Skip to main content

eduVPN privacy policy

go to eduvpn webpage

This is the privacy statement of eduVPN, a service provided by GARR, the National Research and Education Network of Italy. By choosing to use eduVPN, you acknowledge that you have read, understood, and agree with this privacy statement and GARR's Acceptable Use Policy. GÉANT, the cooperation of European National Research Networks, facilitates the eduVPN service and has a privacy overview published here https://www.eduvpn.org/privacy-overview/.

1. Overview and Service Description

GARR offers the eduVPN service to enable students, faculty, and researchers to securely and seamlessly connect to the internet, including over public networks or when working outside their institutions. eduVPN has been designed with privacy and security in mind since the very beginning because these two aspects are considered inseparable within the eduVPN service.

GARR collects, stores and logs certain data to provide and ensure the proper operation of eduVPN. We also use the data for auditing and analysis purposes to maintain, protect and improve the service. Our principles regarding data collection are:

  • Minimization: GARR collects only the personal data necessary to operate the service.
  • Purpose Limitation: Personal data are used solely for the purposes for which they were collected.
  • Trust: GARR does not sell personal data to third parties and does not access or monitor the content of VPN traffic except for limited purposes related to debugging and secure maintenance operations.
  • Transparency: GARR is transparent about the processing of personal data and logging.

The legal ground for processing personal data is GARR's legitimate interest in providing the eduVPN service and preventing misuse of the GARR network. Users have the right to inspect the personal information and the data that are collected to provide the service, and, in some cases rectify it, request its deletion, or restrict its processing. Requests can be sent to privacy@garr.it. In case of disagreement with GARR's handling of personal data, users may file a complaint with the Italian Data Protection Authority.

2. Detailed Information

2.1 Contacts

The Data Controller for this service is Consortium GARR, Via dei Tizii, 6 - I-00185 Roma - Italy. Email: privacy@garr.it.

The Data Protection Officer (DPO) is Davide Vaghetti. Email: dpo@garr.it.

2.2 Jurisdiction and Supervisory Authority

This service falls under the jurisdiction of the Italian Data Protection Authority: https://www.garanteprivacy.it.

2.3 Categories of Processed Personal Data

GARR collects and logs personal data and user traffic for the operation of the eduVPN service.

2.3.1 eduVPN Service Logs

To provide and debug the eduVPN service, GARR collects the following user data:

  • Used profile (e.g., 'Secure Internet')
  • UserID (e.g., 'b466f1047193791ga9aop7224a98fd24a1ce4551')
  • Configuration file name (e.g., 'Android_1478521025')
  • Assigned VPN IP addresses (e.g., '131.114.20.11 and 2001:610:188:71::1008')
  • Connection start timestamp (e.g., '2025-01-01 13:17:19')
  • Connection end timestamp (e.g., '2025-01-01 13:23:40')

These logs are retained for 180 days.

2.3.2 Access Logs

All client requests are logged by the access logs of the web server of the eduVPN service to be able to provide, secure, and debug the service. The collected information are:

  • Real IP address of the visitor
  • Timestamp of the request
  • Client request line (e.g., 'GET / HTTP/1.0')
  • Status code returned by the server (e.g., 200, 404)
  • Response size in bytes
  • Requested page/URL

These logs are retained for 180 days.

2.3.3 Error Logs

In case of errors, GARR collects the following information:

  • Timestamp of the error
  • Error category (low - severe)
  • Client's IP address
  • Error code or message

These logs are retained for 180 days.

2.3.4 User Traffic Logging

While GARR does not actively monitor or view the content of user traffic under normal conditions, user traffic (including traffic content) may be logged in specific cases for debugging and maintenance purposes. These logs are treated with strict confidentiality and are only accessed for the necessary duration to resolve technical issues.

2.3.5 Statistics

eduVPN servers generate general, anonymous statistics such as:

  • Total number of unique users
  • Highest number of concurrent connections

No personal data are included in these statistics.

2.4 Purpose and Legal Ground for Processing Personal Data

GARR offers the eduVPN service to enable students, faculty, and researchers to connect to the internet securely and seamlessly, even when using public networks or working outside their institution.

GARR processes the personal data outlined above to provide the eduVPN service. The legal ground for this processing is GARR's legitimate interest in ensuring the service functions correctly, maintaining its security, and preventing abuse on the GARR network.

2.5 Third Parties to whom the data are communicated

GARR does not share personal data with third parties for commercial purposes. However, since user authentication is handled by the user's Home Organization, it will be aware that the user accessed the eduVPN service.

For purposes related to the legitimate interests of the Controller or the fulfilment of legal obligations, some log data may be processed by third parties (e.g., CERT, CSIRT, or Judicial Authorities).

2.6 User Rights

Users have the right to inspect the personal information and the data that are collectected to provide the service and, in some cases, the user can rectify or delete the data and or restrict the processing of the data. The user may also object to the the processing of the personal information.

Requests can be sent to privacy@garr.it or dpo@garr.it.

If users do not agree with how GARR handles personal data, they have the option to file a complaint with the Italian Data Protection Authority.

go to eduvpn webpage