Overview
StekVPN is a one-tap VPN client for iOS and Android, operated by Websorcery (Veenendaal, the Netherlands). This document describes what data the app and our servers collect when you use the service, and what we do with that data.
We try to keep this policy short and honest. Where we collect something, we say so plainly. Where the industry norm is to mumble, we've tried not to.
We keep connection metadata per VPN profile (your last connection timestamp, bytes transferred, and source IP). We do not keep a record of which websites you visit or what your traffic contains. We do not sell any of this to anyone.
Data we collect
StekVPN is not a no-logs VPN. We collect a small amount of operational data per VPN profile because we need it to run the service and prevent abuse:
Connection metadata (per VPN profile)
- Last connection timestamp
- The date and time of your most recent VPN connection.
- Bytes transferred
- Total cumulative upload and download volume. Not broken down by destination or session.
- Source IP address
- Your full public IP address at the time of your last connection, used for abuse prevention.
- VPN profile public key
- A cryptographic identifier for your VPN profile. Required by the WireGuard protocol. Not linked to your real identity.
Data we don't collect
To be clear about the negative space:
- We do not log the destinations of your traffic — no DNS queries, no domains, no URLs.
- We do not inspect, store, or analyse the contents of your traffic. The VPN tunnel is end-to-end encrypted with WireGuard.
- We do not require an account, email address, or phone number to use the app.
- We do not embed third-party advertising or analytics SDKs in the app.
- We do not sell, rent, or trade any data we hold to data brokers, advertisers, or marketing partners.
Why we keep what we keep
Each piece of data above earns its place:
- Timestamp & bytes
- Capacity planning. We need to know whether a server is at 30% or 95% utilisation before it starts dropping connections.
- Source IP address
- Abuse prevention. Without it, a single attacker can flood the service and we have no way to stop them. We store the full IP address (not a truncated version) because a partial IP does not allow us to reliably identify individual connections for blocking or investigation. No less privacy-invasive alternative achieves the same security outcome.
- VPN profile public key
- Protocol requirement. WireGuard needs this to route encrypted traffic back to your device.
How long we keep your data
Connection metadata is tied to your VPN profile on our server:
- All connection metadata
- Retained for as long as your VPN profile exists on our server. Uninstalling the app does not delete your profile or data — we have no way of detecting an uninstall. To request deletion, email info@websorcery.nl. To help us verify your request, please email from the device you use with StekVPN, or include your VPN profile's assigned internal IP address (visible in the app). We reserve the right to decline requests we are unable to verify. We will action verified requests within 30 days.
Your rights (GDPR)
Because we operate from the Netherlands, the EU General Data Protection Regulation applies to every user, regardless of where you live. You have the right to:
- Access the data we hold about your VPN profile.
- Correct anything that is wrong.
- Delete your VPN profile and all associated data.
- Export a machine-readable copy.
- Object to processing based on legitimate interests.
- Lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch data-protection authority).
To exercise any of these rights, email info@websorcery.nl. We'll respond within 30 days. We do not use automated decision-making or profiling.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours. If the breach poses a high risk to you personally, we will also notify you directly without undue delay. Websorcery has not appointed a Data Protection Officer, as we do not meet the thresholds set out in GDPR Article 37 at our current scale of operations.
California rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA and CPRA. The personal information we collect falls into these categories: Identifiers (IP address, VPN profile public key) and Internet or other electronic network activity (connection timestamp, bytes transferred). We do not sell or share this information. Your California rights include:
- Right to know — request the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of your personal information, subject to certain exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to limit use of sensitive personal information — your IP address may qualify as sensitive PI under the CPRA. We use it solely to operate the VPN service.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise your California rights, email info@websorcery.nl. We will respond within 45 days as required by law.
Do Not Track (CalOPPA)
StekVPN's app does not respond to browser-level "Do Not Track" (DNT) signals, as the WireGuard VPN protocol operates independently of browser tracking preferences. We do not track users across third-party websites, and we do not embed any third-party advertising or analytics services in the app.
Children
StekVPN is not directed at children under 16. We do not knowingly collect data from anyone we know to be under 16. If you are a parent or guardian and believe your child has used the app, contact us at info@websorcery.nl and we will delete any associated records.
Changes to this policy
When we change anything material in this policy, we'll:
- Bump the version number at the top of this page.
- Update the "Last updated" date.
- Show a notice inside the app on next launch summarising what changed.
Minor wording fixes won't trigger a notice. The version history is available on request.
Contact us
Questions, requests, or complaints about privacy go to:
- info@websorcery.nl
- Post
- Websorcery, Bachlaan 68, 3906 ZL Veenendaal, the Netherlands
- Supervisory authority
- Autoriteit Persoonsgegevens
For general support (a server that won't connect, a feature request) please use the contact form instead — it gets to the right team faster. Contact