If you’ve spent any time researching VPNs, you’ve seen the phrase “no-log policy” repeated so many times it starts to blur into background noise. Every provider has one. Every homepage leads with it. Every comparison article lists it as a feature the way you’d list the number of servers or the price per month. It’s become so ubiquitous that most people skip past it entirely — which is exactly the wrong thing to do.
A no-log policy is arguably the single most important thing to understand about any VPN you’re considering. Not because the phrase itself means anything — it doesn’t, not on its own — but because what’s behind it, or not behind it, determines whether the service actually protects you or simply creates the impression of protection while quietly doing the opposite.
Let’s get into what this actually means, why the details matter so much, and how to tell the difference between a policy that’s worth something and one that’s marketing dressed up as a privacy commitment.
What Logging Actually Means in This Context
Before getting into what a no-log policy promises, it helps to understand what logging is and why VPN providers might do it in the first place.
When you connect to a VPN, a series of events happens on the provider’s infrastructure that could, in theory, be recorded. Your IP address connects to one of their servers. A session begins. Data flows through that session — websites visited, files downloaded, searches run, messages sent. The session ends. Those events generate data, and that data can either be recorded or discarded.
There are legitimate operational reasons why a provider might record some of this. Bandwidth monitoring helps manage network capacity. Connection timestamps can help diagnose technical issues. Aggregate usage statistics inform decisions about where to add servers. None of those things require recording what individual users are doing, but they do require some level of data collection, and the line between operational data and privacy-invasive data is blurrier than most providers admit.
The categories worth understanding are connection logs, which record metadata about when you connected, from where, and for how long, and activity logs, which record what you actually did while connected. A provider that keeps neither is genuinely not logging. A provider that keeps connection logs but not activity logs occupies a middle ground that’s less protective than it sounds. And a provider that keeps activity logs — regardless of what their homepage says — is not a privacy tool.
Why the Same Words Mean Different Things
Here is where the no-log conversation gets genuinely complicated. Two VPN providers can both publish no-log policies using nearly identical language, and one of them might be telling the truth while the other is technically complying with the letter of their own policy while completely violating its spirit.
The mechanism for this is definitional flexibility. A provider might define “logs” narrowly to mean only detailed activity records, while still retaining connection metadata that can be used to identify users and their behavior. They’re not lying, exactly — they’re using a definition of the word “logs” that serves their marketing rather than their users’ privacy.
Some providers retain data for what they describe as short periods — hours or days rather than months — and use this to claim they’re effectively no-log. But data that exists for 24 hours can still be subpoenaed or seized in that window. A warrant doesn’t check whether your retention policy is short. If the data exists when someone asks for it, it can be handed over.
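To make the last two points concrete, here is an added example (not from the original article or from any provider's code) showing how connection metadata alone, with no activity log, links one observation made by a third-party service to a subscriber, and how a 24-hour retention window only helps if the demand arrives after the records expire. The log layout, account names and addresses are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of provider-side connection logs: metadata only, no
# record of sites visited. Field layout is hypothetical; addresses come from
# documentation ranges (RFC 5737).
CONNECTION_LOG = [
    # (account, real source IP, VPN exit IP, session start, session end)
    ("acct-1001", "198.51.100.23", "203.0.113.5", "2026-03-01T09:00", "2026-03-01T11:30"),
    ("acct-1002", "198.51.100.77", "203.0.113.5", "2026-03-01T12:00", "2026-03-01T13:00"),
    ("acct-1003", "198.51.100.90", "203.0.113.9", "2026-03-01T09:15", "2026-03-01T10:45"),
]

def retained(log, now, retention):
    """Records whose session ended within the retention window at time `now`."""
    return [r for r in log if now - datetime.fromisoformat(r[4]) <= retention]

def attribute(exit_ip, seen_at, log, now, retention):
    """Match one third-party observation (exit IP + time) to subscriber records."""
    matches = []
    for account, real_ip, ip, start, end in retained(log, now, retention):
        in_session = datetime.fromisoformat(start) <= seen_at <= datetime.fromisoformat(end)
        if ip == exit_ip and in_session:
            matches.append((account, real_ip))
    return matches

# A destination service saw the shared exit IP 203.0.113.5 at 10:00.
SEEN_AT = datetime.fromisoformat("2026-03-01T10:00")

def demo():
    day = timedelta(hours=24)
    return {
        # Legal demand arrives 6 hours after the session ended: data still exists.
        "24h_retention_in_window": attribute("203.0.113.5", SEEN_AT, CONNECTION_LOG,
                                             datetime.fromisoformat("2026-03-01T17:30"), day),
        # Same demand two days later: the records have expired.
        "24h_retention_expired": attribute("203.0.113.5", SEEN_AT, CONNECTION_LOG,
                                           datetime.fromisoformat("2026-03-03T17:30"), day),
        # Nothing ever written: nothing to hand over at any time.
        "no_connection_logs": attribute("203.0.113.5", SEEN_AT, [],
                                        datetime.fromisoformat("2026-03-01T17:30"), day),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Only the third case gives the same answer no matter when the request arrives, which is the practical difference between short retention and no logging.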
Others collect what they call “anonymized” data and argue this doesn’t count as logging user activity. Anonymization is a meaningful protection when done properly, but research has repeatedly shown that anonymized datasets can often be re-identified by combining them with other available information. “Anonymized” doesn’t reliably mean “cannot be traced back to you.”
This is why reading the actual privacy policy — carefully, looking for the specific language described in a previous post — matters more than taking the marketing at face value.
The Proof Is in What Happens Under Pressure
There’s a version of evaluating a no-log policy that doesn’t require reading legal documents or understanding cryptography. It just requires looking at history.
Real no-log policies have been tested in the real world, and the results are instructive. When Turkish authorities seized an ExpressVPN server in 2017 while investigating a serious criminal case, investigators found nothing useful. The server contained no logs that could identify the user they were looking for. That’s what a functioning no-log policy looks like when it matters.
PureVPN had the opposite experience in 2017. The company had publicly claimed a strict no-log policy. When the FBI requested data related to a cyberstalking case, PureVPN provided connection logs that helped identify and convict the suspect. The logs included the user’s real IP address and the timestamps of their connections — exactly the kind of data that a no-log policy is supposed to mean does not exist. PureVPN’s defense was that their policy only covered browsing activity, not connection data, which is technically a coherent position and completely misses the point.
IPVanish had a similar experience, also in 2017, providing detailed session logs to Homeland Security despite a publicly advertised no-log policy. The pattern across these cases is consistent: providers whose policies contained ambiguous language or definitional loopholes turned out to have data when authorities came looking for it.
The providers with the cleanest track records — Mullvad, ProtonVPN, and more recently NordVPN following its post-2018 infrastructure overhaul — have either been tested and held up, or have made architectural decisions that make it genuinely difficult to log user activity even if someone wanted to.
What Architecture Has to Do With It
This brings up a point that doesn’t get enough attention in most discussions of no-log policies: the technology matters as much as the promise.
A provider can genuinely want to honor a no-log policy and still fail to do so if their technical infrastructure doesn’t support it. Conversely, a provider can make logging technically impossible — not just policy-prohibited — by building their systems in ways that don’t retain data in the first place.
Mullvad is a good example of the latter approach done seriously. The company has moved toward running servers entirely in RAM rather than on persistent storage drives. When a server is powered off or rebooted, everything on it is wiped. There are no logs because there is no persistent medium on which logs could be stored. That’s a fundamentally different security guarantee than “we promise not to look at the logs we’re technically capable of keeping.”
RAM-only servers, also sometimes called diskless servers, are increasingly offered by privacy-focused providers. NordVPN’s colocated server infrastructure now runs entirely on RAM. ProtonVPN has implemented similar approaches on portions of its network. It’s worth checking whether a provider you’re evaluating uses this approach, because it transforms a policy promise into a technical reality.
Open-source apps are another meaningful signal. When a VPN provider publishes the source code for its applications, independent security researchers can inspect that code for logging mechanisms or data collection practices that contradict the stated policy. ProtonVPN and Mullvad have both open-sourced their apps. That doesn’t guarantee perfect privacy, but it does mean the provider can’t hide data collection in client-side code without someone noticing.
Jurisdiction Shapes What a No-Log Policy Can Protect You From
Even a genuinely no-log VPN has limits, and understanding those limits matters for having realistic expectations.
A provider that truly keeps no logs cannot hand over data it doesn’t have. But a provider operating in a country with aggressive surveillance laws might be compelled to start logging going forward — to install monitoring infrastructure on their servers at the request of government authorities. This is sometimes called a gag order scenario, and it’s one reason why jurisdiction matters alongside logging policy.
Switzerland’s legal framework provides strong protections against this kind of compelled surveillance. Panama, Iceland, and the British Virgin Islands offer similar advantages. Providers based in these jurisdictions face meaningfully higher legal barriers to being turned into surveillance tools against their will than providers based in the United States, the United Kingdom, or other 14 Eyes member countries.
This doesn’t mean a US-based VPN is automatically untrustworthy — several have strong track records. But it adds a variable to the equation that’s worth factoring in alongside the logging policy itself.
What to Actually Look For
Pulling this together into practical guidance: a credible no-log policy in 2026 should include explicit statements covering both connection logs and activity logs, not just one or the other. It should be backed by at least one recent independent audit, with the report publicly available. Ideally, the provider uses RAM-only servers or other technical mechanisms that make logging difficult or impossible at the infrastructure level. And the provider’s history — whether they’ve ever been tested by legal demands and what happened — should be part of your research.
No-log policies matter. They’re just not all the same, and the difference between a real one and a marketing one is the difference between meaningful privacy and a false sense of security.
Choose a VPN That Has Actually Earned Your Trust
The providers that consistently meet the bar described here are a short list: Mullvad, ProtonVPN, and NordVPN lead it. Each has done the work — audits, architecture, transparency — to back up what their policies claim.