Surfshark Privacy Policy
Since our Privacy Policy is quite lengthy, we thought you might appreciate a short & easy breakdown. These highlighted bits will do precisely that! Note: the framed explanations aren’t legally binding and are meant to help you understand the legal language.
1. What information is collected and why?
We’re established in the Netherlands and we keep our Services logs-free. We don’t collect any information that could lead us to know what you’re up to online.
Surfshark respects your privacy, therefore we are committed to not process any information related to the online activity of our users. Surfshark is based in the jurisdiction, which does not require information storage or reporting. We do not collect any information about what you do online (your visited IP addresses, browsing history, session information, used bandwidth, connection time stamps, network traffic or any other similar information).
Our servers do store information about your connection to a particular VPN server (user ID and/or IP address and connection time stamps), BUT this information is automatically deleted within 15 minutes after termination of your session. And be assured that no information is stored about the websites you visit.
When you visit our Website or navigate within our app (collectively referred to as ‘Website’), we collect and use some anonymized information to improve the performance of our Website. The information we collect on our Website may include anonymous “traffic information” that does not personally identify you. This information is statistical and includes information about which pages on Surfshark’s Website visitors visit and how long visitors stay on a particular page. It also provides information about what browser, network, or device is used to visit our Website. Also, when you visit our Website , we may retain your IP address and a unique identifier of your device. This helps us identify problems with our server, to administer our Website, or to display the content according to your preferences. The legal basis for such processing is our legitimate interest to analyse and improve the performance of our Website and user experience. That does not mean that we track your online activity while you use our Services.
When you use our Services, we collect and use the information for the following purposes:
- To provide our Services.
We process limited information related to the use of our Services (registration information: e-mail, account registration date, information about subscription, encrypted password, when you use our Smart DNS feature – your IP address, when you use our Search tool – aggregated number of performed searches).
For provision of our antivirus service (currently available for Windows, macOS and Android users) we also collect information about your devices on which you use the antivirus service. This information is needed to ensure the compliance with a limitation for the number of devices that one client may use for the antivirus service as provided in our Terms of Service. If you choose to use the Webcam Protection feature, we will not have access to your webcam, microphone, apps or files on your device. We will retain statistical information about the usage of this feature, including the number of times you received a request to access your camera or microphone, which preference you selected, whether this feature is turned on or off, how many apps you have included in the exclusion list. To provide statistics on what malware was detected, we will process malware name and type, country, OS, user ID; this information will be anonymized after 1 year.
To use our Alert service for detecting personal data leaks, you can submit your email address, personal identity number (or a social security number), or credit card number for monitoring. We'll securely retain this information, encrypting personal identity and credit card numbers. When you enter your email, you authorize us to find and provide you with additional leaks-related details, for example, usernames, passwords, full names, country, physical address, IP addresses. For credit card or social security number leaks, we'll only show you data categories (e.g., credit card details, name, address, password, nationality) for security reasons, rather than the specific compromised data.
If you use the Dedicated IP service, we will process your email address, therefore, certain online activities can be traced back to your account information as long as you don’t select an anonymous Dedicated IP option after the Dedicated IP installation process. Anonymous Dedicated IP option removes any information we have in our database about your Dedicated IP address.
If you use the Alternative Email service, we will process your email address, email mask and its description, also we will process the content of the email only for technical reasons (i.e. to forward it), email forwarding status, user profile data, metadata associated with the email. To be able to use this service, you will have to verify your email address to which emails are forwarded. The emails you receive via Alternative ID along with sender and recipient email server IP address, sender email address and timestamps are deleted as soon as they are forwarded to your email address. We use a trusted email service provider to facilitate this service. If you use the Alternative Number service, we will process the telephone number that has been assigned to you by Surfshark, as well as your call and SMS log, your content. We use a trusted VoIP service provider to facilitate this service. We respect your privacy and we do not access your private content.
Legal basis for the processing of information is the performance of a contract to which you are a party. Please note that this information is necessary to enter into a contract and if you do not provide this information (or if we cannot retain this information), we will not be able to provide you with our Services.
- Analysing and improving the performance of our Services and user experience (when you use our Services).
To maintain a perfect quality of our Services and provide you with efficient support, we collect diagnostics information and monitor crash reports on our apps and extensions. The information we collect contains aggregated performance information, the frequency of use of our Services, unsuccessful connection attempts and other similar information. Please note that diagnostics information does not contain uniquely identifiable information. However, if you face some problems when using our apps, to solve these problems we may require your device information. We will access this information only if you provide a separate consent for that.
When you permit us through a pop-up within our app, we collect your location data, i.e. only your WiFi name (Service Set Identifier), which is stored on your device for the purpose of enabling “Auto-connect” feature, which extends to “Trusted WiFi” networks. This feature allows our app to automatically connect to a server without your worry about it. However, please rest assured that we do not share this information to any third party. In fact we do not store this information on our end and it is stored only on your device.
In case we process your personal information, legal basis for such processing is our legitimate interest to analyse and improve the performance of our Website/Services and user experience.
- Offering our Services.
We may contact you via email for this purpose, but we also encourage you to contact us via our online contact form to get the best VPN offer for you. For us to be able to address your requests effectively, we may ask you to provide some information about you. We will also use the provided information to contact you regarding any future offers that may be of interest to you.
If you do not wish to receive emails from us, you can opt-out from receiving emails or unsubscribe at support@surfshark.com or click “unsubscribe” at the bottom of any correspondence. If you have multiple email addresses, you will need to opt-out for each address in order to be removed from our active database.
Legal basis for the processing of personal information is your consent, your relationship with Surfshark or our legitimate interest to conduct marketing activities.
- Communicating with users and customer support.
We use user email address to: i) send important updates and announcements related to the use of our Services; ii) respond to user requests or inquiries. In addition to user email, we process your inquiry and other information that is provided by you during the conversation.
When a user contacts us through a live chat on our website, we are able to see the user’s IP address. This information is needed to determine if the user is connected to our servers so that we can assist in solving related issues.
Legal basis for the processing of personal information is performance of contract with you (in case of important communication related to our Services) or your consent (in case you submit an inquiry with our customer support).
- To interact with you via social media.
Where you interact with us via social media, we will process social media profile information, inquiry information, post information and other information you provide us with.
Legal basis for the processing of personal information is your consent.
- To enhance user experience.
We may use an automated decision-making, including profiling, process to evaluate whether to apply a discount to the price of the subscription a user purchases.
Legal basis for the processing of personal information is our legitimate interest to enhance user experience.
- Advertising.
We may receive certain information about you (cookie id, mobile device id, advertising IDs; and in case you use our Trust DNS app – in app events, such information about what browser, network, or device is used to access and use Trust DNS) from certain advertisers and advertising partners for analytical and advertising purposes. Our advertising partners help us attribute sales, deliver more relevant ads and promotional messages to you, which may include interest-based advertising and account-based advertising.
Legal basis for the processing of personal information is our legitimate interest to deliver relevant ads and promotional messages to you, and to attribute sales.
- To ensure the security of your account.
To enhance the security of your account, when you log in to the Surfshark app, we collect information about your device (such as device name, operating system, and Surfshark app version installed), including the last login date. This helps us recognize your trusted devices and allows us to provide better security for your account. We collect this information on the basis of our legitimate interest in ensuring our users’ security. As part of this, we'll notify you by email if you log in from a new device that differs from your last used devices.
This email will provide you with the login details. If you did not log in from this new device, it is crucial to change your password immediately to secure your account. We also strongly encourage you to enable two-factor authentication for enhanced protection. By promptly notifying you of logins from unfamiliar devices, we empower you to take swift action if anything appears suspicious, thereby helping to ensure your account's safety.
- Accounting, payment, legal requirements and legal processes.
We are subject to accounting, tax and other statutory requirements. We may have to protect our legitimate interests and legal rights. In these cases we may be required to collect and store a limited amount of certain information: email address, subscription information, payment related information, legal documents.
As for payment related information, our payment processing partners collect usual data necessary for payment processing and/or refund requests (transaction date, payer’s IP address, credit card number, credit card owner’s full name, in some jurisdictions also personal identity code, passport or identity card number and/or residence address). We process only a very small part of this payment related information (part of the credit card number, payer’s IP address, payment amount, currency, date of payment and card expiry date) for solving payment related issues (such as fraud prevention cases). We also collect information about your residence country (and your state) as this information is needed to calculate applicable VAT/sales tax. If you elect so, we may retain your data which is used to generate and issue invoice for the rendered Services. If you choose the open banking payment method to pay for our Services, we will collect your name and surname, as well as your bank details.
Legal basis for the processing of personal information is a legal obligation to which we are subject (in case we need to collect your information statutorily) and our legitimate interest to defend our rights and interests (in case of other legal processes related to you, if any).
2. How long do we store your personal information?
Information Retention
Please keep in mind that one of our most important principles is No-logs Policy (see more in our Terms of Service), therefore we collect only the minimum amount of information about you, which is required to provide you with our Services.
We apply different retention periods depending on the purpose for which your personal information is processed as detailed in Clause 1 of this Policy:
- Personal information which is needed to provide our Services is processed for as long as you use Surfshark and no more than 2 years after you stop.
- Personal information which is needed to provide our Smart DNS services (i.e. your IP address) is processed for as long as you use our Services.
- Personal information which is needed to provide our Trust DNS service is processed for as long as you use Trust DNS service.
- Personal information which is needed to provide our Alternative ID service is processed for as long as you use Alternative ID and 2 years after the end of this service.
- Personal information which is needed for analysing and improving the performance of our Website/Services and user experience is processed until the deletion of your account.
- Personal information which is needed to offer you our Services is processed as long as you use them or have given us consent and 2 years thereafter.
- Personal information which is needed to enhance your experience (i.e. to perform automated decision making, including profiling) is processed for as long as you use Surfshark and no more than 2 years after you stop.
- Personal information which is needed to communicate with users and provide customer support is processed for no longer than 2 years following the last communication with the exception of the device information (collected with your consent to solve your problems with the app), which we store for no longer than 7 days.
- Personal information which is needed to interact with you via social media is processed for as long as you are registered on a specific social media network.
- Personal information which is needed for internet advertising purposes is processed for 30 days unless provided otherwise in the section „Cookie and web beacons”.
When you use Surfshark Alert, we do not store monitored data (or any related additional information) on our platform, unless you choose to save it there for consistent monitoring.
If you request, we will delete your personal information specified in Clause 1, unless, we are legally required to maintain certain personal information, including situations such as the following:
- If there is an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute, we will retain the necessary personal information about you until the issue is resolved;
- Where we are required to retain the personal information about you for our legal, tax, audit, and accounting obligations, we will retain only the necessary personal information for the period required by applicable law; and/or,
- Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.
3. How does our Website interact with third party services and content?
Information Transfers
Your information from Clause 1 may travel around the world a bit, but we always take extra care to keep it safe and sound.
Your information as specified in Clause 1 may be stored and processed in any country where we have facilities or in which we engage service providers. Please note that we use standard contractual clauses approved by the European Commission (you can access it here) to transfer your personal information from the EEA to other countries or we transfer personal information to countries that the European Commission has recognised as ensuring an adequate level of information protection (you can access the list of countries here).
Information recipients
It takes a village to keep our Services up and running. We need third-party tools and services for things like marketing, payments, live chat, and so forth. Since these don’t belong to us, we urge you to read their terms & policies on their sites.
Surfshark shares personal information with information recipients only in cases where necessary for the purposes described in Clause 1 and allowed in accordance with applicable laws. We do not sell or trade your information with anyone.
We only disclose personal information to law enforcement authorities or courts of competent jurisdiction when we are asked and legally obliged to do so (our Warrant Canary page will display if we’re ever asked to do so).
| Information recipient or category of information recipient | Purpose of personal information transfer | Country of the recipient |
|---|---|---|
| Marketing service providers, such as Iterable, Firebase Analytics (by Google), Taboola and Appsflyer | we use them to manage our contacts and automate our marketing | United States, Sweden, Ireland, United Kingdom |
| Third-party payment providers, such as Stripe, Checkout, Coingate and similar | they help us to process payments together with our own authorized payment processing companies | United States, Ireland, BVI |
| Storage and infrastructure service providers, such as BigQuery (by Google), Stitch (by Talend) | they help us to deliver targeted advertising to the Website visitors | United States |
| Live chat and support service providers, such as Zendesk | we use them to provide live chat technology and provide support to our users | United States |
| Security service providers, such as Cloudflare | we work with them to provide improved security and performance | United States |
| Providers that help us deliver the Alternative ID service, such as Telnyx | we work with them to provide you Alternative ID services (such as Alternative Number) | United States |
4. What choices do you have over how your information is used?
You may be aware that the General Data Protection Regulation or “GDPR” and other privacy laws give certain rights to individuals in relation to their personal information. Accordingly, we have implemented additional transparency to help users take advantage of those rights. As available and except as limited under applicable law, individuals have the rights described below:
- You can access your personal information or receive a copy of it by contacting us.
- You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information where it is technically possible.
- You can demand the correction of inaccurate personal information and, subject to the nature of the collection and use, the completion of incomplete personal information (right to rectification).
- Right to deletion of your personal information specified in Clause 1, unless, we are legally required or we have a legal basis to maintain certain personal information.
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority.
If you wish to implement any of the above-mentioned rights, please contact us at support@surfshark.com.
5. Do we engage in automated individual decision-making, including profiling?
We may use automated decision-making, including profiling, to enhance your experience with our Services.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. Automated decision-making is the process of making a decision by automated means without any human involvement. Our system may automatically generate decisions using a very limited amount of your personal information (for example, information related to your subscription). For instance, we may use an automated decision-making, including profiling, process to evaluate whether to apply a discount to the price of the subscription you purchase.
Please note that we will not engage in automated decision-making, including profiling, that involves a decision with legal or similarly significant effects solely based on automated processing, including profiling, of personal information, unless you explicitly consented to the processing, or the processing is necessary for entering into a contract, or when otherwise authorized by applicable law. Automated decision-making, including profiling, will not be used to increase the price of the subscription you want to purchase.
Do not forget that You have rights in relation to automated decision making, including profiling, e.g. the ability to object to such processing and / or request a manual decision-making process instead or contest a decision based solely on automated processing.
6. Cookies and web beacons
Most of the sites on the internet use cookies, as they’re pretty convenient. If you want to, you can reject those, but some things may not work completely or as well as they should. We also use web beacons, but if you reject cookies, they won’t work either.
A cookie is a small string of data that transfers to your computer for identification purposes. Cookies can be used to follow your activity on the Website and that data helps websites to understand your preferences and improve your website experience. You can turn off all cookies in the event you prefer not to receive them. You can also have your computer warn you whenever cookies are being used. There are also software products available that can manage cookies for you. Please be aware, however, that when you choose to reject cookies, this choice may limit the functionality of the Website and you may lose access to some of its features.
A web beacon is an invisible pixel-sized graphic image on a web page, web-based document or e-mail message. It helps us do things like view the URL of the page on which the beacon appears and the time the Website, document or email in question is viewed. They can be used to confirm the receipt of, and response to, our emails, including those that you forward to friends and family; and they help deliver a more personalized online experience.
Some links may take you outside of our Website and are beyond our control. Please note that these other sites may send their own cookies to users, collect data, or solicit personal information. We urge you to review the equivalent data protection, privacy, and cookie policies available on their websites. We do not accept any responsibility or liability for the data protection of privacy practices of third parties in relation to such websites and your use of third party websites is entirely at your own responsibility.
We use cookies on our Website as described in the table below. Please note that from time to time we may test additional analytical cookies on our Website. The table below is updated with the relevant analytical cookies once there is a final decision to use them permanently.
| Cookie name | Cookie expiry | Provenance | Purpose | Cookie Category |
|---|---|---|---|---|
| surfshark-locale | 29 days | Surfshark | It stores user selected website language | Necessary (functional) |
| surfshark-experiments | 1 year | Surfshark | It stores data for our user experience testing | |
| surfshark-alert-coupon | Session | Surfshark | Used to store coupon which will be used during purchase Alert service | |
| _sstk | 2 hours | Surfshark | Used for authentication purposes | |
| _ssexp | 2 hours | Surfshark | Used for authentication purposes | |
| _ssrtk | 2 hours | Surfshark | Used for authentication purposes | |
| sf-la | 30 days | Surfshark | Landing page tracking cookie which indicates the source of the last visit | |
| sf-fi | 30 days | Surfshark | Landing page tracking cookie which indicates the source of the last visit | |
| sf-rf | 30 days | Surfshark | Referral tracking cookie | |
| __zlcmid | Persistent | Third party (Zendesk) | To store unique user ID (for chat purposes) | |
| surfshark-cookies-consent | 6 months | Surfshark | Used to store user cookie consent | |
| _cq_duid | 3 months | Third party (Cheq) | Used to detect domain sessions per device | |
| _cq_suid | Session | Third party (Cheq) | Used to detect browser sessions per domain and device | |
| _cq_tuid | Session | Third party (Cheq) | Used to detect tab sessions per device | |
| _cq_check | Deleted immediately after insertion | Third party (Cheq) | Used to detect if the device supports cookies | |
| cg_uuid | 365 days | Third party (Cheq) | Hosted by cheqzone.com. Used to detect when the same device is used in a separate browser session, to ensure that once a session is identified as fraudulent or malicious, it can be consistently blocked from access to the relevant customer’s website | |
| __cf_bm | 1 day | Third party (Cloudflare) | Used to read and filter requests from bots | |
| surfshark-uuid | 2 years | Surfshark | It identifies the same user for our user experience testing | |
| is_eu | Session | Third party (Pinterest) | Determines whether the user is located within the EU and therefore is subject to EU's data privacy regulations. | |
| surfshark-sticky-cta-closed | Session | Surfshark | This cookie stores information about the website visitor’s actions on our promotional pop-ups | |
| surfshark-cf-uuid | 30 min | Surfshark | This cookie is used to prevent fraud | |
| sf-af | 30 days | Surfshark | Affiliate network tracking cookie | Affiliate |
| _uetvid | 16 days | Third party (Bing) | It stores and tracks visits across websites | Marketing |
| _uetvid_exp | Persistent | Third party (Bing) | It stores and tracks visits across websites | |
| IDE | 1 year | Third party (Google DoubleClick) | These cookies set by a third party (DoubleClick) and are used for serving targeted advertisements that are relevant to you across the web. Targeted advertisements may be displayed to you based on your previous visits to this website. For example, advertisements about a topic you have expressed an interest in while browsing our site may be displayed to you across the web. In addition, these cookies measure the conversion rate of ads presented to the user. | |
| MUID | 1 year | Third party (Microsoft) | It stores and tracks visits across websites | |
| _ttp | 13 months | Third party (TikTok) | Serves targeted advertising and measures the performance of advertising campaigns. | |
| personalization_id | 2 years | Third party (Twitter) | This cookie is set by Twitter to measure the performance of advertising campaigns through Twitter, across different browsers and devices used by a visitor. | |
| muc_ads | 2 years | Third party (Twitter) | This is a cookie that is set by Twitter. It is used for optimizing ad relevance by collecting visitor navigation data. | |
| _pin_unauth | 365 days | Third party (Pinterest) | This cookie is used by Pinterest to track usage of their services. | |
| _pinterest_sess | 1 year | Third party (Pinterest) | Pinterest login cookie | |
| guest_id_marketing | 2 years | Third party (Twitter) | Used to detect whether a user is logged into Twitter. | |
| guest_id | 2 years | Third party (Twitter) | Unique ID that identifies the user’s session. | |
| _uetsid | 1 day | Third party (Bing) | Used to store and track visits across websites. | |
| _uetsid_exp | Persistent | Third party (Bing) | Contains the expiry-date for the cookie with corresponding name. | |
| guest_id_ads | 2 years | Third party (Twitter) | This cookie is set due to Twitter integration and sharing capabilities for social media. | |
| eng_mt | Persistent | Third party (Taboola) | Tracks the conversion rate between the user and the advertisement banners | |
| C | If C=1 - 60 daysIf C=3 - 3650 days | Third party (Adform) | Identifies if user’s browser accepts cookies.1 – Cookies are allowed3 – Opt-out | |
| TPC | 14 days | Third party (Adform) | Identifies if user’s browser accepts third party cookies | |
| GCM | 1 day | Third party (Adform) | Identifies if there is a need to re-check partner‘s cookie matching existence | |
| CM | 1 day | Third party (Adform) | Identifies if there is a need to re-check partner‘s cookie matching existence (set by AdServing) | |
| CM14 | 14 days | Third party (Adform) | Identifies if there is a need to re-check partner‘s cookie matching existence (set by Cookie Matching) | |
| token | Session | Third party (Adform) | Security token for opt out functionality | |
| otsid | 3650 days | Third party (Adform) | Advertiser specific opt-out | |
| uid | 60 days | Third party (Adform) | Unique identifier | |
| SR<RotatorID> | 1 day | Third party (Adform) | Sequential rotator information – contains total impressions, daily impressions, total clicks, daily clicks, and last impression date | |
| CT<TrackingSetupID> | 1 hour | Third party (Adform) | Identifies last click membership for 3rd party pixels on advertiser’s pages | |
| EBFCD<BannerID> | 7 days | Third party (Adform) | Identifies daily frequency capping for expanding banner | |
| EBFC<BannerID> | 7 days | Third party (Adform) | Identifies total frequency capping for expanding banner | |
| CFFC<TagID> | 7 days | Third party (Adform) | Compound banner frequency capping |
7. How do we secure your information?
We really care about your security & privacy and do a lot to protect it. However, anyone who tells you that 100% anything-proof security is possible either doesn’t know much about it or is trying to mislead you. Please keep that in mind.
We have implemented various security measures, including SSL/TLS encryption for data transfers, hashed passwords, firewalls, and regular audits. We take all steps reasonably necessary to ensure that your information is treated securely.
While we implement security measures on our Website and through our Services, you should be aware that 100% security is not always possible. Whenever you give out your information online there is a risk that a third party may intercept and use that information. While we strive to protect your information and privacy, we cannot guarantee the security of any information you disclose online. By using the Services, you expressly acknowledge and agree that we cannot guarantee the security of any information provided to or received by us through the Services and that any general information, other information or information received from you through the Website or our Services is provided at your own responsibility.
8. Does our Website respond to do-not-track signals?
Currently, it doesn’t. You can tweak your specific browser settings to achieve very similar things.
At this time Surfshark does not recognize automated browser signals regarding tracking mechanisms, which may include ‘do-not-track’ instructions. However, you can change your privacy preferences regarding the use of cookies and similar technologies through your browser. You may set your browser to accept all cookies, block certain cookies, require your consent before a cookie is placed in your browser, or block all cookies. Please note that blocking all cookies will affect your online experience and may prevent you from enjoying the full features offered by our Website.
9. What if I access the Website or your Services from my mobile phone, tablet or laptop?
The same things stand that we talked about in section “What information is collected and why?” at the very top of this Privacy Policy. Basically, we don’t collect much, and you can opt out of most of it.
If you are a visitor of our Website, but not a user of our Services, we collect and use information about you in the same way and for the same purposes as specified above in Clause 1 notwithstanding the device or application you use. If you are a user of our Services and access our Website using one or more of our applications notwithstanding the device, application, or browser extensions, we collect and use information in the same way and for the same purposes as specified above in Clause 1.
10. Who should you contact with questions or concerns?
Our 24/7 Customer Success Team will help you out as soon as they can.
If you have any questions or comments relating to Surfshark Services, send an email to support@surfshark.com or chat with us on the Website.
11. Other terms
The English version of this Privacy Policy prevails.
While translations of this Privacy Policy may be provided in other languages, they may not be fully up-to-date or comprehensive. Thus, in case of any conflict between the English version and the translated versions of this Privacy Policy, the English version shall take precedence.
12. When was this policy last updated?
Keep in mind that we can update this Policy in the future & check it regularly.
August 5, 2025.