
Privacy Policy

Last updated: April 18, 2026

1. Introduction

StreamLeaf Media Inc. ("StreamLeaf", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal information when you use our services, including the StreamLeaf website, browser extensions (Chrome, Edge, Firefox), mobile applications, and desktop applications (collectively, the "Service").

2. Information We Collect

We collect the following types of information:

  • Account Information: Email address and password (hashed with bcrypt) when you register using an invite code. We also store your display name if you choose to set one.
  • Payment Information: Subscription and payment data is processed and stored by Stripe, our third-party payment processor. We do not store your credit card numbers on our servers. We receive transaction metadata (plan type, billing status, invoice history) from Stripe.
  • VPN Session Data: When you connect to the VPN, we record session start/end times and bandwidth usage (bytes transferred) for service management and abuse prevention. We do not log, monitor, inspect, or store your browsing activity, DNS queries, or the content of your internet traffic.
  • Device and Technical Information: Device type, operating system, browser type, and IP address for authentication, security, and service delivery. Your IP address is not logged after authentication.
  • Communications: Support inquiries and feedback you submit to us.

3. Browser Extension (Chrome, Edge, Firefox) — Data Handling Disclosure

This section describes how the StreamLeaf VPN browser extension (also known as ObfusNet VPN, extension ID: ohbnamlchbohicpegdonedmnaohmakko) collects, uses, stores, and shares user data. The extension's single purpose is to function as a VPN (Virtual Private Network) client that encrypts and routes your web traffic through StreamLeaf's secure servers.

3.1 Data the Extension Collects

| Data Type | Collected? | Purpose | Stored Where | Shared? |
|---|---|---|---|---|
| Email address | Yes | Account authentication (login) | Locally in chrome.storage.local | Sent to StreamLeaf server (streamleaf.net) for login only |
| Authentication tokens (JWT) | Yes | Maintaining login session | Locally in chrome.storage.local | Sent to StreamLeaf server for API authentication only |
| VPN connection preferences | Yes | Remembering user's selected server/protocol | Locally in chrome.storage.local | No — never leaves the device |
| Browsing history | No | — | — | — |
| Search queries | No | — | — | — |
| Page content | No | — | — | — |
| Cookies | No | — | — | — |
| Form data | No | — | — | — |
| IP address | No | Seen transiently during authentication but not logged or stored | — | — |
| Location data | No | — | — | — |
| Personally identifiable information | Only email | Login | Locally + server (hashed password) | No third parties |

3.2 How the Extension Uses Data

  • Authentication: Your email and password are sent to streamleaf.net via HTTPS to authenticate your account. Upon successful login, a JWT token is stored locally in chrome.storage.local to keep you signed in.
  • VPN Proxy Routing: The extension uses Chrome's proxy API to configure a PAC script that routes your web traffic through StreamLeaf's encrypted proxy servers. The proxy connection is authenticated using your session token. The extension does not read, intercept, modify, or log any web page content or URLs.
  • Session Management: The extension uses the alarms API to periodically refresh authentication tokens and send heartbeat signals to the VPN server to keep the connection alive.
  • Status Notifications: The extension uses the notifications API to inform you when the VPN connects, disconnects, or encounters an error.
  • Web Requests: The webRequest permission is used to add authentication headers to proxy connections. The extension does not read or modify request/response bodies.

3.3 Data Sharing and Third Parties

The extension communicates only with StreamLeaf servers at streamleaf.net. Specifically:

  • No data is sent to advertising networks
  • No data is sent to analytics or tracking services
  • No data is sold, rented, or traded to any third party
  • No data is shared with any entity other than StreamLeaf's own servers for the purpose of providing the VPN service

3.4 Data Storage and Retention (Extension)

  • Local data: Authentication tokens, email, and user preferences are stored in chrome.storage.local on your device. This data is automatically removed when you uninstall the extension.
  • Server-side data: Your account information (email, hashed password) is stored on StreamLeaf servers. VPN session metadata (connection timestamps, bytes transferred) is retained for 90 days, then automatically deleted. No browsing activity or traffic content is ever stored on our servers.
  • Deletion: You can delete your account and all associated data at any time via the Settings page at streamleaf.net/settings or by contacting privacy@streamleaf.net.

3.5 Permissions Justification

  • proxy: Required to configure the browser's proxy settings to route traffic through the VPN.
  • webRequest: Required to attach authentication headers to proxy connections.
  • storage: Required to persist login state and user preferences locally.
  • notifications: Required to display VPN connection status alerts.
  • alarms: Required for periodic token refresh and connection keepalive.

3b. Android Application Data Practices

Our Android VPN application uses the following permissions:

  • VPN Service (android.net.VpnService): Required to create and manage the encrypted VPN tunnel. All network traffic is routed through the tunnel while connected.
  • Internet: Required to connect to StreamLeaf VPN servers and authenticate your account.
  • Foreground Service: Required to keep the VPN connection active while the app is in the background. A persistent notification is shown while the VPN is running.
  • Notifications: Used to display VPN connection status (connected, disconnected, errors).
  • Query Installed Packages: Used solely for the split tunneling feature, which lets you choose which apps route traffic through the VPN. The list of installed apps is displayed locally and is never transmitted to our servers or any third party.

The Android application does not collect, transmit, or store: your browsing history, DNS queries, traffic content, contact list, call logs, SMS messages, photos, files, location, or any sensor data.

4. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the VPN service
  • Authenticate your identity and manage your account
  • Process payments and manage subscriptions via Stripe
  • Communicate service updates, security alerts, and account notifications
  • Detect and prevent fraud, abuse, and unauthorized access
  • Comply with applicable legal obligations

5. Information Sharing

We do not sell, rent, or trade your personal information. We may share data with:

  • Stripe (Payment Processor): To handle subscription billing securely. Stripe's privacy policy governs its use of your payment data.
  • Infrastructure Providers: Cloud hosting and CDN services that help deliver the VPN service. These providers process data on our behalf under strict data processing agreements.
  • Legal Authorities: When required by law or to protect our rights. As a VPN service, we have minimal data to share, since we do not log browsing activity.

6. Data Storage and Retention

Your data is stored as follows:

  • Account data: Stored in our encrypted database for as long as your account is active.
  • VPN session logs: Session metadata (timestamps, bandwidth) is retained for 90 days for service quality and abuse prevention, then automatically deleted.
  • Payment records: Retained by Stripe in accordance with their data retention policy and financial regulations.
  • Browser extension data: Stored locally on your device. Uninstalling the extension removes all locally stored data.

Upon account deletion (available via your account settings or by contacting us), we remove your personal data within 30 days, except where retention is required by law.

7. Data Security

We employ industry-standard security measures including:

  • Encryption in transit (TLS 1.3) for all API communications
  • Encrypted VPN tunnels (VLESS-over-WebSocket with TLS)
  • Password hashing with bcrypt (12 rounds)
  • JWT-based authentication with short-lived access tokens (15 minutes)
  • Regular security audits

No system is completely secure, but we strive to protect your data with industry best practices.

8. Children's Privacy

Our Service is not intended for children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (available via Settings or by contacting us)
  • Export your data in a portable format (available via your account settings, limited to once per day)
  • Withdraw consent for data processing
  • Object to processing or request restriction of processing
  • Lodge a complaint with a supervisory authority

10. Cookies

We use essential cookies for authentication and session management on the StreamLeaf website. We do not use third-party advertising or analytics cookies. The browser extension does not use cookies; it uses the browser's extension storage API instead.

11. International Data Transfers

Your data may be processed in countries other than your own, as our VPN relay servers are located in multiple regions (including Finland, the Netherlands, and Turkey). We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through the Service at least 30 days in advance. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact Us

For privacy-related inquiries, contact our Data Protection Officer at privacy@streamleaf.net.

© 2026 StreamLeaf Media Inc. All rights reserved.