VPN privacy policies decoded: AirVPN
This post is part of a series reviewing the privacy policies of popular VPN services. The aim is to find out whether the VPN takes customer privacy seriously. This is not intended as a review of a VPN service, which would need to take into account a number of other factors. For more privacy guides and our criteria for reviewing them, click here.
EDIT AirVPN has disputed some of this review. You can read our responses at the end of the post
Out of the three VPN privacy policies we’ve looked at so far in this series AirVPN takes the most sensible and privacy-orientated approach to its customer’s data. But while AirVPN seems to take user privacy seriously, it is let down by some vague language.
Here’s what AirVPN says about the data it logs:
“Air servers and software procedures acquire only personal data which are strictly necessary for the technical functioning of the service, for example IP address. These data are not collected to identify, through elaboration or any other technique, users’ personal identities. These data are not transmitted to third parties. “
We’re lacking specifics here. In particular, AirVPN does not say how the IP address is stored and if it is anonymised. The policy continues:
“Data transmission is performed between Air servers network exclusively in order to erogate efficiently the AirVPN service. Data are deleted as soon as they are no more necessary for such purposes.”
Also, as the above quote shows, AirVPN’s policy uses somewhat broken English (what does “erogate” mean exactly in this context?). Any legally binding policy needs to be clearly written and easily understood. In this respect, AirVPN is lacking.
EDIT : AirVPN’s rebuttal and our response
We wrote: “AirVPN is VPN service started by a “small group of activists” in 2010 and is based in the Netherlands.” However, AirVPN is in fact based in Italy. This is our oversight and has been corrected. We apologise to AirVPN for this error.
AirVPN writes: “These data are not collected to identify, through elaboration or any other technique” has an unequivocal legal meaning in the EU. It means that personal data, including IP addresses (regardless of the debate whether an IP address is a personal data or not), are not collected at all and in any way. Therefore not only we legally state that they are not stored when a client accesses a VPN service, but we also say that they are not even sent to third-parties WHILE a client is connected to a VPN server, which is a higher privacy condition. It seems, to say the least, bizarre that a higher privacy protection policy is interpreted as a lower one.
AirVPN is somewhat missing the point of these reviews, as stated in our guidelines. The vast majority of people reading such privacy policies do not have a grasp of the legal intricacies and directives being mentioned, and that this has led to false expectations around VPN services. We believe it’s the VPN’s job to state clearly and in plain English what their practices are. The main point of this review wasn’t to say AirVPN is guilty of logging data, but that its policy is not clear enough in this regard. The point still stands.
IVPN: “Data transmission is performed between Air servers network exclusively in order to erogate efficiently the AirVPN service. Data are deleted as soon as they are no more necessary for such purposes.”
AirVPN writes: Once again, the sentence has a very precise legal meaning in the EU. The service is erogated when a client is connected, therefore when a client is disconnected the service is not erogated, ergo when a client disconnects those data are no more on the servers and the data retention period is, in the worst case, the timeout period (up to 60 seconds), in the best case 0 seconds.
Same point as above.
IVPN “AirVPN doesn’t mention anything regarding cookies, affiliates and ad data.”
False. The Privacy Notice states, since three years ago:
Yes, this was a mistake by us. We’ve made the correction and offer our apologies to AirVPN.
IVPN: AirVPN also doesn’t mention how it responds to DMCA notices
That’s true and IT MUST BE SO. We will never mention how we “respond” to laws that are outside our jurisdiction and that are therefore inapplicable, simply because we are not forced to and we MUST NOT comply (and of course we must not even “respond”) to such laws. An USA Act “has jurisdiction” on the USA. We are not subject to every single law existing in the world and we will NEVER mention them as if we recognized their validity. Doing so would imply an utter incompetence on the legal field. Ironically, we would like to ask to IVPN staff why they do not state in their policy how they “respond” to every single law in the world which makes VPN business illegal.
DMCA notices are an issue that’s very important to individuals looking for a VPN service and those concerned with online freedoms. Acknowledging that DCMA notices exist, and are an issue customers want to know our stance on, is hardly legal incompetence. It’s about giving your users relevant information to help them make an informed decision about your service.
IVPN: AirVPN’s policy uses somewhat broken English (what does “erogate” mean exactly in this context?).
We recommend IVPN people to open a dictionary, for example the Webster dictionary, and search for “erogate”, which means “give, lay out, provide, deal out”.
“Erogate” is not a term that’s commonly used in English. There’s a dozen other words or phrases that could have been used that are better understood by the majority of people. One of the main criteria in our reviews is using plain English.