Privacy Policy

Effective Date: March 5, 2026  ·  Last Updated: March 20, 2026

Overview

Nykto VPN is built on one principle: we cannot share what we do not have. This privacy policy explains exactly what we collect, what we do not collect, and how the technical architecture of Nykto makes it impossible for us to log your online activity — even if compelled by law.

We are a small team. We take privacy seriously enough to engineer it, not just promise it.

1. Who We Are

Nykto VPN is operated by Nyktora Group, LLC (“Nykto,” “we,” “us,” “our”). Our contact for privacy matters is privacy@nykto.app.

2. What We Collect

We collect the minimum information necessary to provide the service:

That is the complete list. We collect nothing else.

We do not collect your name, date of birth, phone number, payment card details, billing address, or any government-issued identification.

Authentication is handled entirely by Apple Sign-In or Google Sign-In via Supabase OAuth. We do not store or handle passwords.

3. What We Never Collect

The following data is never collected, stored, or transmitted to us under any circumstances:

• Browsing history. We do not log which websites or services you visit.
• DNS queries. Your DNS requests are resolved by our private Unbound DNS resolver inside the VPN tunnel. No query log is kept.
• Traffic content. We do not inspect, copy, or retain the content of any data passing through the VPN.
• Connection timestamps. We do not record when you connect or disconnect.
• Source IP addresses. We do not log your real IP address at any point in the connection flow.
• VPN server selection. We do not record which server you connected to.
• Session duration. We do not track how long you are connected.
• Bandwidth usage per user. We do not log how much data you transfer.
• WireGuard public or private keys. Your WireGuard private key is generated on your device and never transmitted. Your public key is used only to establish the tunnel and is discarded after the session ends.

This is not a policy commitment to delete logs later. The server is architecturally incapable of producing these logs. See Section 5 for the technical explanation.

4. How Your Data Is Used

The data we collect is used exclusively to:

• Authenticate your account
• Verify your subscription entitlement before issuing a connection token
• Enforce the 10-device limit
• Respond to your account management requests (account deletion)

We do not use your data for advertising, profiling, behavioural analysis, or any purpose other than providing the VPN service.

5. The Blind Token Architecture (How Zero Logs Works)

Most VPNs promise not to log. We built a system where logging is not possible.

When you connect to Nykto, the process works as follows:

1. You sign in via Apple Sign-In or Google Sign-In. Our Identity Server verifies your identity through Supabase OAuth.
2. The Identity Server verifies your subscription is active and issues a short-lived blind connection token — an opaque, cryptographically signed value containing only a random number and an expiry timestamp. The token contains no user identifier, no email, and no account information.
3. Your device generates a WireGuard encryption key pair locally. The private key never leaves your device.
4. Your device sends the blind token and your WireGuard public key to the Activity Server — a completely separate service that has no access to any user account data.
5. The Activity Server validates the token signature, adds your public key as a VPN peer, and returns connection configuration. It never learns who you are.
6. The token is discarded. No record links your identity to your VPN session.

The result: our Identity Server knows your account exists and has an active subscription. Our Activity Server knows a WireGuard peer with a particular public key connected. No system holds both pieces of information simultaneously. We cannot reconstruct who connected where, even if we wanted to.

This architecture is not just policy — it is the technical design of the system.

6. Logging and Server Configuration

Our server is configured to produce zero logs by design:

• WireGuard: native logging disabled
• DNS resolver (Unbound): verbosity: 0, log-queries: no
• Go backend API: no request logging, no access logs, no IP logging
• PostgreSQL: log_connections: off, log_statement: none
• /var/log is mounted as a RAM-backed tmpfs filesystem — nothing is written to disk

Logs are not disabled by policy. They are disabled at the software configuration level, and /var/log is a RAM volume that clears on every restart. There is no log data to retrieve, no archive to subpoena.

7. Third-Party Services

We use one third-party service with access to any user-related data:

RevenueCat (subscription management)

We use RevenueCat to process in-app subscription purchases on iOS, Android, and macOS. RevenueCat receives a randomly generated anonymous UUID as the user identifier — never your email address, never your internal account ID. This UUID is generated fresh on your device and is rotated when you log out. RevenueCat cannot connect your subscription to your Nykto account or your identity.

RevenueCat’s privacy policy: revenuecat.com/privacy

Apple App Store / Google Play Store

Distribution through the Apple App Store and Google Play Store is unavoidable for iOS and Android apps. Apple and Google may collect analytics about app downloads and purchases in accordance with their respective privacy policies. We do not control this data and receive only the anonymised purchase confirmation necessary to activate your subscription.

Cloudflare

Our marketing website (nykto.app) uses Cloudflare for DNS and DDoS protection. Cloudflare processes DNS queries for the domain nykto.app only. This does not affect VPN traffic, which is routed through our own infrastructure.

No other third parties receive any user data. We do not use advertising networks, analytics SDKs, crash reporting services, or any tool that would transmit user-identifying information to an external party.

8. Payment Processing

Subscription payments are processed entirely by Apple (App Store) and Google (Play Store) using their native in-app purchase systems. Nykto does not receive or store your payment card details, billing address, or any financial information. All payment data is held by Apple or Google under their respective privacy policies.

9. Data Retention

Account data (email, device records, subscription status) is retained for as long as your account exists. You may delete your account at any time from the Settings screen in the app or by emailing privacy@nykto.app. Account deletion is irreversible and permanent. All associated data is purged from our database immediately upon deletion.

Connection token nonces are retained for a maximum of 10 minutes to prevent replay attacks, then automatically deleted.

Activity logs do not exist. There is no activity data to retain or delete.

10. Warrant Canary

We publish a warrant canary at nykto.app/canary and within the app under Settings > About > Warrant Canary.

The canary will be signed with an Ed25519 key once the signing system is implemented. It is updated every 14 days and states that we have not received any National Security Letters, FISA court orders, gag orders, or government requests for user data.

If the canary is not updated within 28 days, or if the signed statement changes, you should assume the canary has been compromised.

11. Sign-In Privacy Options

Authentication is through Apple Sign-In or Google Sign-In. If you use Apple Sign-In, Apple offers a “Hide My Email” option that creates a random relay address, so Nykto never receives your real Apple ID email. This is the most private sign-in option available.

12. Children’s Privacy

Nykto VPN is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at privacy@nykto.app and we will delete the account immediately.

13. Your Rights

Regardless of where you live, you have the following rights with respect to your personal data:

Right to access: You may request a copy of the personal data we hold about you (email, device list, subscription status).

Right to deletion: You may delete your account at any time from the app, which permanently removes all personal data we hold. You may also request deletion by email.

Right to correction: Your email address is provided by your Apple or Google account and is not editable within the Nykto app. To change it, update your account with the respective identity provider.

Right to data portability: You may request an export of your account data in a machine-readable format.

Right to object: You may object to any processing of your personal data. Given the minimal nature of what we collect, the practical scope of this right is limited to account deletion.

To exercise any of these rights, contact privacy@nykto.app.

14. GDPR Compliance (European Users)

14.1 Legal Basis for Processing (GDPR Article 6)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): Processing your email and authentication data is necessary to provide the VPN service you subscribed to.
• Legitimate interest (Article 6(1)(f)): Rate limiting and abuse prevention to protect our infrastructure and other users.
• Legal obligation (Article 6(1)(c)): Responding to valid legal process.

We do not process VPN traffic data, browsing history, or connection logs — these are never collected, so no legal basis is required for data that does not exist.

We do not process personal data for direct marketing or profiling.

14.2 International Data Transfers

Nyktora Group, LLC is based in the United States. If you access our service from the European Economic Area, United Kingdom, or Switzerland, your authentication data (email address) is transferred to the United States. We rely on the EU-U.S. Data Privacy Framework for lawful transfers. Where the Framework does not apply, we use Standard Contractual Clauses approved by the European Commission.

14.3 EU Representative

Users in the European Economic Area may contact our EU representative for privacy matters at eu-privacy@nykto.app. We are in the process of formally appointing an EU representative under GDPR Article 27 and will update this policy with their details.

You may lodge a complaint with your local data protection authority if you believe your rights under the GDPR have been violated.

15. CCPA/CPRA Rights (California)

California residents have additional rights under the California Consumer Privacy Act (CCPA/CPRA):

• Right to know: You may request disclosure of what personal information we collect, use, share, or sell.
• Right to delete: You may request deletion of your personal information.
• Right to opt out of sale: We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact privacy@nykto.app.

16. Security

We implement the following security measures:

• All connections between the app and our server use TLS 1.3
• Authentication is delegated to Apple and Google via Supabase OAuth — no passwords are stored
• JWT tokens use Ed25519 signatures
• WireGuard uses ChaCha20-Poly1305 encryption with Curve25519 key exchange
• Our server does not accept SSH connections in production
• Rate limiting is applied to authentication endpoints (10 attempts per minute per IP)

Despite these measures, no system is perfectly secure. In the event of a security incident affecting your data, we will notify you as required by applicable law.

17. Changes to This Policy

If we make material changes to this privacy policy, we will notify you via the email address on your account before the changes take effect. The effective date at the top of this document will be updated. Your continued use of Nykto after the effective date constitutes acceptance of the revised policy.

18. Contact

Privacy matters: privacy@nykto.app
EU representative: eu-privacy@nykto.app
General support: support@nykto.app
Website: https://nykto.app/privacy

We aim to respond to all privacy enquiries within 5 business days.