PlatoVPN

Company Background

Location: Based in Shanghai

PlatoVPN is developed by MongoTech, a company based in Shanghai. While the location of a VPN provider might not seem immediately relevant, it can be a factor when considering privacy laws and regulations. China has stringent data retention and surveillance laws, which could potentially affect the privacy of users. Being in a jurisdiction with such policies should be a point of consideration for those concerned about privacy and anonymity.

Advertising and Marketing Scripts

Embedded Scripts: A Privacy Red Flag

Upon initial inspection, one of the standout features of PlatoVPN’s software is the presence of numerous advertising and marketing scripts embedded within it. These scripts not only consume additional bandwidth but also have the potential to compromise user privacy. They can collect a range of data from user behavior to device information, and there’s no guarantee this information is kept secure or confidential. During our testing, we found numerous connections to

• appsflyer.com
• facebook.com
• doubleclick.net

No Independent Audit

A Blind Spot in Credibility

Independent audits are a crucial factor in establishing the credibility and reliability of a VPN service. An audit typically assesses whether the VPN is doing what it claims in terms of privacy and security. Unfortunately, PlatoVPN has not undergone any independent audits. This lack of verification leaves users to rely solely on the company’s claims without any third-party validation.

Privacy Policy: What You Should Know

Collection and Sharing of Personal Information

Perhaps the most alarming revelation comes from PlatoVPN’s privacy policy. The company openly admits to collecting and sharing personal information with third parties. For a service that is essentially designed to protect and privatize your online activities, this admission is a significant blow to its credibility as a privacy-focused tool.

Personal Data Collection

1. Broad Definition of Personal Data: The policy defines personal data very broadly. It can include your name, business name, email, physical address, telephone number, activity and performance information, payment information, and government ID or tax-related information.
2. Collection from Third Parties: The policy explicitly states that your personal data may be collected not just directly from you but also from third parties, affiliates, and subsidiaries. This implies that your data may be aggregated from multiple sources.
3. Automatic Collection: Your device and system information, including device IDs and IP addresses, are automatically collected. This can potentially be used for tracking.

Usage of Personal Data

1. Consent vs Legitimate Interest: The policy states that they either get your consent or rely on “legitimate interest” for data processing. The term “legitimate interest” is a bit vague and could be a catch-all justification for various types of data usage.
2. Marketing and Telemarketing: The policy states that with your consent or sometimes for their “legitimate interest”, they may contact you for marketing purposes, including telemarketing calls.
3. Sharing for Business and Legal Purposes: The policy says your data might be used for security, to prevent fraud, and for legal obligations. This could potentially be another broad category under which data might be shared or used.

Sharing of Personal Data

1. Affiliates and Service Providers: Your data can be shared with affiliates and third-party vendors, potentially increasing the surface area for data mishandling or breaches.
2. Advertisers: Your personal data may be shared with advertisers. This could mean targeted advertising, possibly based on profiling.
3. Law Enforcement: Data may be shared with law enforcement agencies based on the company’s “sole judgment,” which is a somewhat subjective criteria.
4. Business Transfers: Your data can be transferred to a third party in case of a sale, merger, or reorganization of the company. This may be of concern if the acquiring company has a different privacy stance.
5. Legal Processes: Your data can be shared in response to legal processes, which is pretty standard but worth noting.

Other Aspects

1. Cookies and Web Beacons: The policy indicates the use of tracking technologies like cookies and web beacons. While common, this enables tracking your behavior across services.
2. Tailoring User Experience: Your data may be used to personalize your experience, which could include profiling.
3. Consent for Third-Party Sharing: It mentions that with your consent, data may be disclosed to “certain third parties,” but it doesn’t specify who these third parties are.
4. Notification of Business Transfers: The policy claims they will use “reasonable efforts” to notify you if your personal data is transferred to an unaffiliated third party. The term “reasonable efforts” is not clearly defined.

Conclusion

PlatoVPN, developed by MongoTech, fails to meet several critical benchmarks that are essential for a VPN service aiming to provide privacy and security. From its base location in Shanghai, embedded advertising scripts, absence of audits, to its explicit admission of collecting and sharing personal information, the service raises multiple red flags for anyone serious about online privacy.

See also: