Nautilus VPN: Building a Legal Service in a Regulated Market (and What I Learned)
The Problem: VPNs and Regulation Aren't Friends (Or So It Seemed)
When I started Nautilus a few months ago, I had a clear problem: VPNs operate in a legal gray zone that scares most entrepreneurs. It's not that they're illegal, but they're not exactly well-regulated either.
Most VPN operators you see online? They simply ignore the issue. They buy servers, launch the product, and hope they don't run into legal trouble.
I decided the opposite: make legality my competitive advantage.
The Reality of Jurisdictions
Here's what nobody tells you about operating a VPN:
Spain and the EU have clear regulations (even though many operators ignore them). The ePrivacy Directive, GDPR, and local regulations aren't suggestions—they're obligations.
My first decisions were:
1. Where to host servers: You can't just put servers anywhere. Some countries have mandatory data retention laws. Others have information-sharing agreements that turn your "privacy" into theater.
2. Where to register the company: I decided to keep the company in Spain, not in an offshore jurisdiction. Yes, it's more complicated. But it also means I can look regulators in the eye.
3. What data to keep: This is where most VPNs fail. They say "we don't keep logs" but technically they're lying. Your ISP always knows you connected to a VPN. What I control is what information I collect *within* my infrastructure.
The Technical Stack: How to Build Real Privacy
Looking at the Nautilus repository, you see the typical architecture:
- **Next.js + TypeScript (96% of the code)**: Fast, typed frontend and backend
- **Supabase**: Database with GDPR-compliance built-in
- **Stripe**: Payments, but only billing information—never browsing data
- **Vercel**: Hosting that understands European regulations
But the most important technical decision isn't in the visible code:
Database architecture without connection logs. The VPN server and the subscriber database are intentionally separated. A VPN server never knows which user account is connected. It's a small architectural decision with enormous legal implications.
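To make that separation concrete, here is an added example of the issue/verify split it implies. This is illustrative code, not Nautilus's own, and the names `issueToken`, `verifyToken`, `AccessToken` and the freshly generated Ed25519 keypair are assumptions. The subscription service checks entitlement against the subscriber database and then mints a token that carries only an expiry and a random nonce, signed with a key the gateway does not have; the VPN gateway holds only the public key, verifies the signature and expiry, and has nothing to look up. Because the issuer records no mapping from nonce to account, neither side can later answer "which account held this session", which is the property the "what data to keep" decision above is aiming for.

```typescript
import { generateKeyPairSync, sign, verify, randomBytes, KeyObject } from "crypto";

// Constructed keypair for the example. A real issuer would load its private key
// from a secrets store; gateways would be provisioned with only the public key.
const { publicKey: ISSUER_PUB, privateKey: ISSUER_PRIV } = generateKeyPairSync("ed25519");

// The whole access credential. Note what is absent: no account id, e-mail,
// plan, or customer reference. The nonce is the only per-session value.
export interface AccessToken {
  exp: number;   // expiry as unix seconds
  nonce: string; // 16 random bytes, hex encoded
  sig: string;   // Ed25519 signature over `${exp}.${nonce}`, base64
}

// Canonical bytes that are signed and verified.
const payload = (exp: number, nonce: string): Buffer => Buffer.from(`${exp}.${nonce}`);

// Subscription-service side. `isActiveSubscriber` stands in for a lookup in the
// subscriber database; the result of that lookup is the only thing that crosses
// into token issuance. The function deliberately keeps no record of which nonce
// was handed to which account, so no join between the two datasets can exist.
export function issueToken(
  isActiveSubscriber: boolean,
  nowSec: number,
  ttlSec = 3600,
): AccessToken | null {
  if (!isActiveSubscriber) return null;
  const exp = nowSec + ttlSec;
  const nonce = randomBytes(16).toString("hex");
  const sig = sign(null, payload(exp, nonce), ISSUER_PRIV).toString("base64");
  return { exp, nonce, sig };
}

// VPN-gateway side. It validates shape, expiry and signature only. It has no
// subscriber database to consult and learns nothing about the holder.
export function verifyToken(
  tok: AccessToken,
  nowSec: number,
  issuerPublicKey: KeyObject = ISSUER_PUB,
): boolean {
  if (!Number.isInteger(tok.exp) || tok.exp <= nowSec) return false;
  if (!/^[0-9a-f]{32}$/.test(tok.nonce)) return false;
  const sigBytes = Buffer.from(tok.sig, "base64");
  try {
    return verify(null, payload(tok.exp, tok.nonce), issuerPublicKey, sigBytes);
  } catch {
    // Malformed signature material is a verification failure, not a crash.
    return false;
  }
}

// Stand-alone demonstration with a constructed clock value.
const demoNow = 1_700_000_000;
const demoToken = issueToken(true, demoNow);
console.log("issued:", demoToken, "verifies:", demoToken !== null && verifyToken(demoToken, demoNow));
```

The trade-off to be aware of: since nothing links a token to an account, a cancelled subscription cannot be revoked server-side. Short `ttlSec` values are what enforce it, so the client re-requests a token from the subscription service when the old one expires, and the gateway's own log line for a session can be limited to the nonce and expiry it saw.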
Transparency: The Secret Weapon
In December I updated Next.js to version 15.5.7 specifically to patch a vulnerability (CVE-2025-66478). Why mention this?
Because transparency is legal too. When you find a security problem, you fix it fast. And when you do, you communicate it.
Many VPNs have known vulnerabilities and simply don't fix them. I publish my commits. Anyone can see I take security seriously.
Transparency reports (which I mention in the theme but am still formally implementing) are your strongest legal defense:
- What data requests you received from governments
- How many were completed (probably zero if you did your architecture right)
- What vulnerabilities you found and how you fixed them
This isn't marketing. It's proof you operated legally.
The Business Model: Sustainable and Legal
In October I updated pricing and added a newsletter model with a free trial. Why?
Because a sustainable VPN is a legal VPN. If you need money desperately, you start making compromises:
- Sell user data
- Accept government requests without resistance
- Use servers in problematic jurisdictions
A clear business model means you can say "no" to dirty money.
Nautilus's structure:
- Monthly subscription (transparent model)
- Limited free trial (to validate it works)
- No advertising (no incentive to collect data)
- No third-party partners (no temptation to sell access)
What Most VPN Operators Ignore
1. Government Data Requests
Eventually, a government will ask for information about a user. The question is: what can you give them?
If you designed your system well, the answer is: nothing. You don't even know who's using which IP address at what moment.
If you designed it poorly, you have a legal problem.
2. Compliance with Local Regulations
Spain requires:
- Clear privacy policy (I have one)
- GDPR compliance (I do this)
- Registration with the Spanish Data Protection Agency (pending formalization, but on my roadmap)
- Ability to respond to user rights requests (I have this technical capability)
3. Security Audits
You can't just trust that your code is secure. You need third parties to verify it.
I'm planning an external audit in the next quarter. Yes, it costs money. But it's well-spent because:
- It demonstrates due diligence
- It finds vulnerabilities before an attacker does
- It protects you legally
The Hidden Cost of Ignoring Legality
Many entrepreneurs think: "Why bother? Other big VPNs ignore it and they're fine."
They're fine *until they're not*. And when the problem comes:
- Your company can be shut down
- Your assets can be frozen
- You personally can face legal consequences
- You lose user trust
A security and compliance audit is profitable. A lawsuit is ruinous.
What's Coming: Radical Transparency
My plan for the next few months:
1. Publish transparency report: Document exactly what requests I received, how many I completed, how many I rejected
2. External security audit: Third parties verifying my architecture is as private as I claim
3. Compliance certification: Formally demonstrate I comply with GDPR and Spanish regulations
4. Open-source certain components: Let the community verify my code
This is costly. But it's the cost of operating honestly.
The Takeaway
Legality isn't an obstacle in VPNs. It's your competitive advantage.
While other operators play the "hope we don't have problems" game, you can build with confidence. You can look regulators in the eye. You can sleep at night.
And here's the interesting part: users notice. When they compare VPNs, they don't just see speed and price. They see who's honest about privacy and who's lying.
Nautilus won't be the cheapest VPN. But it'll be one of the few you can use without wondering if the operator is selling your data to someone.
That's worth more than any growth metric.
---
*I'm documenting all this publicly because I believe there's room for ethical VPN operators. If you're building something similar, learn from my mistakes. And if you have questions about navigating legality in privacy services, ask.*
