Folden Grond LLC ("we", "us") operates the Folden Grond VPN service. This policy explains what data we collect, how we use it, and your rights.
Anonymity By Design
Your account is not tied to your real identity. Here's why:
- No email required - Your account is a randomly generated number. We never ask for or store your email address.
- Payment handled externally - Payments are processed by Stripe (card) or our self-hosted BTCPay Server (cryptocurrency). We receive only a confirmation that payment succeeded—no billing details, no email, no name. Wire transfers are processed manually with no personal information stored beyond the transaction record.
- IP addresses are not stored - We do not store your originating IP address. Abuse detection correlates activity using your device's WireGuard public key hash, not your IP.
- Device identifiers are hashed - Your device's WireGuard public key is hashed before storage.
The data we store (account number, connection metadata, bandwidth usage) cannot be linked to your real-world identity because we never collect that identity in the first place.
What We Don't Collect
We do not log or store:
- Browsing history or traffic content
- DNS queries
- Your originating IP address
What We Do Collect
Account Data
Your account is a randomly generated 10-character number. We do not require email, name, or phone number.
Data linked to your account:
- Account number
- Subscription status and expiry date
- WireGuard public key (for VPN connection)
- Registered device count (up to 5)
Connection Data
- First and last connection timestamps
- Last server used
- Connection count
Bandwidth
We track bandwidth usage per account:
- Rolling usage (24 hour, 7 day, 30 day, total)
- Used for fair use enforcement
Device Information
When you connect, we store your WireGuard public key hash to:
- Enforce the 5-device limit
- Route your traffic to VPN servers
The hash cannot be reversed to identify your device.
Abuse Prevention
To protect the service, we track:
- Abuse score (automated metric)
- Abuse flags if suspicious activity is detected
- Device hash (WireGuard public key hash) associated with abuse events
Abuse event data is automatically deleted after 14 days.
Payment Data
We accept three payment methods:
Card Payments (Stripe)
Processed by Stripe. We do not receive or store credit card numbers or billing addresses. See Stripe's Privacy Policy.
Cryptocurrency (BTCPay Server)
Processed by our self-hosted BTCPay Server instance. We accept Bitcoin (on-chain and Lightning) and Monero. No third-party payment processor is involved. We do not store wallet addresses used for payment.
Wire Transfers
Processed manually. We do not store sender bank details beyond what is necessary to confirm receipt.
For all payment methods, we store only:
- Transaction ID
- Payment method used
- Payment status (success/failed)
- Amount and subscription period
Data Retention
We retain data only as long as necessary. Automatic deletion enforced daily.
Active Accounts
- Account number & expiry - While subscription/credit is active
- Device registrations - While account exists
- Bandwidth - Monthly aggregated totals only (for fair use); no detailed logs
Automatic Deletion
- Connection timestamps - 48 hours
- Abuse events - 14 days
- Detailed bandwidth reports - 30 days
- Server logs - None (RAM-only, wiped on restart)
Inactive Accounts
- Expired accounts - Deleted after 90 days
- Never-activated accounts - Deleted after 7 days
- Ban records - 1 year after expiry
Legal Requirements
- Transaction IDs - 7 years (US Tax Law/IRS)
- Does NOT include payment details or personal data (held by Stripe)
Deletion Requests
Email [email protected] to request immediate deletion. All data deleted within 48 hours except transaction records (legally required).
Transparency & Law Enforcement
If we receive a legal request, we can only provide:
- Account number
- Subscription status and expiry
- Transaction IDs
We cannot provide browsing history, IP addresses, or traffic content because we do not store this data.
Third Parties
We do not sell or share your data. Data is only shared with:
- Stripe for card payment processing
- Cloudflare for DDoS protection and CDN (sees website traffic metadata, not VPN traffic)
- Infrastructure providers (Hetzner, Vultr, DigitalOcean) necessary to operate VPN servers
Cryptocurrency payments are processed on our own self-hosted BTCPay Server—no third-party payment processor is involved.
Legal Basis for Processing (GDPR)
We process data under the following legal bases as defined by the EU General Data Protection Regulation:
- Contract performance - Account data, device registration, and connection data are necessary to provide the VPN service you subscribed to.
- Legitimate interest - Abuse prevention and fair use enforcement are necessary to protect the service and other users.
- Legal obligation - Transaction ID retention (7 years) is required under US tax law.
We do not process data based on consent, as all data collection is either contractually necessary or legally required.
International Data Transfers
Our VPN servers are located in multiple countries. Since we do not collect personally identifiable information, cross-border data transfer provisions under GDPR (Chapter V) have limited applicability. The operational data processed on servers (WireGuard keys, bandwidth counters) cannot be linked to an identified natural person.
EU/EEA Residents (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access - Request a copy of data we hold about your account
- Rectification - Request correction of inaccurate data
- Erasure - Request deletion of your data
- Restriction - Request we limit processing of your data
- Data portability - Request your data in a machine-readable format
- Object - Object to processing based on legitimate interest
To exercise any of these rights, contact [email protected] with your account number. Due to our anonymous account design, we may be unable to verify requests without your account number.
You may also lodge a complaint with a supervisory authority in your country of residence.
California Residents (CCPA)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect and how it is used (described in this policy)
- Delete your personal information
- Non-discrimination for exercising your privacy rights
Categories of personal information collected: Account identifiers (random account number), internet activity information (bandwidth usage, connection timestamps), device identifiers (hashed WireGuard public key).
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not collect sensitive personal information as defined by the CCPA.
Security
- VPN traffic encrypted with WireGuard (ChaCha20-Poly1305)
- API connections secured with TLS
- Private keys stored locally on your device only
RAM-Based Server Architecture
Our VPN servers store all sensitive operational data exclusively in volatile memory (RAM), not on disk:
- WireGuard private keys - Generated fresh on each server boot, stored only in RAM
- Server logs - Written only to volatile memory, never to persistent storage
- Connection data - Maintained only in RAM during operation
- Certificates and configs - Loaded into RAM-based filesystems
When a server restarts or loses power, all operational data is automatically and irreversibly wiped. This means even physical access to a server yields no user connection history or cryptographic keys.
Swap is disabled on all servers to prevent memory contents from being written to disk.
Changes
We may update this policy. Material changes will be noted on our website.
Contact
Folden Grond LLC
30 N Gould St Ste N
Sheridan, WY 82801
Email: [email protected]