I’ve read through over 120+ VPN logging policies to find out which VPNs keep which logs and can potentially endanger a user’s anonymity.
This analysis revealed that at least half of reviewed VPNs either keep some logs, are unclear about what logs they keep, or can compromise a user’s privacy in another way.
Here’s what I found:
- 47% of VPNs are based in 5/9/14 Eyes countries.
- 15% of VPNs don’t make it completely clear in their privacy policies which information they store.
- 14.4% of VPNs log traffic activity.
27% of VPNs log your IP address whilst you’re connected. - 50% of VPNs log your connection timestamps in one way or another.
- 42% of VPNs log your server location.
- 10% of VPNs log ALL OF THE ABOVE
What’s a No-Logs VPN?
How Can I Trust a VPN’s “No-Logs” Claim?
The first step to verify whether this claim is true is to check privacy policies or terms of use of a VPN provider. If they’re transparent and clear about which data they retain or don’t retain, there’s a lower risk of them misleading you about what happens to your data.
Go to our comparison table of VPN logging policies to see which VPNs keep which logs.
The second step is to check the VPNs’ commitment to their policies.
You can do that by checking whether the VPN logging policies have been independently audited or verified in another way.
Go to our table of audited VPN providers to see the list of verified providers.
As an additional step, you can also check which servers a VPN is using.
If it’s using RAM-only servers rather than hard drives, it means that any data is automatically erased each time a server is rebooted. In this case, there’s no possibility of VPN logging and therefore, no possibility of your data being recorded.
Go to our table of VPN providers that use RAM-only servers to see what those VPNs are.
What Kind of Data Can / Should VPNs Log?
Your Traffic Activity
So, if you don’t want your data to leak or be flooded with ads when you browse, I recommend opting for a VPN that doesn’t log your traffic activity.
"This analysis revealed that at least half of reviewed VPNs either keep some logs, are unclear about what logs they keep, or can compromise a user’s privacy in another way."
Your IP Address
A VPN that possesses logs of your originating IP address can easily match that address to you – which means that whoever else gets that data can do the same.
Similar to traffic logs, free VPNs often retain IP logs.
For instance, HMA’s privacy policy makes it clear that if you use their free browser extension, your IP address will be collected.
This is a significant issue for users concerned about their privacy – IP addresses are even considered “personal data” in some jurisdictions.
I’d recommend choosing a VPN that doesn’t log your IP address if you’re such a user.
Your Connection Timestamps and Server Location
VPN connection logs can include:
- Time and date of connection
- Connections to a specific server
- Bandwidth usage
The times you’ve connected to and disconnected from a VPN service using specific servers can also be recorded. Unlike VPN logging of IP addresses and traffic, however, this type of logging can help VPN solve network issues for users.
For instance, if too many users connect to a single server at the same time, a VPN can take steps to improve the user experience on that server or create other servers nearby to reduce overload.
However, connection timestamps can also be used to potentially identify a user, especially when paired with an IP address or traffic logging.
Data can be analyzed to match a user’s online activity at a specific time to a specific IP address, thus removing any kind of anonymity.
To prevent that, some VPNs use aggregate timestamp and server logs – anonymized aggregated data about usage. It’s important to pay attention to whether a VPN logging policy stipulates that that’s what’s happening, and if yes, how.
For instance, VPNhub’s privacy policy says that they may aggregate data to calculate a percentage of users accessing a certain feature.
Therefore, to ensure a logging policy prioritizes your privacy, it’s important to check how VPNs collect connection data together with other data.
VPN Logging Policies: Policies of 120+ Services Reviewed
VPN logging of traffic activity can include:
- Domain names and URLs of visited pages
- DNS requests
- Browser type
- Usage metadata
If a VPN logs the domain names or URLs of pages you visited and DNS requests, for however short a period, it’s a major red flag. The data about your online activities can be lost, stolen, requested by authorities, or simply sold to third parties like advertisers.
Free VPN providers are often guilty of the latter – that’s how they make money.
For instance, Hola VPN’s privacy policy explicitly states that their log data of free users may include browser type, web pages they visit, etc.
A no-logs VPN is a VPN service that doesn’t collect information a user transmits, or shares, through the network. If a VPN keeps logs that can potentially identify you as its user, that defeats the point of a VPN that promises to protect your privacy.
For that reason, many providers claim to be “no-logs” VPNs.
| Provider | Link to privacy policy, relevant provisions | Country | Which logs they keep/don’t keep | |||
| Traffic activity | IP address | Connection timestamps | Server location | |||
| NordVPN |
“Nord guarantees a strict no-logs policy for NordVPN Services, meaning that your internet activity while using NordVPN Services is not monitored, recorded, logged, stored or passed to any third party. We do not store connection time stamps, used bandwidth, traffic logs, IP addresses or browsing data.”
|
Panama | No | No | No | No |
| ExpressVPN |
“We ensure that we never log browsing history, traffic destination, data content, IP addresses, or DNS queries. Therefore:
|
BVI | No | No | No | No |
| IPVanish |
“We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”
|
USA (5-eyes) | No | No | No | No |
| CyberGhost |
“Connection Attempt: We collect this information to know the usage request directed to our Service on a particular hourly/ daily/ weekly/ monthly interval, the country of origin (but not your source IP address), your CyberGhost VPN version, etc. This metric allows us to properly adjust our infrastructure according to the demand.”
“Through our strict no-logs-policy, we ensure that we do NOT track user traffic performed inside the CyberGhost VPN tunnel such as: browsing history, traffic destination, search preferences, data content, IP addresses or DNS queries”.
|
Romania | No | No | Aggregate | No |
| Surfshark |
“We do not collect IP addresses, browsing history, session information, used bandwidth, connection time stamps, network traffic and other similar data.”
“The information we collect contain aggregated performance data, the frequency of use of our Services, unsuccessful connection attempts and other similar information. As you probably already understood, the data collected for diagnostic purposes does not contain uniquely identifiable information.”
|
BVI | No | No | No | No |
| ProtonVPN |
“In order to respect our users’ privacy, ProtonVPN enforces a strict no-logs policy. This means we keep no session usage logs of what you do online, and we do not log metadata that can compromise your privacy.
|
Switzerland | No | No | No | No |
| Kaspersky |
“URLs can be sent to be checked whether they are malicious. <...> Information about logins and passwords, if contained in the initial browser request from the user, is removed from the visited URL addresses up to the hostname or IP address.”
The data, which you provide <...> can include the following types of data:
URLs (network addresses) to be checked by the product based on the purpose of the product, including visited websites, addresses in the mail, etc.
Network addresses of client devices.”
|
Russia | Yes | Yes | Yes | Yes |
| Hola |
“We have a no logs policy for Hola Premium and Ultra Subscribers. We do not track nor store logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. Additionally, we never store connection logs, no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.
Free users Log Data: Log data may include the following information - browser type, web pages you visit, time spent on those pages, access times and dates.”
|
Israel | Free users only | No | Free users only | No |
| Aura (Hotspot Shield) |
“While we log what domain names that users visit (but not full URLs), we do not log them in combination with anything that identifies an individual or device”.
“Our VPN products do not log or otherwise record IP addresses, device identifiers, or any other form of identifier in combination with your VPN browsing activity.”
“Usage information. We collect information about how you interact with our services, such as how often you use our services, how much bandwidth you use, and when and for how long you use our services.
For example, we may collect device identifiers, browser types, device types and settings, operating system versions, mobile, wireless, and other network information (such as internet service provider name, carrier name and signal strength), and application version numbers.”
|
USA (5-eyes) | Domain names only | No | Yes | Yes |
| FastestVPN |
“We do not store your logs in any way. Any information or logs related to your browsing history - the websites you visit, the content you download or stream, your traffic destinations, or your DNS queries - stays with you and you alone”.
|
Cayman Islands | No | No | No | No |
| HMA |
“With our no-logging policy, you can use HMA VPN knowing that we’ll never collect, record, or see:
“If you use the free HMA VPN Proxy Unblocker for Chrome and Firefox browsers, this is the personal data that gets collected:
|
UK (5-eyes) | Domain names of free users only | Free users only | Free users only | No |
| Private Internet Access |
“The above-mentioned Personal Data is not, at any point, associated with any kind of activity done by the user inside the Private Internet Access VPN which is NOT recorded, logged or stored at all.”
|
USA (5-eyes) | No | No | No | No |
| Hidester |
“We may also collect your connection country, as well as dates (not times) when connected to the Service, choice of server location, and the total amount of data transferred per day. We do NOT collect log traffic data nor browsing activity from Users of the Service. When sending an auto-generated Error Report, neither the Member IP address nor his account information is sent to us.”
|
Hong Kong | No | No | Dates only | Yes |
| F-secure |
“We do not keep any logs about connections established through the VPN service to external addresses. We cannot link the IP address of your browsing destination to you”.
To protect the service against fraudulent use, we maintain temporary logs that contain the duration of the VPN sessions, the amount of data transferred, the device ID, public IP address, and host name from where the VPN client connects to our service. Traffic anomalies that look like a potential abuse of our service (such as port scanning, spamming, or DDoS attacks performed by our clients) are detected by our software and will be logged as well. The logs are stored for 90 days prior to deletion, and can be used to deal with any misuse of our service or attacks against us.”
|
Finland | No | Yes | Yes | Yes |
| AtlasVPN |
“We are no-logs VPN: we do not collect your real IP address and we do not store any information that identifies what you browse, view, or do online via that VPN connection. We may collect basic application usage data (app events). We use basic app analytics to measure performance of our app. That collects data on such app events as changing the application settings, opening settings screen or starting a trial of Atlas VPN Premium.
We do not store your real IP address or see and collect information on what you browse when connected.”
|
USA (5-eyes) | No | No | Yes | No |
| LimeVPN |
During our normal course of duties, we do not monitor, record or store logs for any single customers VPN activity.
We have absolutely No logs VPN on:
We will however record the following data:
|
Hong Kong | No | No | Yes | Yes |
| Smart DNS Proxy |
 “The Website does not, and will not, actively monitor user activity for inappropriate behavior, nor do we maintain direct logs of any customer's Internet activities. However, we reserve the right to investigate matters we consider to be illegal or violations of the terms of the Agreement. We may - but are not obligated - in our sole discretion, and without notice, remove, block, filter or restrict by any means any materials or information (including, but not limited to, e-mails) that we consider to be actual or potential violations of the restrictions set forth in the Agreement, and act to prohibit any other activities that may subject us, or our customers, to liability.
|
USA (5-eyes) | Unclear | Yes | Unclear | Unclear |
| StrongVPN |
“StrongVPN does not collect or log any traffic of its Services, making us a zero-logging VPN.
We do not track your activities outside of our Site, nor do we track your browsing activities when you’re logged into our VPN service.
StrongVPN uses cookies to:
|
USA (5-eyes) | No | No | Aggregate | No |
| Wachee |
We ensure you that we never log browsing history, traffic destination, data content, or DNS queries.
In order to maintain excellent customer support and quality of service, Wachee collects the following information related to your Services usage:
<...>
Successful connection
We collect information about whether you have successfully connect or disconnect, and from which country.”
|
USA (5-eyes) | No | No | Yes | Yes |
| Turbo VPN |
“We do not collect any data related to your online activities. We do not collect data logs of your activities, including:
1) Browsing history;
2) Traffic destination;
3) Data content; and
4) DNS queries.
We do not collect data of your connection logs, including:
1) Your IP address;
2) Your outgoing VPN IP address;
3) Connection timestamp; and
4) Session duration.
For free Turbo VPN, we work with third party advertising partners to offset the cost of providing our services. We do not target advertisements based on your data. We do not share or use your data in connection with third party advertisers without your prior consent.”
|
Singapore | No | No | No | No |
| Aura (TouchVPN) |
“While we log what domain names that users visit (but not full URLs), we do not log them in combination with anything that identifies an individual or device”.
“Our VPN products do not log or otherwise record IP addresses, device identifiers, or any other form of identifier in combination with your VPN browsing activity.”
“Usage information. We collect information about how you interact with our services, such as how often you use our services, how much bandwidth you use, and when and for how long you use our services.
For example, we may collect device identifiers, browser types, device types and settings, operating system versions, mobile, wireless, and other network information (such as internet service provider name, carrier name and signal strength), and application version numbers.”
|
USA (5-eyes) | Domain names only | No | Yes | Yes |
| VyprVPN |
“- We do not log a user's source IP address (typically assigned to the user by their ISP).
- We do not log the IP address assigned to the user when using VyprVPN.
- We do not log connection start or stop time.
- We do not log a user's traffic or the content of any communications.”
|
Switzerland | No | No | No | No |
| Windscribe |
“When you use Windscribe, we keep the following data associated with your account:
|
Canada (5-eyes) | No | No | Last activity | No |
| Le VPN |
“Your IP address is logged by us so that we can prevent any spam, fraud or abuse of our Site and our Le VPN Service.
We will store (i) a time stamp and IP address when you connect and disconnect to our Le VPN service, and (ii) the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our Le VPN Service.”
|
France (14-eyes) | No | Yes | Yes | Yes |
| OVPN |
“OVPN does not log any activity when connected to our VPN service. Therefore, we do not know who is connected to our service, what they are doing or when they are doing it. Nothing can be connected to an account:
|
Sweden (14-eyes) | No | No | No | No |
| PrivateVPN |
“We do not collect or store logs of your activity, including no logging of browsing history, traffic destination, connection time stamps, DNS queries, IP addresses (neither allocated IP nor connected IP), data content or bandwidth.”
|
Sweden (14-eyes) | No | No | No | No |
| SwitchVPN |
“INFORMATION COMPANY COLLECTS
For Google Analytics: anonymous Non-Personally Identifiable Information such as pages visited, geographical location of a user, conversion metrics, page loading times, and duration of web sessions related to order processing and not to VPN sessions; and Web server log (Nginx).
Company does not collect or log any traffic or use of its Virtual Private Network ("VPN") service or Proxy.”
|
USA (5-eyes) | No | No | Anonymized | Yes |
| Ghost Path |
“We do not log any data related to your VPN sessions.”
|
USA (5-eyes) | No | No | No | No |
| MyIP |
“We keep a bare minimum set of data like the date you connected and from which IP.
We do not keep logs of your browsing activities, sites visited, outgoing traffic or content accessed.”
|
USA (5-eyes) | No | Yes | Date only | Yes |
| CactusVPN |
“We do not store any IP addresses, traffic logs, connection timestamps, used bandwidth or session duration information that could be traced to a single person”.
|
Moldova | No | No | No | No |
| Seed4.Me |
“We do not keep logs on VPN nodes. VPN nodes only receive and forward traffic to the end user. General connection logs are stored on a secure server for 7 days to solve network issues if there are any. These logs are deleted after 7 days if there are no network problems.”
|
USA (5-eyes) | Aggregate | Aggregate | Aggregate | Yes |
| OneVPN |
“We do not track any physical addresses and locations, numbers, or any other personal information. We do not store or keep records of your IPs and your payment processes. We do not keep any track of your online activities because that is what we deliver the privacy and protection.”
|
Hong Kong | No | No | No | No |
| AirVPN |
“Activity traffic and/or traffic content and/or IP addresses of the customers or users are not inspected, logged or stored into any mass storage device.”
|
Italy (14-eyes) | No | No | No | No |
| Trust.Zone |
“All our VPN servers around the world ARE NOT storing any log files to keep your privacy safe.”
|
Seychelles | No | No | Unclear | Unclear |
| VPNSecure Trust |
“VPNSecure Trust will not monitor you or your use of the service, including its contents unless VPNSecure Trust has reason to believe that such action is necessary to conform to legal requirements or comply with legal process.
We do not log any personal information when connecting to our service.
'Any data' means but is not limited to the following:
|
Australia (5-eyes) | Potentially | No | No | No |
| Perfect Privacy |
“Specifically, we do not record or log any user traffic so potential sharing such data with third parties is technically impossible. We do not store IP addresses, access times or duration, nor bandwidth caused by individual users.”
|
Switzerland | No | No | No | Aggregate |
| Private WiFi |
“Most importantly, we do not store any information about your communications or the websites you visit connected to Private WiFi, and certainly do not sell that information to anyone else.
We collect the following information (what we refer to as “Personal Information”) from you:
<...>
Computer information, such as your IP address, browser type and operating system“.
|
USA (5-eyes) | No | Yes | No | Unclear |
| Identity Cloacker |
“While surfing the web through Identity Cloaker proxy or VPN servers, we do not store the addresses of the visited websites or other resources and we store no transported data for a period longer than necessary to finish the Internet data transfer handover. No caching on permanent record media (for example hard drives) is being utilized.”
|
Czechia | No | Unclear | Unclear | Unclear |
| iNinja |
“A summary of the Personal Data that We process, when We collect it, how We use it and why We use it (i.e. the legal basis for processing) is listed below:
- data on the use of Our Services - We use it to improve Your customer experience and provide bespoke services that satisfy Your needs and preferences
- Information about Your connections (time and duration of connection) - We use it to compile logs of Your connections. This is necessary to maintain the security of Our Services.
- IP address - We use it to provide access to Our Services and for the operation of the Services; We use it to know Our Users for ensure data protection requirements.”
|
UK (5-eyes) | Yes | Yes | Yes | Yes |
| VPNhub |
“When you connect to the VPNhub VPN, we collect your internet protocol (IP) address, which we pseudonymize, immediately encrypt it and store it only for the duration of your VPN session. Your IP address is deleted after you disconnect from the VPN without storing or logging it. We do not associate your IP address with your online activities and we do not store or log your IP address with your online activities.
|
USA (5-eyes) | No | For length of session | Aggregate | Aggregate |
| EarthVPN |
“Your IP address is logged by us so that we can prevent any spam, fraud or abuse of our site and our services.
EarthVPN neither logs VPN usage nor user activity. Neither us nor third parties are technically able to match an IP address to an account. Under no circumstances we will provide any personal or private information to third parties. We are located in the jurisdiction of Northern Cyprus. However in case of law enforcement agencies notify us that our IP is involving in criminal activities ( see terms of service for acceptable use of policy ) we reserve the right to investigate manually to find the cause of criminal activity.”
|
Northern Cyprus | No | Yes | No | Yes |
| VPNONLINE |
* The Supplier monitors the Client's activity in the form of system logs, which are designed to detect abuses related to the use of the Supplier's infrastructure. The provider stores the following logs:
- the date and time of the start and end of the VPN connection
- duration of the call
- the client's source IP address and the name of the VPN server it is using
- target IP address and port to which the client connects using the VPN server
Logs are stored for a period of 30 days for the above-mentioned purpose, then they are overwritten, which prevents their recovery. However, if abuse is noted, logs may be retained indefinitely for investigation.
* Translated from Polish with Google Translate
|
Poland | Yes | Yes | Yes | Yes |
| 5 Euro VPN |
“• 5 Euro VPN doesn’t keep logs or records of data traffic or activity of users when they use the app.
• 5 Euro VPN doesn’t log timestamps; we keep no records of users logging in or out.
• 5 Euro VPN doesn’t register IP addresses of users of the server. Not when you log in, and not during a session.
• 5 Euro VPN doesn’t log your DNS requests on our servers.
• 5 Euro VPN doesn’t log your number of sessions on our servers.”
|
Curaçao | No | No | No | No |
| IronSocket |
We DO NOT LOG or record in any manner the content you access while using our Services.
Upon Use of the Services, we additionally collect the following session information:
We use this data to manage your account, to provide the Services, and to prevent fraud and abuse. This session information is retained for a limited period of time, typically 72 hours, after which it is purged from our servers.
|
Hong Kong | No | Yes | Yes | Yes |
| VPN.Express |
“We do not collect or store users activity, browsing history, traffic, content, IP address, or any other sensitive information.
We collect information related to whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which your VPN location (but not your assigned IP address), and from which country/ISP (but not your source IP address)”.
|
USA (5-eyes) | No | No | Date only | Yes |
| Mullvad |
“We log nothing whatsoever that can be connected to a numbered account's activity:
|
Sweden (14-eyes) | No | No | No | Aggregate |
| GooseVPN |
|
Netherlands (14-eyes) | No | No | No | No |
| PandaVPN |
“We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. Also, we never store connection logs, meaning no logs of your IP address, connection timestamp, or session duration.”
|
Seychelles | No | No | No | No |
| Flow VPN |
“Portable Ltd collect and store only the data needed to operate a reliable network and meet regulatory / legislative requirements. We store IP addresses, names, email and postal addresses for account management purposes, processing payments and / or where users have given permission for Portable Ltd and Flow VPN to send marketing communications.
Upon installation of the client application all users are allocated an Account Name against which we reserve the rights to log subscription information (including transaction references), connecting IP address, authentication requests, session data (allocated IP, connection date, time, duration etc.).”
|
UK (5-eyes) | Yes | Yes | Yes | Yes |
| ZenVPN |
“When you use ZenVPN VPN service we collect and store your aggregate daily bandwidth usage.
When you connect to a VPN server, we record date and time of connection, your IP address and the duration of connection. This information is linked to your account and is retained for 6 (six) months.”
|
Cyprus | Aggregate | Yes | Yes | Yes |
| LibertyShield |
“We are committed to your privacy and do not collect or log traffic data or browsing activity from individual users connected to our VPN.
We may collect the following information: times when connected to our service, choice of server location, and the total amount of data transferred per day. We store this to be able to deliver the best possible network experience to you. We analyse this information generically and keep the data secure.”
|
UK (5-eyes) | No | No | Yes | Yes |
| CitizenVPN |
“No logging of IP addresses. Our VPN servers log information about connections that we use to troubleshoot problems and optimize the service. Whenever a log normally includes the IP address or hardware-address of a Clients computer these logs are automatically and continually 'anonymized' (the IP or hardware-address is immediately anonymized).”
|
Denmark (14-eyes) | Unclear | Anonymized | Yes | Yes |
| TorVPN |
“Our policy is to never log, dismantle or interfere with data you send to or receive from remote hosts on the internet. We do keep connection logs for a brief time in order to be able to put a stop to mass scans, denial of service attacks and other abuse of the system.”
|
UK (5-eyes) | No | Unclear | Yes | Unclear |
| FrostVPN |
“FrostVPN does not monitor, record or store logs for any VPN user. We do not log or Store web traffic data including Websites visited, files downloaded, etc.
We do however record the following data: - time, date and location VPN connection was made.
This information is collected to protect our service from abusive users, spammers and crimes. This information is cycled every 24 hours. All our servers utilize shared public IP address, which does not allow us to pinpoint a single activity to a single user. “
|
USA (5-eyes) | No | No | Yes | Anonymized |
| VPNArea |
“We do not monitor, record or store logs for any single customer's VPN activity. We do not monitor, record or store any login dates, timestamps, incoming and outgoing IP addresses, bandwidth statistics or any other identifiable data of any VPN users using our VPN servers”.
|
Bulgaria | No | No | No | No |
| VanishedVPN |
What Personal Data does VanishedVPN collect and why?:
Each time a user connects to VanishedVPN, we retain the following data for 30 days: the user’s source IP address, connection start and stop time and total number of bytes used.
What VanishedVPN Does Not Collect From user Sessions:
Does not log a user’s traffic or the content of any communications”
|
Australia (5-eyes) | No | Yes | Yes | Yes |
| DefenceVPN |
“DefenceVPN does not store or log any traffic or usage from its Virtual Private Network (VPN). We do not keep traffic (activity) logs or connection logs (incoming or outgoing timestamps, IP addresses or bandwidth consumption).”
|
Canada (5-eyes) | No | No | No | No |
| Faceless.Me |
“Faceless.Me does not collect or log any traffic or use of its VPN service, including OS system logs.
We cannot relate any specific activity with any specific user.
Do you keep logs of my online activity?
No! Absolutely not! We only track your data usage totals and your IP address, which is required for our internal bookkeeping. And even this data is kept on our servers for a limited time.”
|
Latvia | No | Yes | Yes | Yes |
| VPN in Touch |
“Our product will never store, log, or share your true IP address, and we always delete your true IP address after your VPN session is closed.
We never associate your email, true IP address, username, or unique mobile ID with your browsing information or online activities when you are using VPN in Touch apps”.
When you use VPN in Touch to access the internet, we collect only anonymous, aggregate data about which websites you visit and which apps you use. We do not attribute any specific website visits or app usage to any specific user.”
|
Germany (14-eyes) | Aggregate | No | Aggregate | Aggregate |
| ZorroVPN |
“Do you keep logs?
No we don't. No logs of IP address, bandwidth, connections, DNS requests and etc.”
|
Belize | No | No | No | No |
| Lamnia VPN |
“We do not save logs of any user activity (sites visited, DNS lookups, emails etc.) We only save logs of access attempts to our servers (for security and troubleshooting), session durations and bandwidth used. Those are kept for 5 days.”
|
UK (5-eyes) | No | No | Yes | Yes |
| VPNJack |
“Do you keep logs/records of customers' activity?
We only track the minimal information needed for proper accounting and system health monitoring, like the duration of your VPN connection and average bandwidth. We do NOT keep the track of web-sites you visit or the content of the data being transferred through your VPN connection.”
|
USA (5-eyes) | No | No | Yes | Yes |
| Wow VPN |
“During our normal course of duties, we do not monitor, record or store logs for any single customer's VPN activity. We will however record the following data:
1. Time, date and location VPN connection was made.
2. Duration of the VPN connection.
3. Bandwidth used during the connection.”
|
UK (5-eyes) | No | No | Yes | Yes |
| DoubleHop |
“No traffic logging
No DNS request logging
No timestamps logging
No bandwidth logging
No IP address logging”
|
Seychelles | No | No | No | No |
| Unspyable |
|
USA (5-eyes) | No | No | Unclear | Unclear |
| RayaVPN |
“During our normal course of duties, we do not monitor, record or store logs for any single customers VPN activity. We have absolutely No logs VPN on:
We will however record the following data:
|
Singapore | No | No | Yes | Yes |
| VPN Gold |
“Log file information:
When you use our Service, our servers automatically record certain log file information, including your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Service, domain names, landing pages, pages viewed, and other such information. We may also collect similar information from emails sent to our Users which then help us track which emails are opened and which links are clicked by recipients”.
|
Estonia | Yes | Yes | Yes | Yes |
| BelkaVPN |
“DigiApp LLC guarantees a strict no-logs policy for BelkaVPN services, meaning that your activities using BelkaVPN Services are provided by automated technical process, are not monitored, recorded, logged, stored or passed to any third party. We do not store connection time stamps, session information, used bandwidth, traffic logs, IP addresses or other communications data.”
|
USA (5-eyes) | No | No | No | No |
| VPN Geeks |
“We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.”
|
Panama | No | No | No | No |
| VPN Technologies (VPN Logix) |
“I want to inform you that whenever you use my Service, in a case of an error in the app I collect data and information (through third party products) on your phone called Log Data. This Log Data may include information such as your device Internet Protocol (“IP”) address, device name, operating system version, the configuration of the app when utilizing my Service, the time and date of your use of the Service, and other statistics.”
|
Canada (5-eyes) | Unclear | Yes | Yes | Yes |
| Read Shield VPN (TgVPN) |
“We Do Not monitor user activity nor do we keep any logs. We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers. Our servers automatically record the time at which you connect to any of our servers for the purposes of limiting connection count with same login. After you are disconnecting, this record deletes automatically. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user”.
|
Latvia | No | No | For length of session | For length of session |
| WasabiVPN |
“We may use other technical means to collect and analyze certain information about how you use the Software. This technical information includes Internet Protocol (IP) addresses, browser information, internet connection status (wifi/mobile). We may also keep a record of how long your device has been connected using our Software. It can also be used to help us understand your preferences based on previous or current Software activity, which enables us to provide you with improved Services. As well it can help us compile aggregate data about traffic and interaction with the Software, thus we will be able to provide You with better user experiences and tools in the future
In order to provide Services to you and to improve your experience, we may collect information that is absolutely necessary for us to know to provide you with the Services or is created, provided by you in connection with your use of the Services (collectively, “Service Information”), including location (real-time geographic location), network information, IP-address, device ID, device info, connection timestamp within using of the Software.”
|
USA (5-eyes) | Aggregate | Yes | Yes | Yes |
| SlickVPN |
“However, user activities outside of the SlickVPN site are not tracked nor do we track the browsing activities of user who are logged to the SlickVPN service.”
|
USA (5-eyes) | No | No | Unclear | Unclear |
| BunkerVPN |
“We do not collect any information on user activity, user IP addresses, user bandwidth usage, nor user log-in/log-out times. We do on the other hand collect information on raw bandwidth usage of our servers so that we can optimize our VPN service in order to provide the best possible speed to our customers.”
|
Switzerland | No | No | No | Aggregate |
| AceVPN |
“We do not log VPN traffic. We do not spy on our users nor monitor their bandwidth or Internet usage. Our VPN servers do not store any personal identifying information (PII)”.
|
USA (5-eyes) | No | No | Unclear | No |
| VPNLUX |
Statistics
When user uses VPN we collect the following data:
a. User ID number (assigned automatically upon registration);
b. User package ID number;
c. Session start time;
d. Session end time;
e. Bandwidth usage (in megabytes).
Logs
In order to ensure users security, as well to protect against infringement by third parties on the user's personal data, We do not store logs (visited resources and other network activity of users).”
|
Belize | No | No | Yes | Yes |
| RitaVPN |
“We do not log any user activity (sites visited, DNS lookups, emails etc.) We only log access attempts to our servers (for security and troubleshooting).”
|
Hong Kong | No | No | Yes | Yes |
| Anonine |
“Our users must be sure that we do NOT store the following data:
Traffic used, connected to a definite email or user ID
How it looks like Mbs (XXX Mbs)
Storage time 2 months
Resource received from our inner VPN system
|
Sweden (14-eyes) | Amount only | No | No | No |
| blackVPN |
|
Hong Kong | No | No | No | No |
| Keenow |
- “A time stamp when you connect and disconnect to our VPN service or Proxy servers.
- The IP address used by you to connect to our VPN or Proxy servers.
We DO NOT monitor nor store any of the data sent or received over the VPN tunnel.”
|
Israel | No | Yes | Yes | Yes |
| nVpn |
Things we do not keep to operate the service:
[-] No logging of connected IPs
[-] No logging of IPs placing an order or accessing the members area
[-] No logging of session duration times, neither the quantity of connected devices
[-] No logging of visited Websites, or any other activities on that matter
[-] No logging of consumed Traffic amounts”
|
Bosnia and Herzegovina | No | No | No | No |
| PandaPow |
“In addition to any personal information you provide us, we may store the following pieces of data: IP address, times when connected to our service, the total amount of data transferred, and transfer speed information. We store this data to be able to provide our users with the best possible service. This information is kept secure and private and never shared with any third party.”
|
Hong Kong | No | Yes | Yes | Yes |
| VPNCity |
“VPNCity provides a no-logs policy for VPNCity services, meaning that your activities using VPNCity Services are provided by automated technical process, are not monitored, recorded, logged, stored or passed to any third party. We do not store connection time stamps, session information, used bandwidth, traffic logs, IP addresses or other data. <...> Further, VPNCity have a strict no logs policy when it comes to seeing user activity online”.
“However, to limit the number of simultaneous sessions of an active user, an algorithm keeps their username and the timestamp of the last session status while the session is active.”
|
Hong Kong | No | No | For length of session (last timestamp only) | No |
| KeepSolid |
“KeepSolid does not monitor, store, or log your online activity, including your browsing history, connection times, metadata, downloads, server usage, or data content during your session in the VPN Services.
KeepSolid also never stores or logs your IP address after the end of your session in the VPN Services – KeepSolid always removes your IP address after your session ends.”
|
USA (5-eyes) | No | No | No | No |
| HideIPVPN |
“HideIPVPN keeps a no-logs policy, this means that activity whilst using VPN is not being stored nor shared in any form. Only data stored is client’s full name and billing activity. We do not store IP addresses, browsing history , traffic destination or DNS queries. HideIPVPN cannot be obligated to provide data that do not exist due to our log policy.”
|
USA (5-eyes) | No | No | Unclear | Unclear |
| SaturnVPN |
“We do NOT log any user activity (sites visited, DNS lookups, emails, etc.). We only log access attempts to our servers (for security and troubleshooting), session durations, bandwidth used and the user clicks made to our software (for features popularity tracking and improvements).”
|
USA (5-eyes) | No | No | Yes | Unclear |
| encrypt.me |
“When you use Encrypt.me to secure your connection, we collect:
We keep this information for at most sixteen (16) days, after which we permanently delete it.
Some related information is kept indefinitely in aggregated form:
|
USA (5-eyes) | Aggregate | Yes | Yes | Yes |
| tigerVPN |
“At no time, we store, read, analyze or in any other way process the traffic exchanged between you, our servers and the public internet. In other words, we do not save, read or have technical access to any DNS queries, websites you visit, data you transferred or communications.
While we do store a record when you connect to a server (for the sole purpose to provide troubleshooting and accounting, abuse prevention and network integrity) it does not allow us to single out an individual customer because your information overlaps with thousands of other customers at the same time.”
|
Slovakia | No | No | Anonymized | Anonymized |
| ZoogVPN |
“We have adopted 'Zero Logs' policy and are not required to collect any by our jurisdiction. This means we do not keep any logs of your online activity so you can browse with 100% privacy and confidence.
We strictly do not collect or keep any usage information on user activity, the websites or apps the user visits, timestamps, user IP addresses, or user log-in/log-out sessions. However, for the purpose of rendering VPN service we collect total data transferred on our servers as aggregated upload/download.”
|
Greece | No | No | No | No |
| VPNZone |
“RBCOM does not monitor, store, or log your online activity, including your browsing history, connection times, metadata, downloads, server usage, or data content during your session in the VPN Services.
RBCOM PTE also never stores or logs your IP address after the end of your session in the VPN Services – RBCOM always removes your IP address after your session ends.”
|
Singapore | No | No | No | No |
| BolehVPN |
“No, we do not keep logs of user activity including user access, DNS requests, timestamps, bandwidth usage or user’s IP addresses. We do monitor general overall traffic of the server and number of connections in which the server is pushing through but not on an individual level.
However as per our policy, if we do notice any unusual activity on our servers via our general monitoring (high bandwidth loading, high number of connections or cpu usage) or receive a specific complaint (hacking/spam) we may turn on logs temporarily to identify abuse of our services.”
|
Seychelles | No - but can be enabled | No - but can be enabled | No - but can be enabled | Aggregate |
| Freedom-IP VPN |
“Data kept by VPN Session:
|
France (14-eyes) | Yes | Yes | Yes | Yes |
| OctoVPN |
“OctoVPN does not collect or log any traffic or use of its Virtual Private Network service.
Site Visitors. We collect certain information automatically from visitors to our Site, such as IP (Internet protocol) address and pages viewed on our Site. For more information, see the "Cookies and Tracking" section below. However, we do not track user activities outside of our Site, nor do we track the browsing activities of users who are logged into our VPN service.”
|
Norway (9-eyes) | No | No | Unclear | Unclear |
| BulletVPN |
“BulletVPN does not collect logs of any user activity, nor can it link any other collected information to any specific user. We do not collect any logs of user browsing history, connection history, traffic and data transfer, or DNS queries, nor do we store VPN connection logs of any type. That means we do not store the user’s IP address and port, the VPN server’s IP address and port, or the VPN connection attempt, connection establishment or disconnection date and time.
BulletVPN collects usage information to provide the features offered with the service. Total data consumption is collected to ensure that performance is optimized for all connected users, prohibiting abuse of server resources by individual users. The data consumption metric doesn’t include any trace of accessed or transferred data content through the VPN connection. The number of active connections per user is also maintained during a minimum of one active connection and up to three active connections, without information on the user’s connected devices, their IP addresses and ports, the VPN server’s IP address and port, or the connection establishment date and time.”
|
Estonia | No | No | No | Aggregate |
| IVPN |
“We do not log any data relating to a user’s VPN activity (while connected or connecting to the VPN).
|
Gibraltar | No | No | No | No |
| VPN.ac |
|
Romania | No | Yes | Yes | Yes |
| VirtualShield |
“We do not monitor user activity in any way nor do we retain any logs for our ‘VPN’ service. Therefore, we have absolutely no record of any of your activities such as which websites you visited, what content you downloaded, which apps you used, which software you used, etc. when connected to any one of our servers in our VPN network. When a successful connection is established with one of our servers, it is counted as an “active connection” which is temporarily inserted into our database for the sole purpose of limiting an accounts simultaneous connections. This “active connection” data contains your Account ID and a randomly generated Connection ID. This “active connection” data is REMOVED from our database upon disconnection by the end-user from our VPN server. This “active connection” data does NOT contain the time at which you connected, which server you connected to, which location you connected from, which device you connected from, or any other information that could be used to track any activity back to a single user. “
|
USA (5-eyes) | No | No | No | No |
| FrootVPN |
“For the highest level of digital protection of our users, we NEVER store the following:
Logs
Connection duration
Connection timestamp
IP addresses
DNS requests
Locations and servers user connected to”
|
Seychelles | No | No | No | No |
| IPBurger |
“We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.
We collect information about whether you have successfully established a VPN connection on a particular day (but not a specific time of the day), to which VPN location (but not your assigned outgoing IP address), and from which country/ISP (but not your source IP address).”
|
USA (5-eyes) | No | No | Dates only | Yes |
| personalVPN |
“We, by default and design, absolutely do not monitor or store logs of a user’s internet activity, browsing, websites visited, or files downloaded.”
|
USA (5-eyes) | No | No | Unclear | Unclear |
| FinchVPN |
“What data we collect: We will store a time stamp, traffic amount and user id when you connect and disconnect to our VPN service. We do not store details of, or monitor, the websites you connect to when using our VPN service”
|
Malaysia | Yes | No | Yes | Yes |
| Star VPN |
“Senight LLC guarantees a strict no-logs policy for Star VPN Services, meaning that your internet activity while using Star VPN Services is not monitored, recorded, logged, stored or passed to any third party. We do not store connection time stamps, used bandwidth, traffic logs, IP addresses or browsing data.
Username and a timestamp of the last session status. This information is used to limit the amount of concurrent active user sessions and is automatically deleted within 15 minutes after a session is terminated.”
|
Panama | No | No | No | No |
| Whoer |
“We do not collect, store or log any of the following data:
|
Cyprus | No | No | Unclear | Aggregate |
| LiquidVPN |
“The websites you visit and the type of data you’re sending/receiving is your business. We do not monitor this kind of traffic.
What Account Information LiquidVPN can view from our VPN network.
|
USA (5-eyes) | No | Yes | Yes | Unclear |
| VPNBook |
“Our privacy policy is simple: We respect your privacy. We do not collect any personal information or store any user's internet data. The only thing we log is the IP address and time the connection was made. We log connection information in order to reduce abusive activities and keep this free VPN service online for all legitimate users. Connection logs are automatically deleted every week”.
|
Switzerland | No | Yes | Yes | Unclear |
| VPN4Games |
“Types of Data Collected When you use VPN4Games
|
Thailand | Yes | Yes | Yes | Yes |
| OpenVPN (Private Tunnel) |
“What Data OpenVPN Retains From Private Tunnel Sessions:
Each time a user connects to our Private Tunnel service, we retain the following data for 14-30 days: the user's source IP address, the Private Tunnel IP address used by the user, connection start and stop time and total number of bytes used.
What OpenVPN Does Not Collect From Private Tunnel Sessions:
We Do Not log a user's traffic or the content of any communications”
|
USA (5-eyes) | No | Yes | Yes | Yes |
| Speedify |
“When you use Speedify to communicate over the Internet we receive your IP address and Device ID. We also record at what time each connection begins, how long each connection lasts, and the amount of data used.
We have no record of the websites that you visit. We do not retain any of the data that you send or receive while using our services. All of that information vanishes from our systems as soon as it is transmitted.”
|
USA (5-eyes) | No | Yes | Yes | Yes |
| SecurityKISS |
“We do not monitor, record or store logs for any connection activity, except for the following:
Time, date and duration of your VPN connection
Bandwidth used during the connection”.
|
Ireland | No | No | Yes | Yes |
| Thunder VPN |
“When you use our app we may collect the following information: IP address, Internet service provider, OS version, language of the device, app identifier, app version, independent device identifier, ad identifier, device manufacturer and model, email address, the time zone and the network state (WiFi and so on), times when connected to our service, choice of server location, and the total amount of data transferred per day, etc. “
|
USA (5-eyes) | No | Yes | Yes | Yes |
| UrbanVPN |
“When you use our Services or visit our website, we will collect certain Online Identifiers such as Agent Id, UDID, Android ID, and your IP address.
We collect the URLs of visited websites and apps as well as search queries (meaning in the event the navigation event occurred on the page of a search engine or a website, the value of a URL’s query parameter responsible for a search term involved into the searching context). This data is deleted a short period following collection.
Technical Data When you use the Service, we will collect Non-Personal Data, such as technical information automatically transmitted by the user's device (for example, type of browser, the type of operating system, access time and date, approximate geographical location, etc.
Web Browsing Data - Anonymized immediately when data received”.
|
USA (5-eyes) | Anonymized | Yes | Yes | Yes |
| AstrillVPN |
1. “Our system keeps track of active sessions - connection time, IP address, device type and Astrill VPN application version during the duration of your VPN session. Once you disconnect from VPN this information is removed permanently from our system.
2. Astrill also counts amount of traffic used by clients in order to plan network expansions. No personally identifiable information is kept - only the total number of transferred bytes. The very design of our VPN server software does not allow us to see which clients accessed what websites even if we wanted to. No logs whatsoever are stored on VPN servers after connection is terminated.
3. Additionally to this, we keep last 20 connection records which include: connection time, connection duration, country, device type and Astrill client application version number. This information contains no personally identifiable information (for example we don't keep IP addresses or your physical location). This information is automatically removed in case of no activity in past 30 days.“
|
Seychelles | No | For length of session | Yes | Yes |
| X-VPN |
“We do not log how you utilize VPN connection, which means we do not see the applications, service or websites you use personally while connected to our Service nor do we store them.
We do not store your original IP address or the server IP address that you connect to which means we cannot share it to anyone no matter what happened.
<...> the connection timestamp, choice of the protocol, network type and error report;
This data is automatically collected during VPN connection and is used for troubleshooting & VPN service optimization only.”
|
Hong Kong | No | No | Yes | No |
| Avira (Phantom VPN) |
“If you use Avira Phantom VPN we do not collect any data about the web pages you visit or the services you use on the internet.”
|
Germany (14-eyes) | No | No | No | Unclear |
| UFO VPN |
“UFO VPN does not and will not collect or store traffic data, DNS queries, browsing history and VPN connection destination.”
“We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”
|
Hong Kong | No | No | No | No |
| Brocode Limited (uVPN) |
“uVPN guarantees a strict no-logs policy for uVPN Services, meaning that the uVPN Services are provided by an automated process, and your activities while using them are not monitored, recorded, logged, stored or passed to any third party. We do not store connection timestamps, session information, used bandwidth, traffic logs, IP addresses or other data. However, to limit the number of simultaneous sessions of an active user, an algorithm keeps their username and the timestamp of the last session status while the session is active. This data is wiped within 15 minutes after the session is terminated.”
|
Hong Kong | No | No | For length of session | No |
| PureVPN |
“Information Included in VPN Connection Logs
We know the day you connected to a specific VPN location and from which Internet Service Provider. This bare minimum set of data is required to help you with technical assistance, solving connecting problems, and overcoming region-specific problems.
We also know the connection length and how many connections you make when you use our VPN service, without connection timestamps, with the sole purpose of categorizing your profile as Power, Core or Casual user.
Details NOT Included In VPN Connection Logs:
|
Hong Kong | No | No | Date only | No |
| hidemy.name |
“A non-persistent log of connection data, that includes customers’ randomly generated username and internally assigned, non-public IP address, is maintained by us for troubleshooting purposes. We safely clear out the troubleshooting log every few hours. To lessen our legal liability, we purposely and strictly do not record any other data. Your browsing behavior is not monitored or recorded by us. It is impossible to log your browsing behavior with our technical backend. All the data you use remains anonymous and not connected to your real, public IP address.
In case we ever become legally obliged to keep a persistent log of our customers’ connections or any other personal data relating to their network activity, we will immediately inform our clients and do everything possible to move jurisdictions or terminate the service to protect those who entrust their privacy to us.”
|
Belize | No | No | No | No |
| VPN Gate |
“We always keep VPN Connections Logs of VPN Gate Public VPN Relay Servers for three or more months.
A VPN Connection Log entry contains:
|
Japan | Yes | Yes | Yes | Yes |
| Ivacy |
“We strictly do not log or monitor, online browsing activities, connection logs, VPN IPs assigned, original IP addresses, browsing history, outgoing traffic, connection times, data you have accessed and/or DNS queries generated by your end. We have no information that could associate specific activities to specific users.”
|
Singapore | No | No | No | No |
| hide.me |
“We do NOT keep logs of your VPN sessions, browsing behavior, websites you visit or any activity related to your VPN connection. In addition, we NEVER store VPN connection logs and timestamps that match your incoming and outgoing IP address or session duration.
We maintain a non-persistent log of connection data for troubleshooting purposes which includes customer’s randomly generated username and internally assigned (non-public) IP address. The troubleshooting log gets securely erased every few hours. We purposely and strictly do not log any other data to mitigate our legal liability. We do not monitor or log your browsing behavior. It is impossible to record your browsing behavior with our technical backend. All the usage data is anonymous and not connected to your real, public IP address.”
|
Malaysia | No | No | No | No |
| VPN Proxy Master |
“We do not collect any data related to your online activities. We do not collect data logs of your activity, including:
1) Browsing history;
2) Traffic destination;
3) Data content; and
4) DNS queries.
We do not collect data of your connection logs, including:
1) Your IP address;
2) Your outgoing VPN IP address;
3) Connection timestamp; and
4) Session duration.”
|
Singapore | No | No | No | No |
| Psiphon |
“We DO NOT collect or store any VPN data that is not mentioned here.
We DO NOT modify the contents of your VPN data.
We DO NOT share any sensitive or user-specific data with third parties.
We record what protocol Psiphon used to connect, how long the device was connected, how many bytes were transferred during the session, and what city, country, and ISP the connection came from.” |
Canada (5-eyes) | No | No | Yes | Yes |
| AzireVPN |
“AzireVPN does NOT log any traffic or user activity while using our service.
AzireVPN does NOT log timestamps or any information relating to when a user connects/disconnects from our service.
AzireVPN does NOT log or shape any bandwidth on our servers.
AzireVPN does NOT log the original IP addresses of our users when they connect OR their AzireVPN IP address when they are using our service.
AzireVPN does NOT log the number of your active sessions or total sessions.
AzireVPN does NOT log your DNS requests on our servers.”
|
Sweden (14-eyes) | No | No | No | No |
Audited or Otherwise Verified VPNs
When I read through the privacy policies, I saw that many were primarily for marketing purposes and not specific enough about the data they were / weren’t logging.
For instance, Identity Cloaker’s policy states “we do not store the addresses of the visited websites or other resources and we store no transported data for a period longer than necessary to finish the Internet data transfer handover”. It’s not clear which transported data they do store, even if they don’t store the addresses of webpages their users visit.
Also, a solid privacy policy isn’t a guarantee that a provider will follow it.
That’s why I recommend going a step beyond reading the policies in detail.
I’m referring to checking whether the specific providers’ policies and approach to security have been independently audited or verified as a result of a legal precedent.
It’ll help you make a more informed decision about how much your chosen provider cares about your privacy.
I collected the data about the VPNs that have been subject to an audit or verification of any other kind.
From the table below, you’ll see that 8% of VPNs I assessed have had an audit or undergone another kind of verification of their commitment to security and privacy.
Some of these audits covered just logging policies, whereas others were more about security vulnerabilities.
"Only 8% of VPNs we assessed have had an audit or undergone another kind of verification of their commitment to security and privacy."
Audited VPN Providers
A no-logs VPN is a VPN service that doesn’t collect information a user transmits, or shares, through the network. If a VPN keeps logs that can potentially identify you as its user, that defeats the point of a VPN that promises to protect your privacy.
For that reason, many providers claim to be “no-logs” VPNs.
| Provider | Auditing Organization / Case | Date of last Audit / Case | Result | Source |
|---|---|---|---|---|
| NordVPN | PwC | May 2020 |
Based on the audit, PwC believes that nothing in NordVPN’s no-log policy and its implementation contradicts its service description.
Therefore, the independent provider confirms that NordVPN’s no-logging policy is true to life.
|
Source (full report available to users only)
|
| ExpressVPN | PwC | Q2 2019 |
PwC confirmed that ExpressVPN’s TrustedServer technology is fully compliant with its no-logs policy – those logs simply don’t exist as the servers are RAM-only. |
Source (full report available to users only)
|
| Surfshark | Cure53 | April 2021 |
Cure53 audited the security of Surfshark’s server infrastructure. Since they’re RAM-only servers, they can’t keep logs by default, but it’s important to see that the servers themselves are secure.
The audit confirmed that the very few concerns were of a low level and that there were no server-side configurations that rely on insecure defaults.
|
Source |
| PIA | US District Court for the Southern District of Florida Case No. 16-8075-JMH | March 2016 |
The only information PIA’s owner could provide in a legal case upon a subpoena of IP addresses is a cluster of IPs used from US East Coast.
This shows that PIA doesn’t keep individual IP logs.
|
Source |
| HMA | VerSprite | August 2020 |
VerSprite audited HMA’s Android, iOS, Mac and Windows applications. They’re paid applications that don’t keep logs according to HMA’s policy. The cybersecurity firm gave those HMA apps a low risk user privacy impact rating for its no-logging policy.
HMA’s free extensions do, however, keep logs, according to the policy. They were NOT audited.
The report is not publicly available.
|
Source |
| VyprVPN | Leviathan Security | November 2018 |
Leviathan Security has confirmed that the VPN clients “produce no identifying logs without the user’s consent” and the issues they found were quickly fixed by the provider.
So, at the time of the audit, VyprVPN is a no-logs VPN.
|
Source |
| OVPN | Stockholm Patent and Market Court Case No. PMÄ 10204-20 | September 2020 |
The defendant was unable to prove that OVPN stores any logs.
The court also confirms that OVPN isn’t an Internet provider, which means a data retention law doesn’t apply to it.
This confirmation, in addition to OVPN’s RAM-only servers, means that OVPN indeed doesn’t keep logs.
|
Source |
| Mullvad | Cure53 | May-June 2020 |
Cure53 audited Mullvad’s Android, iOS, Windows, Ubuntu and macOS applications.
According to the report, Mullvad “does a great job protecting the end-user from common PII leaks and privacy related risks”, and no PII leaks were found.
|
Source |
| IVPN | Cure53 | March 2019 |
Cure53 confirmed that “neither privacy nor policy-related violations have been observed on the audited systems in the timeframe of the audit.”
Therefore, IVPN’s no-logging claims are truthful as of the date of the audit.
|
Source |
| Encrypt.me | Security Innovation | September 2019 |
The policy of this VPN states that it keeps at least aggregate logs.
The audit confirms that “logs created by the applications do not contain sensitive customer information or sensitive system information”.
|
Source |
However, independent audits only tell one side of a story on a given date.
Just because a VPN has passed an audit once, it’s not a guarantee they will again – policies may change, and new security threats may emerge. Also, VPNs are mostly owned by commercial companies, and any change in their ownership can easily lead to policy changes.
As a result, your activity whilst using VPN might not end up so private.
A possible solution to that problem is choosing a VPN with RAM-only servers.
VPNs With RAM-only Servers
For extra assurance of privacy, some VPNs use RAM-only servers.
Those servers erase any logs and user data as soon as they’re turned off.
A VPN that has RAM-only servers simply can’t keep any logs because they’d be wiped away at the end of a session, thus erasing any trace of your activity during it. Even if such a server is stolen, the malicious actors won’t be able to get their hands on your data for that reason.
For this reason, I also checked the structure and set-ups of the VPNs I reviewed to see which ones make it abundantly clear that they have such servers.
From the data below, you’ll see that 6% of providers I assessed have RAM-only servers, which shows their genuine commitment to not keeping logs.
"Only 6% of providers we assessed have RAM-only servers, which shows their genuine commitment to not keeping logs."
List of RAM-only VPNs
| Provider name | Number of RAM-only servers | Source |
|---|---|---|
| Surfshark | 3200+ in 65 countries | Source |
| NordVPN | 5540 in 59 countries | Source |
| ExpressVPN | 3000+ in 94 countries | Source |
| OVPN | 91 in 27 countries | Source |
| AzireVPN | 65 in 19 countries | Source |
| Perfect Privacy | 60+ in 25 countries | Source |
| CyberGhost | 7200+ in 91 countries | Source |
| VyprVPN | 700+ in 70 countries | Source |
Problems with VPNs’ Privacy Policies
VPN’s Jurisdiction (5/9/14 Eyes)
Some jurisdictions are very hostile for privacy. For instance, laws of the Russian Federation where Kaspersky is based require VPN providers to store user data – the opposite of what VPNs are about.
If a VPN is located in a country that’s part of the 5/9/14 eyes alliances, that’s also a concern.
They’re jurisdictions with mandatory data retention laws. A truly no-logs VPN would not be retaining any data – but if it’s located in a 5/9/14 country, it would most likely be obliged to. Its jurisdiction would be collecting the data of a VPN that keeps logs and share it with other members of the alliance.
Therefore, even if a VPN’s privacy policy stipulates that it’s a no-logs provider, I recommend checking where it’s located. If it’s a 5/9/14 country, privacy policy might be overruled by international law.
For that reason, I suggest checking whether such VPNs have the technical capacity to not keep logs – e.g. if they have RAM-only servers – before choosing a provider.
Unclear Presentation with Wrong Purpose
Some VPN logging and privacy policies I reviewed didn’t stipulate clearly what data they were retaining and when. For instance, SmartDNSProxy’s privacy policy seems to only apply to users’ activities on the website, and it’s not the only provider with such stipulations. I had to double-check via customer support whether the policy applied to users’ activities within the VPN (it does).
Other providers’ policies only seemed to focus on making the VPN look like a no-logs VPN by, for example, posting large “We don’t keep logs” statements at the very beginning. When I read through the small prints of those policies, however, I saw that that wasn’t the case at all.
For instance, F-Secure’s policy starts that way by promising they don’t read traffic, but later stating that they “analyze the traffic for suspicious or malicious files and destinations (i.e. URLs) and automatically screen the traffic to inhibit usage that is against our acceptable use policy”.
So, it contradicts itself in a legal document, which means that you’re not certain what’s happening with your activities when you’re connected to their VPN.
Wrapping Up
Before choosing a VPN provider, you need to know what’s happening with your data whilst you’re connected to it. VPN logging and privacy policies are a good place to start as they’d ideally stipulate whether or not the data is retained. However, as you can see, that’s not always clear.
Despite most VPNs claiming they don’t keep logs, many of them in fact do, in one way or another. And the way the policies are written doesn’t always answer the question one way or another.
Based on what I’ve discovered in the days of my research, I suggest that you:
- Choose VPNs that don’t keep traffic and IP logs.
- Consider VPNs with audited or verified logging policies and/or RAM-only servers.
- Be wary of VPNs in 5/9/14 countries or those with unclear privacy policies.
