Privacy Policy

Last updated: 13 April 2026

Latens is operated by Mitch Callinan (ABN 78 733 747 904), trading as "Latens", an Australian sole trader based in New South Wales. This policy explains what data we collect, what we do not collect, and how we handle the limited information we hold.

The short version: we collect the bare minimum needed to run the service and process payments. We do not log your browsing activity. Ever.

If you have questions about anything in this policy, email privacy@latens.net. A human will respond.

1. What we collect

When you create a Latens account and subscribe, we collect:

  • Email address — used for account authentication (magic link login), billing receipts, and critical service notices such as security alerts. We never send marketing email unless you explicitly opt in.
  • Payment information (via Stripe) — Stripe processes your card details directly. We receive a tokenised reference to your payment method, your subscription status, and your Stripe customer ID. We never see or store your card number, expiry, or CVC. Stripe is PCI DSS Level 1 certified.
  • WireGuard public key — generated on your device during setup. This is a cryptographic key used to establish your encrypted VPN tunnel. It is not a personal identifier.
  • Device metadata — a device name you choose (e.g. "Mum's iPhone"), the platform type (iOS, Android, etc.), and the VPN protocol in use. This is so you can manage your devices in the app.
  • Aggregated traffic statistics — category-level bandwidth totals (e.g. "streaming: 2.4 GB", "ads blocked: 347") bucketed by hour. These contain no domains, URLs, or IP addresses. They power the dashboard charts in the app.

That is the complete list. There is no analytics SDK, no tracking pixels, no fingerprinting, and no behavioural profiling.

2. What we do NOT collect

Latens is architected so that we cannot observe your activity, even if compelled to do so:

  • Browsing history or URLs visited
  • DNS queries (AdGuard DNS filtering occurs on the exit node but no query logs are stored)
  • Source or destination IP addresses
  • Connection timestamps or session durations
  • Per-session bandwidth usage
  • Traffic content or packet metadata
  • Your real IP address (we do not log the IP you connect from)

Our exit node infrastructure is configured to disable traffic logging at the operating system level. WireGuard kernel logs are set to minimal (errors only). We cannot hand over data that does not exist.

3. WireGuard private keys

When you register a device, a WireGuard keypair (public + private) is generated. The private key is included in your configuration file and then permanently deleted from our servers after the first download. After that point, only you have the private key. If you lose it, you will need to register a new device.

4. On-device data

The Latens app includes features such as Traffic Transparency, Time Machine, and Privacy Audit that display information about your network activity. All of this data is generated and stored locally on your device only. It never leaves your device and is never transmitted to our servers. If you delete the app, this data is deleted with it.

5. Internet Weather Map

The Internet Weather Map feature collects anonymous ISP performance data (speed measurements, DNS latency, detection of DNS hijacking and tracking headers). This data is not linked to any customer account — it contains only the ISP name (e.g. "Telstra"), the Australian state or region, and the measurement values. No customer UUID, email, IP address, or device identifier is included. This data is aggregated to produce the public weather map and is deleted after 90 days.

6. How data is stored

Account data (email, WireGuard public key, subscription status, device metadata) is stored in Cloudflare D1, a serverless SQL database. All data is encrypted at rest using AES-256. Access is restricted to authenticated API calls from our own Cloudflare Workers.

Our API layer runs on Cloudflare Workers, which are ephemeral and stateless — they do not accumulate log files. Exit nodes store only bandwidth counters (bytes per customer UUID) for fair-use enforcement, rotated every 30 days. No traffic content or destination information is stored on exit nodes.

7. Third parties and data processors

We share data with the following third-party processors, and only to the extent necessary to deliver the service:

Stripe (payments)

Processes all card payments under PCI DSS Level 1 compliance. We receive only a token and subscription status. Data processed: email, card details (by Stripe directly), billing address if provided. Stripe's privacy policy.

Resend (email delivery)

Delivers magic link authentication emails and critical service notices. Data processed: your email address and the email content. Emails are transactional only. Resend's privacy policy.

Cloudflare (infrastructure)

Hosts our API (Workers), database (D1), DNS, and CDN for the website. Cloudflare processes HTTP requests to deliver these services but does not have access to decrypted VPN tunnel contents. Cloudflare's privacy policy.

Hetzner, Contabo, LightNode (exit node infrastructure)

Provide the physical or virtual servers that run our exit nodes in the US, EU, JP, and TR regions. These providers have access to the server hardware but not to the encrypted tunnel traffic. No customer-identifiable data is stored on these servers beyond bandwidth counters keyed by anonymous UUID.

We do not sell, rent, or share your data with any other party. We do not use advertising networks, analytics platforms, or data brokers. No customer data is transferred to countries outside the jurisdictions where our exit nodes operate (Australia, United States, European Union, Japan, and Turkey).

8. Australian Privacy Principles (APP 1-13)

Latens complies with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth). While sole traders with annual turnover below $3 million are generally exempt from the APPs, we voluntarily adhere to them because we believe privacy compliance should be a baseline, not a legal obligation.

APP 1 — Open and transparent management: This policy describes our data practices in plain English. It is publicly available at latens.net/privacy.

APP 2 — Anonymity and pseudonymity: Our service requires an email address for authentication. You may use any email address, including a pseudonymous one.

APP 3 — Collection of solicited personal information: We only collect information that is reasonably necessary to provide the service (email, payment token, device metadata).

APP 4 — Dealing with unsolicited personal information: We do not solicit or accept personal information beyond what is listed in Section 1. If we receive unsolicited personal information (e.g. via a support email), we assess whether we could have collected it under APP 3. If not, we delete it.

APP 5 — Notification of collection: This policy serves as our collection notice. You are informed at or before the time of collection what data we collect and why.

APP 6 — Use or disclosure: We use personal information only for the purpose for which it was collected (providing the VPN service). We do not disclose it to third parties except as described in Section 7.

APP 7 — Direct marketing: We do not use personal information for direct marketing unless you have explicitly opted in. You can opt out at any time.

APP 8 — Cross-border disclosure: Customer data may be processed in jurisdictions where our infrastructure operates (US, EU, JP, TR). All data is encrypted in transit and at rest. We have assessed these jurisdictions and ensure substantially similar privacy protections.

APP 9 — Adoption, use, or disclosure of government identifiers: We do not collect, use, or store any government-related identifiers (tax file numbers, Medicare numbers, etc.).

APP 10 — Quality of personal information: We take reasonable steps to ensure personal information is accurate and up to date. You can update your email address at any time via the app or by contacting us.

APP 11 — Security of personal information: We protect personal information through encryption at rest (AES-256), encryption in transit (TLS 1.3), access controls (authenticated API only), and deletion of data no longer needed (WireGuard private keys deleted after first download, account data deleted 30 days after cancellation).

APP 12 — Access to personal information: You can request access to all personal information we hold about you at any time by emailing privacy@latens.net. We will respond within 30 days.

APP 13 — Correction of personal information: You can request correction of any personal information we hold about you. We will correct it within 30 days of receiving the request, or explain why we believe the information is accurate.

9. For users in the European Union (GDPR)

If you are located in the EU or EEA (including if you connect through our EU exit node), you have additional rights under the General Data Protection Regulation (GDPR):

  • Lawful basis for processing: We process your data on the basis of contract performance (providing the VPN service you subscribed to) and legitimate interest (preventing abuse).
  • Right of access: You may request a copy of all data we hold about you.
  • Right to rectification: You may request correction of inaccurate data.
  • Right to erasure: You may request deletion of your data. We will comply within 30 days.
  • Right to data portability: You may request your data in a machine-readable format (JSON).
  • Right to object: You may object to processing based on legitimate interest.
  • Right to lodge a complaint: You may lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@latens.net.

10. Data retention and deletion

  • Active accounts: account data is retained for as long as your subscription is active.
  • After cancellation: all account data (email, devices, subscription records) is permanently deleted from our systems within 30 days.
  • Traffic statistics: aggregated, anonymous traffic stats are deleted after 90 days.
  • Weather map data: anonymous ISP measurements are deleted after 90 days.
  • WireGuard private keys: deleted from our servers immediately after first config download.

You can request immediate deletion of all your data at any time by emailing privacy@latens.net. We will process deletion requests within 5 business days.

11. Law enforcement requests

We will only disclose customer information in response to a valid Australian warrant or court order, served in compliance with Australian law. We will:

  • Require a valid warrant or court order before disclosing any data.
  • Disclose only the minimum data necessary to comply with the specific order.
  • Notify the affected customer unless legally prohibited from doing so.
  • Challenge overbroad or vague requests.

Because we do not log traffic, the only data we could provide is account information (email, subscription status, device names). We cannot provide browsing history, DNS queries, or traffic content because this data does not exist in our systems. All law enforcement requests are recorded in our Transparency Report.

12. Cookies and local storage

The Latens website uses only essential cookies and localStorage for authentication (storing your session token after magic link login). We do not use any tracking cookies, analytics cookies, or third-party advertising cookies. Cloudflare may set a __cf_bm cookie for bot protection — this is a security measure, not tracking.

13. Children's privacy

Latens accounts require a minimum age of 16 (or 18 if required by your jurisdiction). We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will delete the account and associated data immediately.

Children under 18 may use Latens on a Family plan with parental consent, using a device managed by a parent or guardian.

14. Data breach notification

In the event of a data breach that is likely to result in serious harm to affected individuals, we will:

  • Notify affected customers within 72 hours of becoming aware of the breach.
  • Notify the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.
  • Provide clear information about what data was affected, what we are doing about it, and what steps you should take.

15. Changes to this policy

We may update this policy from time to time. Material changes (anything that affects your rights, what data we collect, or who we share it with) will be communicated via email to all active subscribers at least 30 days before taking effect. The "last updated" date at the top of this page will always reflect the most recent revision.

16. Contact

If you have questions about this policy, wish to exercise your privacy rights, or want to make a complaint, contact us at:

Mitch Callinan

Privacy Officer, Latens

ABN 78 733 747 904

Email: privacy@latens.net

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).