Privacy Policy
Last updated: May 2026
1. General
This privacy policy ("Privacy Policy") applies to all services operated by PremierVPN ("we", "us", "our"), including PremierVPN (VPN service), PrMail (private email), and Encrypted Vault (zero-knowledge file storage), collectively referred to as "Services".
This Privacy Policy explains what data we collect, what we don't collect, how we use the data we do collect, and your rights regarding your personal information. By using any of our Services, you agree to this Privacy Policy.
PremierVPN is registered and operated in the United Kingdom, governed by UK GDPR and the Data Protection Act 2018.
2. Our Core Principle
We collect the minimum data necessary to operate each service. We do not monetise your data, sell it to third parties, or use it for advertising. Where technically possible, we design our services so that we cannot access your data even if we wanted to.
We NEVER keep VPN activity logs, read your emails, or access your encrypted vault files. We cannot — our infrastructure is designed to make this technically impossible.
3. Data We Collect — All Services
The following data is collected across all PremierVPN services:
- Account Information — Email address and password hash for portal authentication. Required for login, billing, and support.
- Payment Data — Transaction identifiers, billing cycle, and plan type. We do not store credit card numbers — payments are processed by third-party payment processors.
- Support Communications — Content of support tickets and emails you send to us. Used only for providing customer support.
- Website Analytics — Anonymised visitor metrics on our marketing website only. IP addresses are fully masked. No analytics are present in the customer portal or any of our service interfaces.
- Session Cookies — Used exclusively for authentication and session management in the customer portal. We do not use advertising or tracking cookies.
We do not require your name, physical address, phone number, or any other personal identifying information beyond your email address.
4. VPN Service — Data Practices
PremierVPN does not log your VPN activity.
What we do NOT collect or log:
- Browsing activity or websites visited
- DNS queries
- Connection or disconnection timestamps
- Your source IP address while connected
- Bandwidth usage per session
- VPN server IP assignments
What we do collect:
- VPN credentials (username and password hash) for connection authentication
- Real-time active session count (in memory only, not logged to disk) to enforce plan connection limits
For full technical details on our logging infrastructure, see our No-Log Policy.
5. PrMail (Private Email) — Data Practices
PrMail is designed to protect your email privacy with multiple layers of protection.
What we store:
- Your email address(es) and alias addresses
- Email messages in your mailbox (stored on encrypted infrastructure)
- Email metadata: sender/recipient addresses, subject lines, timestamps, and message sizes
- Email settings: display name, signature, privacy level, folder structure, and email rules
- Disposable reply address mappings (alias-to-real-address, auto-deleted on expiry)
- Sending statistics for abuse prevention (daily send counts)
What we do NOT do:
- Scan or read your emails for advertising or profiling
- Inject tracking pixels into outbound emails
- Share your email data with any third party
- Include your IP address in outgoing email headers
- Log which emails you open or read
Privacy features that protect you:
- Tracking pixel stripping — invisible trackers are removed before emails reach your inbox
- Remote font blocking — fonts from external servers (which can log your IP) are replaced with system fonts
- Link defanging — shortened URLs are resolved, tracking parameters are stripped, and suspicious domains are flagged
- Disposable reply addresses — replies use temporary aliases so external parties never see your real address
- Send-time randomisation — outgoing emails are delayed by a random interval to prevent traffic analysis
- Zero IP leakage — your IP address never appears in outgoing email headers
Self-destructing messages: Content is encrypted with AES-256-CBC using a key derived from a password you set. We store only the encrypted blob and a hash for verification. We cannot read the message content. After the configured number of views or time limit, the encrypted content is permanently deleted from our database.
6. Encrypted Vault — Data Practices
Encrypted Vault is a zero-knowledge service. Files are encrypted in your browser before upload. We cannot access your file contents under any circumstances.
What we store:
- Encrypted file blobs (AES-256-GCM, encrypted client-side — we cannot decrypt these)
- Encrypted file name metadata (encrypted client-side)
- File size, upload timestamp, and encryption initialisation vector
- Folder structure and organisation metadata
- Share link metadata: token, download count, expiry time, and password hash (if set)
- Dead man's switch settings: enabled status, inactivity period, action preference, and emergency contact email
- Geo-destruction rules: list of approved countries
What we can NEVER access:
- File contents — all files are encrypted in your browser before upload using AES-256-GCM
- Your vault passphrase — it never leaves your browser; we do not store it or any derivative of it
- Encryption keys — derived locally from your passphrase using PBKDF2 with 100,000 iterations
- Decrypted file names — file names are encrypted client-side with the same key
If you forget your vault passphrase, your files cannot be recovered. We do not have a copy of your passphrase or encryption keys. This is by design — it ensures true zero-knowledge storage.
Geo-location checks: If you enable geo-destruction rules, we check your IP address against a geolocation service when you access the vault. This lookup is cached for 24 hours and used solely to enforce your configured country restrictions. We do not log or store your IP-to-country mapping beyond the cache period.
7. Infrastructure and Subprocessors
We use carefully selected infrastructure providers located within the European Union and the United Kingdom to deliver our services. All providers are bound by data processing agreements and are GDPR-compliant.
We use third-party payment processors to handle transactions. We do not store credit card details on our servers.
A full list of subprocessors is available on request by contacting our data controller.
8. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure upon request.
- Payment records: Retained as required by UK financial regulations (typically 6 years).
- PrMail emails: Retained until you delete them or close your account. Auto-purge settings for trash and spam are configurable.
- Disposable reply addresses: Automatically deleted after the configured expiry period (7–90 days).
- Self-destructing messages: Permanently deleted after the configured view limit or time expiry.
- Vault files: Retained until you delete them, they reach their expiry date, or a dead man's switch triggers. Deleted files are permanently removed from storage.
- Support tickets: Retained for 2 years after the last communication, then deleted.
- VPN activity data: Not applicable — we do not collect or store VPN activity data.
9. Your Data Rights
Under UK GDPR, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — request correction of inaccurate personal data
- Erasure — request deletion of your personal data (subject to legal retention requirements)
- Portability — request your data in a machine-readable format
- Object — object to processing of your data for specific purposes
- Restrict — request restriction of processing in certain circumstances
To exercise any of these rights, contact our data controller at the address below. We will respond within 30 days.
Note: For Encrypted Vault, we cannot provide your file contents in response to a data access request because we cannot decrypt them. We can provide the file metadata we hold (encrypted file names, sizes, timestamps).
Data Controller Contact: privacy [at] premiervpn.net
10. Third-Party Disclosure
We do not sell, trade, or otherwise transfer your personal data to third parties. We may disclose account information (email address, payment records) if required to comply with a valid UK legal process. We cannot disclose VPN activity data, email content, or vault file contents because we either do not collect it or cannot access it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and posted on this page. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
For privacy-related questions, data requests, or to report a concern, contact us at [email protected].
For general support enquiries, contact [email protected].