Privacy

What we see. What we don't. What you can do about it.

The honest version: GlassBox VPN is built to operate on the absolute minimum information possible. Your WireGuard public key, your assigned tunnel IP, the email alias you give us, and a paid-up signal from Stripe. That's it on the GlassBox VPN side.

We are allergic to PII and we are actively working on ways to reduce what we see, including payment methods that do not transmit your real name. This page documents exactly what reaches us today, including the parts we wish were smaller.

This is the third pillar of GlassBox: nothing collected that we don't strictly need.

What OSS Actually Sees

The honest, specific version. Three columns: what we always see, what we see only when you pay with a card, and what we never see regardless.

Always (every paid subscription)

  • The email alias you provided at checkout
  • Your assigned tunnel IP (10.x.x.x)
  • Your WireGuard public key
  • Subscription status (active, canceled)
  • Active connection state on the server (live, not historical)
  • Current session bandwidth rate (live, not stored)

Only when you pay with a card

  • Cardholder name as printed on the card
  • Billing ZIP code
  • Last 4 digits of the card number

Card networks require name + ZIP for AVS fraud prevention. Stripe surfaces these to us in the transaction record. There is no way for any merchant to opt out of this and accept cards.

Never (regardless of payment method)

  • Your full card number
  • Your full billing address
  • Your phone number
  • Your real name (if paying via Cash App Pay)
  • Your home IP address
  • DNS queries (logging is disabled)
  • Browsing history
  • Historical traffic or bandwidth records
  • Connection logs or session history
  • Account passwords (no accounts)

You can verify the tunnel-side claims. The Unbound DNS configuration on the GlassBox VPN servers (with logging disabled) is published on Forgejo. The daily filesystem snapshots show every config file and hash. If we said we weren't logging and we actually were, the files would be there.

Paying with the Least PII

We took two configuration steps in Stripe to reduce what reaches us by default. Stripe Link is disabled account-wide, so saved-profile data from past Stripe purchases at other merchants does not leak into our records. Klarna and Affirm are disabled, which removes those buy-now-pay-later providers as data paths.

Beyond that, the choice of payment method controls how much we see:

For better privacy: Cash App Pay. Transmits your $cashtag instead of a legal name. No ZIP code. No card-derived PII. We see a paid signal and your $cashtag.

For maximum privacy: a prepaid Visa gift card. Buy one with cash at a convenience store, register it online with throwaway info (any name, any ZIP), and use it at our Stripe checkout. Stripe accepts it. We receive whatever throwaway info you put on the card. This is legal under US law.

We are telling you this because we believe in your right to privacy. Most VPN providers will not.

Coming when we can deliver it: USDC subscriptions. We want to accept stablecoin so the payment loop carries no card-network PII at all. We will turn it on when it works cleanly with the rest of the stack.

What Stripe Holds That We Don't

Stripe is the source of truth for billing data. They hold the full card number, the full billing address, and your full payment history across every Stripe merchant you have ever paid. They are bound by their own privacy policy and PCI compliance.

We do not have a database of customer payment data. We have transaction records that show: which subscription is active, which alias paid, the IP and pubkey custom fields the customer entered, and the AVS fields described above.

What the Tunnel Does and Does Not Do

WireGuard creates an encrypted tunnel between your device and the GlassBox VPN server. Beyond that, important nuances:

Encryption

All traffic in the tunnel is encrypted using WireGuard's standard cryptographic stack (Curve25519, ChaCha20, Poly1305, BLAKE2s). Your ISP cannot see the contents of your traffic. They can see that you are connected to a GlassBox VPN server, and that's it.

End-to-End TLS

Most modern web traffic (HTTPS, encrypted apps, messaging) is already end-to-end encrypted between your device and the destination. GlassBox VPN sees encrypted traffic going out and encrypted traffic coming back. The server cannot read what you are doing inside that traffic, even at the moment it is flowing through.

DNS Resolution

GlassBox VPN runs Unbound, a recursive DNS resolver, with blocklists applied and query logging disabled. When you ask "where is example.com," the resolver answers from cache or upstream sources. The query is processed and forgotten.

What GlassBox VPN Cannot See

Page content. Form submissions. Passwords. Anything inside an HTTPS connection. GlassBox VPN routes encrypted packets, it does not inspect them. We could not log what you type into a website even if we wanted to.

Subpoenas and Legal Process

GlassBox VPN is operated by Open Source Security, Inc., a Delaware S-Corporation, and is subject to United States law.

What Could Be Compelled From GlassBox VPN

  • The WireGuard public key associated with the subscription
  • The assigned tunnel IP
  • The server location
  • The email alias used at signup
  • That the peer was active at the time of the request

What Could Be Compelled From Stripe (Not From Us)

If law enforcement wanted card-network identity (real name on card, billing ZIP, full address, payment history), they would have to subpoena Stripe directly. We do not have that data to produce.

What Cannot Be Compelled From Anyone

Nothing that does not exist can be produced. There are no DNS query logs to subpoena. There is no browsing history. There is no historical traffic data. There are no connection logs. We cannot turn over what was never collected.

Warrant Canary

A warrant canary is published weekly at oss-blocklist.net/verify/warrant-canary.txt with a 14-day grace period. If the canary stops updating beyond that window, treat it as broken and act accordingly. The canary confirms that Open Source Security, Inc. has never received a government request for customer information, a court order to log user activity, a National Security Letter, or any directive to modify GlassBox VPN infrastructure.

Self-Hosted Infrastructure

Everything that runs GlassBox VPN is operated by OSS on infrastructure we control. We do not use third-party SaaS providers for any customer-facing system. The website, the WireGuard servers, the DNS resolvers, the support ticketing system, the membership portal, the source code repository, and the GlassBox transparency portal all run on servers we operate directly.

The only exception is payment processing through Stripe, which is required for accepting US billing.

Your Rights

If you want to know exactly what GlassBox VPN has on you, the answer is in this document. There is no hidden database to query. There is no "data export" we can run because there is nothing to export beyond what's listed in the "What OSS Actually Sees" section.

To cancel your subscription, visit the Stripe Customer Portal and enter the email alias you used at signup. Cancellation takes effect at the end of your current billing period. Your peer is removed from the WireGuard configuration and the public key entry is deleted from the server. That is the entire offboarding process.

To access billing data on file (real name, billing address, card history): contact Stripe support. GlassBox VPN does not have access to it.

Cookies and Web Analytics

OSS sets zero cookies on the glassboxvpn.com marketing site. No consent banner is needed because there is nothing to consent to.

Two minimal analytics layers run on the marketing site, both self-hosted by OSS, both open source, both disclosed honestly:

  • Self-hosted Umami for aggregate browser, device, and region stats. No cookies. No persistent identifier. No PII under any privacy framework. Never shared with anyone.
  • Caddy access logs for traffic monitoring and abuse response. Some IPs hit the server directly, many are masked by edge providers and CGNAT before they arrive. We do not save IPs long-term, do not link them to individuals, do not share them. Logs rotate out on a 30-day cycle.

The full cookie policy, including how to verify all of this in your browser's developer tools, is on the cookies page. The customer dashboard is reachable only through the WireGuard tunnel: access is enforced at the network layer by tunnel IP, not by session cookies or login forms. The dashboard sets no cookies either.

Privacy Questions?

For privacy-related inquiries:

privacy@opensourcesecurity.net

Last updated: May 2026