Privacy Policy

NOOR IT SERVICES LIMITED (company number 16083731) is the data controller for personal data described in this policy. Registered office: 14 Havelock Court, Guru Nanak Road, Southall, England, UB2 4NR. Correspondence may be sent to the same address.

Privacy requests: privacy@noorvpn.com. General support: support@noorvpn.com. Legal: legal@noorvpn.com.

We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where EU GDPR applies to you (e.g. you are in the EEA), equivalent rights generally apply; contact us to discuss your jurisdiction.

This policy covers our public website, customer dashboard, desktop and mobile applications (Windows today; Linux and iOS on roadmap), payment and checkout flows, referral programme, Discord community links, status page (status.noorvpn.cc), and customer support channels.

It does not cover third-party websites or services you access through the VPN tunnel — those operators have their own privacy policies. It also does not cover third-party payment processors beyond the data we receive from them to confirm your subscription.

NoorVPN is designed so that we cannot see what you do online. We do not log, store, or analyse:

Your original IP address while connected to the VPN.

IP addresses of websites, apps, or services you access through the tunnel.

DNS queries made through the tunnel.

Contents of your communications (pages, messages, files, streams).

Session start or end times linked to your identity.

Bandwidth usage per user or per session.

We do not sell VPN usage data and we do not respond to requests for browsing history we do not possess. VPN gateway nodes are operated with RAM-first, minimal-retention architecture as described on our No Log VPN Policy page.

To provide the service we process: your NoorVPN account number (stored to authenticate dashboard and app sessions), optional 6-digit PIN (stored using appropriate hashing for verification), optional device labels you assign in the dashboard, and technical session tokens that keep you logged in to the website. We do not require an email address to create an account.

Device registration records enforce the three-connection limit. They include device identifiers generated by our systems, not browsing activity. You may remove devices from the dashboard at any time.

If you lose your account number, recovery uses our invoice-based flow: you submit a paid invoice ID from a prior purchase and receive a new account key if matched. We do not operate a traditional password reset by email because we do not collect email at signup unless you optionally add one later for PIN recovery.

We strongly recommend saving your account number and payment invoices offline. Never share your account number in public channels or with untrusted resellers.

Subscriptions are paid in cryptocurrency through third-party payment processors (e.g. NOWPayments). We receive payment status, plan duration, cryptocurrency type, and transaction references needed for accounting and fraud prevention. We do not store traditional card numbers because we do not accept card payments on this service.

You may have at most three open pending payment sessions at a time; metadata about those sessions (expiry, amount, status) is stored until completion or expiration.

Payment records required for tax and audit purposes may be retained for up to 7 years under UK law, separate from VPN activity data. Billing enquiries: billing@noorvpn.com.

If you participate in referrals, we process your referral code, link clicks, conversion events, commission balances, and payout history. This is billing-related data, not VPN traffic. Referral statistics are visible in your dashboard. Abuse (self-referral, fraud) may result in forfeiture of commissions and account action under our Terms.

If you email us or contact Discord, we process the content you send, your email address (if used), Discord username (if visible), and metadata needed to reply (timestamps, ticket references). We use this only to resolve your request, not for advertising profiles or sale to third parties.

Support retention: typically up to 24 months unless a longer period is needed for an open dispute or legal obligation.

Login and registration use Cloudflare Turnstile to mitigate automated abuse. Turnstile may process browser signals as described in Cloudflare's privacy documentation. We use Turnstile only on authentication flows, not inside the VPN tunnel.

Our website uses minimal cookies necessary for session management and security. See our Cookie Policy. We do not use Google Analytics or advertising trackers on noorvpn.com.

Servers may process aggregate, non-identifying metrics (for example total load on a location, packet loss, uptime) to maintain performance. These metrics are not linked to individual users or browsing behaviour.

Error logs on client and server systems may contain diagnostic information (app version, OS type, error codes). We configure these to avoid user browsing content and minimise personal data. Where IP addresses appear in transient error logs for DDoS mitigation, they are not correlated to VPN accounts for activity profiling.

Contract performance — running your subscription, authenticating sessions, and providing downloads and support you request.

Legitimate interests — security, fraud prevention, abuse detection (including payment limits and Turnstile), network reliability, and improving the service without profiling users for ads. We balance these interests against your rights.

Legal obligation — tax, accounting, and regulatory record-keeping where UK law requires.

Consent — only where we explicitly ask (for example optional marketing, which we currently do not run). You may withdraw consent without affecting the lawfulness of prior processing.

Account data: for the life of your account plus up to 30 days after confirmed deletion request, unless law requires longer retention of related billing records.

Support emails: typically up to 24 months unless a longer period is needed for an open dispute.

Payment records: as required by UK tax and company law (generally up to 7 years).

VPN session data: not retained in an identifiable form linked to your account.

Referral ledgers: for the life of the programme participation plus statutory retention for tax where commissions were paid.

Under UK GDPR you have the right to access, rectify, erase, restrict processing, data portability, and to object to certain processing based on legitimate interests. You may lodge a complaint with the Information Commissioner's Office (ICO) in the UK: ico.org.uk. EEA residents may complain to their local supervisory authority.

To exercise your rights, email privacy@noorvpn.com. We respond within 30 days unless the request is complex or numerous, in which case we will inform you of an extension up to two further months where permitted.

Erasure requests may be limited where we must retain billing records by law or where data is necessary to establish, exercise, or defend legal claims.

Our primary infrastructure is in the UK and EU/EEA. VPN servers may be located in multiple countries to provide the service; those locations do not receive browsing logs from us because we do not generate them.

If personal data (e.g. support email) is processed outside the UK/EEA, we use appropriate safeguards such as UK International Data Transfer Agreement addendum or Standard Contractual Clauses where required.

TLS 1.3 for website traffic, AES-256-GCM in the VPN tunnel, access controls on production systems, hashed credentials, separation of billing and VPN operations, and regular review of permissions. No method is 100% secure; report suspected vulnerabilities responsibly to legal@noorvpn.com.

NoorVPN is not directed at users under 18. We do not knowingly collect data from minors. Contact privacy@noorvpn.com if you believe a minor has created an account and we will take appropriate steps to delete it.

We may update this Privacy Policy. Material changes will be announced on our website and, where we hold your email and the change affects you directly, by email at least 14 days before they take effect when feasible. The date at the top shows the latest version. Continued use after the effective date constitutes acceptance where permitted by law.

Terms of Service, No Log VPN Policy, Cookie Policy, Imprint, Contact.