Privacy policy
Last updated:
All of our policies regarding data and its storage
- No logging of user activity policy
- Cookie policy
- Privacy policy (including GDPR)
- Swedish legislation relevant to us as a VPN provider
- Terms of service
Policy overview
Our underlying policy is that we want you to remain anonymous when using our service. It is therefore our policy to never store any activity logs or metadata and to have as minimal data retention as possible. However, in some situations we might process your personal data if you, for example, are making payments by a bank wire or sending an e-mail or reporting a problem. In those cases, we might process your personal data and the General Data Protection Regulation (“GDPR”) and other data protection laws may apply to the processing.
The purpose and legal basis for each processing
Payments
Payment information are processed for the purpose of providing you with the service we offer, to pay out refunds and for accounting purposes. The processing of payment data for the first two purposes are necessary for us to be able to handle the payment (i.e. performance of contract) Payment information processed for accounting purposes are necessary for the compliance of a legal obligation to which we are subject.
Support and problem report
Processing of e-mails and problem reports via our app/client are made for the purpose of answering questions, resolve problems, and provide general support to customers. The processing is based on our legitimate interest to help you.
Categories of personal data
We are processing the following categories of personal data. Mullvad can access the personal data below through our payment service providers but that does not necessarily mean that Mullvad are storing the data anywhere else than in the service. See our No-logging of user activity policy to see details about what data we store.
Payments
- Bank wire: sender name, address, bank account number
- PayPal: transaction-ID, sender name, origin country and e-mail address
- Swish: Swish-ID, name and phone number
- Stripe: Stripe charge ID, expire date, last 4 digits of the card, card type and origin country
Support and problem report
- Support by e-mail: your e-mail address and other information which you have written in the e-mail.
- Problem reported by the app: Redacted program logs, app version and operating system are sent. IP-addresses, account numbers, sensitive path and other PII are not sent. Please refrain from entering any personal data when reporting a problem by the app.
How long is the personal data saved?
The time periods for which the personal data will be saved are the following.
Payment data
Since we support 14-day refunds, and because we encounter certain transaction issues (for example, double payments and subscription problems), we need to be able to track payments (i.e. if you use PayPal or Stripe) in order to give customers the service we offer. Transaction_id is permanently deleted after 20 days.
Certain payment data must be kept for the statutory retention period described in applicable local laws such as the Swedish Accounting Act (some information must be stored for seven years from the end of the fiscal year). If not required by law or stated above, the data will be stored for no longer than necessary for the purpose. After the statutory retention periods, the data will be permanently deleted.
Support and problem report
After "solving" or "closing" a support case/problem report, all related emails/problem reports are archived (removed from the inbox). After 70 days, all emails/problem reports sent to our support address are automatically, permanently erased (from inbox, deleted items, sent items, trash, and archives).
Third-party recipients
Your personal data will only be shared with third party suppliers who are performing services on our behalf and for the purposes stated above. The categories of such recipients are e-mail service providers and payment solution suppliers (which are subject to confidentiality).
Is any transfer made to a third country?
No. We only store and process your personal data within the EU/EEA.
Automated decision making
No automated decision making (including profiling) takes place.
The rights of individuals
You have the right, in certain situations, to request us to correct or delete  personal data regarding you and/or restrict the processing as well as a right to data portability (if applicable). Where the legal basis for the processing is based on a weighing of interests you are as a data subject entitled to object at any time to the processing of your data. You also have the right to request for a copy of your personal data and a registry extract.
However, in most cases we will not be able to provide you with any data since we not store data except payment data which we cannot give out since the purpose of processing the payment data do not require identification of the data subject and would require disproportionate effort for us to further acquire or process additional information to identify the data subject (article 11 in the GDPR).
You have the right to make a complaint to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, “IMY”, www.imy.se).
If you would like to exercise your rights, please contact support@mullvadvpn.net for more information.
Please note that exercising some rights may limit our ability to provide support that requires such information, for example issuing a refund or finding a lost account. We are also unable to approve some request due to legal requirements or that the processing of personal data might be based on a legal basis to which the right do not apply.
Data controller contact information
Mullvad VPN AB
Reg. no. 559238-4001
Box 53049
400 14 Gothenburg
Sweden
support@mullvadvpn.net
To exercise your rights under the GDPR or if you have any questions regarding our processing of your personal data, please send your inquiry to the e-mail address above.
Updates
This Privacy policy may be updated and, in such case, a new version will be published on Mullvad’s website.