Legal
Privacy Policy
Last updated 19 June 2026.
The short version. We do not keep logs of your browsing, the websites you visit, the apps you use, or your DNS queries. We collect the minimum needed to give you a working account: your email address, your subscription state, and a small audit record each time we hand your device a fresh tunnel configuration.
Contents
1. Who we are
Axom VPN is a consumer virtual-private-network service operated by Dial Square Pty Ltd, a company registered in Australia. In this policy, "we", "us", "our" and "Axom VPN" mean Dial Square Pty Ltd. "You" means anyone who installs the Axom VPN app or signs up for an account at axomvpn.com.
This policy explains what personal information we handle, why, and what you can do about it. It is governed by Australian privacy law (the Privacy Act 1988 (Cth) and the Australian Privacy Principles) and, where applicable, the EU and UK GDPR for users in those regions.
2. What we collect
Account information
When you sign up we ask for:
- Your email address (or, if you sign in with Apple or Google, the email address that provider returns).
- A password, or a token from Apple Sign In / Google Sign In if you choose those.
Subscription & billing
- Subscriptions are purchased on our website, and our payment processor Stripe handles your card details. We never see or store your card number. Stripe sends us a billing-state record (active, cancelled, etc.) and a Stripe customer ID that we keep against your account.
Tunnel configuration audit
Each time the app asks us for a fresh WireGuard configuration (typically when you connect from a new device or after a long disconnect), our server writes a small audit record: the user ID, the country code requested, and a timestamp. We use it to prevent abuse and to debug connection issues. It does not contain anything about what you do while connected.
Threat Protection counters
If you have Threat Protection enabled, the DNS resolver on each of our VPN nodes counts how many ad/tracker/malware/phishing requests it blocked in the last 24 hours, in aggregate. Every five minutes the node posts those two numbers (blocked-last-24h and blocked-all-time) back to our central server. Individual queries are never logged. The aggregate numbers cannot be tied back to any specific user, device or website.
Dark Web Monitor
When you use the Dark Web Monitor, the password you type is checked on your device against a third-party breach-record database. Only a short, non-identifying fragment is ever sent for the lookup — your actual password never leaves your device. We do not log which passwords you check, or the results.
Security tools (link, file & message checker)
When you use the on-demand security tools:
- Link checker — the link you paste is sent to our server and checked against a public malware/phishing list. We do not keep a record of the links you check.
- File checker — your file is fingerprinted (hashed) on your device; only that fingerprint is sent for a malware lookup. The file itself never leaves your device.
- Message checker — the message text is analysed on your device and stays there. Only any web links found inside it are checked, exactly like the link checker above.
- Device scan (Mac, Windows & Android) — files and apps are fingerprinted on your device and only the fingerprints are looked up. Your files never leave your device.
These threat lookups are powered by a public threat-intelligence service.
Call Protection
Call Protection compares an incoming caller's number against a scam/telemarketer list on your device — the numbers that call you are never sent to us. The app periodically downloads the latest list from our server. If you choose to report a number as a scam, that single number is sent to us so it can be added to the shared list. We do not access, listen to, or record any call, and we never read your call history or contacts.
Operational logs
Our servers keep short-lived technical logs (HTTP request status codes, error stack traces, performance metrics) to keep the service running. The app may also report a crash or error record so we can fix bugs. These are retained for up to 30 days and do not contain VPN traffic, DNS queries, or browsing activity.
Website analytics & advertising measurement
On our website only, we record anonymous funnel events (for example, "reached the pricing page", "started checkout") so we can understand where the sign-up flow can be improved. These are not tied to your VPN usage and are kept in aggregate.
Also on our website only, we use the Meta Pixel and Meta's Conversions API to measure how well our ads perform. When you visit the site, start checkout, or subscribe, we share that event with Meta — together with a one-way scrambled (hashed) version of your email and your ad-click identifiers — so Meta can tell us which ads led to sign-ups. We never share what you do inside the app, or anything about your use of the VPN. You can limit this through your browser settings and your Facebook/Instagram ad preferences.
We use Google Ads conversion tracking and remarketing in the same way. When you visit the site or subscribe, we share that event with Google — and, when you subscribe, a one-way scrambled (hashed) version of your email (Google calls this "enhanced conversions") — so Google can tell us which ads led to sign-ups. As with Meta, we never share what you do inside the app or anything about your use of the VPN. You can limit this through your browser settings and your Google ad settings at adssettings.google.com.
Browser extension
The Axom VPN browser extension routes your browser's traffic through the same Axom VPN servers as the app. To do that, it stores your sign-in session (an access token) locally in your browser and sends it to our servers only to fetch your connection credentials and confirm your subscription is active. The extension does not read, log, collect or transmit the pages you visit, your browsing history, or anything you type. The broad site access the browser asks you to approve is used solely to apply the secure connection to every site and to supply the server password when your browser is challenged — never to collect or send your activity anywhere.
3. What we never collect
We do not log, collect or store:
- The websites or apps you visit while connected.
- Your DNS queries (only aggregate "blocked count" counters).
- The IP address you connect to.
- The contents of any traffic flowing through the tunnel.
- Connection start/stop times tied to your account.
- Your bandwidth usage tied to your account.
- Your real-world location (we infer the nearest country only when you ask).
This is a hard architectural constraint, not just a policy choice. Our systems are built so your activity is never logged in the first place — there is no traffic data for us to hand over, even if compelled.
4. Why we collect what we do
- Email — to identify your account, send you confirmation and password-reset links, and contact you about service issues or material changes to this policy. Unless you opt out (and, where the law requires, only with your consent), we may also send you occasional Axom product news and promotional emails. Every marketing email includes an unsubscribe link, and unsubscribing never stops the essential service emails about your account.
- Subscription state — to know whether you have an active paid subscription and may use the VPN.
- Tunnel issuance audit — to detect and stop credential sharing, brute-force abuse, or runaway clients.
- Aggregate Threat Protection counters — to show you and other users a "blocked today" number and to confirm our filtering is working network-wide.
- Operational logs — to keep the service running.
We do not sell your data to data brokers, use it to train AI models, or share your email address with third-party advertisers. We use your data for our own marketing in two first-party ways only: (1) sending you Axom product news and promotional emails, which you can unsubscribe from at any time; and (2) measuring the performance of our own ads on this marketing website — described under "Website analytics & advertising measurement" above. Neither ever involves your use of the VPN.
Our promise on your VPN data. We do not, and will not, sell, use, or disclose to any third party any data about your use of the VPN — your traffic, the sites you reach, your DNS queries, or your connection metadata — for any purpose. The only parties who ever touch your account data are the named sub-processors below, each strictly to operate the service.
5. Who else sees your data
We use a small number of carefully chosen service providers ("sub-processors"). They only get the data they need to do their job, and each is contractually bound to protect it to a standard at least equal to this policy.
- Supabase Inc. hosts our account database and authentication. Region: Sydney, Australia. Sees: your email, password hash (never plaintext), subscription state, audit records.
- Stripe, Inc. processes subscription payments made on our website. Sees: your card details (directly, never through us), your billing address, your email.
- Resend (Plus Five Five, Inc.) delivers our account emails (sign-in links, confirmations). Sees: your email address and the contents of those messages.
- Apple Inc. processes subscription purchases made inside the iOS app, through the App Store's In-App Purchase. Apple handles the payment directly; we receive only your subscription status (active or expired) and never see your card details.
- Google LLC provides Sign In with Google (optional). Sees: that you used Google to sign in; receives the redirect URL.
- Cloudflare, Inc. hosts the marketing site and accelerates DNS for our domain.
- Meta Platforms, Inc. measures the performance of our ads. On our website only, it receives website events (such as page views, checkout starts and subscriptions), a one-way hashed version of your email, and ad-click identifiers. It never receives any VPN usage data or anything from inside the app.
- Quad9 and Cloudflare 1.1.1.2 act as upstream DNS resolvers for traffic that passes our Threat Protection filter. They each have published no-logs policies.
- A breach-record database provider serves the lookup behind Dark Web Monitor. It only ever receives a short, non-identifying fragment, never your password.
- A threat-intelligence provider powers the malware/phishing lookups behind the Security Tools. It receives a link you choose to check, or a file/app fingerprint — never your files.
- Hetzner Online GmbH and other VPN-node hosts physically host our servers. They do not have access to traffic flowing through the WireGuard tunnels.
Government and law-enforcement requests
If a law-enforcement agency or court compels us to hand over data, we will respond to lawful requests. Because we do not keep traffic logs or DNS query logs, the only data we can produce is account-level information (email, subscription state, audit records of when we issued tunnel configurations). We will publish material changes to this policy if our jurisdiction or legal obligations change.
6. How long we keep your data
- Account information — for as long as your account exists. If you close your account, we delete your profile within 30 days, except where we are legally required to keep certain records (e.g. tax records for invoices).
- Tunnel issuance audit records — 90 days.
- Aggregate Threat Protection counters — indefinitely (they are not personal data).
- Operational logs — up to 30 days.
- Closed-account email banlist — if you are closed for serious abuse or chargeback fraud, we keep a hash of your email indefinitely to prevent re-signup. We do not keep your password or any other data.
7. Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct information you believe is inaccurate.
- Delete your account and the personal information we hold for it (subject to legal retention requirements).
- Object to processing where we rely on legitimate interests.
- Port your data to another service.
- Complain to a privacy regulator if you believe we have mishandled your data — the Office of the Australian Information Commissioner (oaic.gov.au) for Australian users, your local DPA in the EU/UK.
To exercise any of these rights, email support@axomvpn.com. We will respond within 30 days.
8. How we protect your data
- All traffic to
axomvpn.comand to our API is encrypted in transit using TLS 1.2 or higher. - Passwords are securely hashed before storage. We never store plaintext passwords.
- Our database is hosted in Sydney with at-rest encryption, automatic snapshots, and access restricted to a small team.
- VPN nodes run minimal services — only what's needed to carry your encrypted traffic is exposed to the internet.
- Access to production systems requires hardware-key two-factor authentication.
No system can be made perfectly secure. If we ever discover a breach affecting your data, we will notify you and the relevant privacy regulator as required by law, without unreasonable delay.
9. Children
Axom VPN is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has signed up, please email support@axomvpn.com and we will delete the account.
10. Changes to this policy
If we make material changes to this policy we will email you at the address on file, and update the "Last updated" date at the top of this page. Continued use of Axom VPN after a material change constitutes acceptance of the updated policy.
11. Contact us
For any privacy question or to exercise your rights:
Email: support@axomvpn.com
Post: Dial Square Pty Ltd, Australia
We aim to reply to every privacy enquiry within 30 days.