VPN Logging Policies Explained

There are three types of data your VPN might record: activity logs, connection logs, and aggregated logs. Understanding what type of data falls into these categories is paramount if you’re to effectively protect your privacy.

1Activity Logs

Collecting activity data is the most invasive type of logging. It removes any privacy or anonymity benefit that a VPN might otherwise afford.

Also known as ‘usage logs’, this refers to any data explicitly related to your online activity.

Hola VPN’s privacy policy provides a good example of activity logging:

Free VPN applications like Hola VPN are a common culprit for collecting activity data. This data is often shared or sold to third parties for advertising purposes, effectively subsidizing the cost of a subscription.

Some subscription-based ‘no-log’ VPN services monitor user activity if they are suspicious about an individual, or if they are legally compelled to do so. Others will record user activity in real-time and then delete it when the VPN session is over.

For example, our review of SkyVPN found the service logs personally identifiable information such as your originating IP address and location information:

Because the data is deleted so quickly, this type of activity logging isn’t too much of a concern. That being said, it’s best to avoid it where possible.

Other providers like Hide.me are technically incapable of collecting activity logs due to the configuration of their network. From a privacy standpoint, these providers are your best option.

Needless to say, any VPN storing activity data should be avoided at all costs. If you’re concerned about activity logging, take a look at the most popular VPNs that log your activity data.

2Connection Logs

Connection logs can be collected at the server-level (e.g. total server bandwidth usage) or the user-level (e.g. your originating IP address).

Typically, this data is used to optimize network performance and troubleshoot customer queries.

Server-level connection logs are a great example of why not all logging is a problem. It’s practically impossible for a VPN to maintain performance without logging any data whatsoever.

In fact, monitoring and storing the right, non-identifiable data will help ensure you get the best possible experience from your VPN.

However, storing the wrong connection logs could allow a VPN service to match you to your activity. This could be used to personally identify you, which is a major problem for privacy-conscious users.

If you’re concerned about the type of connection data your VPN is logging, continue reading to find out exactly what kind of logging is unacceptable.

Here is an example of detailed user-level connection logs from Thunder VPN’s logging policy:

Claims that this data is only used to “deliver the best possible experience” or “improve customer service” are rife, but we know from experience that this level of detail isn’t necessary to maintain a well-performing VPN network.

3Aggregated Logs

Some of the most popular VPNs on the market collect aggregated logs. This means the VPN is collecting information that is supposedly anonymized and impossible to link to a specific user.

A VPN service might collect the websites that you visit, the bandwidth you use, or the dates and times you connect to a server. They will then strip this information of any identifying factors and add it to a larger database.

It’s important to be aware that some VPNs claim that they don’t keep logs when in fact they keep aggregated logs. Anchorfree’s privacy policy is a good example of what to look out for:

Ultimately, aggregated and anonymized data is not always the magic bullet that marketing teams will have you believe.

The exact type of data being aggregated and the efficacy of the anonymization process will dictate whether or not this type of logging is acceptable. You just have to trust that your VPN service is anonymizing your data effectively.

If this is a leap of faith you are uncomfortable with, you’re better off choosing a truly no-logs VPN service.

What Is a No-Logs VPN?

A truly no-logs VPN service does not collect or store any activity or connection data that could be used to personally identify you. Most importantly, it will not collect or hold any information transmitted through the VPN tunnel whatsoever.

This will ensure that no user can be tied to any specific activity or connection on the VPN network. Every user will be private, anonymous, and unknown even to the VPN provider.

The only identifying information a no-logs VPN will have is your email address (for registering your account) and billing (in case you want a refund).

No Log VPNs can’t be compelled to make user data available to authorities or third parties, as the data simply doesn’t exist.

This is how a strong logging policy can offset the issue of an unsafe VPN jurisdiction.

It’s important to note that “no-logs” doesn’t necessarily mean that absolutely no data is kept at all. Genuine “zero logging” is effectively impossible to implement while maintaining a strong network or enforcing restrictions like device limits.

Most VPNs will keep very basic data like aggregate server load information (the number of users or bandwidth used per server). This is a justifiably minimal approach to logging which involves absolutely no identifying information. This is still classed as a no-logs VPN.

The following VPN services log your browsing history and activity data. This is the most egregious form of logging and should be avoided at all costs.

This is by no means an exhaustive list of all VPNs that keep activity logs. You should always personally check your provider’s policy before trusting them with your data.

Provider Name	Data Logged	Storage Time
Hola Free VPN	URLs visited Time spent on web pages Access dates and times Originating IP address Browser type	“As long as necessary”
McAfee Safe Connect	URLs visited Time spent on web pages Connection timestamps Originating IP address Unique device ID Browser type Location information File data (emails, attachments, etc.)	“As long as necessary”
Psiphon	Domains visited VPN protocol used VPN session time Bandwidth usage Location data ISP	90 days
VPN99	URLs visited Unique device ID Originating IP address Connection timestamps OS version Browser type	5 years

*Collected by default through the ‘report operational errors’ feature within the application.

Unsuspecting VPN users are commonly misled by vague, false, or deliberately confusing logging policies designed to create the illusion of privacy.

If you don’t know what to look for, you could end up using a VPN service that puts you at risk.

If you’re assessing a VPN’s privacy policy or investing in a subscription, you should be aware of the following common problems.

If you’re already familiar with these issues, you can skip straight to How to Protect Yourself.

1False Advertising

With the exception of independent auditing, it’s almost impossible to truly verify a VPN’s logging policy until it’s too late.

To prove this point, there are several examples of supposedly ‘private’ or ‘no logs’ VPN providers that have been caught sharing detailed logs with authorities.

In 2011, London-based VPN service HideMyAss (HMA) played a key role in the arrest of Cody Kretsinger, a 23 year-old Phoenix resident. Kretsinger was a member of LulzSec, a spin-off of the hacker-activist group Anonymous.

HMA claimed to be a privacy-first service that allowed users to “surf anonymously online in complete privacy”:

The FBI traced Kretsinger’s hack to an IP address owned by HMA, and promptly issued a UK court order demanding logs. HMA complied and shared the connection logs that eventually identified Kretsinger.

While it is clear that illegal activities should not be condoned under any circumstances, this incident is just one example of a serious flaw in the VPN ecosystem. Selling a product that explicitly claims to protect a user’s identity and then doing the opposite is undeniably deceptive.

HideMyAss isn’t the only VPN with a history of false advertising — IPVanish also has a troubled past when it comes to data logging.

In 2016, IPVanish cooperated with the FBI to assist with a criminal investigation. Despite a privacy policy that was explicit about its zero-logging practices, IPVanish ultimately conceded to legal requests and provided detailed connection data to authorities.

While this is obviously concerning, it’s important to note that this incident occurred while the company was under entirely different ownership and management. For more information on this case, you can read our full IPVanish review.

It’s likely that there are many more examples of supposedly ‘no-logs’ VPNs sharing data with authorities or making false claims that we will simply never know about. As it stands, it’s important to look into your provider’s history before making a decision.

2Deliberate Ambiguity

In an ideal world, all VPN logging policies would clearly explain what data is kept during and after a VPN session. Unfortunately, many providers rely on ambiguity to help create a false sense of security.

Most users don’t realize that broad phrases like ‘no-logs’ aren’t always what they seem. Some VPN providers take advantage of the fact that there is no standard definition of ‘logs’ across the entire industry.

This loophole allows VPN services to avoid explicitly stating what type of data their ‘no logging’ claims refer to.

A provider might legitimately advertise ‘no-logs’ for activity data, but continue to record personally-identifiable connection data.

Put simply, many VPN providers are labeling themselves as ‘no logs’ by their own standards alone.

While some connection logs are not necessarily bad, making false or contradictory statements only adds to the confusion and distrust when selecting a VPN.

In a similar vein, it’s fairly common for a VPN’s marketing claims to directly contradict its privacy policy. Typically, they will make a bold ‘zero-logging’ claim on the homepage, and then carefully disclose the data they actually keep in the terms and conditions.

ThunderVPN provides a great example of these tactics. The company clearly advertises a “strict” no-logging policy on its Google Play Store listing:

However, a quick read of its privacy policy proves this to be completely untrue:

Not only are these practices dishonest, they’re potentially dangerous for unsuspecting VPN users that haven’t read their provider’s policy in full.

If you find a VPN that makes contradictory or misleading statements about its logging practices, it’s sensible to think twice about its trustworthiness. In most situations, it’s unlikely to be a VPN you should trust with your sensitive data.

3Lack of Detail

It’s surprisingly common for less popular VPN providers to operate without a privacy policy at all. Needless to say, if there are no details about data collection on the provider’s website, the VPN should not be trusted.

Similarly, look out for unusually short policies. Lots of providers simply state:

“We do not log any of your activity while connected to the VPN service”

These statements explain nothing about how your data might be collected in other ways.

Yoga VPN’s privacy policy is a good example of what to avoid. At just 371 words long, the entire document barely explains a single thing about how Yoga VPN operates.

Some services are also worryingly vague about how the terms of service are enforced. Dozens of providers boast about ‘no-logs’ but also warn users that they will “investigate suspicious behavior” or “ban abusive users” in the same sentence.

The question then stands: if a VPN does not log your IP address or activity, how are they able to investigate suspicious behavior?

If a VPN’s logging policy is short or vague, contact the provider’s support team for more details. Don’t use a product that’s not willing to invest the time to be clear and transparent about its practices.

4Jurisdiction

Logging policies and jurisdictions are closely intertwined. While obscure jurisdictions can be great for privacy, they can also cause issues in terms of accountability.

It’s much harder to hold a remote business accountable for violating false advertising laws or deceiving customers. If a VPN in Panama deliberately misleads a customer in Germany, there’s not a lot that can be done.

More importantly, a VPN provider’s jurisdiction will affect its legal obligation to log data and share it with authorities. A service based in the US, for example, could be compelled to monitor its users in secret.

These invasive jurisdictions are less of an issue if a VPN is truly no-logs. However, choosing a service outside of these countries may offer more protection.

To learn more about data sharing amongst the five, nine, and 14 eyes alliances, read our VPN Jurisdictions guide.