The phrase “no-log VPN” gets thrown around so often that it’s started to lose meaning. Almost every VPN provider on the market uses it somewhere in their marketing — on their homepage, in their app description, in the ads that follow you around the internet. It’s become the industry equivalent of a restaurant calling its food “fresh.” Technically it might be true. But it tells you almost nothing without more context.
The frustrating reality is that a no-log policy is only as good as the company behind it, the technical architecture supporting it, and the independent verification confirming it. Getting all three right is rarer than the marketing would have you believe. And since the whole point of a VPN is that you’re routing your internet traffic through someone else’s servers, picking the wrong one doesn’t just fail to protect you — it actively hands your data to a third party you never properly vetted.
So here’s how to actually evaluate a VPN’s logging claims, step by step, without needing a computer science degree to do it.
Start With What “No Logs” Actually Means
Not all logging is equal, and VPN providers don’t always make clear distinctions between the types of data they might or might not collect. Understanding the categories helps you read privacy policies with more discernment.
Connection logs are records of when you connected, from what IP address, for how long, and how much data you used. Some providers collect these for network management purposes and claim they’re harmless because they’re not tied to your browsing activity. In practice, connection logs can still be used to link activity to a specific person at a specific time — which is a problem if you’re relying on a VPN for meaningful privacy.
Activity logs are the more serious category. These are records of what websites you visited, what searches you ran, what files you downloaded. A VPN that keeps activity logs is not a privacy tool by any reasonable definition. It’s a surveillance system you’re paying for.
Minimal operational data — things like aggregate bandwidth usage across a server, or anonymized performance metrics — is less concerning and often collected by providers who genuinely don’t log the things that matter. The key word is anonymized: data that cannot be traced back to an individual user.
When a VPN says “no logs,” what you want to know is whether that applies to connection logs and activity logs, not just the latter. The distinction matters.
Read the Privacy Policy — Really Read It
Privacy policies are deliberately tedious. They’re written by lawyers and designed to be comprehensive rather than readable, which means most people skip them entirely. That’s exactly the behavior that allows vague or misleading policies to go unnoticed.
You don’t have to read every word, but there are specific things worth looking for. Search for the words “may collect,” “we retain,” and “third parties.” These phrases often appear near the parts of a policy where providers carve out exceptions to their no-log claims. A policy that says “we do not log browsing activity” but also says “we may share data with third parties for service improvement purposes” is not giving you the protection the headline suggests.
Look for specific language about what is and isn’t collected, rather than vague assurances. A strong privacy policy will tell you exactly what data categories are collected, for how long, and under what circumstances they might be shared. A weak one will use broad language that sounds reassuring but commits to very little.
Also look for what happens when the provider receives a legal request — a subpoena, a court order, a demand from law enforcement. The best providers state explicitly that they cannot comply with such requests because they don’t have the data to hand over. That’s only a credible claim if the technical architecture backs it up, which brings us to the next point.
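A small policy-scanning helper, added here as an illustration and not part of the original article, that mechanises the two pieces of advice above: it pulls out every sentence containing the carve-out phrases “may collect,” “we retain,” and “third parties,” then tags each hit with the log category it appears to describe (connection data, activity data, or aggregate/anonymized data). The keyword lists and the sample policy text are my own assumptions, constructed for the example.

```python
import re

# Phrases the article recommends searching for; exceptions tend to sit next to them.
CARVE_OUT_PHRASES = ("may collect", "we retain", "third parties")

# Assumed keyword heuristics for the log categories the article distinguishes.
CATEGORY_TERMS = {
    "connection": ("ip address", "timestamp", "connection time", "session",
                   "bandwidth", "duration"),
    "activity": ("website", "browsing", "dns", "search", "download",
                 "traffic content"),
}
# Markers suggesting the data is the less-worrying aggregate/anonymized kind.
ANONYMIZED_MARKERS = ("aggregate", "anonymized", "anonymised", "not linked")


def split_sentences(text):
    """Crude sentence splitter: break after . ! ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def classify(sentence):
    """Return the log categories whose keywords appear in the sentence."""
    low = sentence.lower()
    return [c for c, terms in CATEGORY_TERMS.items() if any(t in low for t in terms)]


def scan_policy(text):
    """Return one finding per sentence that contains a carve-out phrase."""
    findings = []
    for sentence in split_sentences(text):
        low = sentence.lower()
        hits = [p for p in CARVE_OUT_PHRASES if p in low]
        if not hits:
            continue
        findings.append({
            "sentence": sentence,
            "phrases": hits,
            "categories": classify(sentence),
            "anonymized": any(m in low for m in ANONYMIZED_MARKERS),
        })
    return findings


# Constructed sample policy text (not from any real provider).
SAMPLE_POLICY = (
    "We do not log your browsing activity. "
    "We may collect your IP address and connection timestamps for network management. "
    "We retain aggregate bandwidth statistics that are not linked to any user. "
    "We may share data with third parties for service improvement purposes."
)

if __name__ == "__main__":
    for f in scan_policy(SAMPLE_POLICY):
        print(f["phrases"], f["categories"], "anonymized" if f["anonymized"] else "", "|", f["sentence"])
```

On the sample text the reassuring first sentence is never flagged, while the “may collect” sentence is tagged as connection-log data, which is exactly the carve-out the headline “no logs” claim glosses over.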
Independent Audits Are the Only Real Verification
A privacy policy is a promise. An independent audit is evidence. The difference is significant, and it’s the single most important factor separating trustworthy VPN providers from ones that are simply good at marketing.
A proper security audit involves a third-party firm — ideally one with a credible reputation in the security industry — being given access to the VPN provider’s systems, code, and infrastructure. The auditors look for discrepancies between what the privacy policy claims and what the technical systems actually do. They look for logging mechanisms that shouldn’t exist, data retention that contradicts stated policies, and vulnerabilities that could expose user information.
NordVPN has been audited multiple times, with assessments by both PwC and Deloitte that specifically examined its no-log claims. ProtonVPN has undergone infrastructure audits and open-sourced its apps, which allows independent security researchers to inspect the code directly. Mullvad has a strong audit record and is particularly transparent about its technical architecture. These are the kinds of verifiable credentials worth looking for.
When evaluating a VPN, check whether it has been audited, who conducted the audit, when it was done, and whether the report is publicly available. An audit from three years ago is better than no audit, but an annual audit program is significantly more credible than a one-time exercise a company did when it was trying to build a reputation and never repeated.
Be skeptical of providers who claim audits are in progress, or who reference internal reviews rather than independent third-party assessments. The word “independent” is doing a lot of work in this context.
Real-World Tests Matter More Than Marketing
Some of the most valuable evidence about a VPN’s logging practices comes not from audits but from real-world incidents — moments when authorities came looking for user data and either found it or didn’t.
ExpressVPN’s servers were seized by Turkish authorities in 2017 during an investigation into a political assassination. They found nothing useful. That’s a no-log policy being tested under genuine legal pressure, which is far more convincing than a press release.
IPVanish, by contrast, claimed a strict no-log policy for years before it was revealed in 2016 that the company had provided detailed connection logs to Homeland Security in a criminal investigation. The logs included timestamps, IP addresses, and session information — exactly the kind of data a no-log policy is supposed to guarantee does not exist. IPVanish has since changed ownership and updated its practices, but the incident is a useful reminder that claims without verification are worth very little.
These case studies aren’t just historical footnotes. They’re the only situations where a no-log policy gets tested in conditions that actually matter. Researching whether a VPN has ever been involved in a legal case — and what happened — is one of the most informative things you can do before making a decision.
Jurisdiction: Where the VPN Is Based Matters
Even a VPN with a perfect audit record and genuine no-log architecture can be undermined if it’s based in the wrong country. Jurisdiction determines which laws the provider operates under, which governments can compel it to cooperate with, and what legal protections exist for user data.
The 14 Eyes alliance — an intelligence-sharing arrangement between the US, UK, Canada, Australia, New Zealand, and nine other countries — means that a VPN based in any of those nations could theoretically be required to assist with surveillance requests, even for users in other countries. That doesn’t automatically make such a VPN untrustworthy, but it’s a meaningful consideration.
Providers based in Switzerland, Panama, Iceland, or the British Virgin Islands operate under significantly more privacy-friendly legal frameworks. Switzerland in particular has strong statutory protections for user data that go beyond what most countries offer. This is one reason ProtonVPN’s Swiss base is considered an asset rather than just a geographic detail.
A Practical Checklist Before You Commit
Pulling this together into something actionable: before signing up for any VPN, it’s worth running through a short set of questions. Does the privacy policy clearly specify what is and isn’t collected, including connection logs? Has the service been independently audited, by whom, and how recently? Is the audit report publicly available? Has the provider ever been tested by real legal pressure, and what was the outcome? Where is the company based, and what does that mean for data protection?
No single factor is determinative on its own. A VPN based in Panama with no audit history is not automatically better than one based in the US with five years of clean audits. The full picture matters, and taking twenty minutes to research it before committing to a service you’ll route all your internet traffic through is time well spent.
Make an Informed Choice
The good news is that genuinely trustworthy VPNs exist. NordVPN, ProtonVPN, and Mullvad all have credible audit histories, clear privacy policies, and jurisdictions that work in users’ favor. None of them are perfect, but all of them have done the work to earn a reasonable level of trust.
The bad news is that the market is full of providers that haven’t, and their marketing is often just as polished as the legitimate ones.
If you’ve already got a VPN and want to know how it holds up against these criteria, drop the name in the comments. We’ll take a look and give you an honest assessment.