This is the kicker here. Nothing else matters.

A business dedicated to privacy is completely incompetent if they can’t even use HTTPS.

I cancelled my sub minutes after learning about the news. I would hope the PIA engineer can see through what buyout propaganda they are being fed and see the writing on the wall.

The user seemed to only omit HTTPS. It certainly is configured for SSL.

https://investors.kape.com/about-us

The company is still incompetent if they're not forcing that HTTP request to HTTPS.

Server sided redirection mistake. Most likely crappy developers were hired, or they don't care about their website in general.

Incompetent seems a bit harsh. Sloppy or careless is more accurate

Defaulting*, forcing it can ocasionally be an issue.