Privacy Policy

Last updated: March 16, 2026

We built VPNTesting.com to help people check whether their VPN is working properly. It would be contradictory to run a privacy-focused testing tool while being careless with your data. This policy explains exactly what information we collect, why, and what we do with it.

The Short Version

Information We Collect

Information You Provide Voluntarily

We only collect personal information that you actively choose to give us:

• Contact form submissions – If you reach out to us via a contact form, we receive your name, email address, and message content. We use this solely to respond to your inquiry.
• Email subscriptions – If you subscribe to our newsletter or alerts, we collect your email address. You can unsubscribe at any time using the link in every email.
• Comments – If you leave a comment on the site, WordPress collects the name, email, and website URL you provide, along with your comment text.

Information Collected Automatically

When you visit the site, certain technical information is collected automatically:

• Analytics data – We use analytics tools to understand traffic patterns, popular pages, and how visitors navigate the site. This data is aggregated and not used to identify individual users.
• Server logs – Our hosting provider records standard server logs including IP addresses, browser type, referring pages, and timestamps. These logs are used for security monitoring and troubleshooting.
• Cookies – We use cookies for site functionality and analytics. See the Cookies section below for details.
• Rate limiting – Some tools (HTTP Headers Checker, email forms) temporarily store your IP address in server-side cache to enforce rate limits and prevent abuse. This data auto-expires within minutes and is not logged or retained.

VPN Leak Test Data

This is the part most visitors care about, so we want to be completely transparent:

• To detect IP and DNS leaks, your browser connects to external detection endpoints. These connections are necessary for the test to work – that is how we determine what IP address and DNS servers the outside world can see.
• We store your test results on our servers. This data includes the detected IP addresses, DNS servers, WebRTC endpoints, and whether leaks were found, along with a timestamp and your general location (country/region level).
• Test results are not linked to your identity. We do not associate results with your name, email, or any account information.
• We use stored test results to improve our testing tools, generate aggregate statistics (e.g., leak detection rates by VPN provider), and provide historical context for our reviews.
• You can request deletion of your test data by contacting us. See the Your Rights section below.

What’s My IP Tool

Our What’s My IP tool detects your IP address server-side when the page loads, then enriches it with geolocation data (country, city, ISP, VPN detection) via an external lookup service. It also runs client-side WebRTC and IPv6 checks in your browser. Aggregate usage statistics (country, device type) are recorded but are not linked to individual visitors.

Password Generator

Our password generator runs entirely in your browser using client-side JavaScript. Generated passwords are never transmitted to our servers. We never see, store, or log any password you generate. The optional breach-checking feature uses the Have I Been Pwned k-anonymity API, which sends only the first 5 characters of a password’s hash – never the full password or the hash itself.

What Is My Browser Tool

Our browser fingerprint tool runs 100% in your browser. All detection – browser version, operating system, screen resolution, canvas fingerprint, hardware capabilities, and privacy settings – happens via client-side JavaScript. No data is transmitted to our servers or any third party. The canvas fingerprint is calculated locally and discarded when you leave the page.

HTTP Headers Checker

When you enter a URL into our HTTP Headers Checker, our server fetches the HTTP headers from that URL on your behalf and analyses them. We do not store the URLs you check beyond a short-lived cache (5 minutes) used for rate limiting. The tool is protected against misuse (SSRF prevention, rate limiting of 10 checks per minute per IP).

What We Do Not Collect

How We Use Your Information

The information we do collect is used for:

• Responding to your inquiries if you contact us
• Sending emails you have opted in to receive
• Understanding site traffic and improving content
• Improving VPN testing accuracy and generating aggregate leak detection statistics
• Informing our VPN reviews with real-world test data
• Maintaining site security and preventing abuse
• Complying with legal obligations

Third-Party Services

We use the following third-party services to operate the site. We name them specifically because vague disclosures are not meaningful disclosures.

• Digital Ocean (hosting) – Serves the website and processes requests.
• Cloudflare (CDN and security) – Routes traffic through its network for DDoS protection and performance. Cloudflare processes request headers and IP addresses to filter malicious traffic. Cloudflare Privacy Policy.
• Google Analytics (analytics) – We use Google Analytics 4 to measure site traffic and usage patterns. Data is aggregated and used for understanding visitor behaviour, not tracking individuals. Google Privacy Policy.
• Matomo (analytics) – We run Matomo as a self-hosted analytics tool for privacy-respecting traffic measurement. Data is stored on our own servers.
• ip-api.com (IP geolocation) – Our VPN leak test and What’s My IP tools use ip-api.com to look up the geographic location and ISP associated with detected IP addresses. We send IP addresses to this service to identify your approximate location and internet provider. Results are cached and not stored beyond the test session. ip-api.com Terms.
• bash.ws (DNS leak detection) – Our DNS leak test uses bash.ws STUN servers to detect which DNS resolvers your browser is using. This is necessary for the DNS leak test to function.
• v6.ident.me (IPv6 detection) – Our What’s My IP tool makes a client-side request to v6.ident.me to check whether your connection supports IPv6. Only your IP address is visible to this service during the request.
• Have I Been Pwned (password breach checking) – Our password generator uses the Have I Been Pwned k-anonymity API to check whether a password has appeared in known data breaches. Only the first 5 characters of the password hash are sent – never the full password. HIBP Privacy Policy.
• QR Server API (goqr.me) – When you share VPN leak test results, we generate a QR code via the QR Server API. The URL of your results page is sent to this service to produce the image. QR Server API Documentation.
• Affiliate networks – When you click an affiliate link to a VPN provider, that provider’s site may set its own cookies to track the referral. We do not control their data practices.
• Postmark (transactional email) – If you subscribe to emails or request test results by email, we use Postmark to deliver them. Postmark Privacy Policy.
• Anthropic and OpenAI  – We use AI language models for internal admin tasks. No user data is sent to these services.

Cookies

Cookies are small text files stored on your device. We use them as follows:

Most browsers allow you to control cookies through their settings. Blocking cookies may affect some site functionality but will not prevent you from using our VPN testing tools.

Local Storage

In addition to cookies, we use your browser’s localStorage (a client-side storage mechanism) for:

• User preferences – Remembering settings like dark mode or tool configurations so you do not have to set them each visit.
• A/B testing – Storing which variant of a page layout you have been assigned, so your experience is consistent across visits.
• Tool state – Remembering your last-used settings in tools like the password generator.

localStorage data stays entirely on your device and is never transmitted to our servers. You can clear it at any time through your browser settings.

Data Retention

• Contact form messages – Retained until your inquiry is resolved, then deleted within 12 months.
• Email subscriptions – Retained until you unsubscribe.
• Analytics data – Aggregated data retained for up to 26 months.
• Server logs – Automatically purged after 90 days.
• VPN test results – Anonymised results retained for up to 24 months for aggregate analysis, then deleted.
• Rate limiting data – Auto-expires within minutes.

Your Rights

Depending on your location, you may have specific rights regarding your personal data:

Under GDPR (European Economic Area and UK)

• Access – Request a copy of any personal data we hold about you.
• Rectification – Request correction of inaccurate data.
• Erasure – Request deletion of your data (“right to be forgotten”).
• Restriction – Request that we limit how we use your data.
• Portability – Receive your data in a structured, machine-readable format.
• Objection – Object to data processing based on legitimate interests.

Under CCPA (California, USA)

• Right to know – Request what personal information we collect and how it is used.
• Right to delete – Request deletion of your personal information.
• Right to opt out – Opt out of the sale of personal information. (We do not sell personal information, so this right is already satisfied.)
• Non-discrimination – We will not discriminate against you for exercising your rights.

To exercise any of these rights, contact us using the details below. We will respond within 30 days.

International Data Transfers

Our servers and service providers may be located in different countries. By using the site, you acknowledge that your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for any such transfers.

Children’s Privacy

VPNTesting.com is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

Governing Law

This privacy policy and any disputes arising from it are governed by the laws of the State of Delaware, United States, without regard to its conflict of law provisions.

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be indicated by updating the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Your continued use of the site after changes are posted constitutes acceptance of the updated policy.

Contact

If you have questions about this privacy policy or wish to exercise your data rights, please contact us through our contact page.