The phrase “no logs” appears on nearly every VPN provider’s homepage. It is one of the first claims highlighted in marketing material and one of the most frequently misunderstood. What it actually means, and whether a given provider can demonstrate it credibly, requires more than reading a marketing headline. This article explains what VPN logging is, what different types of no-logs claims mean in practice, and how to assess the claim before subscribing.
For users who care about genuine privacy rather than a basic IP mask, this distinction matters. A VPN that retains detailed records is fundamentally different from one that does not, even if both encrypt your connection.
What Kind of Data Can a VPN Log?
Different providers log different data, and the definition of no logs varies considerably between them. A no-logs VPN policy should mean the provider retains no records that could identify what you did online or when you were connected. In practice, some providers still retain connection timestamps or aggregate bandwidth data under a no-logs label.
Types of data a VPN might store:
- Connection timestamps: when you connected and disconnected from the service
- IP address records: your real IP at the time of connection
- Bandwidth usage: how much data you transferred per session
- DNS queries: which domains you looked up during a session
- Activity logs: which websites you visited or what files you transferred
The most invasive logs are activity logs and originating IP address records. These can be used to identify a specific user and their activity on a specific date. Timestamp-only logs are less informative but can still support correlation with other data sources.
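To make the correlation point concrete, the following added example (not part of the original article) intersects constructed timestamp-only session records with the times of a few events seen elsewhere, and reports how many accounts remain consistent with all of them. The account names, times and function names are assumptions made up for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: what a "timestamp-only" log retains per session.
# No IP, DNS or activity data, only account id plus connect/disconnect time.
SESSIONS = [
    ("acct-01", "2024-03-01T09:00", "2024-03-01T11:30"),
    ("acct-01", "2024-03-02T21:00", "2024-03-02T22:00"),
    ("acct-01", "2024-03-04T07:00", "2024-03-04T07:30"),
    ("acct-02", "2024-03-01T10:00", "2024-03-01T10:45"),
    ("acct-02", "2024-03-02T21:30", "2024-03-02T23:00"),
    ("acct-02", "2024-03-04T12:00", "2024-03-04T13:00"),
    ("acct-03", "2024-03-01T08:00", "2024-03-01T12:00"),
    ("acct-03", "2024-03-02T09:00", "2024-03-02T10:00"),
    ("acct-04", "2024-03-01T10:10", "2024-03-01T10:20"),
    ("acct-05", "2024-03-01T14:00", "2024-03-01T15:00"),
]

# Constructed sample: times at which another data source (for example a
# website's own access log) recorded traffic from the shared VPN exit.
EVENTS = ["2024-03-01T10:15", "2024-03-02T21:40", "2024-03-04T07:05"]


def candidates(event, sessions, skew=timedelta(minutes=1)):
    """Accounts with a retained session window covering the event time."""
    t = datetime.fromisoformat(event)
    return {
        acct
        for acct, start, end in sessions
        if datetime.fromisoformat(start) - skew <= t
        <= datetime.fromisoformat(end) + skew
    }


def anonymity_sets(events, sessions):
    """Intersect candidates across events; return (set sizes, final set)."""
    remaining = {acct for acct, _, _ in sessions}
    sizes = []
    for event in events:
        remaining &= candidates(event, sessions)
        sizes.append(len(remaining))
    return sizes, remaining


if __name__ == "__main__":
    sizes, final = anonymity_sets(EVENTS, SESSIONS)
    print("accounts still matching after each event:", sizes)
    print("final candidate set:", sorted(final))
    # With nothing retained, there is no record to match against.
    print("strict no-logs:", anonymity_sets(EVENTS, []))
```

Three events are enough to narrow five accounts to one here, even though no IP address or activity data was stored; with no session records retained, the same procedure has nothing to match.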
What Does a Strict No-Logs Policy Actually Mean?
A strict no-logs policy means the provider retains none of the above. No timestamps, no IP records, no DNS queries, no activity data. When a legal request arrives asking for information about a specific user, there is nothing stored to hand over. The data does not exist.
Some providers have had this verified through real-world events rather than marketing claims. ExpressVPN servers were seized by Turkish authorities in 2017 as part of a criminal investigation. No user data was recovered because none had been stored. NordVPN experienced a server breach in 2018. Again, no user data was exposed for the same reason. These events are as close to real-world confirmation as the industry can provide.
How Are No-Logs Claims Verified?
Independent security audits are the standard method. These involve cybersecurity firms reviewing server infrastructure, configuration files, and logging systems to confirm that data is not being retained. The audit results are published and can be reviewed by potential subscribers.
Providers with published independent audits include:
- ExpressVPN, audited by Cure53
- NordVPN, audited by PricewaterhouseCoopers
- Mullvad, audited by Cure53
- ProtonVPN, audited by SEC Consult
An audit confirms that at the time of the review, the provider was operating as claimed. It does not guarantee future behaviour. Providers that undergo repeated audits over time provide stronger ongoing evidence than those with a single historical audit.
Does the Location of the VPN Provider Matter?
Yes, and significantly. A VPN provider based in a country with mandatory data retention laws is legally required to store certain user data regardless of what its privacy policy says. EU member states, the UK, and Australia all have data retention frameworks that can compel providers to collect and hand over user data.
Providers based in privacy-friendly jurisdictions include:
- Mullvad, based in Sweden but operating outside EU data retention obligations
- ProtonVPN, based in Switzerland, which has strong domestic privacy law and falls outside EU data retention directives
- ExpressVPN, registered in the British Virgin Islands
- NordVPN, registered in Panama
Jurisdiction alone does not guarantee privacy, but it removes one category of legal risk that applies directly to providers operating under surveillance-aligned frameworks.
What Should You Look for Before Subscribing?
An unaudited provider with no documented legal history offers considerably less reassurance than one with multiple independent audits and a verifiable track record. When assessing a no-logs claim, the useful questions are:
- Has the provider been independently audited, and by whom?
- Is the audit report publicly available and recent?
- Where is the provider legally registered?
- Has the provider faced any real-world legal requests, and what was the outcome?
Marketing language alone is not evidence. For users who need genuine privacy protection rather than a cosmetic privacy label, these questions provide a much clearer picture of what the subscription actually delivers.