Privacy Policy

Last updated: 14 May 2026 · Effective for all users worldwide

This Privacy Policy describes how Hopto Networks Ltd., a company incorporated under the laws of the Republic of Seychelles (registered office: Suite 23, Global Gateway 8, Rue de la Perle, Providence, Mahé, Seychelles), and operating the website and service known as Proxy Hopto (the “Service”), collects, uses, retains and discloses information.

Proxy Hopto was built on the principle of data minimisation. We collect the strictly necessary amount of information required to operate the Service, and not a single byte more. We do not run third-party analytics on this site, we do not embed third-party trackers, and we do not share data with advertising networks. If you read nothing else, read this: we cannot disclose what we do not have.

1. Who we are & how to contact us

Data controller: Hopto Networks Ltd., Mahé, Seychelles.
Email: privacy@proxyhopto.io
Abuse reports: abuse@proxyhopto.io
We do not maintain a postal address for service of process. All correspondence is electronic.

2. What we collect

The total list of personal data we hold about a customer is as follows:

• Email address, provided by you at registration. You may use a pseudonymous or burner email — we do not verify it.
• Salted bcrypt password hash, derived from the password you choose. We never have access to your plaintext password.
• Order metadata: order ID, plan, EUR price, BTC amount in satoshi, the public Bitcoin receiving address we generated, the public transaction ID (txid) once paid, and timestamps.
• Session cookie: a randomly-generated session identifier, valid for 7 days, stored in your browser to keep you signed in.
• Provisioned credentials: a SOCKS5/HTTPS username and password generated server-side and tied to your account.

We do not collect or store any of the following:

• Your real name, postal address, phone number, government ID or any KYC document.
• The IP address you used to register, sign in, or use the Service. Web server access logs are discarded in memory and never written to persistent storage.
• Connection logs, DNS logs, bandwidth meters, destination websites, or any payload from your proxy traffic.
• Browser fingerprints, device identifiers, or third-party advertising identifiers.

3. How traffic is handled on our network

Proxy Hopto is a decentralized mesh of residential and datacenter exit nodes. When you send traffic through the Service, it is routed across one or more hop nodes and emitted from an exit node in the country you have configured. Metadata is deliberately dropped at each hop:

• Hop nodes do not write source/destination tuples to disk.
• Exit nodes do not retain DNS queries, TLS SNI, HTTP host headers or any portion of the payload.
• Our control plane authenticates your credentials and returns an entry node — but does not see what you do after.

Independent verification: a no-log audit by Cure53 was conducted on 12 February 2026 and is published at /audit-2026.pdf. A new audit is scheduled annually.

4. Bitcoin payments

We accept payment exclusively in Bitcoin (BTC) on the main chain. We do not use a third-party payment processor. Your transaction is broadcast to and verified against the public Bitcoin blockchain. We retain only the public txid and the satoshi amount. We do not link your Bitcoin address to your account beyond what is strictly necessary for invoice reconciliation; we do not perform on-chain analysis on our customers.

5. Cookies

We use a single first-party session cookie (phopto.sid). It is HTTP-only, SameSite=Lax, and not shared with any third party. We do not use marketing cookies, analytics cookies or social-media pixels. You can clear it at any time from your browser; clearing it will simply sign you out.

6. Legal basis & jurisdiction

Hopto Networks Ltd. is incorporated in the Republic of Seychelles, a non-EU and non-FATCA jurisdiction. The Service is operated from Seychelles and our infrastructure is distributed across multiple jurisdictions selected for privacy resilience.

We are not subject to the EU GDPR or to U.S. CLOUD Act compulsion. We will, however, voluntarily honour any reasonable individual rights request — see Your rights below.

7. Disclosure

We do not sell, rent or trade personal data with anyone, ever.

We will resist any subpoena, warrant, court order or governmental request that is not enforceable in our jurisdiction. Where an order is enforceable, we will disclose only the minimum we are technically able to produce — which, by design, is limited to the email address you provided, your bcrypt hash, your order metadata and the public txid. We will append every such enforced disclosure to our warrant canary.

8. Warrant canary

As of the “last updated” date above, Hopto Networks Ltd. has not received any subpoena, national-security letter, gag order, or order from any government, court or law-enforcement authority compelling disclosure of customer data, installation of surveillance equipment, or modification of our software. We commit to updating this statement no less than once per quarter. The absence of an update for more than 90 days should be considered a signal.

9. Security

Passwords are stored using bcrypt with a per-user salt and a configurable cost factor. Database backups are encrypted at rest with rotated keys. Servers run on hardened Debian images with kernel-level lockdown, full-disk encryption, and remote attestation. All inter-service traffic uses mTLS. The website is served over TLS 1.3 with HSTS preloaded.

10. Retention & deletion

Account-level data is retained while your account is active. You may request full deletion at any time by emailing privacy@proxyhopto.io from the address on the account. Deletion is unconditional and irreversible; it does not entitle you to a refund of past payments.

11. Your rights

Although we are not subject to the GDPR, we voluntarily extend to every user the rights of access, rectification, erasure, restriction, portability and objection. To exercise any of these, email privacy@proxyhopto.io from the account email. We will respond within 14 days.

12. Children

Proxy Hopto is not intended for users under 18. We do not knowingly accept registrations from minors and will delete any such account on notification.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law or in our practices. Material changes will be announced on this page at least 30 days before they take effect, and the “last updated” date will be revised. We will never update this policy in a way that retroactively reduces the privacy of data already collected.

14. Governing law

This Privacy Policy is governed by the laws of the Republic of Seychelles, without regard to its conflict-of-laws rules. The competent courts of Victoria, Mahé, have exclusive jurisdiction over any dispute arising from it.