Privacy Policy

Last updated: April 2026

We're a privacy company. This document explains exactly what data we touch and what we don't.

The short version

We don't log your proxy traffic. We don't record your browsing history. We don't sell your data. We collect the minimum needed to run the service, keep your device online, and bill you accurately.

What We Collect

We collect information in three categories:

Account Information

  • Name and email address (when you create an account)
  • Password (stored as a bcrypt hash -- we never see your actual password)
  • Billing information (processed and stored by Stripe, not by us)
  • Subscription status and plan type

Device Telemetry

  • Device ID and firmware version
  • Online/offline status and last heartbeat timestamp
  • WiFi signal strength and connection quality metrics
  • CPU, memory, and temperature readings
  • Bandwidth usage totals (upload/download bytes per hour, not per-request)

Network Information

  • Your device's public IP address (this is your proxy IP, so we need it to route traffic)
  • IP addresses that connect to your proxy (connection metadata only, not traffic content)
  • VPN connection timestamps and data transfer totals

What We Don't Collect

This matters more than what we do collect:

  • No traffic logging: We don't inspect, record, or store the content of your proxy or VPN traffic. Period.
  • No browsing history: We don't know what websites you visit through your ProxyBox.
  • No DNS logs: We don't record DNS queries made through your device.
  • No request-level logging: We track bandwidth totals (e.g., "2.4 GB today"), not individual HTTP requests.
  • No third-party tracking: We don't embed analytics trackers, ad pixels, or social media widgets in our dashboard.
  • No data selling: We don't sell, rent, or share your personal information with data brokers or advertisers. Ever.

How We Use Your Data

  • Service operation: Routing proxy traffic, maintaining VPN connections, delivering firmware updates
  • Billing: Processing payments, managing subscriptions, calculating bandwidth usage
  • Support: Diagnosing issues when you contact us, sending service alerts
  • Product improvement: Aggregated, anonymized telemetry to improve firmware and service reliability
  • Security: Detecting abuse, preventing unauthorized access, protecting the network

Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Device telemetry: Granular metrics retained for 90 days, then rolled up into daily aggregates kept for 1 year.
  • Bandwidth records: Hourly records kept for 30 days, daily summaries kept for 1 year.
  • Connection metadata: VPN session records retained for 30 days, then deleted.
  • Billing records: Retained for 7 years as required by tax law.

Third-Party Services

We use a small number of third-party services:

  • Stripe: Payment processing. Stripe handles your credit card information directly -- it never touches our servers. See Stripe's Privacy Policy.
  • Infrastructure providers: Our servers run on cloud infrastructure. All data is encrypted at rest and in transit.

We don't use Google Analytics, Facebook Pixel, or any other advertising or tracking service.

Data Security

  • All web traffic is encrypted with TLS 1.3
  • Device authentication uses HMAC-based signatures with rotating tokens
  • Passwords are hashed with bcrypt (12 rounds)
  • VPN keys are encrypted at rest with AES-256-GCM
  • Database connections are encrypted
  • Refresh tokens use rotation with reuse detection (compromised tokens automatically revoke the entire session family)
  • Rate limiting on all authentication endpoints

Your Rights

You have the right to:

  • Access: Request a copy of all data we hold about you
  • Correction: Update or correct your personal information
  • Deletion: Request deletion of your account and associated data
  • Export: Download your data in a machine-readable format
  • Objection: Object to specific uses of your data

To exercise any of these rights, email privacy@proxybox.us. We'll respond within 15 business days.

Cookies

We use minimal cookies. Specifically: a session cookie to keep you logged in and a CSRF protection token. That's it. No tracking cookies, no analytics cookies, no advertising cookies. We don't use cookie banners because we don't do anything that requires consent beyond basic session management.

Children's Privacy

ProxyBox is not intended for anyone under 13 years of age. We don't knowingly collect personal information from children. If you believe we've inadvertently collected data from a child, please contact us immediately at privacy@proxybox.us and we'll delete it.

California Residents (CCPA)

If you're a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information we collect and how we use it
  • Right to delete your personal information
  • Right to opt out of the sale of personal information (we don't sell it, so this doesn't apply)
  • Right to non-discrimination for exercising your privacy rights

European Residents (GDPR)

If you're in the European Economic Area, our legal basis for processing your data is:

  • Contract performance: Processing necessary to provide the ProxyBox service
  • Legitimate interests: Service security, fraud prevention, and product improvement
  • Legal obligations: Tax and billing record retention

You have the right to lodge a complaint with your local data protection authority. You also have the right to data portability and to restrict processing in certain circumstances.

Changes to This Policy

We'll notify you by email before making material changes to this policy. The "Last updated" date at the top tells you when it was last revised.

Contact

For privacy-related questions or requests, email privacy@proxybox.us.

For general inquiries, visit our contact page.