Skip to content

Privacy Policy

Last updated: 2026-05-19

This page describes what data Sham VPN collects, how it is stored, what we share with third parties, and how you can exercise control over it. Plain language; nothing about our internal practice differs from what is written here.

In one paragraph

We log the total bytes each subscription transfers (for billing on capped plans), the email and Telegram identifier you sign up with, your subscription expiry date, and operator actions on your account (for audit). We do not log the websites you visit, the DNS queries you make, the contents of your traffic, or the destinations you connect to through the tunnel. The VPN daemons that carry your traffic are configured with logging set to error-only.

What we collect

Account identity

  • Email address — only if you signed up with email, or if you later added one to a Telegram-only account.
  • Telegram user ID and @-handle — only if you signed up with Telegram, or linked one to receive notifications.
  • A display name, if you provided one.
  • An optional phone number, if you provided one.
  • The language preference and country code you chose during signup.
  • Three independent opt-in flags: marketing emails, security alerts, billing reminders.

Authentication state

  • A salted, hashed password if you signed up with email. We never store the password itself.
  • Identity provider records for Google and Telegram OAuth: the provider account ID, the verified-email signal Google sends, and a small profile snapshot (display name, profile picture URL).
  • Last login timestamp and the IDs of your active sessions.

Subscription data

  • Plan name, price, currency, payment method.
  • Start date, expiry date, and status (active / expired / cancelled / paused).
  • Cumulative bytes transferred on the active subscription — provided by the VPN panel so we can enforce traffic caps on capped plans and surface usage on your account page.
  • Per-subscription technical settings: traffic cap, device limit, server allocation.

Payment records

  • Order amount, currency, and reference code.
  • For ShamCash transfers: the sender name and the last four digits of the sending account, as you supply them on the checkout form, so the operator can verify the deposit against the bank statement.
  • For crypto transfers: the transaction hash you supply.
  • We do not accept card payments; there are no card numbers in our system.

Operational metadata

  • IP addresses used for rate limiting on signup, login, password reset, OAuth callback, and the support form. These counters live in the website process's memory and reset on every deploy or container restart.
  • User-agent string captured on sensitive actions (signup, login, password change, deletion request).
  • An audit log of operator-driven actions — issuing trials, marking orders paid, sending notifications, changing integration settings — for security review.

What we do NOT collect

  • Websites you visit, DNS queries you make, IPs you connect to through the tunnel.
  • Contents of any traffic, in any form, encrypted or not.
  • Real-time connection logs (the precise start/stop times of individual tunnels).
  • Behavioural tracking pixels, marketing analytics, or fingerprinting beacons.

Where the data lives

The website, panel, and customer database run on infrastructure we operate. The VPN daemons that carry your traffic run on dedicated VPS instances we rent in Singapore, Germany, Finland, and the United States. Each daemon is configured for the minimum logging the upstream software supports.

Encrypted database backups are taken regularly and retained for thirty days, for disaster recovery only.

Third parties that touch your data

We use the smallest set of third-party services we can. Each one only sees the slice of data it actually needs.

  • Cloudflare — DNS, CDN, and DDoS protection for shamvpn.org and the subscription-fetch endpoint. Cloudflare sees the IP from which you load our website, the time, and the path you requested. It does not see VPN traffic; that flows directly to the exit node and never through Cloudflare.
  • Marzneshin — Open-source VPN management software we run on our own servers. No external party is involved.
  • SMTP email provider — Sends the verification, password-reset, plan-activation, expiry, and trial-reminder emails. The provider sees the recipient address and the message body.
  • Telegram — When you sign in with Telegram or link Telegram for notifications, our bot exchanges messages with you on Telegram's infrastructure, under Telegram's own privacy policy.
  • Google — When you sign in with Google, Google sees that you intended to authenticate with Sham VPN. We receive your verified email, your profile name, your profile picture URL, and your Google account ID; nothing else.
  • VPS providers (region-dependent: Hetzner, Linode, Digital Ocean, AWS, OVH) — Host the VPN nodes. They see the encrypted tunnel traffic and the IP addresses that connect to it; they cannot see what is inside the tunnel.

We do not sell or rent your data to anyone. We do not share it with third parties for advertising or analytics.

How long we keep it

  • Account data — until you delete the account. After you request deletion, the row is marked and removed within thirty days. If you have an active paid subscription at deletion time, please reach out so we can also clean up the Marzneshin panel side.
  • Subscription billing records — retained for the duration legally required for accounting. Personal identifiers (email, name) can be unlinked on request, leaving anonymous totals.
  • Audit log — ninety days, then auto-purged by the scheduler.
  • Rate-limit counters — live in process memory; reset on every deploy, so typically less than a few days old.
  • Backups — thirty days, encrypted at rest, then deleted.

Your rights

You can:

  • See and edit your profile and consent flags from your account page.
  • Request account deletion from your account page; we process the request within thirty days.
  • Unsubscribe from marketing emails at any time via the consent toggle, or by emailing support.
  • Ask us a question about your data by emailing [email protected] or messaging the support Telegram bot from your account page.

If you are in the EU or UK, you also have the rights granted under GDPR / UK-GDPR: access, rectification, erasure, portability, restriction, and objection. We do not charge a fee for any of these requests.

Cookies

We use one cookie: a session cookie that keeps you signed in to your account. No behavioural tracking, no analytics cookie, no marketing pixel. The first-visit cookie banner exists to inform you of the session cookie and link to this policy; once you dismiss it, that choice lives in your browser's local storage, not on our servers.

Children

Sham VPN is not for use by anyone under sixteen. We do not knowingly collect data from anyone under that age. If you believe a child has signed up, contact support and we will delete the account.

Lawful requests from authorities

We will respond to lawful legal process directed at us in our operating jurisdiction. Because we deliberately do not log VPN traffic contents, destinations, or DNS queries, there is little we can produce even when compelled — most requests of that kind will get a response that the data does not exist.

We do not operate a back-door or give-on-demand pipeline with any party.

Changes to this policy

When we change this policy, we update the "Last updated" date at the top of this page. Material changes are also sent to you by email and Telegram, on the channels you have linked. The previous version is available on request.

Contact

Privacy questions: [email protected] or the support Telegram bot from your account page.