VPN Logs Explained: What 'No-Logs' Really Means (2026)
Almost every VPN claims to be 'no-logs.' But the term is widely misused — some providers log connection times, bandwidth, and aggregated data while still calling themselves no-logs. Understanding what VPNs actually log — and which have proven their claims — is the most important privacy decision you'll make when choosing a VPN.
Types of VPN logs
True no-logs means: no connection logs, no usage logs, no IP logs. Payment and account data is acceptable (needed for billing) but ideally minimized — Mullvad accepts cash and cryptocurrency.
- Connection logs (most sensitive): Timestamps, IP addresses at connection/disconnection, VPN IP assigned. These can link your identity (IP) to your session time — allowing correlation with other logs.
- Usage/traffic logs (most sensitive): Which websites you visited, what data was transmitted. Any VPN that logs traffic can see everything you do. This makes them effectively no different from your ISP.
- Bandwidth logs: How much data you transferred per session. Usually used for quota enforcement. Less identifying but still shows usage patterns.
- Error/crash logs: Diagnostic data that may contain partial IP or session information. Often retained for 30-90 days.
- Account/payment logs: Email address, payment method, subscription dates. Not traffic-related but ties the account to a real identity.
How to verify no-logs claims
- Independent audit: A reputable firm reviews the VPN's servers and code to verify no logs are kept. NordVPN (KPMG), ExpressVPN (Cure53), Mullvad (Cure53), ProtonVPN (SEC Consult), Surfshark (Cure53).
- Open-source code: If the client and server code is public, anyone can verify no logging code exists. ProtonVPN and Mullvad are fully open-source.
- RAM-only servers: If servers never write to disk, there are no persistent logs. ExpressVPN TrustedServer, NordVPN, Mullvad, Surfshark, PIA all use RAM-only infrastructure.
- Legal cases: Has the provider been unable to hand over data? NordVPN (2018): servers seized in Romania, police found no logs. IPVanish (2016): provided FBI with data despite no-logs claim — a cautionary example.
- Warrant canary: A statement that no law enforcement requests have been received. If removed, the canary is dead — implying a request was received.
VPNs with proven no-logs policies
- Mullvad: Cash-friendly, no email at signup, RAM-only servers, annual Cure53 audit, no connection logs
- ProtonVPN: Swiss jurisdiction, open-source, court-verified (Swiss court ordered data, ProtonVPN couldn't provide browsing history — only the VPN account's IP)
- NordVPN: KPMG-audited, RAM-only servers, servers seized 2018 with no logs found
- ExpressVPN: Cure53 audited, TrustedServer (RAM-only), Turkish authorities seized server in 2017 and found no logs
- IVPN: Strongly privacy-focused. Minimal account data (no email required with cash payment). Regular audits.
Red flags in privacy policies
- 'We may keep aggregate statistics': Aggregates can still reveal individual patterns if cross-referenced
- 'Logs are deleted after [period]': They exist during that period — that's still logging
- Vague language like 'we don't log your activities': Activities is undefined — connection metadata may still be logged
- US-based, no audit, no history: Highest risk combination
- IPVanish example: Claimed no logs, provided FBI with a user's IP connection log in 2016. No audits at the time. Now owned by Ziff Davis (US). Proceed with caution.
Frequently asked questions
Can a VPN see what I'm doing even with a no-logs policy?
Yes — technically, your VPN traffic passes through their servers. They could inspect it if they chose to. A no-logs policy means they claim not to store it. Audits verify this at a point in time. For maximum privacy, choose open-source VPNs like ProtonVPN or Mullvad where you can verify the code.
Does no-logs mean a VPN can't be subpoenaed?
A VPN can be subpoenaed, but if they truly don't log data, they have nothing to provide. This has been proven in multiple cases: NordVPN in Romania (2018) and ExpressVPN in Turkey (2017) both had servers seized by authorities and produced no useful data. PureVPN and IPVanish failed this test by actually having logs.
Should I trust a VPN's privacy policy?
As a starting point, not as definitive proof. Privacy policies can say anything — what matters is verification: independent audits, open-source code, and track record. A VPN with three audits and RAM-only servers is more trustworthy than one with an elaborate privacy policy and no verification.