Privacy Policy

Effective: April 12, 2026 Last updated: April 12, 2026 Version: 1.0

GDPR Compliant CCPA Compliant No-Log VPN

Plain-English Summary: We provide a WireGuard VPN service. We do not log your VPN traffic, browsing activity, or DNS queries. We collect only what is necessary to operate the service and comply with our legal obligations. You are always in control of your data.

01 Who We Are

NetTunnel Pro ("we", "us", "our") is a WireGuard-based VPN service operated under the brand 2QR Link. We provide encrypted VPN tunnels that route your internet traffic through our servers, protecting your online privacy.

This Privacy Policy explains how we collect, use, store, and disclose information when you use our Android application and related services. It applies to all users globally and has been drafted to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

By using NetTunnel Pro you acknowledge that you have read and understood this policy.

02 Data We Collect

2.1 Account Data

Data Point	Purpose	Legal Basis (GDPR)
Email address	Account creation, authentication, service communications	Contract performance
Firebase UID	Unique identifier for your account	Contract performance
Account type (free / paid)	Determining service tier and session limits	Contract performance
Device model & OS	Troubleshooting and service optimisation	Legitimate interest
Android ID (hashed)	Associating a device with an account for simultaneous connection enforcement	Contract performance

2.2 Payment Data

Subscription purchases are processed entirely through Google Play Billing. We receive only a purchase token and subscription status — we never see or store your payment card details.

2.3 Usage & Diagnostic Data

Data Point	Purpose	Retention
Session start & end timestamps	Enforcing free-tier session limits (30 min per ad-watched session)	Deleted when session ends
Active connection count	Enforcing simultaneous connection limits (max 3 for paid accounts)	Real-time only, not persisted
Firebase Analytics events	Understanding feature usage and app stability	14 months (Google default)
Crash reports (if enabled)	Identifying and fixing bugs	90 days

We do NOT collect: browsing history, DNS queries, VPN traffic content, destination IP addresses, bandwidth usage per user, or any data that could identify what websites or services you use while connected.

03 How We Use Your Data

We use collected data solely for the following purposes:

Providing the VPN service — authenticating you, routing your tunnel, and enforcing tier limits.
Account management — creating and maintaining your account, processing subscription status changes.
Security — detecting abuse, preventing unauthorised access, and protecting our infrastructure.
Service improvement — understanding aggregate usage patterns (never individual traffic) to improve performance and add features.
Legal compliance — meeting our legal obligations and responding to lawful requests.
Support — responding to your queries and resolving technical issues.

We never sell your personal data to third parties, use it for targeted advertising, or share it with data brokers.

04 No-Logs Policy

Our VPN servers do not log: your originating IP address during a VPN session, the destination IP addresses you connect to, DNS queries made through the tunnel, the content or metadata of your traffic, or timestamps of individual connections beyond what is required for session limit enforcement (which is deleted immediately when the session ends).

Our VPN nodes operate in a minimal-state mode. The only information a VPN server holds at any moment is the active WireGuard public key and assigned tunnel IP for currently connected clients. This data exists only in memory and is never written to disk or any log file.

We believe privacy is a right, not a feature. We have designed our infrastructure so that we are technically unable to produce logs of your VPN activity even if compelled by a court order.

05 Third-Party Services

We integrate the following third-party services. Each has its own privacy policy.

Service	Purpose	Data Shared	Privacy Policy
Firebase Auth (Google)	Authentication	Email, UID	firebase.google.com
Firebase Analytics (Google)	App analytics	Anonymous usage events, user ID	policies.google.com
Google Play Billing	In-app purchases	Purchase tokens only (no payment details)	payments.google.com
Google AdMob	Rewarded ads (free tier)	Device advertising ID (free users only)	policies.google.com
Linode (Akamai)	VPN server hosting	No user data — infrastructure provider only	linode.com

AdMob note: The Google Mobile Ads SDK may collect and process device data for ad personalisation when you watch rewarded ads on the free tier. You can opt out of personalised ads in your Android device settings under Google → Ads.

06 Data Retention

We retain personal data only as long as necessary:

Account data — retained for the lifetime of your account and deleted within 30 days of account deletion.
Session state — held in memory only; cleared when the session ends or the server restarts.
Analytics data — retained for 14 months per Google's default Firebase Analytics retention period.
Support communications — retained for up to 2 years or as required by applicable law.
Legal obligation data — retained for the period required by the applicable law (typically 5–7 years for financial/tax records).

You can request deletion of your account and associated personal data at any time by contacting us at [email protected].

07 Your Rights

Depending on your location, you have the following rights over your personal data:

Access

Request a copy of the personal data we hold about you.

Rectification

Ask us to correct inaccurate or incomplete data.

Erasure

Request deletion of your personal data ("right to be forgotten").

Portability

Receive your data in a structured, machine-readable format.

Restriction

Ask us to limit how we process your data in certain circumstances.

Objection

Object to processing based on legitimate interest.

Withdraw Consent

Withdraw consent at any time where processing is based on consent.

Non-Discrimination

CCPA: we will not discriminate against you for exercising your rights.

How to exercise your rights: Email [email protected] with the subject line "Privacy Rights Request". We will respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before processing your request.

CCPA / CPRA (California Residents)

California residents have the additional rights to know the categories of personal information sold or disclosed (we do not sell personal information), to opt out of sale (not applicable), and to limit the use of sensitive personal information. To submit a verifiable consumer request, contact [email protected].

EU / EEA Residents — GDPR

The legal bases we rely on for processing your data are: contract performance (providing the VPN service), legitimate interest (security, fraud prevention, analytics), and legal obligation. You have the right to lodge a complaint with your local supervisory authority.

08 Children's Privacy

NetTunnel Pro is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact [email protected] and we will delete it promptly.

09 International Data Transfers

We are a global service. Your data may be processed in countries outside your own, including the United States, where our service providers (Google, Akamai/Linode) operate. When transferring data outside the EU/EEA, we rely on:

Standard Contractual Clauses (SCCs) adopted by the European Commission.
Adequacy decisions where available.
The Data Privacy Framework (DPF) for US-based providers that are certified.

You may request a copy of the relevant safeguards by contacting us.

10 Security

We implement industry-standard technical and organisational measures to protect your data:

All VPN traffic is encrypted using the WireGuard protocol (ChaCha20, Poly1305, Curve25519, BLAKE2s).
All API communications are encrypted with TLS 1.3.
Passwords are never stored — authentication is handled by Firebase Auth using industry-standard hashing.
Our infrastructure is hosted on Linode with firewall rules restricting access to authorised systems only.
We conduct periodic security reviews of our codebase and infrastructure.

No system is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities within 72 hours as required by GDPR.

11 Policy Changes

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify you via in-app notification or email at least 14 days before changes take effect.
For significant changes, ask for your explicit consent where required by law.

Continued use of the service after the effective date of a revised policy constitutes your acceptance of the changes.

12 Contact Us

Data Controller

2QR Link / NetTunnel Pro
Email: [email protected]
Website: 2qr.link/vpn

Privacy Requests

For data access, deletion, or any privacy-related enquiry:
[email protected]
Response time: up to 30 days