1. The line we do not cross
FlyShield was built around a single editorial commitment: we do not keep a record of what you do inside the tunnel. No browsing history, no DNS queries, no connection timestamps tied to your identity, no register of which exit you chose on a particular evening. What we do hold is modest and practical. Your billing email and a payment reference are retained so that we can answer questions about your subscription and so the invoice reaches you each month. Anonymous diagnostic counters about aggregate server health tell us when a city needs more capacity. That, written plainly, is the whole of our inventory.
2. Who stands behind FlyShield
FlyShield VPN is operated by FlyShield Networks Ltd., an independent company registered in the Republic of Cyprus with offices in Limassol. Under the General Data Protection Regulation and the equivalent frameworks in the United Kingdom and Switzerland, we act as the data controller for every piece of information described on this page, which means the judgment calls and the obligations sit with us rather than with a subcontractor. Our privacy team is small, and the fastest route to reach it is privacy@flyvpnservice.org. Letters sent by post arrive more slowly but are still read carefully. You will hear back from a person, not from a ticket queue operated by a third party.
3. The grounds that let us hold anything at all
European law asks every company to name a lawful basis before it may keep personal data, and we think the answer should be stated plainly. When we hold your billing email and payment reference, we rely on Article 6(1)(b) of the GDPR, which covers the performance of the contract we have with you. When we retain anonymous diagnostic counters, we rely on Article 6(1)(f), the legitimate interests clause, because keeping the service reliable is in your interest as well as ours. Where a local law ever requires us to hand something over, Article 6(1)(c) would apply, and we would tell you what was requested.
4. The short life of every record
We are conservative about how long we keep anything. Billing records, including the email address that sits on your invoice, are retained for the length of your subscription and for a further twenty-four months after the final payment, which matches the period imposed on us by tax and accounting law in our jurisdiction. Anonymous diagnostic counters are aggregated nightly and the per-server raw data is purged within seven days. Support correspondence is kept for twelve months from the closing of the ticket, so a follow-up question a season later still has context. Nothing sits in our archives indefinitely; every class of record has a date attached to it.
5. The small circle we work with
A service of this shape cannot be run from a single office, so a few carefully chosen partners sit behind the scenes. Payments are handled by Stripe Payments Europe Limited, which sees your card details and returns us a token and a receipt. We never see the card number itself. An anti-abuse vendor, Cloudflare, Inc., screens our signup form for automated fraud, examining IP reputation signals for the brief moment it takes to decide whether a new account is a person or a script. Beyond those two, nobody else touches your data. No advertising networks, no analytics brokers, no resellers of email lists. The circle is deliberately small.
6. Cookies, and the ones we declined to bake
Our website uses a short, essential set of cookies and nothing resembling a marketing stack. A session cookie remembers that you are signed in, so that the dashboard does not ask for your password on every click. A preference cookie stores the language you chose and the theme of the page. We do not use Google Analytics, Meta Pixel, advertising trackers, or any device-fingerprinting library. The checkout page loads one script from Stripe, because the card field has to live inside an iframe controlled by the payment processor. When you clear cookies in your browser, the only change on our side is that you are asked to sign in again.
7. When data crosses a border
Our servers sit in several jurisdictions, and the short account is that your billing data never leaves the European Economic Area. Invoices are generated in Cyprus and stored on hardware in Frankfurt, with a disaster-recovery copy in Dublin. Support replies travel through the same European infrastructure. Where a partner falls outside this perimeter, as is the case with Stripe's parent company in the United States, the transfer is governed by the Standard Contractual Clauses published by the European Commission in June 2021, supplemented by the additional safeguards described in the EDPB guidance of the same period. We can send you the clauses on request; they are not a secret document.
8. The locks, and the habits that keep them honest
Security is not a single product; it is a set of small, repeated habits. Our tunnels use WireGuard and OpenVPN with modern cipher suites, reviewed against current cryptographic guidance each quarter. Servers run a hardened Linux image with full disk encryption, and the keys are held in a separate appliance that will refuse to release them if the hardware has been tampered with. Internal access is limited to a short list of engineers, authenticated with physical security keys, and every session is written to an append-only ledger that no single employee can rewrite. We commission an annual third-party penetration test, and the summary report is available to customers who ask.
9. Your rights, and what happens when this page changes
Under the GDPR you may request a copy of the data we hold about you, correct anything that looks wrong, ask us to delete it, receive it in a portable format, or object to a specific processing activity. Write to privacy@flyvpnservice.org and you will hear back within thirty days, usually sooner. If a reply leaves you unsatisfied, you may lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus, or with the equivalent authority in your own country. This page is reviewed each quarter and after any material change; when the text shifts in a way that matters, we email current subscribers and note the revision date at the top.
Contact
Questions about this policy? Write to support@flyvpnservice.org.