1. What information is collected and why?
We’re established in the Netherlands and we keep our Services logs-free. We don’t collect any information that could lead us to know what you’re up to online.
Surfshark respects your privacy, therefore we are committed to not process any information related to the online activity of our users. Surfshark is based in the jurisdiction, which does not require information storage or reporting. We do not collect any information about what you do online (your visited IP addresses, browsing history, session information, used bandwidth, connection time stamps, network traffic or any other similar information).
Our servers do store information about your connection to a particular VPN server (user ID and/or IP address and connection time stamps), BUT this information is automatically deleted within 15 minutes after termination of your session. And be assured that no information is stored about the websites you visit.
- When you visit our Website or navigate within our app (collectively referred to as ‘Website’), we collect and use some information to improve the performance of our Website. The information we collect on our Website may include anonymous “traffic information” provided by the host or similar provider of such information (e.g. Google Analytics) that does not personally identify you. This information is statistical and includes information about which pages on Surfshark’s Website visitors visit and how long visitors stay on a particular page. It also provides information about what browser, network, or device is used to visit our Website. To learn more about Google Analytics and how to opt out, please visit https://chrome.google.com/webstore/detail/google-analytics-opt-out/fllaojicojecljbmefodhfapmkghcbnh?hl=en. Also, when you visit our Website, we may retain your IP address and a unique identifier of your device. This helps us identify problems with our server, to administer our Website, or to display the content according to your preferences. The legal basis for such processing is our legitimate interest to analyse and improve the performance of our Website and user experience. That does not mean that we track your online activity while you use our Services.
When you use our Services, we collect and use the information for the following purposes:
- To provide our Services.
We process limited information related to the use of our Services (registration information: e-mail, account registration date, information about subscription, encrypted password, when you use our Smart DNS feature – your IP address, when you use our Search tool – aggregated number of performed searches).
For provision of our antivirus service (currently available for Windows, macOS and Android users) we also collect information about your devices on which you use the antivirus service. This information is needed to ensure the compliance with a limitation for the number of devices that one client may use for the antivirus service as provided in our Terms of Service. If you choose to use the Webcam Protection feature, we will not have access to your webcam, microphone, apps or files on your device. We will retain statistical information about the usage of this feature, including the number of times you received a request to access your camera or microphone, which preference you selected, whether this feature is turned on or off, how many apps you have included in the exclusion list. To provide statistics on what malware was detected, we will process malware name and type, country, OS, user ID; this information will be anonymized after 1 year.
If you use our Alert service, you may enter email addresses which you would like to monitor for breaches. In such case we will retain this information. You may also enter your personal identity number (or social security number) and/or credit card number to monitor for related security breaches. When you choose to monitor your email address, you authorize us to look up additional information (usernames, passwords, full names, country, physical address or IP addresses) related to that email in known data breaches, which, if found, is provided to you in the platform. We do not look up for such additional information when you choose to monitor your credit card or social security numbers. As regards this data, we retain it in encrypted form and even we cannot use or review it.
If you use the Dedicated IP service, we will process your email address, therefore, certain online activities can be traced back to your account information as long as you don’t select an anonymous Dedicated IP option after the Dedicated IP installation process. Anonymous Dedicated IP option removes any information we have in our database about your Dedicated IP address.
If you use the Alternative ID service, we will process your email address. To be able to use this service, you will have to verify your email address. The emails you receive via Alternative ID along with sender and recipient email server IP address, sender email address, recipient email address and timestamps are deleted as soon as they are forwarded to your email address. We use a trusted email service provider to facilitate this service.
Legal basis for the processing of information is performance of a contract to which you are a party. Please note that this information is necessary to enter into a contract and if you do not provide this information (or if we cannot retain this information), we will not be able to provide you with our Services.
- Analysing and improving the performance of our Services and user experience (when you use our Services).
To maintain a perfect quality of our Services and provide you with efficient support, we collect diagnostics information and monitor crash reports on our apps and extensions. The information we collect contains aggregated performance information, the frequency of use of our Services, unsuccessful connection attempts and other similar information. Please note that diagnostics information does not contain uniquely identifiable information. However, if you face some problems when using our apps, to solve these problems we may require your device information. We will access this information only if you provide a separate consent for that.
When you permit us through a pop-up within our app, we collect your location data, i.e. only your WiFi name (Service Set Identifier), which is stored on your device for the purpose of enabling “Auto-connect” feature, which extends to “Trusted WiFi” networks. This feature allows our app to automatically connect to a server without your worry about it. However, please rest assured that we do not share this information to any third party. In fact we do not store this information on our end and it is stored only on your device.
In case we would process your personal information, legal basis for such processing is our legitimate interest to analyse and improve the performance of our Website/Services and user experience.
- Offering our Services.
We may contact you via email for this purpose, but we also encourage you to contact us via our online contact form to get the best VPN offer for you. For us to be able to address your requests effectively, we may ask you to provide some information about you. We will also use the provided information to contact you regarding any future offers that may be of interest to you.
If you do not wish to receive emails from us, you can opt-out from receiving emails or unsubscribe at [email protected] or click “unsubscribe” at the bottom of any correspondence. If you have multiple email addresses, you will need to opt-out for each address in order to be removed from our active database.
Legal basis for the processing of personal information is your consent, your relationship with Surfshark or our legitimate interest to conduct marketing activities.
- Communicating with users and customer support.
We use user email address to: i) send important updates and announcements related to the use of our Services; ii) respond to user requests or inquiries. In addition to user email, we process your inquiry and other information that is provided by you during the conversation.
When a user contacts us through a live chat on our website, we are able to see the user’s IP address. This information is needed to determine if the user is connected to our servers so that we can assist in solving related issues.
Legal basis for the processing of personal information is performance of contract with you (in case of important communication related to our Services) or your consent (in case you submit an inquiry with our customer support).
- To interact with you via social media.
Where you interact with us via social media, we will process social media profile information, inquiry information, post information and other information you provide us with.
Legal basis for the processing of personal information is your consent.
We may receive certain information about you (cookie id, mobile device id, advertising IDs; and in case you use our Trust DNS app – in app events, such information about what browser, network, or device is used to access and use Trust DNS) from certain advertisers and advertising partners for analytical and advertising purposes. Our advertising partners help us attribute sales, deliver more relevant ads and promotional messages to you, which may include interest-based advertising and account-based advertising.
Legal basis for the processing of personal information is our legitimate interest to deliver relevant ads and promotional messages to you, and to attribute sales.
- Accounting, payment, legal requirements and legal processes.
We are subject to accounting, tax and other statutory requirements. We may have to protect our legitimate interests and legal rights. In these cases we may be required to collect and store a limited amount of certain information: email address, subscription information, payment related information, legal documents.
As for payment related information, our payment processing partners collect usual data necessary for payment processing and/or refund requests (transaction date, payer’s IP address, credit card number, credit card owner’s full name, in some jurisdictions also personal identity code, passport or identity card number and/or residence address). We process only very small part of this payment related information (part of the credit card number, payer’s IP address, payment amount, currency, date of payment and card expiry date) for solving payment related issues (such as fraud prevention cases). We also collect information about your residence country (and your state) as this information is needed to calculate applicable VAT/sales tax. If you elect so, we may retain your data which is used to generate and issue invoice for the rendered Services. If you choose the open banking payment method to pay for our Services, we will collect your name and surname, as well as your bank details.
Legal basis for the processing of personal information is a legal obligation to which we are subject (in case we need to collect your information statutorily) and our legitimate interest to defend our rights and interests (in case of other legal processes related to you, if any).
2. How long do we store your personal information?
Please keep in mind, that one of our most important principles is No-logs Policy (see more in our Terms of Service), therefore we collect only the minimum amount of information about you, which is required to provide you with our Services.
We apply different retention periods depending on the purpose for which your personal information is processed as detailed in Clause 1 of this Policy:
- Personal information which is needed to provide our Services is processed for as long as you use Surfshark and no more than 2 years after you stop.
- Personal information which is needed to provide our Smart DNS services (i.e. your IP address) is processed for as long as you use our Services.
- Personal information which is needed to provide our Trust DNS service is processed for as long as you use Trust DNS service.
- Personal information which is needed for analysing and improving the performance of our Website/Services and user experience is processed until the deletion of your account.
- Personal information which is needed to offer you our Services is processed as long as you use them or have given us a consent and 2 years thereafter.
- Personal information which is needed to communicate with users and provide customer support is processed for no longer than 2 years following the last communication with the exception of the device information (collected with your consent to solve your problems with the app), which we store for no longer than 7 days.
- Personal information which is needed to interact with you via social media is processed for as long as you are registered on a specific social media network.
- Personal information which is needed for internet advertising purposes is processed for 30 days unless provided otherwise in the section „Cookie and web beacons”.
When you use Surfshark Alert, we do not store monitored data (or any related additional information) on our platform, unless you choose to save it there for consistent monitoring.
If you request, we will delete your personal information specified in Clause 1, unless, we are legally required to maintain certain personal information, including situations such as the following:
- If there is an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute, we will retain the necessary personal information about you until the issue is resolved;
- Where we are required to retain the personal information about you for our legal, tax, audit, and accounting obligations, we will retain only the necessary personal information for the period required by applicable law; and/or,
- Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.
3. How does our Website interact with third party services and content?
Your information from Clause 1 may travel around the world a bit, but we always take extra care to keep it safe and sound.
Your information as specified in Clause 1 may be stored and processed in any country where we have facilities or in which we engage service providers. Please note that we use standard contractual clauses approved by the European Commission (you can access it here) to transfer your personal information from the EEA to other countries or we transfer personal information to countries that the European Commission has recognised as ensuring an adequate level of information protection (you can access the list of countries here).
It takes a village to keep our Services up and running. We need third-party tools and services for things like marketing, payments, live chat, and so forth. Since these don’t belong to us, we urge you to read their terms & policies on their sites.
Surfshark shares personal information with information recipients only in cases where necessary for the purposes described in Clause 1 and allowed in accordance with applicable laws. We do not sell or trade your information with anyone.
We only disclose personal information to law enforcement authorities or courts of competent jurisdiction when we are asked and legally obliged to do so (our Warrant Canary page will display if we’re ever asked to do so).
|Information recipient or category of information recipient||Purpose of personal information transfer||Country of the recipient|
|Marketing service providers, such as Iterable, Taboola and Appsflyer||we use them to manage our contacts and automate our marketing||United States, Sweden, Ireland, United Kingdom|
|Third-party payment providers, such as Stripe, Checkout, Coingate and similar||they help us to process payments together with our own authorized payment processing companies||United States, Ireland, BVI|
|Storage and infrastructure service providers, such as BigQuery (by Google), Stitch (by Talend)||they help us to deliver targeted advertising to the Website visitors||United States|
|Live chat and support service providers, such as Zendesk||we use them to provide live chat technology and provide support to our users||United States|
|Security service providers, such as Cloudflare||we work with them to provide improved security and performance||United States|
|Attorneys, notaries, bailiffs||we transfer personal information in cases when we seek to defend our rights and legal interests||United States, United Kingdom, the Netherlands|
4. What choices do you have over how your information is used?
You may be aware that the General Data Protection Regulation or “GDPR” and other privacy laws give certain rights to individuals in relation to their personal information. Accordingly, we have implemented additional transparency to help users take advantage of those rights. As available and except as limited under applicable law, individuals have the rights described below:
- You can access your personal information or receive a copy of it by contacting us.
- You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information where it is technically possible.
- You can demand the correction of inaccurate personal information and, subject to the nature of the collection and use, the completion of incomplete personal information (right to rectification).
- Right to deletion of your personal information specified in Clause 1, unless, we are legally required or we have a legal basis to maintain certain personal information.
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority.
If you wish to implement any of the above-mentioned rights, please contact us at [email protected].
5. Do we engage in automated individual decision-making, including profiling?
Automated decision-making is the process of making a decision by automated means without any human involvement. Profiling analyses aspects of individual’s personality, behaviour, interests and habits to make predictions or decisions about them. We assure you, that we do not make decisions based solely on automated processing, including profiling, which would produce legal effects concerning you.
6. Cookies and web beacons
A cookie is a small string of data that transfers to your computer for identification purposes. Cookies can be used to follow your activity on the Website and that data helps websites to understand your preferences and improve your website experience. You can turn off all cookies in the event you prefer not to receive them. You can also have your computer warn you whenever cookies are being used. There are also software products available that can manage cookies for you. Please be aware, however, that when you choose to reject cookies, this choice may limit the functionality of the Website and you may lose access to some of its features.
A web beacon is an invisible pixel-sized graphic image on a web page, web-based document or e-mail message. It helps us do things like view the URL of the page on which the beacon appears and the time the Website, document or email in question is viewed. They can be used to confirm the receipt of, and response to, our emails, including those that you forward to friends and family; and they help deliver a more personalized online experience.
Some links may take you outside of our Website and are beyond our control. Please note that these other sites may send their own cookies to users, collect data, or solicit personal information. We urge you to review the equivalent data protection, privacy, and cookie policies available on their websites. We do not accept any responsibility or liability for the data protection of privacy practices of third parties in relation to such websites and your use of third party websites is entirely at your own responsibility.
|Cookie name||Cookie expiry||Provenance||Purpose||Cookie Category|
|surfshark-locale||29 days||Surfshark||It stores user selected website language||Necessary (functional)|
|surfshark-currency||29 days||Surfshark||It stores user selected currency|
|surfshark-coupon||Session||Surfshark||It stores the coupon which will be used during the purchase|
|surfshark-experiments||1 year||Surfshark||It stores data for our user experience testing|
|surfshark-exp||1 year||Surfshark||It stores data for our user experience testing|
|surfshark-skip-upgrade||1 month||Surfshark||Used to store post sale upgrade feature state|
|surfshark-alert-coupon||Session||Surfshark||Used to store coupon which will be used during purchase Alert service|
|_sstk||2 hours||Surfshark||Used for authentication purposes|
|_ssexp||2 hours||Surfshark||Used for authentication purposes|
|_ssrtk||2 hours||Surfshark||Used for authentication purposes|
|sf-la||30 days||Surfshark||Landing page tracking cookie which indicates the source of the last visit|
|sf-fi||30 days||Surfshark||Landing page tracking cookie which indicates the source of the last visit|
|sf-rf||30 days||Surfshark||Referral tracking cookie|
|__zlcmid||Persistent||Third party (Zendesk)||To store unique user ID (for chat purposes)|
|surfshark-cookies-consent||6 months||Surfshark||Used to store user cookie consent|
|_cq_duid||3 months||Third party (Cheq)||Used to detect domain sessions per device|
|_cq_suid||Session||Third party (Cheq)||Used to detect browser sessions per domain and device|
|_cq_tuid||Session||Third party (Cheq)||Used to detect tab sessions per device|
|_cq_check||Deleted immediately after insertion||Third party (Cheq)||Used to detect if the device supports cookies|
|cg_uuid||365 days||Third party (Cheq)||Hosted by cheqzone.com. Used to detect when the same device is used in a separate browser session, to ensure that once a session is identified as fraudulent or malicious, it can be consistently blocked from access to the relevant customer’s website|
|__cf_bm||1 day||Third party (Cloudflare)||Used to read and filter requests from bots|
|surfshark-uuid||2 years||Surfshark||It identifies the same user for our user experience testing|
|is_eu||Session||Third party (Pinterest)||Determines whether the user is located within the EU and therefore is subject to EU's data privacy regulations.|
|st-sh||13 months||Surfshark||Necessary to facilitate the search functionality throughout our website|
|surfshark-sticky-cta-closed||Session||Surfshark||This cookie stores information about the website visitor’s actions on our promotional pop-ups|
|_gat||1 minute||Third party (Google)||It is used to distinguish users||Analytic|
|collect||Session||Third party (Google)||It is used to send data to Google Analytics about the visitor’s device and on-site behaviour|
|_gid||1 day||Third party (Google)||It is used to distinguish users|
|_ga||2 years||Third party (Google)||It is used to distinguish users|
|pll_language||1 years||Surfshark||Polylang uses this cookie to remember the language selected by the user when he comes back to visit again the website|
|_gat_surfsharkTracker||1 minute||Third party (Google Tag Manager)||Is used to throttle the request rate|
|sf-re||30 days||Surfshark||It tracks user retention|
|_gat_UA-116900630-1||1 minute||Third party (Google Tag Manager)||Is used to throttle the request rate|
|surfshark-aff-stack||1 month||Surfshark||It helps to track which users come from which affiliates||Affiliate|
|sf-af||30 days||Surfshark||Affiliate network tracking cookie|
|_uetvid||16 days||Third party (Bing)||It stores and tracks visits across websites||Marketing|
|_uetvid_exp||Persistent||Third party (Bing)||It stores and tracks visits across websites|
|pagead/landing||Session||Third party (Google)||Collects data on visitor behaviour from multiple websites, in order to present more relevant advertisement – This also allows the website to limit the number of times that the user is shown the same advertisement.|
|IDE||1 year||Third party (Google DoubleClick)||These cookies set by a third party (DoubleClick) and are used for serving targeted advertisements that are relevant to you across the web. Targeted advertisements may be displayed to you based on your previous visits to this website. For example, advertisements about a topic you have expressed an interest in while browsing our site may be displayed to you across the web. In addition, these cookies measure the conversion rate of ads presented to the user.|
|pagead/1p-conversion/#||Session||Third party (Google)||Tracks if the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees between websites.|
|test_cookie||1 day||Third party (Google DoubleClick)||These cookies set by a third party (DoubleClick) and are used for serving targeted advertisements that are relevant to you across the web. Targeted advertisements may be displayed to you based on your previous visits to this website. For example, advertisements about a topic you have expressed an interest in while browsing our site may be displayed to you across the web. In addition, these cookies measure the conversion rate of ads presented to the user.|
|MUID||1 year||Third party (Microsoft)||It stores and tracks visits across websites|
|_ttp||13 months||Third party (TikTok)||Serves targeted advertising and measures the performance of advertising campaigns.|
|personalization_id||2 years||Third party (Twitter)||This cookie is set by Twitter to measure the performance of advertising campaigns through Twitter, across different browsers and devices used by a visitor.|
|muc_ads||2 years||Third party (Twitter)||This is a cookie that is set by Twitter. It is used for optimizing ad relevance by collecting visitor navigation data.|
|_pin_unauth||365 days||Third party (Pinterest)||This cookie is used by Pinterest to track usage of their services.|
|_pinterest_sess||1 year||Third party (Pinterest)||Pinterest login cookie|
|guest_id_marketing||2 years||Third party (Twitter)||Used to detect whether a user is logged into Twitter.|
|guest_id||2 years||Third party (Twitter)||Unique ID that identifies the user’s session.|
|_uetsid||1 day||Third party (Bing)||Used to store and track visits across websites.|
|_uetsid_exp||Persistent||Third party (Bing)||Contains the expiry-date for the cookie with corresponding name.|
|guest_id_ads||2 years||Third party (Twitter)||This cookie is set due to Twitter integration and sharing capabilities for social media.|
|eng_mt||Persistent||Third party (Taboola)||Tracks the conversion rate between the user and the advertisement banners|
|C||If C=1 - 60 daysIf C=3 - 3650 days||Third party (Adform)||Identifies if user’s browser accepts cookies.1 – Cookies are allowed3 – Opt-out|
|TPC||14 days||Third party (Adform)||Identifies if user’s browser accepts third party cookies|
|GCM||1 day||Third party (Adform)||Identifies if there is a need to re-check partner‘s cookie matching existence|
|CM||1 day||Third party (Adform)||Identifies if there is a need to re-check partner‘s cookie matching existence (set by AdServing)|
|CM14||14 days||Third party (Adform)||Identifies if there is a need to re-check partner‘s cookie matching existence (set by Cookie Matching)|
|token||Session||Third party (Adform)||Security token for opt out functionality|
|otsid||3650 days||Third party (Adform)||Advertiser specific opt-out|
|uid||60 days||Third party (Adform)||Unique identifier|
|SR<RotatorID>||1 day||Third party (Adform)||Sequential rotator information – contains total impressions, daily impressions, total clicks, daily clicks, and last impression date|
|CT<TrackingSetupID>||1 hour||Third party (Adform)||Identifies last click membership for 3rd party pixels on advertiser’s pages|
|EBFCD<BannerID>||7 days||Third party (Adform)||Identifies daily frequency capping for expanding banner|
|EBFC<BannerID>||7 days||Third party (Adform)||Identifies total frequency capping for expanding banner|
|CFFC<TagID>||7 days||Third party (Adform)||Compound banner frequency capping|
7. How do we secure your information?
We really care about your security & privacy and do a lot to protect it. However, anyone who tells you that 100% anything-proof security is possible either doesn’t know much about it or is trying to mislead you. Please keep that in mind.
We have implemented various security measures, including SSL/TLS encryption for data transfers, hashed passwords, firewalls, and regular audits. We take all steps reasonably necessary to ensure that your information is treated securely.
While we implement security measures on our Website and through our Services, you should be aware that 100% security is not always possible. Whenever you give out your information online there is a risk that a third party may intercept and use that information. While we strive to protect your information and privacy, we cannot guarantee the security of any information you disclose online. By using the Services, you expressly acknowledge and agree that we cannot guarantee the security of any information provided to or received by us through the Services and that any general information, other information or information received from you through the Website or our Services is provided at your own responsibility.
8. Does our Website respond to do-not-track signals?
Currently, it doesn’t. You can tweak your specific browser settings to achieve very similar things.
9. What if I access the Website or your Services from my mobile phone, tablet or laptop?
If you are a visitor of our Website, but not a user of our Services, we collect and use information about you in the same way and for the same purposes as specified above in Clause 1 notwithstanding the device or application you use. If you are a user of our Services and access our Website using one or more of our applications notwithstanding the device, application, or browser extensions, we collect and use information in the same way and for the same purposes as specified above in Clause 1.
10. Who should you contact with questions or concerns?
Our 24/7 Customer Success Team will help you out as soon as they can.
If you have any questions or comments relating to Surfshark Services, send an email to [email protected] or chat with us on the Website.
11. Other terms
12. When was this policy last updated?
Keep in mind that we can update this Policy in the future & check it regularly.
July 24, 2023.