Privacy Policy
Last updated 15 July 2026
Phantom VPN is built on the Sentinel decentralized network and published by Capx Ecosystem Apps FZE. This policy covers the apps for iPhone, iPad, Mac and Android, and this website. It is written to be read, not to be survived.
The short version
We never log your browsing, your DNS queries, or the content of your traffic. The encrypted tunnel runs directly between your device and an independently operated node, so your traffic never crosses our systems. It is not ours to log.
We are not going to tell you we keep nothing, because that would not be true. To run an account, meter a free tier and keep your subscription working on more than one device, we hold a small amount of operational data: your email, when you connected and disconnected, which node, and how many minutes you used. Signing in is required, so your account is not anonymous. Section 3 lists every item, with the reason we have it. If any of it bothers you, section 9 tells you how to have it erased.
What we never see
This is architecture, not a promise. It holds because of how the product is built, and it would keep holding even if we changed our minds.
- The sites you visit, the content of your traffic, and your DNS queries. The tunnel is device to node, directly. We are not in the path.
- Your private key. Your device generates a fresh Curve25519 keypair every time it connects and keeps the private half in the keychain. Only the public key is ever sent. We could not decrypt your tunnel if we were ordered to.
- Your payment details. Apple and Google process every purchase. We are told whether a subscription is active, and nothing else.
- Anything an ad network would collect. The iOS app links no third-party advertising or tracking SDKs. Ad creatives in the free tier are plain media files served by our own API, so watching one does not hand you to an ad exchange.
One honest caveat, because most VPNs bury it. While the tunnel is up, your device is pointed at Cloudflare's public resolvers, 1.1.1.1 and 1.0.0.1. We do not see those lookups, but Cloudflare handles them under Cloudflare's own privacy policy. Your DNS does not stay inside the Sentinel network, and we will not pretend otherwise.
What we collect, and why
This is the complete list. If an item is not here, we do not hold it.
| What | Why we have it |
|---|---|
| Your email address | Signing in is required, and email is the account. It is what carries your premium status and your free-minute balance to every device you sign in on. |
| Your sign-in identifiers | A Firebase user id, plus a Google or Apple subject identifier if you used those buttons. They map a returning sign-in back to your account. |
| Account timestamps | When the account was created and when it last signed in. Used for support requests and to spot a stolen account. |
| One entry per device | An install-specific token, the platform, a device name, and first and last seen times. This is the mechanism that lets one account share one balance and one subscription across your devices. |
| Connect and disconnect events | Which node you connected to, and when. Used to meter free minutes, to rank nodes by measured health, and to investigate abuse of the network. |
| Minutes used | Connection time earned and spent, and how many ad tasks you finished today. This is what enforces the free tier: 60 minutes an ad, three ads a day, 300 minutes a day. |
| Subscription status | Whether Apple or Google reports an active subscription for your account. Card numbers never reach us. We could not see them if we wanted to. |
We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We have not done either in the preceding twelve months. We run no advertising profile on you at all.
Our lawful basis
If you are in the UK or the European Economic Area, the GDPR requires us to name a legal basis for each purpose. Here they are.
| Data | Basis | Reasoning |
|---|---|---|
| Email, sign-in identifiers, device entries, session events, minutes used | Performance of a contract, GDPR Article 6(1)(b) | We cannot sign you in, meter a free tier, or keep premium working across your devices without them. |
| Abuse investigation and network security | Legitimate interests, GDPR Article 6(1)(f) | Keeping the network usable for everyone else, balanced against the fact that this data cannot reveal your browsing. |
| Billing and tax records | Legal obligation, GDPR Article 6(1)(c) | Apple and Google are the merchants of record. Where we hold a record of a purchase, we keep it because the law requires it. |
| Analytics cookies on this website | Consent, GDPR Article 6(1)(a) | Off until you press Accept, and you can take it back at any time. See the Cookie Policy. |
How long we keep it
Your account record and your session events live for as long as your account does. We have not yet set a fixed automatic expiry on connection events, and we would rather say so than print a number the code does not enforce.
When you ask us to delete your account, we delete the account record and every device entry attached to it, and the session history goes with them. Ask at privacy@phantomvpn.site and it is done inside 30 days. Where we are legally required to keep a billing or tax record, that record stays for as long as the law says, and nothing more.
Companies we rely on
A short list, which is the point. Each one gets the minimum it needs to do its job.
Apple
App Store billing, subscription status and refunds, and Sign in with Apple. Apple is the merchant of record for purchases made on iPhone, iPad and Mac.
Play billing, subscription status and refunds on Android, and Google sign-in.
Firebase Authentication (Google)
Verifies your email one-time code and issues the token the app signs in with. It holds your email and your sign-in identifiers.
Our hosting and database provider
Runs the orchestrator that finds you a node, and the Postgres database holding the account data in section 3. The orchestrator is never in your traffic path.
Cloudflare
Operates the public DNS resolvers your device is pointed at while the tunnel is up. We do not see those lookups, and neither do we control them.
Google Analytics 4
This website only, and only if you press Accept on the cookie banner. Never in the apps. Decline and it is never loaded.
Node operators are not us
This section matters more than the rest, so read it properly. The nodes you connect through are run by independent third parties. We do not own them, staff them, host them, or control them. The app finds them with a public on-chain query to sentinelhub-2. Anyone can run one, which is exactly why there is no company-owned fleet for anyone to subpoena.
The consequence is that an operator, like any internet provider standing between you and the internet, can observe the traffic that reaches it, and we cannot audit what any given operator does. They are not our subprocessors and they act on their own account, not on our instructions. Your traffic is encrypted between your device and the node, and the sites you use over HTTPS stay encrypted beyond it. But do not read "decentralized" as "nobody is at the other end". Someone is. The design ensures it is not one company with a list of every user.
Where your data goes
The account data in section 3 is processed on servers operated by our hosting provider, and by Apple, Google and Firebase, which are global companies. If you are in the UK or the EEA, this means your account data may be transferred outside your country, and we use the safeguards the law requires for those transfers, including standard contractual clauses where they apply.
Nodes are a different matter and you should understand it clearly. Choosing a country means choosing to route your traffic through an operator in that country, under that country's laws. That is the feature. You pick, every time, and the app shows you the country before you connect.
Your rights, and how to use them
Under the GDPR you can ask us to do all of the following, and under the CCPA California residents have close equivalents. We do not require a reason, and we will not treat you worse for asking.
Access
Get a copy of everything we hold about you, which is the list in section 3.
Erasure
Have your account and its history deleted. This is the one most people want, and it is one email.
Rectification
Correct anything that is wrong.
Portability
Receive your data in a machine-readable file, or have us send it somewhere else.
Objection and restriction
Object to processing we base on legitimate interests, or ask us to pause it while a dispute is settled.
Withdraw consent
Take back analytics consent whenever you like. It never affects the apps.
Email privacy@phantomvpn.site from the address on the account, which is how we know it is you, and we will answer within 30 days. There is no charge. If you think we have handled your data badly, you can complain to your national data protection authority, and you are entitled to do that without telling us first.
Children
Phantom VPN is not directed to children under 13, and we do not knowingly collect personal information from them. In parts of the EEA the relevant age is 16. If you believe a child has created an account, write to privacy@phantomvpn.site and we will delete it.
Changes to this policy
If we change what we collect, we will change this page and move the date at the top. For a change that materially affects your rights, we will tell you in the app or by email rather than hoping you re-read the page.
Contact
Privacy questions and rights requests go to privacy@phantomvpn.site. Anything else, including help with the app, goes to support@phantomvpn.site. The service is published by Capx Ecosystem Apps FZE.
Related reading: the Terms of Service and the Cookie Policy.