Legal · Privacy Policy

What we know about you, and what we do with it.

Last updated June 29, 2026
Version 1.0
Applies to StekVPN iOS & Android
Section 01

Overview

StekVPN is a one-tap VPN client for iOS and Android, operated by Websorcery (Veenendaal, the Netherlands). This document describes what data the app and our servers collect when you use the service, and what we do with that data.

We try to keep this policy short and honest. Where we collect something, we say so plainly. Where the industry norm is to mumble, we've tried not to.

In plain English

We keep connection metadata per VPN profile (your last connection timestamp, bytes transferred, and source IP). We do not keep a record of which websites you visit or what your traffic contains. We do not sell any of this to anyone.

Section 02

Data we collect

StekVPN is not a no-logs VPN. We collect a small amount of operational data per VPN profile because we need it to run the service and prevent abuse:

Connection metadata (per VPN profile)

Last connection timestamp
The date and time of your most recent VPN connection.
Bytes transferred
Total cumulative upload and download volume. Not broken down by destination or session.
Source IP address
Your full public IP address at the time of your last connection, used for abuse prevention.
VPN profile public key
A cryptographic identifier for your VPN profile. Required by the WireGuard protocol. Not linked to your real identity.
Section 03

Data we don't collect

To be clear about the negative space:

  • We do not log the destinations of your traffic — no DNS queries, no domains, no URLs.
  • We do not inspect, store, or analyse the contents of your traffic. The VPN tunnel is end-to-end encrypted with WireGuard.
  • We do not require an account, email address, or phone number to use the app.
  • We do not embed third-party advertising or analytics SDKs in the app.
  • We do not sell, rent, or trade any data we hold to data brokers, advertisers, or marketing partners.
Section 04

Why we keep what we keep

Each piece of data above earns its place:

Timestamp & bytes
Capacity planning. We need to know whether a server is at 30% or 95% utilisation before it starts dropping connections.
Source IP address
Abuse prevention. Without it, a single attacker can flood the service and we have no way to stop them. We store the full IP address (not a truncated version) because a partial IP does not allow us to reliably identify individual connections for blocking or investigation. No less privacy-invasive alternative achieves the same security outcome.
VPN profile public key
Protocol requirement. WireGuard needs this to route encrypted traffic back to your device.
Section 05

Who we share data with

We share data with two kinds of recipient, and only when necessary:

  • Infrastructure provider. Our VPN server is hosted by Hostinger International UAB, a company incorporated in Lithuania (EU). We have a Data Processing Agreement with Hostinger under GDPR Article 28. Hostinger's infrastructure for this service is located in Indonesia; as our processor, Hostinger is contractually required to maintain adequate safeguards for all data processed on our behalf, including on infrastructure outside the EEA.
  • Law enforcement. If we receive a valid, legally binding request from Dutch authorities, we will comply — but we can only hand over the metadata listed in Section 02. We cannot produce traffic content because we do not retain it.
Section 06

How long we keep your data

Connection metadata is tied to your VPN profile on our server:

All connection metadata
Retained for as long as your VPN profile exists on our server. Uninstalling the app does not delete your profile or data — we have no way of detecting an uninstall. To request deletion, email info@websorcery.nl. To help us verify your request, please email from the device you use with StekVPN, or include your VPN profile's assigned internal IP address (visible in the app). We reserve the right to decline requests we are unable to verify. We will action verified requests within 30 days.
Section 07

Your rights (GDPR)

Because we operate from the Netherlands, the EU General Data Protection Regulation applies to every user, regardless of where you live. You have the right to:

  • Access the data we hold about your VPN profile.
  • Correct anything that is wrong.
  • Delete your VPN profile and all associated data.
  • Export a machine-readable copy.
  • Object to processing based on legitimate interests.
  • Lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch data-protection authority).

To exercise any of these rights, email info@websorcery.nl. We'll respond within 30 days. We do not use automated decision-making or profiling.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours. If the breach poses a high risk to you personally, we will also notify you directly without undue delay. Websorcery has not appointed a Data Protection Officer, as we do not meet the thresholds set out in GDPR Article 37 at our current scale of operations.

Section 08

California rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA and CPRA. The personal information we collect falls into these categories: Identifiers (IP address, VPN profile public key) and Internet or other electronic network activity (connection timestamp, bytes transferred). We do not sell or share this information. Your California rights include:

  • Right to know — request the categories and specific pieces of personal information we have collected about you.
  • Right to delete — request deletion of your personal information, subject to certain exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to limit use of sensitive personal information — your IP address may qualify as sensitive PI under the CPRA. We use it solely to operate the VPN service.
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

To exercise your California rights, email info@websorcery.nl. We will respond within 45 days as required by law.

Section 09

Do Not Track (CalOPPA)

StekVPN's app does not respond to browser-level "Do Not Track" (DNT) signals, as the WireGuard VPN protocol operates independently of browser tracking preferences. We do not track users across third-party websites, and we do not embed any third-party advertising or analytics services in the app.

Section 10

Children

StekVPN is not directed at children under 16. We do not knowingly collect data from anyone we know to be under 16. If you are a parent or guardian and believe your child has used the app, contact us at info@websorcery.nl and we will delete any associated records.

Section 11

Changes to this policy

When we change anything material in this policy, we'll:

  • Bump the version number at the top of this page.
  • Update the "Last updated" date.
  • Show a notice inside the app on next launch summarising what changed.

Minor wording fixes won't trigger a notice. The version history is available on request.

Section 12

Contact us

Questions, requests, or complaints about privacy go to:

Email
info@websorcery.nl
Post
Websorcery, Bachlaan 68, 3906 ZL Veenendaal, the Netherlands
Supervisory authority
Autoriteit Persoonsgegevens

For general support (a server that won't connect, a feature request) please use the contact form instead — it gets to the right team faster. Contact