to as having “No Logs.”

feature_no_logging@2x

However, there is a difference between operating a company with “No Logs” versus not knowing anything about your customers. We spend a lot of time talking about customer privacy, and we remain committed to “No Logs” at TunnelBear. Part of our philosophy is to be very clear that there is some information that we need to store in order to run our business, like an email address and your payment history. The data that we do store for functions like paying for TunnelBear and providing our free service are well documented in our Privacy Policy.

TunnelBear’s acquisition by McAfee LLC

As you may have read, TunnelBear was acquired by McAfee in April 2018, and over the last six months, we have been busy working to transition TunnelBear Inc. to TunnelBear LLC. As TunnelBear Inc., our company was a Canadian-owned business based in Toronto. As TunnelBear LLC, we are now part of a security company based in the United States, but our offices are still located in Toronto.

Some customers have asked how this change in ownership affects the way we handle the little Personal Data we collect, and especially how we interact with law enforcement now that we’re part of a company based in the United States. Today, we’d like to share how we approach data requests now that we’re part of McAfee. Hopefully you’ll see from our experience in the past six months, that not much has changed at TunnelBear.

TunnelBear’s approach to Law Enforcement and Governmental Authority Requests

When TunnelBear receives a request from governmental authorities, law enforcement agencies or in connection with a legal proceeding, the request is reviewed by our legal counsel to verify that the request is valid and to determine the appropriate nature and scope of our response.

As TunnelBear has grown from 0 to 25 million users, the number of legal or governmental authority requests we’ve received has been small but is rising. While the rate of requests we’ve received has not changed considerably since becoming part of McAfee, we do expect to see the number of requests continue to rise as our service grows.

In each of the requests that we’ve received since our acquisition by McAfee, our process for validating the request has been the same. The results of our process can be seen in the table below:

April 1 - Sept 30, 2018 Requests received Confirmed an individual has an account Usage data provided
TunnelBear 4 1 0

There’s a limited set of circumstances where TunnelBear may be able to confirm that an individual has an account. For example, if TunnelBear is presented with an email address, we may be required to confirm that an individual has an account. Confirming that an account exists does not result in any usage information being disclosed, because the data we collect does not contain information such as your IP addresses, DNS queries, the time you used TunnelBear or any type of web traffic that can identify you on our network.

At TunnelBear, we believe that the best way to protect our customer’s privacy is simply to not store data that puts your privacy at risk. You can see the exact data that we might be required to provide in a request response by downloading a copy of your data from TunnelBear’s privacy center.

Earning trust with consistent transparency

Global data privacy and access laws are changing how world governments control and share data. With many existing laws and new laws still being shaped and written, it falls on data controllers, like TunnelBear, to scrutinize applicable laws and inform our customers about how we comply.

Protecting our customer’s privacy and data continue to be top priorities at TunnelBear. We hope that by transparently communicating our data policies and minimizing the amount of operational data we require to run our service, you feel confident in TunnelBear’s privacy practices.

If you have any comments, questions or concerns, we want to hear from you. Our friendly Support Bears are always happy to help.

Sincerely rawrs,
the TunnelBear Team