Privacy Policy
Effective Date: March 5, 2026 · Last Updated: May 8, 2026
What changed on May 8, 2026: We added two new categories of data tied to the new Referral and Household features — the referral graph (who invited whom) and the household graph (which household a user belongs to). Both live in the Identity Zone and are never linked to VPN traffic. See §2.3 and §2.4 below for details. Use of either feature is voluntary; not using them means no data of either category is collected for your account.
Overview
Nykto VPN is built on one principle: we cannot share what we do not have. This privacy policy explains exactly what we collect, what we do not collect, and how the technical architecture of Nykto makes it impossible for us to log your online activity — even if compelled by law.
We are a small team. We take privacy seriously enough to engineer it, not just promise it.
1. Who We Are
Nykto VPN is operated by Nyktora Group, LLC (“Nykto,” “we,” “us,” “our”). Our contact for privacy matters is privacy@nykto.app.
2. What We Collect
We collect the minimum information necessary to provide the service:
| Data | Why We Collect It |
|---|---|
| Email address | Account identification (provided by Apple or Google Sign-In). |
| Device name and platform | To enforce the 10-device limit per subscription. For example: “iPhone 14 Pro” and “iOS.” |
| Subscription status and expiry date | To determine whether your subscription is active. |
That is the complete list of account data. We collect nothing else.
We do not collect your name, date of birth, phone number, payment card details, billing address, or any government-issued identification.
Authentication is handled entirely by Apple Sign-In or Google Sign-In. The Apple / Google identity token is verified by our self-hosted Cloudflare Worker (the Identity Zone) and exchanged for a short-lived session JWT. We do not store or handle passwords; we never see your Apple ID or Google password.
2.1 Bring Your Own Server (BYOS) data
If you choose the BYOS plan and provision a relay using the Nykto installer, the following additional data is recorded against your account:
- Server name — the label you pick when generating the install command (e.g. “My Hetzner relay”).
- Hostname, IP address, and declared location (city + country) of your VPS — reported by the installer and used to route Nykto clients to your own server.
- WireGuard public key for the server — used to authenticate the tunnel handshake. The corresponding private key is generated on your VPS and never leaves it.
BYOS data is collected only for users on a BYOS plan. It is deleted from our database immediately when you remove the server from the app or when your account is deleted.
BYOS install telemetry (anonymous). When you run the BYOS install script (setup.sh) we record an anonymous funnel event so we can identify where installs fail most often and prioritise fixes. Each event contains: a random UUID generated locally on your VPS (not tied to your account, not re-used across reinstalls); the cloud provider category, classified locally as one of aws, oracle, hetzner, digitalocean, vultr, gcp, or unknown; the names of any pre-flight checks that failed (e.g. port_443, memory_low); the final outcome class (preflight_failed, apt_failed, register_failed, verify_failed, or ok); and the total wall-clock duration of the run in seconds. We do not store the source IP — Cloudflare KV briefly holds a SHA-256 hash of it for the 1-hour rate-limit window and discards it thereafter. The data is read on a 30-day rolling window for product decisions and otherwise sits unused. You can opt out by setting NYKTO_TELEMETRY=0 when running the installer.
BYOS reachability checks. Right after install — and any time you tap "Re-verify" in the diagnostics screen — our Identity API opens a single TCP/443 connection to your VPS's public IP to confirm your security group is configured correctly. We store the outcome class (ok, tcp_blocked, tls_invalid, unreachable, or error) and a short human-readable reason on your server's database row, alongside the timestamp of the last probe. No body content from your relay's response is ever stored.
2.3 Referral graph (PRD §0.4)
If you generate or use a referral code, we record:
- Your referral code (a short string like `LAM-K7Q2X9`) and the user account it belongs to.
- For each referral you make: the referee’s user ID, the status (`unredeemed`, `pending`, `credited`, `reversed`, or `abuse`), the timestamp the referee’s first paid month started (if any), and the locked-in reward tier.
This data is stored in the Identity Zone D1 database. It is never joined to or correlated with any VPN traffic, server selection, DNS query, or activity record — those records do not exist in our infrastructure (see §3 and §5). The graph is used only to (a) post the referral credit on the 14-day window and (b) display your own earned-and-pending list inside the app.
The referee’s entry includes the referee’s user ID but is surfaced to the referrer only as a masked first name (derived from the referee’s email local part), never as the full email or any other identifier.
You can request deletion of your referral data at any time via privacy@nykto.app; deletion of an account also deletes all referral rows that reference it.
2.4 Household graph (PRD §0.5)
If you subscribe to the Household plan or accept a Household invite, we record:
- Owner side: the household group ID, your user ID as owner, the product ID (`nykto.household.monthly` or `.annual`), the maximum seat count, the creation timestamp, and the cancellation timestamp (if applicable).
- Member side: the household group ID, your user ID, the join timestamp, and the leave timestamp (if applicable). A user can be in only one active household at any time.
- Pending invites (owner-side only): the invite code, the household group ID it points to, an optional email the owner typed, the creation and expiration timestamps (7-day TTL), and the user ID that redeemed it (if any).
This data is stored in the Identity Zone D1 database. It is never joined to or correlated with VPN traffic. Members and owners do not see each other’s activity, IP addresses, or device lists — only the existence of a household membership.
If a member chooses to leave, we set a left_at timestamp rather than deleting the row, so we can re-establish referral credit attribution if the member rejoins. Deletion of your account deletes all your household rows; explicit deletion of a household row is available via privacy@nykto.app.
2.2 Launch-notification email
While the marketing site is in pre-launch mode, the homepage offers a single optional form to be notified when Nykto launches. If you submit your email there, we record only:
- The email address you typed.
- The timestamp of the submission.
- The source label (e.g. “homepage”) so future surfaces can attribute their own signups separately.
This list is used for one transactional email at launch and nothing else — no newsletter, no marketing drip, no third-party sharing. We delete the address within 30 days of sending the launch announcement, unless by then you have become a Nykto subscriber, in which case the data is governed by Section 2 going forward. You can request earlier deletion at any time by emailing privacy@nykto.app. The form does not require an account; submitting it does not create one.
To filter out throwaway addresses and bots before storing, the form does two pre-flight checks: it queries Cloudflare’s public DNS resolver (1.1.1.1) for the email domain’s MX record, and it asks Cloudflare Turnstile to verify the submission is not automated. The MX query sends only the email’s domain (not the local part); Turnstile sees only the challenge token and the caller’s IP address. Neither service receives the full email address.
3. What We Never Collect
The following data is never collected, stored, or transmitted to us under any circumstances:
- Browsing history. We do not log which websites or services you visit.
- DNS queries. Your DNS requests are resolved by our private Unbound DNS resolver inside the VPN tunnel. No query log is kept.
- Traffic content. We do not inspect, copy, or retain the content of any data passing through the VPN.
- Connection timestamps. We do not record when you connect or disconnect.
- Source IP addresses. We do not log your real IP address at any point in the connection flow.
- VPN server selection. We do not record which server you connected to.
- Session duration. We do not track how long you are connected.
- Bandwidth usage per user. We do not log how much data you transfer.
- WireGuard public or private keys. Your WireGuard private key is generated on your device and never transmitted. Your public key is used only to establish the tunnel and is discarded after the session ends.
This is not a policy commitment to delete logs later. The server is architecturally incapable of producing these logs. See Section 5 for the technical explanation.
4. How Your Data Is Used
The data we collect is used exclusively to:
- Authenticate your account
- Verify your subscription entitlement before issuing a connection token
- Enforce the 10-device limit
- Respond to your account management requests (account deletion)
We do not use your data for advertising, profiling, behavioural analysis, or any purpose other than providing the VPN service.
5. The Blind Token Architecture (How Zero Logs Works)
Most VPNs promise not to log. We built a system where logging is not possible.
When you connect to Nykto, the process works as follows:
- You sign in via Apple Sign-In or Google Sign-In. Our Identity Zone, a Cloudflare Worker we wrote and control, verifies the Apple / Google identity token directly against the respective provider’s public keys.
- The Identity Server verifies your subscription is active and issues a short-lived blind connection token — an opaque, cryptographically signed value containing only a random number and an expiry timestamp. The token contains no user identifier, no email, and no account information.
- Your device generates a WireGuard encryption key pair locally. The private key never leaves your device.
- Your device sends the blind token and your WireGuard public key to the Activity Server — a completely separate service that has no access to any user account data.
- The Activity Server validates the token signature, adds your public key as a VPN peer, and returns connection configuration. It never learns who you are.
- The token is discarded. No record links your identity to your VPN session.
The result: our Identity Server knows your account exists and has an active subscription. Our Activity Server knows a WireGuard peer with a particular public key connected. No system holds both pieces of information simultaneously. We cannot reconstruct who connected where, even if we wanted to.
This architecture is not just policy — it is the technical design of the system.
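The issuance-and-registration exchange described above, as an added example that is not Nykto’s own code: an Identity side that signs a token holding only a random nonce and an expiry, and an Activity side that verifies the signature with the Identity public key, checks the expiry and registers the WireGuard peer without ever seeing an account. The byte layout of the token, the 5-minute lifetime, and the in-memory account and peer tables are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Constructed token layout (the page gives none):
// 16-byte random nonce || 8-byte big-endian expiry (unix secs) || 64-byte Ed25519 signature.
const (
	nonceLen   = 16
	payloadLen = nonceLen + 8
	tokenLen   = payloadLen + ed25519.SignatureSize
)

// IdentityZone knows accounts and subscription state; it never sees WireGuard keys.
type IdentityZone struct {
	signKey ed25519.PrivateKey
	active  map[string]bool // account ID -> subscription active (constructed sample data)
}

// Issue mints a blind token: the signed payload holds only a nonce and an expiry.
func (iz *IdentityZone) Issue(account string, now time.Time) ([]byte, error) {
	if !iz.active[account] {
		return nil, errors.New("subscription inactive")
	}
	tok := make([]byte, tokenLen)
	if _, err := rand.Read(tok[:nonceLen]); err != nil {
		return nil, err
	}
	exp := uint64(now.Add(5 * time.Minute).Unix()) // 5 min is this example's choice
	binary.BigEndian.PutUint64(tok[nonceLen:payloadLen], exp)
	copy(tok[payloadLen:], ed25519.Sign(iz.signKey, tok[:payloadLen]))
	return tok, nil
}

// ActivityZone holds only the Identity Zone's public key and the WireGuard peer table.
type ActivityZone struct {
	identityPub ed25519.PublicKey
	peers       map[string]bool // WireGuard public key -> registered
}

// Register validates the token and adds the peer; it cannot name the account and keeps no token.
func (az *ActivityZone) Register(tok []byte, wgPub string, now time.Time) error {
	if len(tok) != tokenLen {
		return errors.New("malformed token")
	}
	if !ed25519.Verify(az.identityPub, tok[:payloadLen], tok[payloadLen:]) {
		return errors.New("bad signature")
	}
	if exp := binary.BigEndian.Uint64(tok[nonceLen:payloadLen]); uint64(now.Unix()) >= exp {
		return errors.New("token expired")
	}
	az.peers[wgPub] = true
	return nil
}

// NewZones wires the zones together; only the signing public key crosses over.
func NewZones() (*IdentityZone, *ActivityZone) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG fails
	return &IdentityZone{priv, map[string]bool{}}, &ActivityZone{pub, map[string]bool{}}
}
```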
6. Logging and Server Configuration
Our relay servers are configured to produce zero activity logs by design:
- WireGuard: native logging disabled
- DNS resolver (Unbound): `verbosity: 0`, `log-queries: no`, `use-syslog: no`
- WG Manager (the only HTTP service the client talks to for peer registration): no request logging, no access logs, no IP logging
- `/var/log` is mounted as a RAM-backed tmpfs filesystem — nothing is written to disk, and the mount is reset on every restart
The Identity Zone (account + subscription state) runs on Cloudflare Workers with Cloudflare D1 as the database. D1 stores only the five fields listed in Section 2 (email, device name, platform, subscription status, expiry). The Identity Zone never receives your VPN traffic, the server you connect to, or your WireGuard keys — that data lives exclusively in the Activity Zone, which has no user identity.
Logs are not disabled by policy. They are disabled at the software configuration level, and /var/log is a RAM volume that clears on every restart. There is no activity log data to retrieve, no archive to subpoena.
7. Third-Party Services
Cloudflare (Identity Zone compute + storage, DNS, website hosting)
Cloudflare is our primary infrastructure partner for the Identity Zone:
- Cloudflare Workers run the Identity Zone code — the logic we wrote to verify Apple/Google sign-ins, check subscription status, issue blind tokens, and manage your account. Apple/Google identity tokens are verified directly against the provider’s public keys inside the Worker; no third-party auth SDK is involved.
- Cloudflare D1 (SQLite) stores the account record described in Section 2 (email, device list, subscription status).
- Cloudflare Pages / DNS serve the marketing website `vpn.nykto.app` and provide DDoS protection on `auth.nykto.app`, `api.vpn.nykto.app`, and `account.vpn.nykto.app`. The Pages Function that handles launch-notification signups (Section 2.2) writes to the same Cloudflare D1 database described above.
Cloudflare is therefore a sub-processor for the account data we collect. Cloudflare does not see VPN traffic, DNS queries, or any data from the Activity Zone — VPN traffic is routed through our own relay servers (described in Section 6) and never passes through Cloudflare infrastructure.
Cloudflare’s privacy policy: cloudflare.com/privacypolicy
RevenueCat (subscription management)
We use RevenueCat to process in-app subscription purchases on iOS, Android, and macOS. RevenueCat receives a randomly generated anonymous UUID as the user identifier — never your email address, never your internal account ID. This UUID is generated fresh on your device and is rotated when you log out. RevenueCat cannot connect your subscription to your Nykto account or your identity.
RevenueCat’s privacy policy: revenuecat.com/privacy
Apple App Store / Google Play Store
Distribution through the Apple App Store and Google Play Store is unavoidable for iOS and Android apps. Apple and Google may collect analytics about app downloads and purchases in accordance with their respective privacy policies. We do not control this data and receive only the anonymised purchase confirmation necessary to activate your subscription.
No other third parties receive any user data. We do not use advertising networks, analytics SDKs, crash reporting services, or any tool that would transmit user-identifying information to an external party.
8. Payment Processing
Subscription payments are processed entirely by Apple (App Store) and Google (Play Store) using their native in-app purchase systems. Nykto does not receive or store your payment card details, billing address, or any financial information. All payment data is held by Apple or Google under their respective privacy policies.
9. Data Retention
Account data (email, device records, subscription status, and BYOS server records when applicable) is retained for as long as your account exists. You may delete your account at any time from the Settings screen in the app or by emailing privacy@nykto.app. Account deletion is irreversible and permanent. All associated data is purged from our database immediately upon deletion.
Connection token nonces are recorded by the Identity Zone, alongside the issuing user’s account ID, for a maximum of 10 minutes — long enough to refuse replays and to apply the per-user issuance rate limit described in Section 16. After 10 minutes the row is automatically deleted. The token that travels to the Activity Zone is a separate value and contains no user identifier (Section 5).
Launch-notification emails (Section 2.2) are deleted within 30 days of the launch announcement, unless the address belongs to a customer who has by then become a Nykto subscriber.
Activity logs do not exist. There is no activity data to retain or delete.
10. Warrant Canary
A warrant canary is a dated statement affirming that we have not received any National Security Letters, FISA court orders, gag orders, or government requests for user data. We commit to updating it at least once per month.
You can view the current canary, including its “last verified” date, inside the app at Settings > About > Warrant Canary.
The canary is cryptographically signed with an Ed25519 key (active since 2026-05-04). The signed statement, signature block, public key, and verification instructions are published at docs/warrant-canary.md in the Nykto source repository.
If the canary statement changes, or if more than 30 days pass without an update, you should assume its guarantee can no longer be relied upon.
11. Sign-In Privacy Options
Authentication is through Apple Sign-In or Google Sign-In. If you use Apple Sign-In, Apple offers a “Hide My Email” option that creates a random relay address, so Nykto never receives your real Apple ID email. This is the most private sign-in option available.
12. Children’s Privacy
Nykto VPN is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at privacy@nykto.app and we will delete the account immediately.
13. Your Rights
Regardless of where you live, you have the following rights with respect to your personal data:
Right to access: You may request a copy of the personal data we hold about you (email, device list, subscription status).
Right to deletion: You may delete your account at any time from the app, which permanently removes all personal data we hold. You may also request deletion by email.
Right to correction: Your email address is provided by your Apple or Google account and is not editable within the Nykto app. To change it, update your account with the respective identity provider.
Right to data portability: You may request an export of your account data in a machine-readable format.
Right to object: You may object to any processing of your personal data. Given the minimal nature of what we collect, the practical scope of this right is limited to account deletion.
To exercise any of these rights, contact privacy@nykto.app.
14. GDPR Compliance (European Users)
14.1 Legal Basis for Processing (GDPR Article 6)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing your email and authentication data is necessary to provide the VPN service you subscribed to.
- Legitimate interest (Article 6(1)(f)): Rate limiting and abuse prevention to protect our infrastructure and other users.
- Legal obligation (Article 6(1)(c)): Responding to valid legal process.
We do not process VPN traffic data, browsing history, or connection logs — these are never collected, so no legal basis is required for data that does not exist.
We do not process personal data for direct marketing or profiling.
14.2 Service Availability in the EEA
Nykto VPN is not currently offered in the European Economic Area, United Kingdom, or Switzerland via the Apple App Store or Google Play Store. If you install the app from outside those regions and subsequently access it from within them, the following applies:
- Your authentication data (email address) is processed in the United States by Nyktora Group, LLC.
- Transfers rely on Standard Contractual Clauses approved by the European Commission.
- You may lodge a complaint with your local data protection authority if you believe your rights under the GDPR have been violated.
We may expand availability to the EEA at a later date, at which point this policy will be updated (including the designation of a representative under GDPR Article 27) before any material launch in those regions.
15. CCPA/CPRA Rights (California)
California residents have additional rights under the California Consumer Privacy Act (CCPA/CPRA):
- Right to know: You may request disclosure of what personal information we collect, use, share, or sell.
- Right to delete: You may request deletion of your personal information.
- Right to opt out of sale: We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact privacy@nykto.app.
16. Security
We implement the following security measures:
- All connections between the app and our server use TLS 1.3
- Authentication is delegated to Apple Sign-In and Google Sign-In; identity tokens are verified by our self-hosted Cloudflare Worker — no passwords are stored
- JWT tokens use Ed25519 signatures
- WireGuard uses ChaCha20-Poly1305 encryption with Curve25519 key exchange
- Our server does not accept SSH connections in production
- Token issuance is rate-limited at 10 tokens per minute per account (defense-in-depth on top of Cloudflare’s edge rate limiting on the authentication endpoints)
Despite these measures, no system is perfectly secure. In the event of a security incident affecting your data, we will notify you as required by applicable law.
17. Changes to This Policy
If we make material changes to this privacy policy, we will notify you via the email address on your account before the changes take effect. The effective date at the top of this document will be updated. Your continued use of Nykto after the effective date constitutes acceptance of the revised policy.
18. Contact
Privacy matters: privacy@nykto.app
General support: support@nykto.app
Website: https://vpn.nykto.app/privacy
We aim to respond to all privacy enquiries within 5 business days.