Table Of Contents

Surfshark Privacy Policy

Since our Privacy Policy is a few hundred words over 5k, we thought you might appreciate a short & easy breakdown. These highlighted bits will do precisely that! Note: the framed explanations aren’t legally binding and are meant to help you understand the legal language.

This Privacy Policy explains how Surfshark B.V., address: Kabelweg 57, 1014BA Amsterdam, the Netherlands processes your personal data when you use our Services or interact with our Website. The Privacy Policy will remain in effect until a new policy supersedes it. We may choose to update this policy at our discretion, so you should check this page periodically as the terms may change from time to time. The most recent version of the policy will be reflected by the “last updated” date noted at the bottom of the page. Your continued use of the Website and our Services will constitute your acknowledgment of the policy in its current version and your understanding of the terms of the policy.

1. What information is collected and why?

We’re established in the Netherlands and we keep our Services logs-free. We don’t collect any information that could lead us to know what you’re up to online.

Surfshark respects your privacy, therefore we are committed to not process any information related to the online activity of our users. Surfshark is based in the jurisdiction, which does not require information storage or reporting. We do not collect any information about what you do online (your visited IP addresses, browsing history, session information, used bandwidth, connection time stamps, network traffic or any other similar information).

Our servers do store information about your connection to a particular VPN server (user ID and/or IP address and connection time stamps), BUT this information is automatically deleted within 15 minutes after termination of your session. And be assured that no information is stored about the websites you visit.

  • When you visit our Website or navigate within our app (collectively referred to as ‘Website’), we collect and use some information to improve the performance of our Website. The information we collect on our Website may include anonymous “traffic information” provided by the host or similar provider of such information (e.g. Google Analytics) that does not personally identify you. This information is statistical and includes information about which pages on Surfshark’s Website visitors visit and how long visitors stay on a particular page. It also provides information about what browser, network, or device is used to visit our Website. To learn more about Google Analytics and how to opt out, please visit https://chrome.google.com/webstore/detail/google-analytics-opt-out/fllaojicojecljbmefodhfapmkghcbnh?hl=en. Also, when you visit our Website, we may retain your IP address and a unique identifier of your device. This helps us identify problems with our server, to administer our Website, or to display the content according to your preferences. The legal basis for such processing is our legitimate interest to analyse and improve the performance of our Website and user experience. That does not mean that we track your online activity while you use our Services.

When you use our Services, we collect and use the information for the following purposes:

  • To provide our Services.

We process limited information related to the use of our Services (registration information: e-mail, account registration date, information about subscription, encrypted password, when you use our Smart DNS feature – your IP address, when you use our Search tool – aggregated number of performed searches).

For provision of our antivirus service (currently available for Windows, macOS and Android users) we also collect information about your devices on which you use the antivirus service. This information is needed to ensure the compliance with a limitation for the number of devices that one client may use for the antivirus service as provided in our Terms of Service. If you choose to use the Webcam Protection feature, we will not have access to your webcam, microphone, apps or files on your device. We will retain statistical information about the usage of this feature, including the number of times you received a request to access your camera or microphone, which preference you selected, whether this feature is turned on or off, how many apps you have included in the exclusion list. To provide statistics on what malware was detected, we will process malware name and type, country, OS, user ID; this information will be anonymized after 1 year.

If you use our Alert service, you may enter email addresses which you would like to monitor for breaches. In such case we will retain this information. You may also enter your personal identity number (or social security number) and/or credit card number to monitor for related security breaches. When you choose to monitor your email address, you authorize us to look up additional information (usernames, passwords, full names, country, physical address or IP addresses) related to that email in known data breaches, which, if found, is provided to you in the platform. We do not look up for such additional information when you choose to monitor your credit card or social security numbers. As regards this data, we retain it in encrypted form and even we cannot use or review it.

If you use the Dedicated IP service, we will process your email address, therefore, certain online activities can be traced back to your account information as long as you don’t select an anonymous Dedicated IP option after the Dedicated IP installation process. Anonymous Dedicated IP option removes any information we have in our database about your Dedicated IP address.

If you use the Alternative ID service, we will process your email address. To be able to use this service, you will have to verify your email address. The emails you receive via Alternative ID along with sender and recipient email server IP address, sender email address, recipient email address and timestamps are deleted as soon as they are forwarded to your email address. We use a trusted email service provider to facilitate this service.

Legal basis for the processing of information is performance of a contract to which you are a party. Please note that this information is necessary to enter into a contract and if you do not provide this information (or if we cannot retain this information), we will not be able to provide you with our Services.

  • Analysing and improving the performance of our Services and user experience (when you use our Services).

To maintain a perfect quality of our Services and provide you with efficient support, we collect diagnostics information and monitor crash reports on our apps and extensions. The information we collect contains aggregated performance information, the frequency of use of our Services, unsuccessful connection attempts and other similar information. Please note that diagnostics information does not contain uniquely identifiable information. However, if you face some problems when using our apps, to solve these problems we may require your device information. We will access this information only if you provide a separate consent for that.

When you permit us through a pop-up within our app, we collect your location data, i.e. only your WiFi name (Service Set Identifier), which is stored on your device for the purpose of enabling “Auto-connect” feature, which extends to “Trusted WiFi” networks. This feature allows our app to automatically connect to a server without your worry about it. However, please rest assured that we do not share this information to any third party. In fact we do not store this information on our end and it is stored only on your device.

In case we would process your personal information, legal basis for such processing is our legitimate interest to analyse and improve the performance of our Website/Services and user experience.

  • Offering our Services.

We may contact you via email for this purpose, but we also encourage you to contact us via our online contact form to get the best VPN offer for you. For us to be able to address your requests effectively, we may ask you to provide some information about you. We will also use the provided information to contact you regarding any future offers that may be of interest to you.

If you do not wish to receive emails from us, you can opt-out from receiving emails or unsubscribe at [email protected] or click “unsubscribe” at the bottom of any correspondence. If you have multiple email addresses, you will need to opt-out for each address in order to be removed from our active database.

Legal basis for the processing of personal information is your consent, your relationship with Surfshark or our legitimate interest to conduct marketing activities.

  • Communicating with users and customer support.

We use user email address to: i) send important updates and announcements related to the use of our Services; ii) respond to user requests or inquiries. In addition to user email, we process your inquiry and other information that is provided by you during the conversation.

When a user contacts us through a live chat on our website, we are able to see the user’s IP address. This information is needed to determine if the user is connected to our servers so that we can assist in solving related issues.

Legal basis for the processing of personal information is performance of contract with you (in case of important communication related to our Services) or your consent (in case you submit an inquiry with our customer support).

  • To interact with you via social media.

Where you interact with us via social media, we will process social media profile information, inquiry information, post information and other information you provide us with.

Legal basis for the processing of personal information is your consent.

  • Advertising.

We may receive certain information about you (cookie id, mobile device id, advertising IDs; and in case you use our Trust DNS app – in app events, such information about what browser, network, or device is used to access and use Trust DNS) from certain advertisers and advertising partners for analytical and advertising purposes. Our advertising partners help us attribute sales, deliver more relevant ads and promotional messages to you, which may include interest-based advertising and account-based advertising.

Legal basis for the processing of personal information is our legitimate interest to deliver relevant ads and promotional messages to you, and to attribute sales.

  • Accounting, payment, legal requirements and legal processes.

We are subject to accounting, tax and other statutory requirements. We may have to protect our legitimate interests and legal rights. In these cases we may be required to collect and store a limited amount of certain information: email address, subscription information, payment related information, legal documents.

As for payment related information, our payment processing partners collect usual data necessary for payment processing and/or refund requests (transaction date, payer’s IP address, credit card number, credit card owner’s full name, in some jurisdictions also personal identity code, passport or identity card number and/or residence address). We process only very small part of this payment related information (part of the credit card number, payer’s IP address, payment amount, currency, date of payment and card expiry date) for solving payment related issues (such as fraud prevention cases). We also collect information about your residence country (and your state) as this information is needed to calculate applicable VAT/sales tax. If you elect so, we may retain your data which is used to generate and issue invoice for the rendered Services. If you choose the open banking payment method to pay for our Services, we will collect your name and surname, as well as your bank details.

Legal basis for the processing of personal information is a legal obligation to which we are subject (in case we need to collect your information statutorily) and our legitimate interest to defend our rights and interests (in case of other legal processes related to you, if any).

2. How long do we store your personal information?

Information Retention

Please keep in mind, that one of our most important principles is No-logs Policy (see more in our Terms of Service), therefore we collect only the minimum amount of information about you, which is required to provide you with our Services.

We apply different retention periods depending on the purpose for which your personal information is processed as detailed in Clause 1 of this Policy:

  • Personal information which is needed to provide our Services is processed for as long as you use Surfshark and no more than 2 years after you stop.
  • Personal information which is needed to provide our Smart DNS services (i.e. your IP address) is processed for as long as you use our Services.
  • Personal information which is needed to provide our Trust DNS service is processed for as long as you use Trust DNS service.
  • Personal information which is needed for analysing and improving the performance of our Website/Services and user experience is processed until the deletion of your account.
  • Personal information which is needed to offer you our Services is processed as long as you use them or have given us a consent and 2 years thereafter.
  • Personal information which is needed to communicate with users and provide customer support is processed for no longer than 2 years following the last communication with the exception of the device information (collected with your consent to solve your problems with the app), which we store for no longer than 7 days.
  • Personal information which is needed to interact with you via social media is processed for as long as you are registered on a specific social media network.
  • Personal information which is needed for internet advertising purposes is processed for 30 days unless provided otherwise in the section „Cookie and web beacons”.

When you use Surfshark Alert, we do not store monitored data (or any related additional information) on our platform, unless you choose to save it there for consistent monitoring.

If you request, we will delete your personal information specified in Clause 1, unless, we are legally required to maintain certain personal information, including situations such as the following:

  • If there is an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute, we will retain the necessary personal information about you until the issue is resolved;
  • Where we are required to retain the personal information about you for our legal, tax, audit, and accounting obligations, we will retain only the necessary personal information for the period required by applicable law; and/or,
  • Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.

3. How does our Website interact with third party services and content?

Information Transfers

Your information from Clause 1 may travel around the world a bit, but we always take extra care to keep it safe and sound.

Your information as specified in Clause 1 may be stored and processed in any country where we have facilities or in which we engage service providers. Please note that we use standard contractual clauses approved by the European Commission (you can access it here) to transfer your personal information from the EEA to other countries or we transfer personal information to countries that the European Commission has recognised as ensuring an adequate level of information protection (you can access the list of countries here).

Information recipients

It takes a village to keep our Services up and running. We need third-party tools and services for things like marketing, payments, live chat, and so forth. Since these don’t belong to us, we urge you to read their terms & policies on their sites.

Surfshark shares personal information with information recipients only in cases where necessary for the purposes described in Clause 1 and allowed in accordance with applicable laws. We do not sell or trade your information with anyone.

We only disclose personal information to law enforcement authorities or courts of competent jurisdiction when we are asked and legally obliged to do so (our Warrant Canary page will display if we’re ever asked to do so).

Information recipient or category of information recipientPurpose of personal information transferCountry of the recipient
Marketing service providers, such as Iterable, Taboola and Appsflyerwe use them to manage our contacts and automate our marketingUnited States, Sweden, Ireland, United Kingdom
Third-party payment providers, such as Stripe, Checkout, Coingate and similarthey help us to process payments together with our own authorized payment processing companiesUnited States, Ireland, BVI
Storage and infrastructure service providers, such as BigQuery (by Google), Stitch (by Talend)they help us to deliver targeted advertising to the Website visitorsUnited States
Live chat and support service providers, such as Zendeskwe use them to provide live chat technology and provide support to our usersUnited States
Security service providers, such as Cloudflarewe work with them to provide improved security and performanceUnited States
Attorneys, notaries, bailiffswe transfer personal information in cases when we seek to defend our rights and legal interestsUnited States, United Kingdom, the Netherlands

4. What choices do you have over how your information is used?

We respect GDPR and other privacy laws, and you can ask us to delete stuff or implement any other of your rights by emailing us at [email protected].

You may be aware that the General Data Protection Regulation or “GDPR” and other privacy laws give certain rights to individuals in relation to their personal information. Accordingly, we have implemented additional transparency to help users take advantage of those rights. As available and except as limited under applicable law, individuals have the rights described below:

  • You can access your personal information or receive a copy of it by contacting us.
  • You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information where it is technically possible.
  • You can demand the correction of inaccurate personal information and, subject to the nature of the collection and use, the completion of incomplete personal information (right to rectification).
  • Right to deletion of your personal information specified in Clause 1, unless, we are legally required or we have a legal basis to maintain certain personal information.
  • If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority.

If you wish to implement any of the above-mentioned rights, please contact us at [email protected].

5. Do we engage in automated individual decision-making, including profiling?

No.

Automated decision-making is the process of making a decision by automated means without any human involvement. Profiling analyses aspects of individual’s personality, behaviour, interests and habits to make predictions or decisions about them. We assure you, that we do not make decisions based solely on automated processing, including profiling, which would produce legal effects concerning you.

6. Cookies and web beacons

Most of the sites on the internet use cookies, as they’re pretty convenient. If you want to, you can reject those, but some things may not work completely or as well as they should. We also use web beacons, but if you reject cookies, they won’t work either.

A cookie is a small string of data that transfers to your computer for identification purposes. Cookies can be used to follow your activity on the Website and that data helps websites to understand your preferences and improve your website experience. You can turn off all cookies in the event you prefer not to receive them. You can also have your computer warn you whenever cookies are being used. There are also software products available that can manage cookies for you. Please be aware, however, that when you choose to reject cookies, this choice may limit the functionality of the Website and you may lose access to some of its features.

A web beacon is an invisible pixel-sized graphic image on a web page, web-based document or e-mail message. It helps us do things like view the URL of the page on which the beacon appears and the time the Website, document or email in question is viewed. They can be used to confirm the receipt of, and response to, our emails, including those that you forward to friends and family; and they help deliver a more personalized online experience.

Some links may take you outside of our Website and are beyond our control. Please note that these other sites may send their own cookies to users, collect data, or solicit personal information. We urge you to review the equivalent data protection, privacy, and cookie policies available on their websites. We do not accept any responsibility or liability for the data protection of privacy practices of third parties in relation to such websites and your use of third party websites is entirely at your own responsibility.

We use cookies on our Website as described in the table below. Please note that from time to time we may test additional analytical cookies on our Website. The table below is updated with the relevant analytical cookies once there is a final decision to use them permanently.

Cookie nameCookie expiryProvenancePurposeCookie Category
surfshark-locale29 daysSurfsharkIt stores user selected website languageNecessary (functional)
surfshark-currency29 daysSurfsharkIt stores user selected currency
surfshark-couponSessionSurfsharkIt stores the coupon which will be used during the purchase
surfshark-experiments1 yearSurfsharkIt stores data for our user experience testing
surfshark-exp1 yearSurfsharkIt stores data for our user experience testing
surfshark-skip-upgrade1 monthSurfsharkUsed to store post sale upgrade feature state
surfshark-alert-couponSessionSurfsharkUsed to store coupon which will be used during purchase Alert service
_sstk2 hoursSurfsharkUsed for authentication purposes
_ssexp2 hoursSurfsharkUsed for authentication purposes
_ssrtk2 hoursSurfsharkUsed for authentication purposes
sf-la30 daysSurfsharkLanding page tracking cookie which indicates the source of the last visit
sf-fi30 daysSurfsharkLanding page tracking cookie which indicates the source of the last visit
sf-rf30 daysSurfsharkReferral tracking cookie
__zlcmidPersistentThird party (Zendesk)To store unique user ID (for chat purposes)
surfshark-cookies-consent6 monthsSurfsharkUsed to store user cookie consent
_cq_duid3 monthsThird party (Cheq)Used to detect domain sessions per device
_cq_suidSessionThird party (Cheq)Used to detect browser sessions per domain and device
_cq_tuidSessionThird party (Cheq)Used to detect tab sessions per device
_cq_checkDeleted immediately after insertionThird party (Cheq)Used to detect if the device supports cookies
cg_uuid365 daysThird party (Cheq)Hosted by cheqzone.com. Used to detect when the same device is used in a separate browser session, to ensure that once a session is identified as fraudulent or malicious, it can be consistently blocked from access to the relevant customer’s website
__cf_bm1 dayThird party (Cloudflare)Used to read and filter requests from bots
surfshark-uuid2 yearsSurfsharkIt identifies the same user for our user experience testing
is_euSessionThird party (Pinterest)Determines whether the user is located within the EU and therefore is subject to EU's data privacy regulations.
st-sh13 monthsSurfsharkNecessary to facilitate the search functionality throughout our website
surfshark-sticky-cta-closedSessionSurfsharkThis cookie stores information about the website visitor’s actions on our promotional pop-ups
_gat1 minuteThird party (Google)It is used to distinguish usersAnalytic
collectSessionThird party (Google)It is used to send data to Google Analytics about the visitor’s device and on-site behaviour
_gid1 dayThird party (Google)It is used to distinguish users
_ga2 yearsThird party (Google)It is used to distinguish users
pll_language1 yearsSurfsharkPolylang uses this cookie to remember the language selected by the user when he comes back to visit again the website
_gat_surfsharkTracker1 minuteThird party (Google Tag Manager)Is used to throttle the request rate
sf-re30 daysSurfsharkIt tracks user retention
_gat_UA-116900630-11 minuteThird party (Google Tag Manager)Is used to throttle the request rate
surfshark-aff-stack1 monthSurfsharkIt helps to track which users come from which affiliatesAffiliate
sf-af30 daysSurfsharkAffiliate network tracking cookie
_uetvid16 daysThird party (Bing)It stores and tracks visits across websitesMarketing
_uetvid_expPersistentThird party (Bing)It stores and tracks visits across websites
pagead/landingSessionThird party (Google)Collects data on visitor behaviour from multiple websites, in order to present more relevant advertisement – This also allows the website to limit the number of times that the user is shown the same advertisement.
IDE1 yearThird party (Google DoubleClick)These cookies set by a third party (DoubleClick) and are used for serving targeted advertisements that are relevant to you across the web. Targeted advertisements may be displayed to you based on your previous visits to this website. For example, advertisements about a topic you have expressed an interest in while browsing our site may be displayed to you across the web. In addition, these cookies measure the conversion rate of ads presented to the user.
pagead/1p-conversion/#SessionThird party (Google)Tracks if the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees between websites.
test_cookie1 dayThird party (Google DoubleClick)These cookies set by a third party (DoubleClick) and are used for serving targeted advertisements that are relevant to you across the web. Targeted advertisements may be displayed to you based on your previous visits to this website. For example, advertisements about a topic you have expressed an interest in while browsing our site may be displayed to you across the web. In addition, these cookies measure the conversion rate of ads presented to the user.
MUID1 yearThird party (Microsoft)It stores and tracks visits across websites
_ttp13 monthsThird party (TikTok)Serves targeted advertising and measures the performance of advertising campaigns.
personalization_id2 yearsThird party (Twitter)This cookie is set by Twitter to measure the performance of advertising campaigns through Twitter, across different browsers and devices used by a visitor.
muc_ads2 yearsThird party (Twitter)This is a cookie that is set by Twitter. It is used for optimizing ad relevance by collecting visitor navigation data.
_pin_unauth365 daysThird party (Pinterest)This cookie is used by Pinterest to track usage of their services.
_pinterest_sess1 yearThird party (Pinterest)Pinterest login cookie
guest_id_marketing2 yearsThird party (Twitter)Used to detect whether a user is logged into Twitter.
guest_id2 yearsThird party (Twitter)Unique ID that identifies the user’s session.
_uetsid1 dayThird party (Bing)Used to store and track visits across websites.
_uetsid_expPersistentThird party (Bing)Contains the expiry-date for the cookie with corresponding name.
guest_id_ads2 yearsThird party (Twitter)This cookie is set due to Twitter integration and sharing capabilities for social media.
eng_mtPersistentThird party (Taboola)Tracks the conversion rate between the user and the advertisement banners
CIf C=1 - 60 daysIf C=3 - 3650 daysThird party (Adform)Identifies if user’s browser accepts cookies.1 – Cookies are allowed3 – Opt-out
TPC14 daysThird party (Adform)Identifies if user’s browser accepts third party cookies
GCM1 dayThird party (Adform)Identifies if there is a need to re-check partner‘s cookie matching existence
CM1 dayThird party (Adform)Identifies if there is a need to re-check partner‘s cookie matching existence (set by AdServing)
CM1414 daysThird party (Adform)Identifies if there is a need to re-check partner‘s cookie matching existence (set by Cookie Matching)
tokenSessionThird party (Adform)Security token for opt out functionality
otsid3650 daysThird party (Adform)Advertiser specific opt-out
uid60 daysThird party (Adform)Unique identifier
SR<RotatorID>1 dayThird party (Adform)Sequential rotator information – contains total impressions, daily impressions, total clicks, daily clicks, and last impression date
CT<TrackingSetupID>1 hourThird party (Adform)Identifies last click membership for 3rd party pixels on advertiser’s pages
EBFCD<BannerID>7 daysThird party (Adform)Identifies daily frequency capping for expanding banner
EBFC<BannerID>7 daysThird party (Adform)Identifies total frequency capping for expanding banner
CFFC<TagID>7 daysThird party (Adform)Compound banner frequency capping

7. How do we secure your information?

We really care about your security & privacy and do a lot to protect it. However, anyone who tells you that 100% anything-proof security is possible either doesn’t know much about it or is trying to mislead you. Please keep that in mind.

We have implemented various security measures, including SSL/TLS encryption for data transfers, hashed passwords, firewalls, and regular audits. We take all steps reasonably necessary to ensure that your information is treated securely.

While we implement security measures on our Website and through our Services, you should be aware that 100% security is not always possible. Whenever you give out your information online there is a risk that a third party may intercept and use that information. While we strive to protect your information and privacy, we cannot guarantee the security of any information you disclose online. By using the Services, you expressly acknowledge and agree that we cannot guarantee the security of any information provided to or received by us through the Services and that any general information, other information or information received from you through the Website or our Services is provided at your own responsibility.

8. Does our Website respond to do-not-track signals?

Currently, it doesn’t. You can tweak your specific browser settings to achieve very similar things.

At this time Surfshark does not recognize automated browser signals regarding tracking mechanisms, which may include ‘do-not-track’ instructions. However, you can change your privacy preferences regarding the use of cookies and similar technologies through your browser. You may set your browser to accept all cookies, block certain cookies, require your consent before a cookie is placed in your browser, or block all cookies. Please note that blocking all cookies will affect your online experience and may prevent you from enjoying the full features offered by our Website.

9. What if I access the Website or your Services from my mobile phone, tablet or laptop?

The same things stand that we talked about in section “What information is collected and why?” at the very top of this Privacy Policy. Basically, we don’t collect much, and you can opt out of most of it.

If you are a visitor of our Website, but not a user of our Services, we collect and use information about you in the same way and for the same purposes as specified above in Clause 1 notwithstanding the device or application you use. If you are a user of our Services and access our Website using one or more of our applications notwithstanding the device, application, or browser extensions, we collect and use information in the same way and for the same purposes as specified above in Clause 1.

10. Who should you contact with questions or concerns?

Our 24/7 Customer Success Team will help you out as soon as they can.

If you have any questions or comments relating to Surfshark Services, send an email to [email protected] or chat with us on the Website.

11. Other terms

The English version of this Privacy Policy prevails.

While translations of this Privacy Policy may be provided in other languages, they may not be fully up-to-date or comprehensive. Thus, in case of any conflict between the English version and the translated versions of this Privacy Policy, the English version shall take precedence.

12. When was this policy last updated?

Keep in mind that we can update this Policy in the future & check it regularly.

July 24, 2023.