Privacy Policy

    How we collect, use, and protect your information

    Information We Collect

    Types of data we collect and how we collect it

    1. Automatically Collected Technical Data

    When you visit our website, we automatically collect certain technical information necessary for the website to function:

    • IP Address: Collected in server access logs for security and abuse prevention. IP addresses may be retained for up to 90 days.
    • Browser and Device Information: Browser type, version, operating system, device type
    • Usage Data: Anonymous page views and navigation patterns (collected automatically, no cookies or personal identifiers used)
    • Referrer Information: The website that referred you to our site
    • Timestamp Data: Date and time of your visit

    Legal Basis (GDPR): Legitimate interest (Article 6(1)(f)) for security, abuse prevention, and website functionality.

    2. Cookies and Similar Technologies

    We use cookies and local storage technologies. For detailed information, please see our Cookie Policy.

    • Essential cookies for website operation (session management, security)
    • No analytics cookies used (we use cookie-free analytics that don't collect personal data)
    • Preference cookies to remember your settings (theme, cookie preferences)
    • Affiliate tracking cookies (to attribute purchases when you click VPN provider links)

    3. Information You Provide Voluntarily

    When you contact us via social media:

    • Social Media Handle: If you contact us via Instagram, we may receive your username
    • Name: If you provide it in your message
    • Message Content: The content of your message
    • Additional Information: Any other personal information you choose to include

    Legal Basis (GDPR): Consent (Article 6(1)(a)) when you initiate contact, or legitimate interest (Article 6(1)(f)) for responding to inquiries.

    Retention: Social media communications are retained for up to 24 months after the last correspondence, or as required by applicable law.

    4. Subscription and Payment Information

    If you subscribe to premium features through our website:

    • Subscription Plan Information: Selected plan, subscription status, dates
    • Payment Information: Processed by third-party payment processors (we do not store full credit card numbers)
    • Billing Information: Billing address if required by payment processor

    Legal Basis (GDPR): Contract performance (Article 6(1)(b)) for subscription services.

    Third-Party Processors: Payment processing is handled by secure third-party payment gateways with their own privacy policies. We only receive confirmation of payment status, not full payment details.

    What We Do NOT Collect

    • We do not require account registration for basic website access
    • We do not collect social media account information
    • We do not collect health information or special category data (GDPR Article 9)
    • We do not track users across other websites (no cross-site tracking)
    • We do not sell personal data to third parties
    • We do not use personal data for marketing communications (unless you explicitly opt in)

    How We Use Your Information

    Purposes of Processing

    We use your personal information for the following purposes:

    • Website Operation: To provide, maintain, and improve our website functionality and user experience
    • Security: To detect and prevent fraud, abuse, security incidents, and protect our users and services
    • Communication: To respond to your inquiries, comments, or requests when you contact us
    • Analytics: To understand how visitors use our website using privacy-friendly analytics that collect anonymous data without cookies or personal identifiers
    • Affiliate Attribution: To track referrals when you click VPN provider affiliate links (enables us to earn commissions)
    • Subscription Management: To manage premium subscriptions, process payments, and provide subscribed features
    • Legal Compliance: To comply with applicable laws, regulations, and legal processes
    • Preference Storage: To remember your settings (theme, language, cookie preferences)

    Legal Basis for Processing (GDPR Article 6)

    • Legitimate Interest (6(1)(f)): Privacy-friendly analytics using anonymous data (no cookies or personal data collected - GDPR compliant without requiring consent)
    • Contract (6(1)(b)): Processing necessary for subscription services you've requested
    • Legitimate Interest (6(1)(f)): Website security, abuse prevention, responding to inquiries, and affiliate attribution
    • Legal Obligation (6(1)(c)): Compliance with applicable laws and regulations

    Our Privacy Commitment

    • We process only the minimum data necessary for the stated purposes
    • We do not sell, rent, or trade your personal information to third parties
    • We do not use your data for marketing unless you explicitly opt in
    • We do not track you across other websites
    • We anonymize or pseudonymize data where possible

    Data Protection & Security

    Technical Safeguards

    • Encryption in Transit: HTTPS/TLS 1.2+ encryption (TLS 1.3 where supported)
    • Access Controls: Restricted access to authorized personnel with multi-factor authentication
    • Security Monitoring: Regular security audits and vulnerability assessments
    • Dependency Management: Routine patching and automated vulnerability alerts during development
    • Backup Systems: Version-controlled infrastructure with regular secure backups
    • Incident Response: Procedures for detecting, reporting, and responding to data breaches

    Data Retention Policies

    We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:

    • Server Access Logs: IP addresses retained for up to 90 days for security purposes
    • Essential Cookies: Session duration only (deleted when browser closes)
    • Analytics Data: Anonymous analytics data with daily reset of identifiers (no personal data retained)
    • Preference Cookies: Until manually cleared or expired (typically 12 months)
    • Email Communications: Up to 24 months after last correspondence, or as required by law
    • Subscription Data: For duration of subscription plus 7 years for tax/legal compliance
    • Affiliate Tracking: Attribution windows typically 30-90 days

    After retention periods expire, data is securely deleted or anonymized.

    Data Breach Notification

    In the event of a data breach that poses a risk to your rights and freedoms, we will:

    • Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
    • Notify affected users without undue delay if the breach poses a high risk (GDPR Article 34)
    • Provide clear information about the nature of the breach and steps being taken
    • Follow applicable breach notification laws (including CCPA requirements where applicable)

    Data Sharing & Third-Party Processors

    Third-Party Service Providers

    We use trusted third-party service providers to help operate our website. These processors are contractually obligated to protect your data:

    Hosting & Infrastructure

    Our website is hosted on cloud infrastructure providers. They process IP addresses and access logs as necessary for hosting services.

    Analytics Provider

    We use Vercel Analytics, a privacy-focused analytics service that collects anonymous data without using cookies or personal identifiers. Vercel Analytics:

    • Does not use cookies
    • Does not collect personal data or IP addresses
    • Creates anonymous hashes that reset daily (no cross-site tracking)
    • Collects only aggregated metrics: page views, device type, country-level location, browser type
    • Is GDPR compliant and does not require user consent under Article 6(1)(f) legitimate interest

    Vercel Analytics Privacy Information

    Payment Processors

    For subscription payments, we use secure payment gateways. We do not store full payment card details. Payment processors have their own privacy policies.

    Affiliate Networks

    When you click VPN provider links, affiliate networks may set tracking cookies to attribute purchases. This is necessary for affiliate program participation.

    Our Commitment

    • We do not sell, rent, or trade your personal information
    • We only share data with third parties necessary for website operation, with appropriate safeguards
    • All third-party processors are contractually bound to protect your data
    • We conduct due diligence on third-party processors to ensure they meet privacy and security standards

    International Data Transfers

    Some of our service providers may be located outside the European Economic Area (EEA) or your country of residence. When we transfer data internationally:

    • We use appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission
    • We ensure processors are certified under adequacy decisions where applicable (e.g., UK Extension to EU-US Data Privacy Framework)
    • We verify that data transfers comply with GDPR Chapter V requirements and applicable local laws

    Children's Privacy

    Age Restrictions

    Our website is not intended for children under the age of 13 (under 16 in the EU/UK). We do not knowingly collect personal information from children without appropriate parental consent.

    • COPPA Compliance (US): We comply with the Children's Online Privacy Protection Act (COPPA)
    • GDPR Article 8: For children under 16 in the EU/UK, we require verifiable parental consent
    • If you are a parent/guardian: If you believe your child has provided us with personal information, please contact us immediately on @thevpnmatrix

    If we discover that we have collected personal information from a child without appropriate consent, we will delete that information promptly.

    Your Rights & Choices

    GDPR Rights (EU/UK Users)

    Under the General Data Protection Regulation (GDPR) and UK GDPR, you have the following rights:

    • Right of Access (Article 15): Request a copy of personal data we hold about you
    • Right to Rectification (Article 16): Correct inaccurate or incomplete data
    • Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
    • Right to Restrict Processing (Article 18): Limit how we use your data
    • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
    • Right to Object (Article 21): Object to processing based on legitimate interests (note: our analytics do not collect personal data, so this right may not apply to analytics)

    CCPA Rights (California Users)

    Under the California Consumer Privacy Act (CCPA) and CPRA, you have the following rights:

    • Right to Know: Request disclosure of categories and specific pieces of personal information collected
    • Right to Delete: Request deletion of personal information (subject to certain exceptions)
    • Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do not sell data)
    • Right to Non-Discrimination: We will not discriminate against you for exercising your rights
    • Right to Correct: Request correction of inaccurate personal information
    • Right to Limit Use: Limit use of sensitive personal information

    How to Exercise Your Rights

    To exercise any of your rights, please contact us:

    • Contact: Reach out to us on @thevpnmatrix
    • Subject Line: Include "Privacy Request" and specify which right you're exercising
    • Verification: We may need to verify your identity before processing your request
    • Response Time: We will respond within 30 days (one month under GDPR, or as required by local law)

    You can also manage cookie preferences using our cookie consent banner or browser settings. For cookie-specific requests, see our Cookie Policy.

    Right to Lodge a Complaint

    If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

    Cookies & Tracking

    We use minimal cookies to provide essential website functionality:

    Essential Cookies

    Required for website functionality

    Privacy-Friendly Analytics

    Anonymous metrics collected without cookies or personal identifiers to help us improve the site

    Preference Cookies

    Remember your settings

    You can manage cookie preferences in your browser settings or using our cookie consent banner.

    Note: Our analytics service (Vercel Analytics) does not use cookies and collects no personal data. We do not currently set marketing or additional functional cookies. Those categories remain off unless we introduce new features and collect fresh consent.

    Data Controller Information

    Who We Are

    Cosmocodex Ltd (trading as The VPN Matrix) is the data controller responsible for processing your personal information.

    Contact Information:

    Updates to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or website functionality. Material changes will be communicated by:

    • Updating the "Last Updated" date at the top of this policy
    • Posting a prominent notice on our website homepage
    • Sending email notifications to users who have provided email addresses (for significant changes)

    We encourage you to review this Privacy Policy periodically. Continued use of our website after changes constitutes acceptance of the updated policy.

    Questions About Privacy?

    If you have questions about this Privacy Policy, wish to exercise your rights, or have privacy concerns, please contact us:

    Contact: @thevpnmatrix

    Last Updated: January 28, 2025

    This Privacy Policy is designed to comply with:

    • General Data Protection Regulation (GDPR) - EU/UK
    • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
    • Children's Online Privacy Protection Act (COPPA) - US
    • Other applicable privacy laws and regulations
