Service is in closed beta testing. Full availability will be announced soon.

EN RU

Transparency & Law-Enforcement Policy

Last updated: 17 Oct 2025
Operator: GLITCH LABS LLC
Governing law & venue: jurisdiction where GLITCH LABS LLC is registered
Legal contact: [email protected]
Postal/legal service address: disclosed upon request


This page explains what data exists at Glitch VPN, how long it lives, what we can or cannot disclose, and how competent authorities may contact us. It complements our Privacy Policy and Terms of Usage.


1) No activity-logs — what that means

We operate the VPN service with no activity-logs. We do not persist logs that would allow us to attribute network activity to an account or device. Specifically, we do not retain:

  • traffic contents (payloads) or destinations (remote IPs/ports);
  • DNS queries resolved through the Service;
  • original/end-user IP addresses;
  • connection start/stop timestamps or session duration history;
  • per-account bandwidth histories or usage records stored beyond the session;
  • persistent identifiers that link an account to specific sessions.

Operational protections rely on ephemeral, in-memory counters/state that exist only while a session is active; once a VPN session ends, this state is discarded.

Consequence: we typically cannot identify which account accessed a given destination or performed a given network action through the VPN.

2) Data inventory (what exists)

We design for data minimization. We store only the minimum data necessary to operate subscriptions, device management, and support.

  • Account identifier: user_code (random 16-character code).
    Retention: up to 1 year from the last successful authorization, but not deleted while paid time is active; deleted thereafter.

  • Devices: device_id, os, device_type (mobile/desktop/browser).
    Retention & deletion: retained while linked; deleted upon device sign out or removal by the primary device.

  • Session ephemera: server_client_id (exists only while connected).
    Deletion: ephemeral; destroyed when the session disconnects.

  • Messaging-platform identifier: Telegram user ID (stored as is), used to manage subscriptions and support (including deletion of sensitive bot messages).
    Deletion: deleted as soon as the user signs out from the Telegram bot or when no longer necessary for subscription/support.

We do not collect names, emails, passwords, or payment card details.
Payments are handled by third-party payment providers/platforms which may change over time; provider-side data is processed under their own terms and policies.

3) What we can and cannot disclose

We cannot provide:

  • traffic contents or destinations, DNS queries, original IPs;
  • connection timestamps, session durations, bandwidth histories;
  • per-session logs linking specific accounts/devices to specific activity.

We may be able to confirm (case-by-case, if still present):

  • whether a user_code exists/was active within the retention window;
  • device entries currently linked to an account (or confirm none, if already signed out);
  • whether a messaging-platform identifier was linked (and if/when it was unlinked);
  • high-level subscription status (active/expired) without payment instrument details.

4) How competent authorities should contact us

  • Scope: We respond only to properly served, valid legal requests addressed to GLITCH LABS LLC under applicable law and jurisdiction.
  • Service: Email [email protected] to initiate contact. We will provide instructions for proper service to our registered agent or postal/legal address (email alone may not constitute valid service unless permitted by law and confirmed by us).
  • Format: Include legal authority, case number, issuing entity, and precise scope. If you are seeking account-level information, include the user_code and (if applicable) the Telegram user ID you believe is relevant.
  • Notice to users: Where legally permitted and operationally feasible, we will attempt to notify the user before or after disclosure (timing subject to legal constraints). Notification may occur via Telegram if the identifier is currently linked; otherwise notification may not be possible.

We do not accept informal or extrajurisdictional requests. Mutual Legal Assistance Treaty (MLAT) or analogous mechanisms may be required.

5) Infrastructure, locations, and subprocessors

  • Server footprint: various worldwide and subject to change.
  • Providers: we use infrastructure and platform providers (e.g., hosting, CDN/SSL, messaging platforms). A current list can be provided upon request.
  • International transfers: where personal data is transferred from the EEA/UK to a third country, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable.

If a server is seized, there are no activity-logs on the VPN nodes; only ephemeral in-memory state may have existed during live sessions.

6) Aggregated request statistics

We publish high-level, aggregated counts and update them periodically.

Reporting period: 2025 YTD (through 17 Oct 2025)

  • Legally valid requests received: 0
  • Disclosures produced: 0
  • Requests challenged/denied: 0
  • User notifications attempted (where permitted): 0

We will update these figures on a periodic basis (e.g., quarterly). Numbers exclude invalid or informal contacts that