No-logs explained: what it means, what to look for, and how we design for it

TL;DR

• A true no-logs VPN does not keep records of your browsing history, connection timestamps, or IP addresses.
• Many VPNs claim "no-logs" but still collect connection metadata like session duration and bandwidth used.
• You should look for independently audited no-logs policies with public reports, rather than trusting marketing claims.
• Jurisdiction matters—where the VPN company is based affects what data can be legally demanded by authorities.
• PrivateByRight is designed to minimize data collection by default, using RAM-only servers and third-party audits.

What a VPN Does (and Doesn't)

✅ A VPN does: - Encrypts your connection between your device and the VPN server - Hides your IP address from many websites and services - Helps reduce exposure on public networks

❌ A VPN doesn't: - Make you anonymous - Guarantee that your provider isn't logging (without an independent audit) - Protect you if the provider stores data that can later be requested by authorities

"We have a strict no-logs policy."

You see this claim on nearly every VPN website. But what does it actually mean? And more importantly—how do you verify it?

A "no-logs" policy should mean the VPN provider doesn't keep records of what you do online. No browsing history, no connection timestamps, no linking of activity to your account. But the reality is more nuanced. Some providers claim "no-logs" while still collecting connection metadata. Others make the claim without any independent verification.

This guide explains what logs exist, what to look for in a no-logs policy, and how we design our systems to minimize data collection.

Types of Logs: What VPNs Can Collect

Not all logs are the same. Here is what VPN providers could collect—and what "no-logs" should actually mean.

1. Activity Logs (Browsing History)

What it is: Records of which websites you visit, when you visit them, and what you do there.

Example data: - Domain names (example.com, news-site.org) - Full URLs (example.com/page-123) - Timestamps for each request - Data transferred per session

Why it matters: This is the most invasive type of logging. If a VPN keeps activity logs, they can hand over your entire browsing history to authorities, advertisers, or anyone else requesting it.

No-logs policy should say: "We do not log browsing activity, DNS queries, or destination IP addresses."

2. Connection Logs (Metadata)

What it is: Records of when you connect, how long you stay connected, and which server you use—but not what you do during the session.

Example data: - Your real IP address - VPN server you connected to - Connection timestamp (start/end time) - Session duration - Total bandwidth used

Why it matters: Even if a provider doesn't log what you browse, connection logs can still link you to a VPN session. If authorities request data, the provider can confirm "User X was connected to Server Y at Time Z." This is enough to narrow down suspects or correlate activity with other data sources.

No-logs policy should say: "We do not log connection timestamps, session duration, or originating IP addresses."

3. Aggregated / Anonymized Data

What it is: Statistical data used for performance monitoring, server load balancing, or debugging—without identifying individual users.

Example data: - Total bandwidth used across all servers (not per user) - Server uptime and performance metrics - Anonymized error reports

Why it matters: This type of logging is generally safe if it is truly anonymized. However, "anonymized" data can sometimes be re-identified if combined with other data sources.

No-logs policy should clarify: "We collect anonymized performance data that cannot be linked to individual users."

4. Payment and Account Data

What it is: Information required to create an account and process payments.

Example data: - Email address (if required for account creation) - Payment method (credit card, PayPal, cryptocurrency) - Account creation date - Subscription status

Why it matters: Even a true "no-logs" VPN has to store some data to maintain accounts. The key question is: can this account data be linked to browsing activity? If the provider doesn't log connections, there is no way to link account data to specific browsing sessions.

No-logs policy should clarify: "We store account data necessary for service operation, but this data is not linked to browsing activity."

How to Evaluate a No-Logs Policy

Red Flags (Skip These Providers)

❌ Vague language "We respect your privacy." "We don't log sensitive data." What does "sensitive" mean? If it is not specific, assume they log everything.

❌ No privacy policy link If a VPN doesn't publish a clear, public privacy policy, assume the worst.

❌ Conflicting claims Marketing page says "no-logs." Privacy policy says "we may log connection metadata for troubleshooting." They are logging.

❌ Jurisdiction in surveillance-heavy countries If the VPN is based in a country with mandatory data retention laws, their "no-logs" claim may be legally unenforceable.

❌ Free VPNs If you are not paying, how does the service make money? Often by selling data or injecting ads.

Learn more: Free vs paid VPNs: privacy, security, and the hidden tradeoffs

❌ No third-party audits Anyone can claim no-logs. Without an independent audit, there is no verification.

Green Flags (Look for These)

✅ Specific, technical language "We do not log DNS queries, browsing history, connection timestamps, session duration, originating IP addresses, or destination IPs."

✅ Independently audited Look for public audit reports from reputable firms. The audit should verify logging practices, not just infrastructure security.

✅ Open-source code (if applicable) Open-source apps and server software can be reviewed by the community, making it harder to hide logging mechanisms.

✅ Transparent about what is collected Good providers clearly explain what data they do collect (e.g., account emails, payment info) and why.

✅ Favorable jurisdiction VPNs based in privacy-friendly countries are less likely to face legal demands for data.

✅ Warrant canary or transparency reports Some providers publish transparency reports showing how many legal requests they receive and how they respond. A "warrant canary" is a regularly updated statement that they haven't received secret legal orders.

Jurisdiction: Why Location Matters

Where a VPN company is based affects what data can be legally demanded—and whether "no-logs" is even enforceable.

Five Eyes, Nine Eyes, Fourteen Eyes

These are intelligence-sharing alliances between countries. If a VPN is based in one of these countries, their government may be able to request data—or even compel secret logging.

• Five Eyes: USA, UK, Canada, Australia, New Zealand
• Nine Eyes: Five Eyes + Denmark, France, Netherlands, Norway
• Fourteen Eyes: Nine Eyes + Germany, Belgium, Italy, Spain, Sweden

Does this mean you should avoid VPNs in these countries? Not necessarily. If a VPN has a true no-logs policy (audited), there is no data to hand over—even if authorities request it. But jurisdiction is still a factor in assessing trust.

Privacy-Friendly Jurisdictions

Countries with strong privacy laws and no mandatory data retention:

• Switzerland – Strong data protection laws, not part of EU/Five Eyes
• Iceland – Strong privacy protections, freedom of information laws
• Panama – No mandatory data retention, outside major surveillance alliances
• British Virgin Islands – Outside EU/Five Eyes, no data retention laws
• Romania – EU member, but privacy-friendly with no mandatory VPN logging laws

Jurisdiction alone doesn't guarantee privacy. A VPN in a privacy-friendly country can still log data if they choose to. Always verify the policy and audits.

Learn more: How we handle legal requests: principles, process, and what we can share

Real-World No-Logs Tests: VPNs Under Legal Pressure

Several VPN providers have faced legal requests for user data. Here is what happened:

Case 1: ExpressVPN (Turkey, 2017)

Turkish authorities seized an ExpressVPN server to investigate a case. Because the provider used RAM-only servers with no logging, authorities found no user data. This validated their no-logs claim under real-world pressure.

Case 2: Private Internet Access (USA, 2016)

The FBI requested user logs in a criminal investigation. PIA provided evidence that they had no logs to hand over, and the case proceeded without VPN data. Their no-logs policy held up in court.

Case 3: VPN Provider X (Jurisdiction Withheld)

A VPN claiming "no-logs" was revealed to have handed over connection logs, including IP addresses and timestamps, to authorities. The provider later admitted they log metadata "for troubleshooting."

Legal pressure is the ultimate test of a no-logs policy. Look for providers with a track record of transparency when authorities come knocking.