A year inside our transparency report: every government request, summarised
2025 calendar year retrospective. Fourteen subpoenas served. Zero we could comply with — because there was nothing to produce. The one weird quarter, the warrant canary, and what we are adding to the 2026 report.
We publish a transparency report twice a year. This post is a single, annotated walk through the 2025 calendar year — every government request we received, what jurisdiction it came from, how it was served, and what we did with it. The numbers are dry. That is the point. Excitement in this section of the business is bad news.
The headline numbers
- 14 government requests received over the year, across 9 jurisdictions.
- 11 validly served (correct entity, correct procedure for the requesting jurisdiction).
- 3 invalidly served (wrong entity — typically directed at our Panama parent via a foreign subpoena that has no force in Panama, or addressed to a subsidiary that does not handle user data).
- 0 requests we could comply with by producing user data, because there was no user data to produce.
- 0 National Security Letters or equivalent gag-order instruments received during the year. The warrant canary, last updated April 1 2026, continues to confirm this.
How requests reach us
Most arrive by certified mail to our registered agent in Panama City. A handful arrive by email to our legal address from law-enforcement liaisons in countries where we operate pops. A small number arrive through MLAT — mutual legal assistance treaty — channels, which is the proper way to get something from a Panamanian entity if you are a foreign government.
We log the existence of each request (date, jurisdiction, type) in our internal request register. We do not log the substance — we cannot, because the substance often names members or destinations, and we have a policy of not retaining anything tied to identifiable members beyond the immediate response cycle. Once the response is sent, the request file is sealed.
What we did with each
In every one of the 14 cases, the response had the same structure: an explanation of our architecture, a statement that no responsive records exist, and (for the 11 valid requests) an offer to provide a sworn declaration to that effect if the requesting authority needed one for their case file. Three did. Eleven did not.
This is the boring, durable shape of our compliance posture: we do not refuse requests. We respond to valid ones honestly. The honest answer is that our exit nodes run from RAM, our control plane does not retain session data, our payment system does not link to session data, and we cannot produce what we do not have. The auditor verified this posture in the most recent infrastructure review.
The one weird quarter
Q3 was unusual. A provincial court in Brazil sent us three separate requests over a six-week period asking for member records associated with an IP address that resolved to our São Paulo upstream during a window in which we did not operate a São Paulo pop yet — São Paulo was on the planning list, not the operating list. The IP belonged to an upstream peer, not to us.
We responded to each request explaining the architecture, the corporate structure (Panama-domiciled, no Brazilian subsidiary handling user data), and the specific factual matter that the IP in question was not ours during the asked-about window. By the third request our local counsel suggested, gently, that we offer to send someone to court to explain in person. The court declined and the matter closed.
We are not being flippant about this. A court that genuinely needed to investigate a serious matter ran into our architecture three times, and each time we answered as clearly as we could. The pattern — multiple requests, same factual misunderstanding, escalating frustration on both sides — is a real cost of running an audit-public privacy product. Members benefit from the architecture; investigators occasionally hit it as a wall.
The warrant canary
A warrant canary is a public statement, updated at a fixed cadence, that a company has not received certain classes of secret legal process — typically National Security Letters under US law, or equivalent gag-bound instruments in other jurisdictions. The mechanism is negative: if we have received one and are gagged from saying so, we stop updating the canary. The absence of an update on schedule is the signal.
Our canary is updated quarterly on the first business day of each quarter. April 1 2026 was the most recent update. The statement reads, in part: "PlanetProxy has not received a National Security Letter, FISA order, or equivalent gag-bound legal process from any jurisdiction in which the company operates." That statement is signed by two officers, including our Head of Privacy. If you ever load our transparency page and the canary is older than expected, that is a signal worth paying attention to.
The pattern over time, and what we are adding next
Over three years of reporting, the volume has trended up modestly — from single-digit requests in 2023, to 11 in 2024, to 14 in 2025. Most of the growth is law enforcement in jurisdictions where we have added pops, which is expected. The shape has not changed: roughly four-fifths validly served, zero compliable, zero gag-bound. We expect 2026 to look similar.
There is also one category we do not currently publish that we will start publishing in the mid-2026 report: takedown requests against our domain — DMCA notices, ccTLD-level domain complaints, and similar. We have always logged these internally. We did not initially include them in the transparency report because they are not member-data requests. We have since heard from researchers and journalists that the volume and shape of those requests is itself useful signal — it shows what kind of pressure a privacy operator faces on the infrastructure side, separate from the user-data side.
So starting with the H1 2026 report, we will publish takedown counts, by category and by jurisdiction, alongside the existing user-data request table. We will not publish the substance — many of these notices are spurious and naming the senders would attract a different category of trouble — but the totals will be there.
Things this report cannot tell you
It cannot tell you what happens in countries where we do not operate. It cannot tell you about requests served on upstream providers, transit networks, or datacenter operators about traffic that happened to pass through our exits. Those are not our records to disclose; the upstream operators have their own transparency obligations.
It also cannot prove the absence of something we are gagged from disclosing. That is what the warrant canary is for, imperfectly. If you are a member who needs higher assurance than the canary provides, the honest answer is that no commercial VPN can give it to you — defense in depth (Tor, isolated devices, careful operational security) is the right answer for those threat models.
For everyone else, the report is what it is: 14 requests, 0 produced records, one weird quarter, and a canary that is still chirping. Same time next year.
Run PlanetProxy for seven days, on us.
Same purple tile cards you see on this page, plus the green lock and a 50 ms hop to wherever you want to be.
Start the trial →More from the dispatch
Inside Planet ProxyPP · DispatchWhy we are domiciled in Panama (it is not the cliché)Inside Planet Proxy · 5 minWhy we are domiciled in Panama (it is not the cliché)
Privacy companies always seem to be from Switzerland, the British Virgin Islands, or Panama. Here is the actually-substantive reason we picked Panama, and the trade-offs that came with it.
Inside Planet ProxyPP · DispatchWe rebuilt our mobile app this spring. Here's what changed.Inside Planet Proxy · 6 minWe rebuilt our mobile app this spring. Here's what changed.
A note from inside the design team. Why we threw out two years of UI, what we replaced it with, and the hard choices we made about what to leave on the cutting room floor.
- Inside Planet ProxyPP · DispatchWhy we run our servers from RAM (and what that bought us)Inside Planet Proxy · 7 min
Why we run our servers from RAM (and what that bought us)
Diskless boot, tmpfs everything, every reboot wipes the box. The structural reason we can tell auditors there is nothing to log to — and the operational tax we pay for that property.