Privacy-first VPN

We log domains.
Not lives.

No URLs. No page content. No cookies. No fingerprints. No name, no email, no card. Four data points, every one disclosed below — and why each one is there.

GDPR · UK GDPR · CCPA · UA data law · No account required

The pledge

No marketing claims. Just the source list.

Most "no-logs" VPNs make a strong claim and ask you to trust it. That's the default in this category — and there's a reason most audits, when they happen, find more retention than advertised.

Piligrim doesn't promise a perfect zero. We tell you exactly what we collect, why each piece is necessary for the product to work, and what we deliberately leave out. If something on this list ever changes, it'll be a public commit and a Privacy Policy version bump.

What we collect

The full list. Four items.

01

Anonymous install ID

Why we store it: Generated on your device the first time you install. Used as the key to your wallet ledger (free quota balance, earned Steps, ad-view receipts). No real identity is attached or recoverable.

What we deliberately leave out: Uninstalling and reinstalling on the same machine restores the wallet via this key. Uninstalling without reinstalling permanently revokes everything we have.

02

Country code (ISO-3166)

Why we store it: Detected from your real IP via ipapi.co at install time and once every 24 hours. Used to set ad rates fairly — Tier-1 countries earn more megabytes per ad than Tier-4.

What we deliberately leave out: Country is a single two-letter code (e.g. "DE"), not city, region, or ISP. The lookup bypasses your active proxy so it always reflects your real location, never the exit you chose.

03

Bare domain names

Why we store it: While the VPN is on, the extension matches each page you visit against our ad-network rule set (26 networks). To do that match we store the registrable domain — e.g. "example.com" — not the URL, path, or query string.

What we deliberately leave out: No URLs, no parameters, no page content, no cookies, no form data, no anchors, no titles. Just the domain root. Servers see this batched, not individually correlated to your browsing rhythm.
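The reduction described in item 03, as an added example that is not Piligrim's code: a URL is cut down to its registrable domain, and only per-domain counts are kept for the batch. The suffix set is a constructed subset of the Public Suffix List, and the function and class names are assumptions.

```javascript
// Constructed subset of the Public Suffix List; a real build would bundle the full list.
const SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'com.ua']);

// Reduce a URL to its registrable domain, or null when there is none
// (IP literals, single-label hosts, non-http schemes, bare public suffixes).
function registrableDomain(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const host = url.hostname.replace(/\.$/, '').toLowerCase();
  if (host.includes(':') || /^[\d.]+$/.test(host)) return null; // IPv6 or IPv4 literal
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    // Longest suffix is tried first: labels[i+1..] is the suffix, labels[i] the owner label.
    if (SUFFIXES.has(labels.slice(i + 1).join('.'))) return labels.slice(i).join('.');
  }
  return null;
}

// Aggregate visits into per-domain counts; paths, queries, timestamps and order are dropped.
class DomainBatch {
  constructor() { this.counts = new Map(); }
  record(rawUrl) {
    const domain = registrableDomain(rawUrl);
    if (domain) this.counts.set(domain, (this.counts.get(domain) ?? 0) + 1);
  }
  // Sorted snapshot, so the payload does not reveal which domain was visited first.
  flush() {
    const out = [...this.counts].sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
    this.counts.clear();
    return out;
  }
}

// Constructed sample visits.
function demoBatch() {
  const batch = new DomainBatch();
  ['https://www.example.com/account?id=42#billing', 'https://blog.example.com/',
   'https://shop.example.co.uk/cart', 'http://192.168.1.10/admin',
   'chrome-extension://abc/page.html'].forEach((u) => batch.record(u));
  return batch.flush();
}
```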

04

Ad-view events

Why we store it: When an ad we replaced is actually visible on screen (≥50% in viewport for ≥1 second), the extension signs a report with your ECDSA P-256 install key and POSTs it. That receipt credits megabytes to your wallet and proves to us the impression wasn't spoofed.

What we deliberately leave out: A receipt records: ad slot ID, format, your install ID, a timestamp. Not the page URL, not the page content, not user behavior around the ad.

What we do not collect

Things absent from the receipt.

  • Page URLs, query parameters, path, anchors
  • Page content, titles, form data, cookies
  • Browsing rhythm or session timelines
  • Name, email, phone, payment, account
  • Cross-site behavioral profiles
  • Device fingerprints (canvas, WebGL, fonts)
  • IP-to-identity links (we never join your IP to a user)
  • Ad-tech identifiers, MAID, IDFA, cookie syncs
  • Anything from sites on the premium-news blocklist
  • Anything from sites on the ad-network self-domain list

The revenue path, end to end

How we make money, in 90 seconds.

Piligrim is a free VPN funded by ad replacement. While the extension is on, our content script identifies a small number of display ad slots on pages you visit (max 3 per page) and swaps them for our own creatives, served from our ad server.

Advertisers pay us per viewable impression. We split that revenue with you: every ad you actually see credits megabytes to your wallet, which buys premium residential VPN traffic. The rest pays for proxy bandwidth, hosting, and the runway.

That's the entire model. There's no upsell, no premium tier, no waitlist for "pro features," no data brokerage, no subscriber list sold to third parties.

Premium news publishers and ad-network self-domains are never modified — hardcoded in the extension, not toggleable by us. The blocklist is auditable in our Privacy Policy.

Privacy that's enforced, not promised

Architecture, not policy.

The strongest privacy guarantees are the ones we can't break even if we wanted to. Here are the five we ship in code.

ECDSA-signed impression reports

Each ad-view receipt is signed with a P-256 private key that is generated on your device at install time and never leaves it. The server verifies every claim cryptographically — bots can't forge receipts to drain our budget, and we can't fabricate receipts attributed to you.
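The sign-and-verify flow described here and in item 04, as an added example that is not taken from Piligrim's code. The receipt field names, the JSON encoding, the key registry, the five-minute freshness window and the replay check are assumptions; the page specifies only ECDSA P-256 and the four receipt fields.

```javascript
// Added example: field names and encoding are assumptions, not Piligrim's wire format.
// WebCrypto is global in browsers, extension workers and Node 20+; older Node uses the fallback.
const { subtle } = globalThis.crypto ?? require('node:crypto').webcrypto;
const KEY_ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG_ALG = { name: 'ECDSA', hash: 'SHA-256' };

// Fixed field order so client and server sign and verify identical bytes.
const encode = (r) => new TextEncoder().encode(
  JSON.stringify([r.installId, r.slotId, r.format, r.ts]));

// Client side: the private key is created non-extractable, so it cannot be exported.
async function newInstallKey() {
  return subtle.generateKey(KEY_ALG, false, ['sign', 'verify']);
}
async function signReceipt(privateKey, receipt) {
  return { receipt, sig: await subtle.sign(SIG_ALG, privateKey, encode(receipt)) };
}

// Server side: verify against the public key registered for the install ID,
// then reject stale timestamps and exact replays of an already accepted receipt.
function makeVerifier(registeredKeys, maxAgeMs = 5 * 60_000) {
  const seen = new Set();
  return async function verify({ receipt, sig }, now = Date.now()) {
    const pub = registeredKeys.get(receipt.installId);
    if (!pub) return 'unknown-install';
    if (!(await subtle.verify(SIG_ALG, pub, sig, encode(receipt)))) return 'bad-signature';
    if (Math.abs(now - receipt.ts) > maxAgeMs) return 'stale';
    const id = JSON.stringify([receipt.installId, receipt.slotId, receipt.ts]);
    if (seen.has(id)) return 'replay';
    seen.add(id);
    return 'ok';
  };
}

// Constructed sample data: one registered install, one unrelated key.
async function demo() {
  const now = 1_700_000_000_000;
  const installA = await newInstallKey();
  const otherKey = await newInstallKey();
  const verify = makeVerifier(new Map([['install-A', installA.publicKey]]));
  const receipt = { installId: 'install-A', slotId: 'slot-1', format: 'banner', ts: now };
  const good = await signReceipt(installA.privateKey, receipt);
  const tampered = { receipt: { ...receipt, slotId: 'slot-2' }, sig: good.sig };
  const wrongKey = await signReceipt(otherKey.privateKey, receipt);
  return [await verify(good, now), await verify(good, now), await verify(tampered, now),
          await verify(wrongKey, now), await verify(good, now + 3_600_000)];
}
```

A valid signature shows only that the holder of the registered key produced those exact bytes; the freshness and replay checks are what keep a captured receipt from being credited twice.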

Sandboxed creative iframes

Replacement ads load in a chrome-extension:// iframe with a strict sandbox. They cannot read cookies, access the parent page, or set tracking pixels — they're structurally incapable of fingerprinting you.

MV3 declarativeNetRequest (no traffic interception)

We block third-party ad-network requests via declarative rules, not by intercepting traffic in a background script. The browser enforces the rules; we never see your request bodies.

Country lookup bypasses your active proxy

When we check your country code, the request goes via your real IP — not your selected Sanctum. This means we always know your true country (so we can pay you fair rates), but we deliberately never know what country your active proxy is in.

No cross-site session continuity

Receipts go to our ad server batched. We don't correlate ad views to a behavioral timeline — there is no graph of "the user with install ID X visited domain A then B then C." Per-domain counts only.

Legal posture

Compliance under four regimes.

GDPR (EU)

Lawful basis: legitimate interest for ad-funded operation; explicit consent for ad replacement. Right of access, rectification, erasure honored within 30 days — uninstall is the fastest path.

UK GDPR

Mirrors GDPR. UK representative listed in Privacy Policy. ICO complaints accepted.

CCPA / CPRA (California)

We do not sell personal information. "Do Not Sell" toggle is structurally unnecessary — there is no sale path. We honor verifiable consumer requests under the act.

Ukraine — Law on Personal Data Protection

Piligrim's operating entity is Ukraine-registered. We comply with Article 8 transparency and Article 14 cross-border processing requirements.

Full Privacy Policy and Terms of Service list every processor (Webshare for proxy, ipapi.co for country, our ad server) and their jurisdictional footprint. Both are versioned; you'll see a notice in the extension popup when either changes.

When NOT to use Piligrim

Piligrim is a road, not a fortress.

If your threat model includes a state-level adversary — journalism in an authoritarian regime, whistleblowing, evading targeted surveillance — Piligrim is the wrong tool. We are a casual-use, free VPN for the open web. We don't operate the proxy infrastructure ourselves (we lease it from Webshare), we don't run hardened anonymity hops like Tor, and we don't pretend to.

Use a paid commercial VPN built for that purpose, or Tor, or both. Piligrim is for the millions of cases that aren't life-and-death — keeping ad networks out of your head, watching content from elsewhere, getting privacy that doesn't cost forty dollars a year you don't have.

FAQ for skeptics

Hard questions. Straight answers.

Why should I trust an ad-funded VPN?
You shouldn't trust any VPN on the marketing claim alone. Read our architecture: privacy guarantees are enforced in code (sandboxed creatives, signed receipts, MV3 declarative blocking, country lookup that bypasses your own proxy) — not in a Privacy Policy paragraph. If the model lets us cheat, the policy doesn't matter. We've designed the model so the cheat path is closed.

Can law enforcement get my data?
We can hand over what we have, which is the four items listed above: install ID, country code, bare domains visited while the VPN was on, signed ad-view events. We don't have URLs, content, identity, payment, or behavioral timelines — because we never collected them. A subpoena cannot produce data that doesn't exist.

Who owns the company?
Piligrim is operated by a Ukrainian legal entity. Full corporate details are listed in the Terms of Service. The product is closed-source by intention — we believe a freely-distributed, ad-funded VPN is a serious target for clones and we prefer not to make that trivial.

Where is your jurisdiction?
Operating entity: Ukraine. Servers (proxy network): leased from Webshare, multi-region. Ad server and wallet ledger: Switzerland (Bern). Our jurisdictional answer to a foreign legal request is constrained by Ukrainian law first.

What about an independent privacy audit?
Not yet. Audits are expensive (typically $40K–$100K for a respected firm) and we're not at the install volume that justifies the spend. When we are, the audit and the auditor's findings will be public. Until then: read the code paths we describe and the Privacy Policy, and decide whether the architecture is credible.

Can you change the Privacy Policy quietly?
No. Policy changes show a notice in the extension popup on next open, with a clear summary of what changed. You're prompted to re-consent before the new policy applies; declining keeps you on the prior version until you uninstall.

What's the catch?
You see a few replaced display ads while browsing — same number you'd see anyway, just funding your VPN instead of an ad network. That's the entire trade.

Privacy you can verify, not just trust.

Install in one click. The receipt for what we know about you is on this page.