Legal · Privacy Policy

What we know about you, and what we do with it.

Last updated May 12, 2026
Version 2.3
Applies to StekVPN iOS & Android
Section 01

Overview

StekVPN is a one-tap VPN client for iOS and Android, operated by Stek B.V. (Rotterdam, the Netherlands). This document describes what data the app and our servers collect when you use the service, and what we do with that data.

We try to keep this policy short and honest. Where we collect something, we say so plainly. Where the industry norm is to mumble, we've tried not to.

In plain English

We keep connection logs (timestamps and the amount of data your session moved) and basic crash & diagnostic data. We do not keep a record of which websites you visit or what your traffic contains. We do not sell any of this to anyone.

Section 02

Data we collect

StekVPN is not a no-logs VPN. We collect a small amount of operational data because we need it to run the service, diagnose problems, and prevent abuse. Specifically:

Connection metadata

Session timestamp
When your VPN session started and ended, rounded to the nearest minute.
Bytes transferred
Total upload and download volume per session. We do not break this down by destination.
VPN server
Which of our servers you connected to. We currently operate one location.
Source IP (truncated)
The first two octets of the IP you connected from, used for rate-limiting and abuse prevention. Full IPs are dropped at the edge.

Device & app diagnostics

  • App version, OS version, and device model (e.g. "iPhone 15, iOS 18.4").
  • Crash reports including the stack trace at the time of the crash. No traffic data is attached.
  • Anonymous in-app events (e.g. "connect tapped", "settings opened"). No identifiers are attached.

Support correspondence

If you email us, we keep the email and our reply for as long as is reasonably needed to resolve your issue and as legally required for our records.

Section 03

Data we don't collect

To be clear about the negative space:

  • We do not log the destinations of your traffic — no DNS queries, no domains, no URLs.
  • We do not inspect, store, or analyse the contents of your traffic. The VPN tunnel is end-to-end encrypted with WireGuard.
  • We do not require an account, an email address, or a phone number to use the free tier.
  • We do not embed third-party advertising or analytics SDKs in the app.
  • We do not sell, rent, or trade any data we hold to data brokers, advertisers, or marketing partners.
Section 04

Why we keep what we keep

Each piece of data above earns its place:

Session timestamps & bytes
Capacity planning. We need to know whether a server is at 30% or 95% utilisation before it starts dropping connections.
Truncated source IP
Abuse prevention. Without it, a single attacker can DoS the service and we have no way to stop them.
Crash reports
Fixing crashes. We can't fix what we can't see.
Anonymous events
Product decisions. Knowing that 12% of users open Settings helps us know whether a feature is discoverable.
Section 05

Who we share data with

We share data with three kinds of recipient, and only when necessary:

  • Infrastructure providers. Our VPN servers and databases are hosted with a tier-1 European provider under a standard data-processing agreement. They process traffic for the duration of your session and do not retain it.
  • Crash reporting. Crash stack traces are sent through a self-hosted Sentry instance. No third party receives them.
  • Law enforcement. If we receive a valid, legally binding request from Dutch authorities, we will comply with it — but we can only hand over the metadata listed in Section 02. We cannot produce traffic content because we do not retain it.
Sibling brands

StekVPN is operated by the same team as Stek Casino. The two products do not share user accounts or session data. The casino card you may see in the app is a marketing link only.

Section 06

How long we keep your data

Connection metadata
14 days, then permanently deleted.
Crash reports
90 days, or until the underlying issue is closed — whichever is sooner.
In-app events
13 months, in aggregate form only (no per-user records).
Support emails
24 months from your last reply.
Section 07

Your rights (GDPR)

Because we operate from the Netherlands, the EU General Data Protection Regulation applies to every user, regardless of where you live. You have the right to:

  • Access the data we hold about you.
  • Correct anything that is wrong.
  • Delete all your data ("right to be forgotten").
  • Export a machine-readable copy.
  • Object to specific processing, and withdraw consent at any time.
  • Lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch data-protection authority).

To exercise any of these, email privacy@stekvpn.com. We'll respond within 30 days. Because we don't collect identifiers, you'll need to send us the request from the email address tied to any support correspondence — or, if there is none, we can only offer a blanket deletion.

Section 08

Children

StekVPN is not directed at children under 16. We do not knowingly collect data from anyone we know to be under 16. If you are a parent or guardian and believe your child has used the app, contact us and we will delete any associated records.

Section 09

Changes to this policy

When we change anything material in this policy, we'll:

  • Bump the version number at the top of this page.
  • Update the "Last updated" date.
  • Show a notice inside the app on next launch summarising what changed.

Minor wording fixes won't trigger a notice. The version history is available on request.

Section 10

Contact us

Questions, requests, or complaints about privacy go to:

Email
privacy@stekvpn.com
Post
Stek B.V., Attn: Privacy Officer — Wijnhaven 65, 3011 WJ Rotterdam, the Netherlands
Supervisory authority
Autoriteit Persoonsgegevens

For general support (a server that won't connect, a billing question, a feature request) please use the contact form instead — it gets to the right team faster. Contact