Legal
Privacy Policy
Last updated 17 May 2026.
The short version. We do not keep logs of your browsing, the websites you visit, the apps you use, or your DNS queries. We collect the minimum needed to give you a working account: your email address, your subscription state, and a small audit record each time we hand your device a fresh tunnel configuration.
1. Who we are
Axom VPN is a consumer virtual-private-network service operated by Dial Square Pty Ltd, a company registered in Australia. In this policy, "we", "us", "our" and "Axom VPN" mean Dial Square Pty Ltd. "You" means anyone who installs the Axom VPN app or signs up for an account at axomvpn.com.
This policy explains what personal information we handle, why, and what you can do about it. It is governed by Australian privacy law (the Privacy Act 1988 (Cth) and the Australian Privacy Principles) and, where applicable, the EU and UK GDPR for users in those regions.
2. What we collect
Account information
When you sign up we ask for:
- Your email address (or, if you sign in with Apple or Google, the email address that provider returns).
- A password, or a token from Apple Sign In / Google Sign In if you choose those.
Subscription & billing
- If you subscribe via our website or Android app, our payment processor Stripe handles your card details. We never see or store your card number. Stripe sends us a billing-state record (active, trialing, cancelled, etc.) and a Stripe customer ID that we keep against your account.
- If you subscribe through Apple's App Store (on iOS), Apple handles billing. Apple sends our server a signed receipt that confirms whether your subscription is active. We never see your Apple ID password or payment card.
Tunnel configuration audit
Each time the app asks us for a fresh WireGuard configuration (typically when you connect from a new device or after a long disconnect), our server writes a small audit record: the user ID, the country code requested, and a timestamp. We use it to prevent abuse and to debug connection issues. It does not contain anything about what you do while connected.
Threat Protection counters
If you have Threat Protection enabled, the DNS resolver on each of our VPN nodes counts, in aggregate, how many ad/tracker/malware/phishing requests it blocked in the last 24 hours. Every five minutes the node posts two numbers (blocked-last-24h and blocked-all-time) back to our central server. Individual queries are never logged. The aggregate numbers cannot be tied back to any specific user, device or website.
Dark Web Monitor
When you use the Password Checker, your password is hashed (SHA-1) on your device. We send only the first five characters of that hash to the Have I Been Pwned service to retrieve a list of matching hash prefixes. The full password and the full hash never leave your device. We do not log which passwords you check, or the results.
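The prefix-only lookup described above, sketched as an added example (this is not Axom VPN's code). It assumes the public Have I Been Pwned range endpoint and its `SUFFIX:COUNT` response lines; the response body is constructed inline so the example runs offline.

```python
import hashlib

# Public HIBP range endpoint; only the 5-character prefix goes in the URL.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally and split it into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]  # 5 hex chars sent, 35 kept on the device


def request_url(password: str) -> str:
    """Build the lookup URL; the suffix and the password never appear in it."""
    prefix, _ = split_hash(password)
    return RANGE_URL.format(prefix=prefix)


def breach_count(password: str, range_body: str) -> int:
    """Match the locally held suffix against the returned 'SUFFIX:COUNT' lines."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            # Padded responses include filler entries with a count of 0,
            # so a match with count 0 is treated as "not breached".
            return int(count)
    return 0


def constructed_response(breached_password: str, count: int = 42) -> str:
    """Constructed sample body: two decoy lines plus one real match."""
    _, suffix = split_hash(breached_password)
    lines = [
        "0" * 35 + ":3",        # decoy: another hash sharing the prefix
        f"{suffix}:{count}",    # the entry the client is looking for
        "F" * 35 + ":0",        # decoy: padding-style entry, count 0
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    body = constructed_response("password")
    print(request_url("password"))
    print(breach_count("password", body))
    print(breach_count("a-different-passphrase", body))
```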
Operational logs
Our servers keep short-lived technical logs (HTTP request status codes, error stack traces, performance metrics) to keep the service running. These are retained for up to 30 days and do not contain VPN traffic, DNS queries, or browsing activity.
3. What we never collect
We do not log, collect or store:
- The websites or apps you visit while connected.
- Your DNS queries (only aggregate "blocked count" counters).
- The IP address you connect to.
- The contents of any traffic flowing through the tunnel.
- Connection start/stop times tied to your account.
- Your bandwidth usage tied to your account.
- Your real-world location (we infer the nearest country only when you ask).
This is a hard architectural constraint, not just a policy choice. Our DNS resolvers run with query logging disabled at the server level. The WireGuard tunnel software does not write per-connection logs. There is no traffic data for us to hand over, even if compelled.
4. Why we collect what we do
- Email — to identify your account, send you confirmation and password-reset links, and contact you about service issues or material changes to this policy.
- Subscription state — to know whether you have an active paid subscription and may use the VPN.
- Tunnel issuance audit — to detect and stop credential sharing, brute-force abuse, or runaway clients.
- Aggregate Threat Protection counters — to show you and other users a "blocked today" number and to confirm our filtering is working network-wide.
- Operational logs — to keep the service running.
We do not use your data to build advertising profiles, to sell to data brokers, or to train AI models.
5. Who else sees your data
We use a small number of carefully chosen service providers ("sub-processors"). They only get the data they need to do their job.
- Supabase Inc. hosts our account database and authentication. Region: Sydney, Australia. Sees: your email, password hash (never plaintext), subscription state, audit records.
- Stripe, Inc. processes web/Android subscription payments. Sees: your card details (directly, never through us), your billing address, your email.
- Apple Inc. processes iOS subscription payments and provides Sign In with Apple. Sees: your Apple ID and payment information (directly, never through us).
- Google LLC provides Sign In with Google (optional). Sees: that you used Google to sign in; receives the redirect URL.
- Cloudflare, Inc. hosts the marketing site and accelerates DNS for our domain.
- Quad9 and Cloudflare 1.1.1.2 act as upstream DNS resolvers for traffic that passes our Threat Protection filter. They each have published no-logs policies.
- Have I Been Pwned (Troy Hunt) serves the password breach lookup, via the k-anonymity range API. It receives only the first 5 characters of a hash, never your password.
- Hetzner Online GmbH and other VPN-node hosts physically host our servers. They do not have access to traffic flowing through the WireGuard tunnels.
Government and law-enforcement requests
If a law-enforcement agency or court compels us to hand over data, we will respond to lawful requests. Because we do not keep traffic logs or DNS query logs, the only data we can produce is account-level information (email, subscription state, audit records of when we issued tunnel configurations). We will publish material changes to this policy if our jurisdiction or legal obligations change.
6. How long we keep your data
- Account information — for as long as your account exists. If you close your account, we delete your profile within 30 days, except where we are legally required to keep certain records (e.g. tax records for invoices).
- Tunnel issuance audit records — 90 days.
- Aggregate Threat Protection counters — indefinitely (they are not personal data).
- Operational logs — up to 30 days.
- Closed-account email banlist — if you are closed for serious abuse or chargeback fraud, we keep a hash of your email indefinitely to prevent re-signup. We do not keep your password or any other data.
7. Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct information you believe is inaccurate.
- Delete your account and the personal information we hold for it (subject to legal retention requirements).
- Object to processing where we rely on legitimate interests.
- Port your data to another service.
- Complain to a privacy regulator if you believe we have mishandled your data — the Office of the Australian Information Commissioner (oaic.gov.au) for Australian users, your local DPA in the EU/UK.
To exercise any of these rights, email support@axomvpn.com. We will respond within 30 days.
8. How we protect your data
- All traffic to axomvpn.com and to our API is encrypted in transit using TLS 1.2 or higher.
- Passwords are hashed with bcrypt before storage. We never store plaintext passwords.
- Our database is hosted in Sydney with at-rest encryption, automatic snapshots, and access restricted to a small team.
- VPN nodes run minimal services. The WireGuard daemon and our DNS resolver are the only services on each node that face the public internet.
- Access to production systems requires hardware-key two-factor authentication.
No system can be made perfectly secure. If we ever discover a breach affecting your data, we will notify you and the relevant privacy regulator as required by law, without unreasonable delay.
9. Children
Axom VPN is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has signed up, please email support@axomvpn.com and we will delete the account.
10. Changes to this policy
If we make material changes to this policy we will email you at the address on file, and update the "Last updated" date at the top of this page. Continued use of Axom VPN after a material change constitutes acceptance of the updated policy.
11. Contact us
For any privacy question or to exercise your rights:
Email: support@axomvpn.com
Post: Dial Square Pty Ltd, Australia
We aim to reply to every privacy enquiry within 30 days.