For the other 2 recommended public VPN providers, Proton & Mullvad, their official apps on Play Store point to their respective HQs (in Genève & Göteborg).
My point was, if the company selling iVPN’s services (on the Play Store, if no where else) is in Zug, Switzerland, is it then not subject to Swiss laws? Can it be said to be based in Gibraltar?
I understand that Proton also has multiple office around the globe, but their service on Play Store are not sold by those subsidiaries, but (from the looks of it) by the Geneva HQ.
Maybe @viktorivpn wishes to clarify? Or we can email them.
I was wondering if this is a Google Play limitation, but it seems apps can be transferred to new accounts if your business relationship changes in a pretty straightforward way.
When government or law enforcement has served legal process on IVPN by email, a duplicate hard copy must be personally served at the IVPN headquarters at:
We do have a Swiss company which was set up to provide an alternative to Gibraltar if necessary. We used that company to publish our Android app as Google does not accept merchants (ie. can’t receive payouts) based in Gibraltar:
The Swiss GmbH is also 100% owned by the IVPN founder and owner Nicholas Pestell.
The important part here is that the coreIVPN Service is operated by the Gibraltar company. As such, we treat each and every legal requests the same if it’s coming from outside of Gibraltar, and we don’t consider ourselves having “dual jurisdiction”.
I figured you would not be subject to Swiss jurisdiction in terms of server-side logging/changes (since that is what your legal page says), but I wonder if it’s possible for a Swiss court to compel client-side changes on Android? I don’t know if there is any precedent for this in Swiss legislation or case law.
In terms of this being a Site Development post I think we could note this somewhere anyways (not as a warning), and link to viktor’s reply here as an explanation.
I am not sure this really matters outside of just being more precise on our site, but I suppose the extra-paranoid can use a generic WireGuard client with IVPN’s servers if they only want to have business dealings with IVPN Limited exclusively for whatever reason.
The dual-jurisdiction would matter in terms of iVPN’s Gibraltar as the only legal seat claim. PG discourages jurisdiction shopping, but it does demand a transparent ownership structure for this particular category. Also, it comes to down to just how much such marketing claims must be put under scrutiny.
imo, as a community-driven project, PG would do well to hold its recommended products to a higher bar in some of the categories, if not all. Especially since PG is usually hesitant in replacing existing recommendations.
May be that discussion needs its own thread.
And I keep going back to what @epoberezkin suggested about “privacy impact assessments”, too:
Regarding your “dual jurisdiction” assessment. Yes we operate in two jurisdictions, that’s a legal fact, but the majority of our operations (including operations of Gibraltar company and core VPN service) are not affected by Swiss laws. The basis of my argument was that Swiss authorities cannot directly compel the Gibraltar company to log or hand over data, just as they could not directly compel Mullvad to hand over data or change their infrastructure to support a logging mandate through a Swiss operated white label. You could say this means IVPN has “dual jurisdictions”, I would rather characterise it as IVPN Limited, a Gibraltar based service having a Swiss sister company (what a weird term) that handles the distribution of its open-source Android app in an app store, which is a severely limited mandate and implies a different threat model for the business and the customers.
While I won’t provide specifics here, all requests to the Gibraltar company have been treated in accordance with the legal guidelines linked above. If a legally enforceable order comes to the GmbH that prevents us from honoring our privacy policy (still limited to the Android application published in the Play Store), we would use all available avenues to fight it, and if that’s not possible we would stop publishing the Android app under the GmbH. That hasn’t happened yet and it’s not a material threat as the current Swiss legal framework is favorable to VPNs and there is no statutory requirement for retaining traffic logs (currently, and we are closely monitoring the VÜPF ordinance and its fate).
To reiterate, we have stated many times regarding Gibraltar, if we were to get into any situation where our promises cannot be kept, we’d move jurisdictions in compliance with exit obligations (sans logging data). If that’s not possible we would shut down the business before compromising our customers. Same applies to the Android app (jonah’s scenario), and we feel that’s a sufficient guarantee.
I think that’s a fair request and my key takeaway here. We will find a way in alignment with the actual potential impact on users ie. mention on the Android app page vs. modifying legal guidelines which are not impacted by it.
IANAL: Depends on whether Mullvad’s home country and the whitelabeller’s have any mutual agreements in place (which is indeed that case for Sweden and Switzerland as members of EU+EFTA and European Council)?
As for Gibraltar (by the way of the UK) and EFTA (Switzerland, Iceland, and Norway), the 2007 Lugano Convention was in effect until Brexit in 2020 (though, the UK wants to rejoin), but for now, the UK (and thus Gibraltar) will rely on the Hague Convention of 2019, which also allows for enforcement and recognition of foreign judgements in Gibraltar for commercial and civil matters (that said, it seems like isn’t as comprehensive as Lugano)?
Appreciate it.
Nice. Thanks. Even better if this makes it to legal part of your agreement with consumers.