

A no-logs policy means the VPN provider does not retain records of your activity that could be used to reconstruct what you did online. At minimum this means they do not log the websites you visit, the content of your traffic, or the timestamps of individual connections.
The reason this matters is straightforward: a VPN only protects your privacy from surveillance if there is nothing for someone to find. If a government agency, law enforcement body, or attacker can subpoena or seize server data and find records of your activity, the VPN failed its core purpose. A no-logs policy, if genuinely implemented, means there is nothing to hand over.
The phrase "no-logs" has become marketing noise. Nearly every VPN uses it. The actual question is not whether a VPN claims no-logs, but whether the claim holds up when you look at the specifics.
Understanding the claim requires understanding what a VPN technically could log, because policy language often distinguishes between types of data. The categories are:
Activity logs: What you actually did: websites visited, DNS queries, content of traffic. These are the most sensitive. A VPN that logs these is not a private VPN in any meaningful sense.
Connection logs: Records of when you connected, from which IP, to which server, for how long. These do not reveal what you did, but they can place you at a VPN server at a specific time, which may be enough for legal purposes.
Bandwidth or volume data: How much data you transferred in a session. Less identifying than connection logs, but still a form of metadata.
Aggregate or diagnostic data: Some providers log anonymised statistics about server load, connection counts, or error rates. Done correctly this does not identify individuals. Done poorly, or if the anonymisation is weak, it can.
Account data: Your email address, payment method, and subscription details. These exist by necessity for billing. They are separate from activity data but are still data the provider holds about you.
A provider can honestly claim "no activity logs" while still keeping connection logs. Read policies carefully for exactly which categories are and are not retained.
Independent audits are the closest thing to external verification of a no-logs claim. Security firms like Cure53 [1] review a VPN provider's server configurations, logging infrastructure, and internal policies, then publish a report on what they found.
A good audit report will: name the specific systems examined, describe the methodology used, list the servers or configurations tested, and clearly state what evidence of logging was or was not found. It should be published publicly, not just summarised.
What audits cannot do is guarantee future behaviour. An audit is a snapshot. It verifies that at the time of the audit, the systems inspected were not logging the data the provider claims not to log. A provider could theoretically change their configuration after an audit. This is why the cadence of audits matters: a provider audited once in 2019 and not since offers weaker assurance than one audited annually.
Be sceptical of vague audit references. "We have been audited" with no named firm, no published report, and no date tells you nothing. The audit report itself should be findable and readable.
A privacy policy that is written to be unreadable is a red flag in itself. Legitimate no-logs policies are specific. Here is what to watch for:
Vague aggregate language: "We may collect anonymised, aggregated data for analytics purposes." This covers a lot of ground. What data? Aggregated how? Shared with whom? Policies that rely on vague aggregate carve-outs are leaving room for something.
"We do not log browsing activity" without specifying connection logs: Activity logs and connection logs are different things. A policy that only addresses activity logs and says nothing about connection logs may be keeping them.
Data shared with parent companies or affiliates: Some VPN providers are owned by larger companies with ad-focused business models. Check ownership. A privacy policy with broad sharing permissions for affiliates undermines the whole point.
Jurisdiction that creates legal risk: A VPN provider headquartered in a country with mandatory data retention laws or strong intelligence-sharing agreements is under legal pressure to retain data regardless of their policy. The no-logs claim is harder to maintain when the law requires the opposite.
History of disclosure: IPVanish claimed no-logs in 2016 but provided connection logs to US Homeland Security when subpoenaed [3]. A no-logs claim that has already been contradicted by a disclosed court case tells you the policy is not what it says.
The EFF recommends treating VPN evaluation as a matter of assessing who you are transferring trust to [2]. When a VPN replaces your ISP as the observer of your traffic, the question becomes whether you have better reasons to trust the VPN than your ISP. These questions help answer that:
What specific categories of data are retained, and for how long?
Have they published an independent audit report? By which firm? When was it conducted?
Where is the company incorporated, and what data retention laws apply to them?
What is their business model? If the service is free, what are they selling?
Have they ever received a legal request for user data? How did they respond?
Does the privacy policy clearly state that connection logs are not kept, not just activity logs?
A provider that answers these questions clearly, in their public documentation, is in a different category from one that deflects with marketing language.
BuycatVPN does not log your browsing activity, DNS queries, connection timestamps, or session data. The full details of what is and is not collected are in the privacy policy [4]. It is written to be readable, not to obscure things.
Account data (email, payment) is kept for billing purposes. This is standard and unavoidable if you have a subscription. What is not kept is any record that connects your account to what you did while connected.
[1] Cure53: Berlin-based security firm that has audited several major VPN providers including Mullvad and ProtonVPN.
[2] Electronic Frontier Foundation guidance on evaluating VPN providers, including logging policies.
[3] IPVanish claimed a no-logs policy but provided connection logs to US Homeland Security in 2016. A commonly cited case for why policy language must be read carefully.
[4] BuycatVPN's full privacy policy detailing what data is and is not collected.