A no-logs policy is one of the most important features to evaluate when choosing a VPN provider. In essence, it means the VPN company does not record, store, or monitor your online activity while you are connected to their service. However, the term has been widely misused in marketing, and not all no-logs claims are equal. Understanding what types of data can be logged and how to verify a provider's claims is critical for making a truly privacy-focused choice.
What Data Can VPNs Log?
VPN providers can potentially collect several types of data. Connection logs include timestamps of when you connect and disconnect, the duration of your session, and the amount of data transferred. Usage logs (also called activity logs) are far more invasive and include the websites you visit, files you download, and services you use. Some providers also record your originating IP address, the VPN server IP you were assigned, and your DNS queries. A genuine no-logs provider should not retain any of these data points beyond what is needed for the active session.
What "No-Logs" Really Means
The term "no-logs" should ideally mean zero persistent records of your activity or connection metadata. However, some providers claiming no-logs policies still collect anonymized connection data or aggregate bandwidth statistics. The most privacy-respecting providers explicitly state they do not log originating IP addresses, browsing activity, DNS queries, or any data that could link a specific user to a specific online action. Read the privacy policy carefully and look for clear, unambiguous language rather than vague assurances.
How to Verify Privacy Claims
Independent Audits and Their Importance
Independent security audits are the most reliable way to verify a provider's no-logs claims. Reputable VPN companies hire firms like PricewaterhouseCoopers, Deloitte, Cure53, or KPMG to examine their server infrastructure, code, and data handling practices. These audits confirm whether the provider's systems are technically capable of logging and whether any data is actually retained. Providers like Mullvad, ProtonVPN, NordVPN, and ExpressVPN have published audit results that confirm their no-logs commitments.
Jurisdiction and Legal Considerations
Jurisdiction plays a significant role in how trustworthy a no-logs policy is. VPN providers based in countries within the Five Eyes, Nine Eyes, or Fourteen Eyes intelligence-sharing alliances may be compelled by law to collect and share user data. Providers based in privacy-friendly jurisdictions such as Panama, the British Virgin Islands, Switzerland, or Sweden operate under legal frameworks that do not mandate data retention for VPN services. However, jurisdiction alone does not guarantee privacy; it should be considered alongside audit results and technical architecture.
Real-world incidents provide the strongest evidence of a VPN's privacy commitment. Cases where law enforcement has requested user data from VPN providers and the provider was unable to hand over anything meaningful (because they genuinely had nothing logged) are the gold standard of trust. When a provider's no-logs claim has been tested in court or by government seizure of servers and no usable data was found, that is a powerful testament to their privacy practices.