Topic Terms

What is a VPN No-Log Policy?

A VPN no-log policy is a commitment by a VPN provider not to collect, store, or share records of users' online activity, connection timestamps, IP addresses, or browsing data.

A no-log policy (also called a zero-log policy) is a promise from a VPN provider that it does not retain records about what you do while connected to its service. It's the single most important privacy claim a VPN can make — and also one of the hardest to verify.

If a VPN provider logs your activity and receives a government subpoena or data request, it can be compelled to hand over that data. A provider that genuinely stores nothing has nothing to share.

What a True No-Log Policy Covers

A comprehensive no-log policy means the provider stores none of the following:

  • Your original IP address
  • The VPN server IP you connected to
  • Connection timestamps (when you connected)
  • Browsing history or DNS queries
  • Bandwidth usage per session
  • Traffic content

What Providers May Still Log

Even "no-log" providers often retain minimal operational data:

  • Total aggregate bandwidth (to manage infrastructure)
  • Whether an account is currently active (to enforce device limits)
  • Email addresses and payment info (for account management)

These are generally acceptable. The key question is whether data could be used to identify your activity and trace it back to you.

Verified vs. Claimed No-Log Policies

Any VPN can claim a no-log policy in its marketing. What separates trustworthy providers is independent verification:

  • Third-party audits — Firms like Cure53, PwC, and KPMG audit VPN providers' infrastructure and code to verify logging claims. NordVPN, ExpressVPN, Surfshark, and ProtonVPN have all undergone independent audits.
  • Real-world test — Some providers have had servers seized by authorities, and when investigation confirmed no usable data existed, it validated the no-log claim. Mullvad and NordVPN have both passed this test.
  • RAM-only servers — Providers that run servers entirely on RAM (no persistent disk storage) make it physically unable to retain logs across reboots.

No-Log Policy and Jurisdiction

A no-log policy is most meaningful when paired with favorable jurisdiction. A provider based in a country outside the Five Eyes or 14 Eyes alliances faces fewer legal pressures to collect and hand over user data. ProtonVPN is based in Switzerland; Mullvad in Sweden (technically inside 14 Eyes, but with strong privacy laws).

The Bottom Line

Always look for a VPN whose no-log policy has been audited by a credible third party — or whose logs have been tested in a real-world legal challenge. A policy written on a web page is a starting point; independent verification is what counts.

Related Terms