Skip to content

We never log your browsing. Here is what we do keep.

We never log your browsing, your DNS queries, or the content of your traffic. That sentence is true because the tunnel runs directly between your device and an independent node, so none of it reaches us. Everything else we hold is listed below with a reason next to it. There is no second page where the real answer is.

What do we actually store?

Six things. A VPN that genuinely kept nothing could not sign you in, could not stop one account from farming the free tier forever, and could not route you away from a broken node. So instead of claiming zero, here is the list.

Every category of data Phantom VPN retains, the reason for it, and how long it is kept
What we keepWhy we keep itHow long
The email on your accountTo sign you in, and to restore your premium on a new device. Signing in is required, so there is no version of this we can skip.While the account exists
Last login timeTo tell an active account from a dormant one, and to spot an account being passed around.While the account exists
Connect and disconnect eventsTo meter the free tier honestly and to catch abuse of it. An account that never disconnects is not a person.While the account exists
Which node you used, and whenTo measure node health. This is what lets Phantom rank by latency and route you around an operator whose box is failing.While the account exists
Minutes usedTo meter free time against the 60 minutes per ad and the 300 minute daily cap. Premium accounts are not metered.While the account exists
Subscription stateTo know whether you are premium on any device you sign in on. Premium is account-wide, so it has to live on the account.While the account exists

We do not publish a fixed retention window in days, so we are not going to invent one here. Operational records are tied to the life of your account. To ask what we hold on yours, or to have it removed, email privacy@phantomvpn.site.

Why can you promise you never see my browsing?

Because of where we are standing, not because of a policy we wrote. The tunnel is device to node. Our orchestrator finds you a node and then steps out of the way. Data we never receive is not data we can promise to delete, leak, or be compelled to produce.

The sites you visit

Your traffic goes directly from your device to the node. It never enters our systems, so there is nothing for us to record even if we were asked to.

Your DNS queries

They travel inside the tunnel and are resolved by Cloudflare, not by us. We are not on that path.

The content of your traffic

Encrypted with a key we have never held. The private half never leaves your keychain.

Anything from an ad or tracking SDK

The iOS app ships with no third-party ad or tracking SDKs in it.

What should worry you about this?

Three things, and you will not find them in the footer. You will find them here, in the same size type as everything else.

Your account is not anonymous

Signing in is required. Email one-time code, Google, or Apple. We store the email and the last login, which means your usage of Phantom is tied to an identifier you handed us.

That is a genuine privacy cost and we are not going to dress it up. It buys you a premium subscription that follows you to every device and a free tier that cannot be farmed into the ground. If you need a VPN with no account at all, we are not it.

Your DNS goes to Cloudflare

The tunnel pushes Cloudflare resolvers, 1.1.1.1 and 1.0.0.1. Your queries travel inside the tunnel and are answered by Cloudflare.

We never see them, and that is the honest limit of what we can tell you. We will not claim your DNS stays inside the decentralized network, because it does not. Cloudflare is a third party operating under their own policy, and you should read it rather than take ours as cover.

Strangers run the nodes

Node operators are independent third parties. We do not own them, employ them, or approve them. Sentinel is permissionless, so anyone can run one.

A node is an exit point and sees traffic leaving it, exactly as a centralized VPN server does. HTTPS still protects the contents from the operator. The trade is deliberate: no single company sees every user, and no operator sees more than the session it carried.

What could you be forced to hand over?

The inventory above, and nothing beyond it. Not because we would refuse, but because the rest was never ours to hold. Policies change when a company is under pressure. Architecture does not.

We could not produce

  • Your browsing history. It never reaches us.
  • Your DNS queries. They are answered inside the tunnel.
  • Your traffic content. We have never held the key.
  • Your private key. It has never left your keychain.
  • A server fleet. We do not own a single node.

We could produce

  • The email on the account, and the last login.
  • Connect and disconnect events.
  • Which node was used, and when.
  • Minutes used, and subscription state.

That is the same list as the table. It does not get longer for anyone.

Everyone says "no logs."
Here is our actual list.

A VPN that kept literally nothing could not bill you or stop abuse. So rather than say "zero logs" and hope you don't check, here is precisely what we cannot see and precisely what we hold. There is no third column.

What we never see

  • The sites you visit

    Your traffic never enters our systems, so there is nothing for us to record.

  • Your DNS queries

    Resolved inside the tunnel, between your device and the node.

  • The content you send

    Encrypted end to end with a key we have never held.

The tunnel runs directly between your device and an independent node. We are not in the path.

What we do keep, and why

  • Connect and disconnect events

    To bill fairly and to catch abuse of the free tier.

  • Which node, and when

    To measure node health so we can route you around bad ones.

  • Minutes used

    To meter free time. Premium accounts are not metered.

  • The email on your account

    To sign you in and restore your purchase on a new device.

That is the whole list. No asterisks.

Read how we handle your data

If it is free, am I the product?

No, you are the audience for an ad. Watch one of at least 30 seconds and you earn 60 minutes of connection time, up to three ads a day, capped at 300 minutes. New accounts start at zero. Time is metered per minute on the server, which is why connect and disconnect events are in the list above.

The iOS app ships with no third-party ad or tracking SDKs in it. Your browsing is not funding this, because your browsing never reaches us to be sold. Premium removes the ads and the clock.

The trade, stated plainly

  • You give us an email address, because login is required.
  • We meter your minutes, so the free tier survives.
  • We never receive your traffic, so it cannot be part of the deal.
  • Premium is account-wide, on every device you sign in on.
See the plans

Privacy questions, answered straight

Does Phantom VPN keep logs?

We never log your browsing, your DNS queries, or the content of your traffic. The encrypted tunnel runs directly between your device and an independent node, so it never passes through our systems. We do keep operational data: connect and disconnect events, which node and when, minutes used, and the email on your account. We will not write "no logs", because any service with an account system keeps something and the phrase is false.

Is my Phantom VPN account anonymous?

No. Signing in is required, by email one-time code, Google, or Apple, and we store your email address and last login. Your account is tied to an identifier you gave us. If you need a VPN that works with no account at all, that is a real requirement and Phantom does not meet it.

Which DNS servers does the tunnel use?

The tunnel pushes Cloudflare resolvers, 1.1.1.1 and 1.0.0.1. Your queries travel inside the WireGuard tunnel to the node and are then resolved by Cloudflare. We never see them, but we will not claim your DNS stays inside the decentralized network, because it does not. Cloudflare is a third party and their handling is governed by their policy, not ours.

Can a node operator see my traffic?

A node is an exit point, so it forwards your traffic to the internet exactly as any VPN server does. It can see that traffic leaves it, and where to. It cannot read anything already encrypted, which for most browsing means HTTPS is still protecting the contents from the operator. Nodes are independent third parties we do not own or vet, so this is the trade the decentralized model makes: no single company sees everyone, and no operator sees more than the session they carried.

What could you hand over if you were subpoenaed?

Only what is in the inventory on this page: an email, a last login, connect and disconnect events, which node and when, minutes used, and subscription state. We could not hand over browsing history or DNS queries because we are not in the traffic path and never receive them. We could not hand over your keys because the private key never leaves your device. There is also no server fleet of ours to seize, since we do not own any nodes.

Who runs the nodes I connect to?

Independent third-party operators. We do not own, rent or run any of them, and we do not choose who is allowed to join, because Sentinel is permissionless. Phantom discovers them with a public on-chain query to sentinelhub-2, then ranks them by measured latency before connecting you.

How do I find out what you hold on my account?

Email privacy@phantomvpn.site. The list on this page is the whole inventory, so there will be no surprises in the answer, but you are entitled to ask and to ask us to remove it.

A privacy page you can check.

Read how the connection is built, then run it and watch it do exactly that.