You're paying for a VPN, so your privacy must be covered, right?
The truth is — not necessarily.
I'm Xiaolu, a former KPMG cybersecurity consultant and now an independent security blogger. I previously wrote about the privacy risks of free VPNs, and a lot of readers came back asking: "So I'm safe if I just pay for one, right?"
Sorry to disappoint: Paid VPNs can absolutely still be logging your browsing history. And some have been caught doing exactly that.
This article will teach you 7 concrete methods to figure out whether your VPN is secretly tracking your every move.
What Is a No-Log Policy? And Why Most of Them Are Empty Promises
Nearly every VPN plasters "No-Log Policy" or "Zero-Log Policy" across their website. The message: we don't record your connection times, we don't record the sites you visit, we don't record your IP address — we don't record anything.
Sounds great, right? The problem is — that statement has zero legal binding force.
What you may not realize is that "No-Log" has no legal definition and no regulatory standard. Any VPN company can write "we don't keep logs" on their website, then bury a line in 8-point font on page 47 of their privacy policy: "We may collect certain connection data to improve service quality."
A No-Log policy is fundamentally a self-declaration — like a restaurant hanging a sign that says "Best Food in Town." You can't take it at face value just because they wrote it. What actually matters is: has anyone verified this claim? And what did they find?
VPNs That Claimed No-Log But Got Caught
Before teaching you how to check, let's look at some classic cases of "saying one thing and doing another." These aren't scare tactics — they're all well-documented real events.
UFO VPN: 20 Million Records Exposed in 2020
UFO VPN had it in black and white on their website: "We do not track user activities." Then in July 2020, security research team Comparitech discovered that UFO VPN's Elasticsearch database had no password protection at all — sitting wide open on the public internet, containing over 20 million user log entries, including plaintext passwords, connection IPs, session tokens, and even websites visited.
To make matters worse, the same investigation found that FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN — six other VPN brands — all shared the same backend server. Every single one was compromised. These apps looked like different brands but were the same company wearing different skins.
IPVanish: Cooperated with the FBI and Handed Over User Data
IPVanish also claimed a strict No-Log policy. But in 2016, when the U.S. Department of Homeland Security (DHS) investigated a child exploitation case, IPVanish proactively provided the suspect's connection logs, including IP addresses and connection timestamps.
Court documents clearly state: IPVanish not only had logs, they cooperated eagerly. The company was later acquired and the management changed, and it now says "now we really don't log," but once trust is broken, how do you rebuild it?
PureVPN: "Zero Logs" Yet Helped the FBI Locate a Suspect
In 2017, the FBI was investigating a cyberstalking case, and PureVPN provided the suspect's real IP address and connection time records. At the time, PureVPN's privacy policy explicitly stated "We do NOT keep any logs."
PureVPN later argued that what they recorded were "connection logs" rather than "activity logs" — but from the user's perspective, if logs can be used to trace your real identity, what's the difference?
VPNpro Investigation: 97 VPN Brands Owned by Just 23 Parent Companies
A 2019 VPNpro study revealed another problem: 97 VPN brands on the market actually belonged to just 23 parent companies. Many seemingly independent VPN brands are owned by the same entity. This means when you think you're comparing different products, you might just be choosing between different packaging from the same company.
7 Ways to Check: Is Your VPN Actually Logging Your Data?
Alright, case studies done. Now let's get practical — pull up the VPN you're currently using and check it against each item.
Method 1: Read the Privacy Policy with a Magnifying Glass — Look for "Red Flag" Words
Yes, you need to read the privacy policy. Nobody wants to read that stuff, I know, but it's the most direct approach.
The point isn't what it says — it's what it doesn't say and what vague language it uses.
Here are common red flag words:
- "may collect" — "may" means "will"
- "aggregated data" — sounds harmless, but aggregated data combined with timestamps can be reverse-engineered to identify individuals
- "improve our services" — a catch-all excuse; any data can be justified under this
- "connection logs" vs "activity logs" — this distinction is wordplay. Connection logs (IP, timestamps, connection duration) are enough for law enforcement to locate you
- "third-party analytics" — means your behavioral data is being sent to external platforms like Google Analytics or Firebase
If the privacy policy doesn't contain a clear list of "what we do NOT collect," or if the entire document is vague legalese, that's a red flag.
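The red-flag search can be automated as a first pass. The following is an added example, not code from the original article: the regex variants (such as "might collect") and the sample policy text are constructed for illustration, and a match is a prompt to read the sentence, not a verdict.

```python
import re

# Red-flag phrases from the list above; the regex variants are assumptions.
RED_FLAGS = {
    "may collect": r"\b(?:may|might|could)\s+(?:also\s+)?collect\b",
    "aggregated data": r"\baggregated?\s+(?:data|information|statistics)\b",
    "improve our services": r"\bimprove\s+(?:our|the)\s+services?\b",
    "connection logs": r"\bconnection\s+(?:logs?|data|timestamps?)\b",
    "third-party analytics": r"\bthird[- ]party\s+analytics\b",
}
# An explicit "what we do NOT collect" statement counts in the policy's favour.
NEGATIVE_COMMITMENT = re.compile(
    r"\b(?:do|does|will)\s+not\s+(?:collect|log|store|record|keep)\b", re.I)

# Constructed sample text, not taken from any real provider's policy.
SAMPLE_POLICY = """\
We respect your privacy. We may collect certain connection data to
improve our services. Aggregated data is shared with third-party analytics
partners. Payment details are processed by our billing provider."""


def scan_policy(text):
    """Return (findings, has_explicit_negative_list) for a privacy-policy text."""
    # Collapse line breaks, then split into sentences so each hit has context.
    sentences = re.split(r"(?<=[.!?])\s+", " ".join(text.split()))
    findings = []
    for number, sentence in enumerate(sentences, start=1):
        for label, pattern in RED_FLAGS.items():
            if re.search(pattern, sentence, re.I):
                findings.append((number, label, sentence))
    has_negative = any(NEGATIVE_COMMITMENT.search(s) for s in sentences)
    return findings, has_negative


if __name__ == "__main__":
    hits, has_negative = scan_policy(SAMPLE_POLICY)
    for number, label, sentence in hits:
        print(f"sentence {number}: [{label}] {sentence}")
    if not has_negative:
        print('red flag: no explicit "we do not collect" statement found')
```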
Method 2: Check the Company's Jurisdiction
Where a VPN company is registered determines what laws govern it — and whether the government can legally demand your data.
High-risk jurisdictions (intelligence-sharing alliances):
- Five Eyes (US, UK, Canada, Australia, New Zealand): Member states share intelligence; laws can compel companies to hand over user data
- Nine Eyes: Add Denmark, France, Netherlands, Norway
- Fourteen Eyes: Add Germany, Belgium, Italy, Sweden, Spain
Relatively privacy-friendly jurisdictions:
- Panama: NordVPN's registered location; no mandatory data retention laws
- British Virgin Islands (BVI): ExpressVPN's registered location; not part of any intelligence alliance
- Switzerland: Proton VPN's registered location; strict privacy protection laws
- Sweden: Mullvad's registered location; though part of Fourteen Eyes, Swedish law doesn't require VPNs to retain logs
Note: Jurisdiction isn't the only factor, but it's definitely an important first filter. If your VPN is registered in the United States, no matter how loudly it claims No-Log, a single court order from the US government forces compliance (IPVanish is a textbook example).
Method 3: Confirm Whether It Has Passed a Third-Party Independent Audit
This is currently the most reliable verification method. An independent audit means an external, reputable accounting or cybersecurity firm has actually gone into the VPN company's servers and systems to check whether it's really logging user data.
VPNs that have passed independent audits (as of 2026):
| VPN | Audit Firm | Number of Audits | Notes |
| --- | --- | --- | --- |
| NordVPN | Deloitte | 4 | Latest in 2024, confirmed no logs |
| ExpressVPN | KPMG, Cure53 | Multiple | TrustedServer architecture audited by KPMG |
| Surfshark | Deloitte | 2 | Completed second audit in 2023 |
| Mullvad | Assured AB | Multiple | Swedish police raided their office in 2023 and found zero user data |
| Proton VPN | Securitum | 2 | Open-source client, high transparency |
| Private Internet Access (PIA) | Deloitte | 1 | Passed first audit in 2023 |
Not having passed an audit doesn't necessarily mean they're logging, but passing an audit is at least a verifiable, objective fact — not just an empty marketing slogan.
Method 4: Check the Server Architecture — RAM-Only or Hard Drives?
This one is more technical but critically important.
Traditional VPN servers use hard drives for storage. Once data is written to disk, it persists even after a reboot. If a server is seized, forensic tools can recover data from the hard drive.
RAM-only servers are different: all data runs in memory, and the moment a server is rebooted, all data is permanently erased. Even if someone physically takes the entire server, the instant the power is cut, the data is gone.
VPNs currently using RAM-only architecture:
- ExpressVPN (TrustedServer): Industry pioneer, started in 2019
- NordVPN: Began full transition in 2020
- Surfshark: All servers converted to RAM-only
- Mullvad: Fully RAM-only
If your VPN's website says nothing about RAM-only or diskless servers, it's very likely still running on traditional hard drives — meaning it's technically capable of retaining your logs.
Method 5: Search for a Warrant Canary
A warrant canary is a clever legal workaround. In countries like the United States, when a company receives a National Security Letter (NSL), the law prohibits them from disclosing it publicly. But the law doesn't require companies to lie.
So some VPNs post a statement on their website: "As of this date, we have not received any secret government requests for user data." That's a warrant canary — if the statement disappears one day, it means they received one but can't say so.
How to check:
1. Go to your VPN's website and search for "warrant canary" or "transparency report"
2. Confirm the statement is regularly updated (with dates)
3. If it used to exist but is now gone — that's a red flag
VPNs with warrant canaries include NordVPN, Surfshark, and Private Internet Access. ExpressVPN and Mullvad opt for transparency reports instead.
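Steps 2 and 3 above can be turned into a repeatable check over saved copies of the canary page. This is an added example, not code from the original article: the 90-day freshness limit, the date formats handled, and the sample page text are assumptions made for illustration.

```python
import re
from datetime import date, datetime

MAX_AGE_DAYS = 90  # assumption: older than this counts as "not regularly updated"
CANARY_RE = re.compile(r"warrant\s+canary", re.I)
# Dates written as 2025-01-15 or "January 15, 2025".
DATE_RE = re.compile(r"\b(\d{4}-\d{2}-\d{2}|[A-Z][a-z]+ \d{1,2}, \d{4})\b")

# Constructed sample page text, not copied from any provider's site.
SAMPLE_PAGE = ("Warrant canary. As of January 15, 2025, we have not received "
               "any secret government requests for user data.")


def parse_dates(text):
    """Extract every recognisable date from the canary section."""
    found = []
    for raw in DATE_RE.findall(text):
        for fmt in ("%Y-%m-%d", "%B %d, %Y"):
            try:
                found.append(datetime.strptime(raw, fmt).date())
                break
            except ValueError:
                continue
    return found


def check_canary(page_text, today, seen_before=False):
    """Classify a canary page as fresh, stale, undated, missing or disappeared."""
    if not CANARY_RE.search(page_text):
        # Step 3: a canary that existed at an earlier check and is now gone.
        return "disappeared" if seen_before else "missing"
    dates = [d for d in parse_dates(page_text) if d <= today]  # ignore future dates
    if not dates:
        return "undated"
    age_days = (today - max(dates)).days
    return "fresh" if age_days <= MAX_AGE_DAYS else "stale"


if __name__ == "__main__":
    print(check_canary(SAMPLE_PAGE, date(2025, 3, 1)))
```

Pass only the canary section of the page, since unrelated dates elsewhere (for example a copyright year line) would otherwise be picked up.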
Method 6: Run a DNS Leak Test
Even if your VPN claims No-Log, if it has a DNS leak, your browsing history is still fully visible to your ISP (Internet Service Provider).
Testing steps:
1. Connect to your VPN
2. Open dnsleaktest.com or ipleak.net
3. Click "Extended Test"
Reading the results:
- If the DNS servers shown belong to your VPN provider — OK, no leak
- If they show your ISP — you have a DNS leak, and your ISP can see which websites you're visiting
DNS leaks are a common problem with many VPNs, especially smaller or less technically capable ones. No matter how impressive the privacy policy reads, if DNS leaks, the whole No-Log claim is worthless.
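The result-reading rule above, written out as code so that a mixed result (a VPN resolver over IPv4 plus an ISP resolver over IPv6) is not misread as clean. This is an added example, not code from the original article: the network ranges are constructed documentation ranges, and the "review" verdict for resolvers belonging to neither party is an addition beyond the two cases the article lists.

```python
import ipaddress

# Constructed sample networks (documentation ranges). Substitute the ranges
# your VPN provider and your ISP actually announce.
VPN_NETS = ["198.51.100.0/24", "2001:db8:aaaa::/48"]
ISP_NETS = ["203.0.113.0/24", "2001:db8:bbbb::/48"]


def _owner(ip, vpn_nets, isp_nets):
    """Return 'vpn', 'isp' or 'unknown' for one resolver address."""
    addr = ipaddress.ip_address(ip)
    for label, nets in (("vpn", vpn_nets), ("isp", isp_nets)):
        for net in nets:
            network = ipaddress.ip_network(net)
            if addr.version == network.version and addr in network:
                return label
    return "unknown"


def classify_resolvers(resolver_ips, vpn_nets=VPN_NETS, isp_nets=ISP_NETS):
    """Map each resolver shown by the leak test to its owner and give a verdict."""
    owners = {ip: _owner(ip, vpn_nets, isp_nets) for ip in resolver_ips}
    seen = set(owners.values())
    if not owners:
        verdict = "no data"
    elif "isp" in seen:
        verdict = "leak"    # a single ISP resolver is enough to expose lookups
    elif "unknown" in seen:
        verdict = "review"  # third-party resolver: not the ISP, not the VPN either
    else:
        verdict = "ok"
    return verdict, owners


if __name__ == "__main__":
    # Constructed test result: VPN resolver over IPv4, ISP resolver over IPv6.
    print(classify_resolvers(["198.51.100.53", "2001:db8:bbbb::53"]))
```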
Method 7: Check the App's Permissions and Embedded Trackers
The final method: look under the hood of the VPN app itself.
Permission check (Android users):
- Go to Settings → Apps → your VPN app → Permissions
- Reasonable VPN permissions: network access, VPN connection
- Unreasonable permissions: contacts, SMS, camera, microphone, location (precise location), phone state
- If it wants access to your contacts or SMS, delete it immediately
Tracker check:
- Go to Exodus Privacy and search for your VPN app name
- This tool lists how many trackers are embedded in the app
- 0-2 trackers is normal (likely just crash reporting)
- More than 5? They're probably tracking your usage behavior, device information, and even geolocation — then selling that data to advertisers
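The permission check can also be run against an app's decoded AndroidManifest.xml rather than the Settings screen. This is an added example, not code from the original article: it assumes you already have the manifest as plain XML (for instance decoded with a tool such as apktool), and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android permissions matching the "unreasonable" categories listed above.
UNREASONABLE = {
    "READ_CONTACTS": "contacts", "WRITE_CONTACTS": "contacts",
    "READ_SMS": "SMS", "SEND_SMS": "SMS", "RECEIVE_SMS": "SMS",
    "CAMERA": "camera", "RECORD_AUDIO": "microphone",
    "ACCESS_FINE_LOCATION": "precise location",
    "READ_PHONE_STATE": "phone state",
}
DELETE_NOW = {"contacts", "SMS"}  # the article's "delete it immediately" cases

# Constructed sample manifest for a hypothetical app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def audit_manifest(manifest_xml):
    """Return (verdict, flagged) where flagged maps permission -> category."""
    root = ET.fromstring(manifest_xml)
    flagged = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            short = name.rsplit(".", 1)[-1]
            if name.startswith("android.permission.") and short in UNREASONABLE:
                flagged[name] = UNREASONABLE[short]
    if DELETE_NOW & set(flagged.values()):
        verdict = "delete"
    else:
        verdict = "review" if flagged else "ok"
    return verdict, flagged


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```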
When Can VPN Logs Hurt You Most?
You might think: "Even if my VPN logs, so what? I'm not doing anything wrong."
The truth is, the risk of logs goes way beyond "getting caught":
- Data breaches: Like UFO VPN — their database got hacked, and your browsing history, IP address, and account credentials all ended up on the dark web
- Cross-border government data requests: Think your VPN is out of reach because it's overseas? Intelligence sharing between Five Eyes countries is no joke
- Company acquisitions: The VPN company you trust today might be acquired by a data company tomorrow, and your historical logs become part of the acquisition assets
- Bypassing censorship in China: If your VPN keeps logs and its servers are in Five Eyes countries or jurisdictions within China's reach — the risk speaks for itself. To understand the legal risks of bypassing internet censorship, check out "Is using a VPN illegal in China?"
Quick Reference Table: Rate Your VPN's Privacy Level
| Check Item | Safe | Caution | Danger |
| --- | --- | --- | --- |
| Privacy policy | Explicitly lists what is NOT collected | Vague language, lots of "may collect" | No privacy policy found or all legal boilerplate |
| Jurisdiction | Panama, BVI, Switzerland | Fourteen Eyes country | China, Russia, undisclosed |
| Independent audit | Passed multiple times by reputable firms | Audited only once | Never audited |
| Server architecture | RAM-only | Not clearly stated | Confirmed hard drive usage |
| Warrant Canary | Present and regularly updated | Present but not updated in a long time | Never had one / had one but it disappeared |
| DNS leak test | No leaks | Occasional leaks | Persistent leaks |
| App trackers | 0-2 | 3-5 | More than 5 |
If your VPN falls into "Caution" or "Danger" for most items — seriously consider switching.
(Quick plug time) Speaking of not keeping logs, the VPN built into Sunset Browser takes a straightforward approach: it doesn't log your browsing history, doesn't log connection data, and doesn't collect any personally identifiable information. The server architecture is designed from the ground up to make log storage impossible. Open the app, tap to connect — no account registration required for the free plan. If you're looking for a tool that genuinely takes privacy seriously, check out the full review in China VPN Recommendations. Alright, plug over.
FAQ
Can you trust a VPN's No-Log policy?
You can't just take their word for it — look for verification through third-party independent audits. UFO VPN, IPVanish, and PureVPN all claimed No-Log but were proven to have kept records. VPNs audited by reputable firms like Deloitte, KPMG, and Cure53 are relatively more trustworthy.
Are paid VPNs always safer than free VPNs?
Not necessarily. Paying only means you spent money — it doesn't guarantee the privacy policy is more reliable. IPVanish was a paid VPN and still cooperated with the FBI to hand over user logs. Focus on objective indicators like jurisdiction, audit reports, and server architecture rather than price. For more on free vs. paid, see "Are Free VPNs Safe?"
How do I know if my VPN has a DNS leak?
After connecting to your VPN, go to dnsleaktest.com or ipleak.net and run an Extended Test. If the DNS servers shown are your ISP's rather than your VPN provider's, you have a leak. With a DNS leak, your internet service provider can still see which websites you've been visiting.
Did Mullvad really have no data after the Swedish police raid?
Yes. In April 2023, Swedish police raided Mullvad's office with a search warrant, demanding user data. Mullvad stated they had no user data to provide, and the police left empty-handed. This remains one of the most compelling real-world verifications of a No-Log claim to date.
Why do VPN companies use vague language in their privacy policies?
Because collecting absolutely zero data is technically challenging (e.g., server load monitoring), and vague language provides legal buffer. However, good VPNs clearly distinguish between "we collect nothing at all" and "we collect data but don't link it to individuals," and they use independent audits to prove they follow through. If a VPN's privacy policy is all vague language with no specific commitments, that's a red flag.
Conclusion: Trust Should Be Built on Verification, Not Marketing
When it comes to VPN privacy, the biggest issue isn't technology — it's trust.
Every VPN claims to be the safest, the most private, with absolutely no logging — but from UFO VPN to IPVanish to PureVPN, history has proven time and again: words alone don't count.
The good news is, you now have 7 concrete methods to verify for yourself. You don't need to believe anyone's marketing — you can check the privacy policy, check the jurisdiction, check the audit reports, and run DNS leak tests yourself.
Free costs the most, but paying doesn't guarantee safety either. The only thing that can truly protect your privacy is your own judgment.