Legal · Acceptable Use

Privacy is not a licence for abuse

We don't ask who you are. That anonymity exists to protect legitimate privacy — not to shelter the handful of things that harm real people. Here is what you may never host on HushVPS, in plain terms.

Last updated: 14 July 2026

HushVPS exists for journalists, activists, researchers, developers, and anyone who simply doesn't want their infrastructure tied to their real-world identity. Our no-KYC signup and no-logs posture are deliberate privacy features. They are not an invitation to do harm. In fact, minimal data and strong anonymity make us a poor shield for wrongdoing, because we cannot and will not turn those properties into cover for the categories below.

This policy is short on purpose. If you are unsure whether your use case fits, read it carefully, then reach out through our encrypted contact channel before you deploy. The bright lines here are non-negotiable and apply to every plan, every region, and every customer.

Strictly prohibited

The following are banned outright. There is no grey area, no appeal on the merits, and no configuration in which they become acceptable:

  • Child sexual abuse material (CSAM) — any content that sexualises or exploits minors. Zero tolerance. Confirmed cases are terminated immediately and reported to the relevant authorities and hotlines.
  • Malware, botnets and command-and-control — hosting, building, distributing, or operating malicious software, ransomware, stealers, or C2 infrastructure that coordinates compromised machines.
  • Spam and phishing — unsolicited bulk email, snowshoe operations, credential-harvesting pages, fake login portals, and the fraud infrastructure that feeds them.
  • Attacks originating from our network — DDoS or amplification sources, mass port scanning, brute-forcing, credential stuffing, or intrusion attempts aimed at third parties.
  • Trafficking and violent exploitation — human trafficking, sale or coordination of violence against people, and content that facilitates it.

This list is illustrative of intent, not an exhaustive catalogue of every unlawful act. If a use is criminal against people under the law of our hosting jurisdiction, treat it as prohibited here.

What no-KYC does — and does not — mean

Understanding the boundary is easier when you separate two ideas that are often confused.

What it does mean: we do not collect government ID, we do not demand your legal name, and we do not build a profile that links your server to your identity. We accept Monero specifically so that payment cannot become a paper trail. We keep the logs we hold to the practical minimum. That is genuine, structural privacy — the kind you can verify rather than merely trust.

What it does not mean: we are not a "bulletproof" host, and we make no promise to ignore every takedown. HushVPS is an offshore-legal, data-minimising provider — not a lawless one. We operate lawfully in our hosting jurisdiction and we respond to valid legal orders from a competent court in that jurisdiction. When such an order arrives, our answer is bounded by exactly one thing: the little data we actually hold. We cannot hand over what we never collected, but we will not pretend the rule of law does not exist.

Enforcement

We act on credible, well-founded abuse reports for the prohibited categories above. Where a violation is confirmed, we may suspend or terminate the service without refund, and CSAM is reported onward without exception. Because we deliberately minimise the data we hold, suspension of the offending service is frequently our most effective remedy — there is rarely a rich account history to mine, so we stop the harm at its source.

We do not fish for reasons to police lawful, private activity. Running a Tor relay, a VPN endpoint, an anonymous blog, or a personal cloud is exactly what this platform is for. Enforcement is reserved for the genuine abuse this policy names.

To report abuse, reach us through the contact page. PGP-encrypted reports are welcome — the contact page has our key and preferred channel. Please include timestamps, the affected IP or hostname, and enough evidence for us to verify the claim.

How this fits together

This policy is one of three documents that govern your account. The terms of service set out the wider agreement between us, and the privacy policy explains the narrow set of data we do and do not keep. Read together, they describe a simple bargain: strong privacy for people acting in good faith, and firm limits against the few uses that hurt others.

Voice line, and the whole point in eight words: you don't exist, we don't ask — but abuse is where anonymity ends.

Questions about a use case?

If you're unsure whether your project fits within this policy, ask before you deploy.

Reach the team Read the terms