ExpressVPN is committed to protecting your privacy.
We want you to understand what information we collect, what we don’t collect, and how we collect, use, and store information. We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.
Our guiding principle toward data collection is to collect only the minimal data required to operate a world-class VPN service at scale. We designed our systems to not have sensitive data about our customers; even when compelled, we cannot provide data that we do not possess.
Table of contents
ExpressVPN collects four types of information:
(i) Information related to your account (“personal information”)
This information is collected for the purpose of administering your ExpressVPN subscription and includes your name, email address, and payment information, which you submit on our order page when you subscribe for the Services.
(ii) Aggregate Apps and VPN connection summary statistics
ExpressVPN collects minimal information about usage in order to maintain excellent customer support and quality of service. The section below specifies in detail what information we collect. These statistics never include anything about what the user did with the VPN: no data about the contents or destinations of VPN traffic, no DNS queries, and no IP addresses.
(iii) (User-controlled option): Anonymous app diagnostics, including crash reports
App diagnostic data, which include crash reports, usability diagnostics, and VPN connection diagnostics, are anonymized and cannot be tied back to individual ExpressVPN users. This feature is similar to a “send bug report” option. Users can specify in the settings menu of any ExpressVPN App whether to send these data to us.
(iv) Only for users who choose to use the MediaStreamer service: IP addresses authorized to use MediaStreamer
Separately from VPN services, we also provide our optional MediaStreamer service for devices such as Apple TV that do not support VPNs. Users who opt in to using MediaStreamer can choose to register specific IP addresses that should be authorized to use the service; these IP addresses are only used by ExpressVPN to provide the optional MediaStreamer service and not for any other purpose.
ExpressVPN collects personal information that you provide to us directly through the Site. We require that you provide personal information, such as an email address and payment information, in order to establish an ExpressVPN account, and so that we can email you, collect payments from you, and respond to support queries that you initiate. The specific information collected varies depending on the payment method you choose. To minimize the amount of personal information you submit to us, we recommend that you use Bitcoin payments when subscribing to our Service.
ExpressVPN uses your email address for the following reasons:
To send emails related to payment transactions.
To provide links to our Site, including password reset emails.
To send you updates and announcements.
To communicate with you about your VPN services or respond to your communications.
To send marketing information, such as ExpressVPN offers, surveys, invitations, and content about other matters in connection with ExpressVPN (“Marketing emails”). You may choose to not receive Marketing emails by following the opt-out procedure described in these emails.
Aggregate Apps and VPN Connection Summary Statistics
We ensure that we never log browsing history, traffic destination, data content, IP addresses, or DNS queries. Therefore:
We do not know which user ever accessed a particular website or service.
We do not know which user was connected to the VPN at a specific time or which VPN server IP addresses they used.
We do not know the set of original IP addresses of a user’s computer.
Should anyone try to compel ExpressVPN to release user information based on any of the above, we cannot supply this information because the data don’t exist.
In order to maintain excellent customer support and quality of service, ExpressVPN collects the following information related to your VPN usage:
Apps and Apps versions
We collect information related to which Apps and Apps version(s) you have activated. Knowing your current version of the Apps allows our Support Team to troubleshoot technical issues with you.
We collect information about whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location (but not your assigned outgoing IP address), and from which country/ISP (but not your source IP address). This minimal information assists us in providing technical support, such as identifying connection problems, providing country-specific advice about how to best use our Service, and to enable ExpressVPN engineers to identify and fix network issues.
Aggregate sum of data transferred (in MB)
We collect information regarding the total sum of data transferred by a given user. Although we provide unlimited data transfer, if we notice that a single user pushes more traffic than thousands of others combined, thereby affecting the quality of service for other ExpressVPN users, we may contact that user for an explanation.
We collect minimal usage statistics to maintain our quality of service. We may know, for example, that our customer John had connected to our New York VPN location on Tuesday and had transferred an aggregate of 823 MB of data across a 24-hour period. John can’t be uniquely identified as responsible for any specific behavior because his usage pattern overlaps with thousands of other ExpressVPN customers who also connected to the same location on the same day.
We’ve engineered our systems to categorically eliminate storage of sensitive data. We may know THAT a customer has used ExpressVPN, but we never know HOW they have utilized our Service. We stand by our firm commitment to our customers’ privacy by not possessing any data related to a user’s online activities.
Anonymous App Diagnostics, including Crash Reports (can be turned off by the user)
With your permission, we collect anonymized app diagnostic data, which include crash reports, usability diagnostics, and VPN connection diagnostics. We use these data in our network operations tools to help optimize network speeds and to let us identify problems and areas for improvement related to specific apps, VPN servers, or ISPs. The information we receive is fully anonymized and cannot be tied back to individual ExpressVPN users (i.e., we do not store which user sent which data, and we do not store user IP addresses).
If you opt in to share this information with ExpressVPN, we will collect the following anonymized information:
Diagnostic information about if and how a VPN connection attempt failed.
Speed test data.
App diagnostics, including crash reports and usability diagnostics, also without any personally identifiable information. These are handled in an anonymized form by these third parties, dependent on the platform you are using ExpressVPN on:
Android: Firebase Crashlytics, owned by Google. See Firebase’s Privacy and Security documentation.
Upon activation of any ExpressVPN App, you will be asked if you would like to share these data. You can start or stop sharing these diagnostic data at any time in the App’s settings menu. On iOS, Apple’s crash reporting can be turned off in iOS settings.
MediaStreamer is our service for consoles like Apple TV and other devices that don’t support running a VPN. Because the service doesn’t run on an app and doesn’t have an option for username/password authorization, we rely on a system that authorizes specific IP addresses that you have chosen to register with us. You can register IP addresses by logging in to our website and using the “DNS Settings” page. Those IP addresses are then stored in our system in order to identify authorized devices for MediaStreamer, and are not used for any other purpose.
If you do not wish to use this service but have devices like an Apple TV that cannot run a VPN, we suggest using the ExpressVPN App for routers. Like all of our Apps and VPN Service, the App for routers does not require IP address registration. Please contact us, and we’ll guide you through the steps.
Jurisdiction and Applicable Law
ExpressVPN’s core mission is to keep your information private. In service of this mission, ExpressVPN’s headquarters and registered place of business is in the British Virgin Islands (BVI), which has stricter laws concerning information disclosure than most countries.
The BVI has no data retention laws, and any legal order requiring a BVI company to disclose customer records must come from the BVI Supreme Court. Under BVI law, information requests from foreign courts or law enforcement are subject to a “dual criminality” provision, meaning that the request is upheld by the BVI Supreme Court only if the same crime is punishable by at least a one-year prison sentence under BVI law, had it taken place in the BVI. Should we receive a valid legal order from the BVI Supreme Court, it is important to note that ExpressVPN does not collect any IP addresses, browsing history, traffic data, or DNS queries that could be used to identify any specific user.
Storing of Information Related to Email, Live Chat, and Feedback Forms
ExpressVPN keeps records of any correspondence, questions, complaints, or compliments you submit to us through our Site or Services, along with our response. Depending on how you contact ExpressVPN, we may collect your email address and any additional information you provide to us. Having full correspondence records enables our staff to provide the best possible customer support experience.
We use two different third-party platforms for support correspondence: Zendesk for emails and support tickets, and SnapEngage for live chat. When you correspond with us using these platforms, they will store your correspondence records—including your email address, as well as user and device attributes that help with troubleshooting, such as the country you are contacting us from and your device’s operating system. Both platforms utilize modern security practices and HTTPS encryption.
Security Measures to Protect Your Information
ExpressVPN uses best-in-class physical, procedural, and technical security with respect to our offices and information storage facilities so as to prevent any loss, misuse, unauthorized access, disclosure, or modification of information. Access to user information is restricted to staff who require such access to perform their job functions.
While we believe these systems are robust, it is important to understand that no data security measures in the world can offer 100% protection.
Servers are housed in data centers with strong security practices. None of these data centers require us to collect or store any traffic data or personal information related to your use of VPN Services. If any data center were to ask us to log such data, we would immediately cease operations with said data center and find alternative options.
Even if a government were to physically seize one of our VPN servers and manage to break its disk encryption, there would be no logs or information that would tie any individual user to a particular event, website, or behavior.
Cookies and Mobile Identifiers
What is a cookie?
A cookie is a small text file used to store information about your visit to the Site. Cookies let ExpressVPN optimize and improve the user experience of the Site by helping us deliver certain functionalities, such as website login and language settings. The cookies we use may vary over time as we continuously update and improve our Site.
You are free to change your cookie preferences at any time. You can do this in the settings panel for your browser. Depending on which browser and device you use, you may be able to control which cookies you allow, which cookies you want to block in the future, and delete cookies. For more information about these settings, please refer to the “help” section of your browser. Note that ExpressVPN’s Site may not work as intended if you choose to disable cookies.
The cookies set by ExpressVPN enable us to set your language preference, attribute visitors to a marketing channel, and, once you log in, securely show you information that is specific to your account. The cookies contain a user identifier, but no directly personally identifying information such as your name or email address, and do not track any activity outside of ExpressVPN’s domains.
ExpressVPN uses third-party services such as Google Analytics and Adwords. Cookies from such services are used to collect data for statistical reports. For example, we may generate reports regarding the amount of time users spend on the Site and the number of users who visit a particular page.
ExpressVPN uses Google AdWords remarketing to show advertisements on third-party websites (including Google) to users who have visited our Site. We may show such users advertisements on a Google search results page, or on a site in the Google Display Network.
A mobile identifier is an identifier provided by an Android or iOS device. It does not contain your name or email address. ExpressVPN uses mobile identifiers to generate statistics related to the marketing channels and advertising partners through which users learned about and signed up for ExpressVPN mobile apps.
Disabling or resetting mobile identifiers
Users may disable or reset the mobile identifiers associated with their devices at any time. For instructions, see Apple’s page on Advertising & Privacy on iOS devices and Google’s page on Managing your Google Settings on your Android device.
The Site may contain links to external websites that do not fall under ExpressVPN’s domain. ExpressVPN is not responsible for the privacy practices or content of such external websites.
Consent and Age Restrictions
The Services are intended for adults aged 18 and above. If you believe your child has provided information to us, please let us know immediately.
Users in the European Union
ExpressVPN is committed to user privacy globally, and our existing practices reflect that through minimal collection of data and ensuring users have control over their personal information. The General Data Protection Regulation (GDPR) of the European Union (EU) requires us to outline those practices in a specific manner for users in the EU.
For the purposes of fulfilling our contractual obligations to users, including:
Providing users with the Services and Apps they have requested.
Managing user subscriptions and processing payments.
Providing customer support.
For a legitimate interest associated with the operation of our business, including:
Enhancing the quality, reliability, and effectiveness of our Site, Services, and Apps.
Communicating with customers to provide information and seek feedback related to our Services and Apps.
With the consent of users, which users can withdraw at any time.
You can exercise your rights under the GDPR to access, transfer, correct, delete, or object to the processing of your personal information by contacting us at firstname.lastname@example.org.
How to Contact ExpressVPN