← Avocado

Privacy Policy

Avocado · avocadovpn.link

Effective date

This privacy policy is effective as of January 2026 and applies to all Avocado users. We update this policy periodically to reflect changes in our practices or applicable law. Material changes are communicated via in-app notification or email. Your continued use of Avocado constitutes acceptance of this updated policy. We encourage you to review this policy regularly to stay informed about how we protect your privacy and data security practices.

Who we are

Avocado is a privacy-first VPN application developed by Avocado Privacy Inc., a company dedicated to protecting user privacy and digital freedom. We operate independently from internet service providers and advertising networks. We do not sell data to marketers, trackers, or any commercial entities. Avocado is built on the foundational principle that your online activity is your business alone. We provide infrastructure for secure, private internet access while maintaining transparency about our operations, data practices, and commitment to user autonomy.

Data we collect

When you use Avocado, we collect minimal information necessary for service delivery: VPN connection timestamps (connection and disconnection times) to prevent abuse and maintain service stability; the VPN server location you selected; your connection session duration; your device type and iOS version for compatibility testing; and anonymized bandwidth metrics showing aggregate data transferred (never content). We explicitly do not collect websites visited, DNS queries, application usage patterns, assigned IP addresses, or content of any communications. All data collection follows a strict minimization principle to protect user privacy.

How we use it

Connection timestamps and server locations are used solely to optimize network performance, prevent account abuse, and balance server loads. Bandwidth metrics help us identify capacity issues before they impact service quality. Device information enables compatibility testing and feature optimization across iOS versions. Critically, this data serves no marketing, profiling, or advertising purpose. We never use collected information to build user profiles, target advertisements, understand browsing behavior, or infer personal preferences. Data is used exclusively for internal service operations and security.

Data handling commitment

We do not sell, use, or disclose user data to third parties for any purpose. All data is encrypted at rest using industry-standard encryption and transmitted over secure TLS 1.3 channels. Access is restricted to essential Avocado operations staff bound by confidentiality agreements. We apply security controls comparable to financial institutions and conduct quarterly security audits with third-party firms. Data is isolated from all other business systems. User privacy is our highest operational priority.

Third-party processors

We use the following third-party service providers: Amazon Web Services (AWS) for secure server infrastructure and encrypted data storage with DDoS protection; Stripe for payment processing and fraud detection; and Bugsnag for anonymized crash reporting and error diagnostics. Each processor is contractually required to maintain confidentiality and implement data protection measures. All processors undergo annual security audits. We confirm these third parties provide the same or equal protection for user data as outlined in this policy.

Retention schedule

Connection timestamps are retained for 30 days to detect abuse patterns and maintain service stability, then permanently deleted. Server location data is retained for 30 days for the same purpose. Bandwidth metrics are aggregated and anonymized after 7 days, removing all identifying information. Device information is retained only while your app remains installed. Upon account deletion or app uninstall, all personal data is purged within 14 days. Encrypted backups are deleted within 90 days. Aggregate statistics are retained indefinitely for product improvement.

International data transfers

Avocado operates a global server network across multiple countries. When you connect to a VPN server, your encrypted data routes through international infrastructure. We transfer data only to countries and regions with adequate legal data protection frameworks, including the US, EU, and APAC regions. For transfers outside these regions, we implement Standard Contractual Clauses approved by European authorities. You control which server location you connect to, giving you visibility over data routing.

Your GDPR rights

If you are located in the European Union, the General Data Protection Regulation grants you specific rights over your personal data: the right to access all information we hold about you; the right to rectification of any inaccurate data; the right to erasure, commonly known as the 'right to be forgotten'; the right to restrict processing of your data; the right to data portability in machine-readable format; and the right to object to processing. To exercise any of these rights, contact privacy@avocadovpn.link with 'GDPR Request' in the subject line. We will verify your identity and respond within 30 days.

California privacy rights

California residents have rights under the California Consumer Privacy Act (CCPA): the right to know what personal information is collected about you; the right to delete your personal information; the right to correct inaccurate information; the right to opt-out of the sale of personal information (Avocado does not sell data); and the right to non-discrimination for exercising CCPA rights. To exercise these rights, email privacy@avocadovpn.link with 'California Privacy Request' in the subject line. We will verify your identity and respond within the legally required timeframe.

Security and breach notification

We implement industry-standard security controls including AES-256 encryption, TLS 1.3 for all communications, secure key management systems, and multi-factor authentication for staff systems. We conduct quarterly security audits and annual penetration testing by third-party security firms. In the unlikely event of a data breach, we will notify affected users within 72 hours via email and in-app notification, disclosing the nature of the breach, data affected, and remediation steps. Notification to relevant authorities follows all applicable legal requirements and regulatory timelines.

Contact and complaints

For privacy questions, concerns, or formal complaints, contact us at privacy@avocadovpn.link with 'Privacy Request' in the subject line. You may also file a complaint with your national data protection authority if you believe we have violated your privacy rights. In the EU, contact your local Data Protection Authority. In California, you may file a complaint with the California Privacy Protection Agency. We are committed to resolving concerns promptly, transparently, and in accordance with all applicable privacy laws.

Contact

Questions about this policy? Email support@avocadovpn.link.