Privacy Policy
Effective date: May 4, 2026 · Applies to: all openlawsvpn apps and clients
Short version: The openlawsvpn app does not collect, store, or transmit any personal data to openlawsvpn servers. In direct mode, your VPN traffic goes directly to your own AWS endpoint. Relay mode, by its nature, requires minimal data to transit the relay service; see section 3 for details.
1. What we collect
Nothing. The app does not collect any personal information, usage analytics, crash reports, or telemetry. There are no SDKs in the app that phone home.
2. Data stored on your device
The following data is stored locally on your device only:
- VPN profiles (.ovpn files) — stored in app-private storage with restricted permissions (mode 600 on Linux; excluded from Android Auto Backup on Android).
- Connection logs — held in memory while the app is open; cleared when the process ends. Never written to disk.
No data from any client is accessible to other apps or synchronized to any cloud service.
3. Data transmitted
The only network traffic initiated by the app is:
- VPN tunnel traffic — encrypted and routed directly to your organization's AWS Client VPN endpoint. openlawsvpn servers are never in the data path.
- SAML authentication — your identity provider's login page opens in a system browser (a separate process). The app receives only the resulting SAML token; it never sees your credentials or the login page content.
- Relay mode (optional) — if you use the relay feature, only the data that the relay, by its nature, requires to deliver VPN auth to the remote agent transits the openlawsvpn relay service. This data is not stored beyond the duration of the session (60-second TTL). Direct connections never touch openlawsvpn servers.
4. Logging
Direct connections — the app connects directly to your AWS endpoint. No openlawsvpn infrastructure is involved and no connection data is logged by us.
Relay mode (optional) — relay traffic passes through the openlawsvpn relay service (AWS API Gateway). Standard access logs are retained for 30 days in AWS CloudWatch for security and abuse-prevention purposes. These logs may include your IP address, timestamp, and request metadata. They are not sold or shared with third parties and are deleted automatically after 30 days.
5. Third-party services
The app does not integrate any third-party analytics, advertising, crash-reporting, or data-processing services.
6. Permissions
Each client requests only the permissions required to operate as a VPN client. On Android:
- INTERNET — required to establish the VPN tunnel.
- BIND_VPN_SERVICE / VpnService — required by Android to create a VPN tunnel interface.
- FOREGROUND_SERVICE / FOREGROUND_SERVICE_SPECIAL_USE — keeps the VPN running while the app is in the background.
- POST_NOTIFICATIONS — displays the persistent "Connected" notification and Disconnect action (Android 13+).
- ACCESS_NETWORK_STATE — detects network loss so the app can update its status when the tunnel drops.
On Linux, the CLI and GUI require no special permissions beyond the network capabilities needed to create a tunnel interface (CAP_NET_ADMIN and CAP_NET_RAW, or running as root).
No location, contacts, camera, microphone, or unnecessary storage permissions are requested on any platform.
7. Children's privacy
The app is not directed at children under 13 and does not knowingly collect information from children.
8. Changes to this policy
If this policy changes materially, the updated version will be posted at this URL with a revised effective date. The app is open source — all changes are visible in the public repository.
9. Contact
Questions about this policy: security@openlawsvpn.com