LEGAL · LAST UPDATED June 2026

Privacy Policy

We don't sell your data. We don't run third-party trackers. Here's exactly what we do log, and why.

Roamly is a privacy tool. We treat your data the same way we'd want ours treated: kept only when there's a real reason, encrypted in transit, deleted when no longer needed, and never sold.

The honest summary: No VPN with real servers can be "zero log." Every operator keeps some logs to run the service and respond to abuse. Anyone claiming otherwise is marketing, not engineering. We tell you exactly what we keep, why, and for how long. That's the deal.

Who we are

Roamly is operated by an independent vendor accessible at roamlyvpn.com. Contact: [email protected]. For legal/abuse: [email protected].

Data we collect

1. Account information

Your email address (for account, password reset, billing receipts)
Hashed password (Argon2id; we never see your plain password)
Account creation date, last login date, IP address at login

2. Connection data (while you're using the VPN)

Connection start and end times
Bandwidth used per session
Server you connected to
Your originating IP address (kept for the duration of the session, then truncated to /24)
The exit IP we assigned you

3. Domain & navigation logs

When you're connected to Roamly, our systems record basic navigation data to support service operation, abuse prevention, and lawful disclosure obligations:

Domain names (hostnames): e.g. example.com
URL path: e.g. /articles/page, without query strings, form data, or any content. Sensitive parameters (tokens, passwords, search terms) are automatically stripped before the data reaches our servers.
Connection time and duration
Source IP (your IP at session start, truncated to /24 after 7 days)
Exit IP (the server IP we assigned you)

This data comes from two sources that see the same information: (a) our proxy exit servers processing your tunneled traffic, and (b) the browser extension forwarding aggregated domain-level activity in batches. Both sources record only what's listed above. We use this for: debugging connection issues, identifying abuse, and responding to lawful requests.

What we DO NOT collect:

Query strings, form submissions, or search terms (these are stripped)
Page titles or page contents
Any browsing activity when the VPN is disconnected
Data from sites you visit outside the tunneled connection

The extension uses Chrome's built-in declarativeNetRequest API to block known dangerous domains at the browser level, this blocking happens locally, before any request leaves your machine.

4. Built-in fraud/phishing/CSAM filtering

The extension ships with, and periodically updates, a list of known dangerous and restricted domains. When you try to visit a domain on this list, the request is blocked at the browser level, before any data leaves your machine. Examples of categories we block:

Known phishing sites (fake bank, fake exchange, fake e-government domains)
Malware distribution and crack/keygen pages
CSAM (child sexual abuse material), legal requirement
Turkish banks, e-government, and crypto exchanges (preventing inappropriate VPN usage that could lock your account or violate KYC requirements)

These rules are loaded into Chrome's filtering engine. The extension itself never sees what you're trying to access, Chrome handles matching internally. This is fundamentally more privacy-respecting than older filtering approaches.

5. Optional: user reports

If you choose to click "Report this site" in the extension popup, the domain you report is sent to our backend, only when you explicitly click that button. This is opt-in.

6. Payment data

Cards: processed by Polar, our Merchant of Record. We never see your card number, only the transaction ID, last 4 digits, and the result.

The browser extension itself never handles payment data. When you start a purchase, the extension simply opens our checkout page in a new browser tab, where the payment processor collects your details. No card numbers, wallet addresses, or financial data ever pass through the extension, it only sends which plan you selected.

7. Anonymous usage statistics (browser extension)

To understand how many people actively use Roamly, the extension sends a small anonymous heartbeat while your browser is open, roughly every 10 minutes. It contains only:

A random device identifier generated locally on your machine (a random UUID, not your account, not your email, not a hardware ID)
The extension version you're running

This heartbeat carries no browsing data, no account information, and no personal data, and it is not linked to your account. We use it solely to count active installations and detect outdated versions. It is sent whether or not the VPN is connected, counting active users is its only purpose, but it never includes anything about the sites you visit.

Data we do not collect

The contents of your encrypted traffic (we can't, it's encrypted end-to-end with the destination)
Form submissions, message bodies, file uploads/downloads
Any browsing, connection, or domain data when the VPN is disconnected, no sites, IPs, or traffic are recorded while you're off. The only signal the extension may send while disconnected is the anonymous usage heartbeat described above (a random ID + version number), which never contains browsing data.
Browsing activity on sites that don't pass through the Roamly tunnel
Cross-device or cross-account behavioral profiles for advertising

Third parties

We share data only with operational service providers, and only the minimum needed:

Polar: our Merchant of Record; processes card payments and handles billing, receipts, and sales tax/VAT. They see your payment details (we don't), not your VPN activity.
VPS / proxy infrastructure providers: operate the actual VPN exit servers. They see encrypted traffic, source/destination IPs, and bandwidth. They do not see your account identity.
Hosting providers: host our backend and database. Subject to their security and privacy practices.

We do not share data with: advertising networks, data brokers, analytics platforms, or social media trackers.

How long we keep data

Account data: until you delete your account, then 30 days for backup rotation, then permanent deletion
Connection logs (times, IPs, bandwidth): up to 24 months (operational + abuse response window)
URL/domain access logs: up to 24 months
Payment records: per applicable accounting law (typically 5–7 years)
Email logs (sent receipts, password resets): 12 months

Lawful disclosure

We comply with valid legal requests from courts of competent jurisdiction. We do not respond to informal requests, requests from non-governmental parties, or requests from jurisdictions where we have no legal nexus.

We will fight requests we believe are overbroad or fishing. We will publish (anonymized) annual transparency reports beginning in our second year of operation.

Your rights

You may, at any time:

Request a copy of all data we hold about you
Request deletion of your account and all associated data (subject to legal retention obligations on payments)
Correct inaccurate information
Withdraw consent (which will close your account)
File a complaint with your local data protection authority

To exercise any of these: [email protected]. We respond within 14 days.

Security

We use TLS 1.2+ for all client-to-server traffic. Passwords are hashed with Argon2id. Database connections are TLS-encrypted. Server access uses key-based SSH only, passwords are disabled. We monitor for intrusion and run regular security audits.

If we discover a data breach, we will notify affected users within 72 hours of confirming it.

Children

Roamly is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has registered, please email [email protected] and we will delete the account.

Changes

Material changes to this policy will be announced via email to all active accounts at least 14 days before taking effect. Minor clarifications may be made at any time and noted at the top of this page.

Questions?

Email [email protected]. Real human, usually responds in under 48 hours.