View this report’s Sources Appendix for URLs of iOS App Store listings and privacy policies of individual apps, along with archived PDF versions.
VPN Proxy Master & Turbo VPN
VPN Details
VPN Developer: ALL Connected Co., Ltd
VPN Proxy Master:
- 800,000 new monthly VPN installs
- 4.5 star rating
- 10.8K reviews
Turbo VPN:
- 600,000 new monthly VPN installs
- 4.8 star rating
- 59.8K reviews
VPN Privacy Policy:
Both apps use the same privacy policy at the same URL
Verdict: Non-compliant
The privacy policy may state we won’t share the advertisers any your personal information or any usage information without your prior consent, but there is nevertheless a long list of data sharing practices identified with the most relevant as follows:
How we share information… Aggregate Information. Where legally permissible, we may use and share information about users with our partners in aggregated or de-identified form that can’t reasonably be used to identify you.
Third-Party Partners. We also share information about users with third-party partners in order to receive additional publicly available information about you.
Guideline 5.4 is very clear that no data sharing is permissible, which renders this policy non-compliant.
More broadly, this is a privacy policy that has been much improved since our previous investigation with a lot more detail, although question marks over Chinese ownership and international data transfers remain.
Note: ALL Connected immediately published an updated privacy policy on June 11, the day after we contacted them regarding our findings. However the clauses noted above remain in place.
[Update 13 June] We received a polite email from the developer’s lawyers that was at pains to emphasize that as they do not collect any sensitive data in the first place, they are unable to share anything.
They also stated that they “never share any information about users with third-party beyond the Privacy Policies, APPLE Guidelines, US laws related to personal data protection or GDPR.”
They went on to say, “For the avoidance to doubt, the statement cited in your email has been deleted from the latest Privacy Policies.”
To clarify, what has been removed is the clause above beginning “Third-Party Partners”. The other clause remains in place.
While the data being shared may well be not personally-identifiable, given Apple’s guidelines clearly state that VPN apps may not share any data whatsoever then these apps appear to remain non-compliant.
Hotspot Shield Free, Betternet, TouchVPN, Hexatech
VPN Details
VPN Developer: AnchorFree, Inc.
Hotspot Shield:
- 800,000 new monthly VPN installs
- 4.5 star rating
- 97.3K reviews
Betternet:
- 700,000 new monthly VPN installs
- 4.6 star rating
- 137.5K reviews
TouchVPN:
- 70,000 new monthly VPN installs
- 4.6 star rating
- 7.4K reviews
Hexatech:
- 70,000 new monthly VPN installs
- 4.5 star rating
- 33.5K reviews
VPN Privacy Policy:
The privacy policies for Hotspot Shield, Betternet and TouchVPN are hosted individually but are substantively the same. Hexatech directs users to the Betternet policy and does not have its own individual policy.
Verdict: Non-compliant
The following clause that appears in all these privacy policies, with the relevant name of the app referenced, is clearly in breach of Guideline 5.4.
We may share your general (city level) location. Additionally, advertisers may be able to collect certain information independently from you or your device when serving ads from the Hotspot Shield application, including your device’s advertising ID, IMEI, MAC address, and wireless carrier.
Arguably the additional clause below might avoid being in non-compliance as third parties collect the data directly rather than it being provided to them. We would argue it’s certainly against the spirit of the guidelines and not privacy-friendly.
Our service providers may collect IP addresses for marketing attribution purposes.
Overall, AnchorFree products do have comprehensively transparent privacy policies. This makes it possible at least to make an informed decision about the privacy trade-off required for access to a high-quality free service even if that service is more aggressively monetized than we are generally comfortable with.
UPDATE: AnchorFree responded and rather than provide any explanation of the targeted advertising in their apps, instead stated that we were “misinterpreting Apple guidelines” and that Apple didn’t really mean the ban literally. This was a very disappointing response compared to previous efforts to be transparent.
VPN – Super Unlimited Proxy & VPN – Unlimited Best VPN Proxy
VPN Details
VPN Developer: Mobile Jump
VPN – Super Unlimited Proxy:
- 800,000 new monthly VPN installs
- 4.7 star rating
- 159.4K reviews
VPN – Unlimited Best VPN Proxy:
- 80,000 new monthly VPN installs
- 4.7 star rating
- 7K reviews
VPN Privacy Policy:
The same privacy policy applies to both apps and users are directed to the same URL.
Verdict: Non-compliant
The following clause appears to breach Guideline 5.4 prohibition on sharing any data at all with third parties:
We may share your data with other MobileJump’s affiliate companies in or outside Europe. We may also share your data with third parties, to help manage our business and deliver services.
Overall, Mobile Jump has improved its privacy policy since our previous investigation by making it much more comprehensive – which is positive.
However, there remain a number of privacy issues and question marks regarding this policy in addition to its compliance or otherwise with the new Apple guidelines. There are also unanswered questions about the company being based in mainland China despite the strict VPN ban in that country.
Mobile Jump neither responded to our communication of our findings nor updated their policies.
X-VPN
VPN Details
VPN Developer: Free Connected Ltd
- 500,000 new monthly VPN installs
- 4.6 star rating
- 13.1K reviews
VPN Privacy Policy:
Verdict: Compliant
The X-VPN privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines. Nor are there any broader privacy policy issues with this VPN.
Note that there do remain potential red flags however due to the Chinese ownership of the company (registered in Hong Kong but with owners based in mainland China) and lack of corporate transparency.
VPN 360 – Unlimited VPN Proxy
VPN Details
VPN Developer: TouchVPN
- 400,000 new monthly VPN installs
- 4.5 star rating
- 21.2K reviews
VPN Privacy Policy:
Verdict: Non-compliant
The following privacy policy clause appears to violate Guideline 5.4, as while it may not relate to data that can be traced back to individuals, it is nevertheless user data:
However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
We would also highlight the following:
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.
Given that the policy is hosted on a free WordPress domain and has not been updated since 2017 despite the app’s enduring popularity, we do not feel the VPN provider has done enough to earn the degree of trust required to take this policy at face value.
This harsh assessment is compounded by the fact the developer has quietly changed its name on the App Store from Infinity Software Co., Limited to TouchVPN.
Of course, it may be coincidence that this new name featured in a prominent position on its App Store listing is the same as that of a more established and trusted product.
However, we don’t find it reassuring that there’s no explanation of how “TouchVPN” relates to the existing brand, references to which remain on the page in several instances: for copyright, a support email address domain and in the domains of the terms of service and a second privacy policy buried in the small print of the store listing.
This second policy has the same text as the main policy linked to from the App Store listing but this time is hosted on a customer support platform domain (Zendesk)[2] and was created more recently, as it was last updated at the end of 2018.
TouchVPN / Infinity Software neither responded to our communication of our findings nor updated their policies.
VPN Proxy Vault – Unlimited VPN
VPN Details
VPN Developer: Appsverse Inc.
- 400,000 new monthly VPN installs
- 4.6 star rating
- 9.2K reviews
VPN Privacy Policy:
Verdict: Compliant
The VPN Proxy Vault privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines. Nor are there any broader privacy policy issues with this VPN.
Secured VPN Pro
VPN Details
VPN Developer: Contrast Media Inc
- 300,000 new monthly VPN installs
- 4.4 star rating
- 218 reviews
VPN Privacy Policy:
Verdict: Non-compliant
This privacy policy is in clear violation of the guidelines as it shares location data with advertisers (although not current specific location) and upsells to a paid version of the product on the basis of withholding that data.
When you visit the mobile application, we may use GPS technology (or other similar technology) to determine your current location in order to determine the city you are located within and display a location map with relevant advertisements. If you are subscribed to the use of the Premium package, then no single piece of information will be shared with advertisers.
There are further apparent breaches as specified in the following:
We may disclose User provided and Automatically Collected Information: …. With our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.
Aside from the above issues of non-compliance, this policy – which is hosted on a public Google Doc – raises a number of privacy red flags. It not only logs user browsing data, which is severely anti-privacy, but also has an unreasonably long data retention policy. This is an app to absolutely avoid and it should not be available for download in our view.
Contrast Media Inc neither responded to our communication of our findings nor updated their policies.
VPN 24: Hotspot VPN for iPhone
VPN Details
VPN Developer: 24apps GmbH
- 300,000 new monthly VPN installs
- 4.5 star rating
- 8.5K reviews
VPN Privacy Policy:
Verdict: Non-compliant
There are two aspects of this policy in conflict with Guideline 5.4:
The first appears clear cut in that it explicitly states that user data is shared with third parties involved in “marketing [and] advertising” and other companies that share the developer’s parent company.
… the main sharing of users’ information is with service providers and partners who assist us in operating the services, with other IAC Group companies …
With our service providers and partners. We use third parties to help us operate and improve our services. These third parties assist us with various tasks, including data hosting and maintenance, analytics, marketing, advertising and security operations. We follow a strict vetting process prior to engaging any service provider or working with any partner.
With other IAC Group companies …
The second potentially-infringing area relates to personalized ads. It is possible that this does not breach the guidelines on a technicality, ie by virtue of the fact that the third-parties collect the user data directly from within the app itself via embedded ad tech, but it certainly contradicts the spirit of the new rules.
It should be noted though that this a very comprehensive and transparent policy, which is commendable as it allows potential users to make more of an informed choice about their privacy.
24apps GmbH neither responded to our communication of our findings nor updated their policies.
Free VPN by FreeVPN.org
VPN Details
VPN Developer: FreeVPN.org
- 200,000 new monthly VPN installs
- 4.3 star rating
- 10.2K reviews
VPN Privacy Policy:
Verdict: Non-compliant
FreeVPN.org may state that they don’t “sell trade, or otherwise transfer to outside parties your personally identifiable information” but the following practices relating to advertising would appear to fall foul of the new rules.
Our apps may include third-party advertising networks. These networks determine independently how to use your information, so review their linked privacy policies to learn more.
However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
The policy overall is sorely lacking in detail about VPN-specific privacy matters, such as any sort of logging or data retention policies and should not be considered acceptable for a VPN app.
FreeVPN.org neither responded to our communication of our findings nor updated their policies.
SkyVPN
VPN Details
VPN Developer: Sentry Secure Communication
- 100,000 new monthly VPN installs
- 4.7 star rating
- 16K reviews
VPN Privacy Policy:
Verdict: Compliant
The SkyVPN privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines.
There are outstanding questions to answer, however, from our earlier investigation due to the highly opaque nature of this VPN provider that we revealed to be secretly owned by Tengzhan Hongkong Limited (騰展香港有限公司). This is a company registered in Hong Kong whose sole shareholder is based on the Chinese mainland, where VPNs are strictly banned.
Psiphon
VPN Details
VPN Developer: Psiphon, Inc.
- 100,000 new monthly VPN installs
- 4.0 star rating
- 3.3K reviews
VPN Privacy Policy:
Verdict: Non-compliant
While Psiphon should be commended for its professionalism and transparency, Guideline 5.4 does not make allowances based on the granularity of data shared with third parties.
The following is therefore in apparent breach of the rules:
When sharing with third parties, Psiphon only ever provides coarse, aggregate domain-bytes statistics. We never share per-session information or any other possibly-identifying information.
This sharing is typically done with services or organizations we collaborate with — as we did with DW a few years ago. These statistics help us and them answer questions like, “how many bytes were transferred through Psiphon for DW.com to all users in Iran in April?”
Again, we specifically do not give detailed or potentially user-identifying information to partners or any other third parties.
While part of our prior investigation, there are no significant red flags outstanding for Psiphon.
Psiphon, Inc. neither responded to our communication of our findings nor updated their policies.
TunnelBear VPN & WiFi Proxy
VPN Details
VPN Developer: TunnelBear, LLC
- 100,000 new monthly VPN installs
- 4.6 star rating
- 27.2K reviews
VPN Privacy Policy:
Verdict: Compliant
The TunnelBear privacy policy does not contain any elements that would cause compliance issues with Apple’s new guidelines. There are no broader issues with this service’s policies or corporate transparency that we have found.
#VPN
VPN Details
VPN Developer: Apalon Apps
- 80,000 new monthly VPN installs
- 4.5 star rating
- 18.3K reviews
VPN Privacy Policy:
Verdict: Non-compliant
#VPN appears to contravene Guideline 5.4 through its sharing of location data with third parties for advertising.
When we collect your precise geolocation data (subject to your consent) (which may be via the device’s cellular, Wi-Fi, Global Positioning System (GPS) networks and/or Bluetooth information), we do so to provide you with our location-related products and services, for example to provide you with forecast and weather alerts for your location, and also to facilitate, measure, or otherwise support advertising by third parties (through our apps or third parties’ apps) that may be related to your location over time.
Overall, our previous view on the #VPN privacy policy, in that it’s a well-intention but flawed, still stands.
Apalon Apps neither responded to our communication of our findings nor updated their policies.
VPN for iPhone
VPN Details
VPN Developer: Brain Craft Ltd
- 70,000 new monthly VPN installs
- 4.5 star rating
- 18.3K reviews
VPN Privacy Policy:
Verdict: Non-compliant
Brain Craft rushed through an updated privacy policy the day after we contacted them to notify them our findings.
Compare the original policy with the updated version and the difference is so stark that it’s hard to take seriously the developer’s claims that they had already changed the policy before we contacted them. The updated date on the new policy being one day later than the date of our email also suggests otherwise.
The original policy was barely 250 words and lacked any substantive detail to back up its claims of not sharing data. For this reason we deemed it non-compliant despite there being no admission of data-sharing, simply due to a lack of any explanation of how their business practices enabled them to make such a claim.
The new policy may be a big improvement on what it has replaced and as such, does now appear compliant with Guideline 5.4.
However the policy is still much shorter than best practice examples and continues to make data privacy claims that need better substantiation before we could recommend this app in good conscience.
HOTSPOT VPN: Unlimited HotSpot
VPN Details
VPN Developer: HotSpot VPN Ltd
- 70,000 new monthly VPN installs
- 4.7 star rating
- 3.3K reviews
VPN Privacy Policy:
Verdict: Non-compliant
The privacy policy for the confusingly-named HOTSPOT VPN (which has nothing to do with Hotspot Shield or AnchorFree) features the following very broad data-sharing clause that contravenes Guideline 5.4:
Hotspot VPN may disclose automatically collected and other aggregate non-Personal Information with interested third parties to assist such parties in understanding the usage, viewing, and demographic patterns for certain programs, content, services, advertisements, promotions, and/or functionality on the Service.
The developer grants itself significant leeway not just in terms of with whom it can share user data but also for what purpose. The terms “usage” and “viewing” really stand out as providing scope for logging browser activity, which is highly concerning and a clear infringement of the new rules.
This developer is another that has quietly changed its name since we exposed it as having mainland Chinese-ownership despite being registered in Hong Kong along with a shockingly poor privacy policy. Formerly known as HiMobi Tech Ltd, this name has since disappeared from the App Store listing.
The privacy policy continues to have very grave issues that should exclude it from the App Store, such as exposing users’ real IP addresses.
“As described in our Terms, however, we may not provide a virtual IP Address for every web site you may visit and third-party web sites may receive your original IP address when you are visiting those web sites.”
HOTSPOT VPN Ltd neither responded to our communication of our findings nor updated their policies.
