7 things to look for in a VPN privacy policy
Don't ignore a VPN's privacy policy - just a quick glance can help you spot a scammer
You've found what looks like the best VPN for you. You're about to hand over your cash. 'Check this box to confirm you agree with the Privacy Policy', it asks. But do you click the link to read it, each and every time? We're guessing you don't - who does? That's not a surprise. Ploughing through thousands of words of technical and legal jargon is precisely no-one's idea of fun, especially when we just want to get on with installing the apps and trying them out.
But, you don't have to read and understand the entire policy to make it worth a look. Just spending 30 seconds scrolling down the page and browsing a few headings can tell you plenty about a service.
Okay, it helps if you do a little more reading, but there's still no need to have any legal or VPN expertise to figure out the basics. Just follow our simple rules and they'll help you pick out the superior VPNs from the outright scams.
1. Does the Privacy Policy exist?
The first requirement of any good VPN privacy policy is that it actually has to exist. Okay, yes, that sounds obvious. But the reality is that many small VPNs have privacy policy links which are either dead, or don't point to a page with any useful details.
As we write, for instance, Billion VPN's Privacy Policy link on the Google Play store points to the Billion VPN website.
Which sounds very reasonable, until you see there's no website there - the domain fails to resolve.
Sharp-eyed readers may also notice that in any case this domain would have resolved to a .xyz TLD (Top Level Domain). These domain names are extremely low cost so are popular with spammers. Although we don’t want to be accused of domain name snobbery, all the reputable VPN providers we cover in TechRadar reviews use a .com extension for their websites.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
If you’re still not sure about a provider’s website, don’t be afraid to do some detective work by putting the domain name into a ‘WhoIs’ website. For example entering ‘Billion VPN’s’ domain name reveals that the registration lapsed in August 2022. This can also give you more information about who’s running the VPN service.
Even if you see a VPN provider with a Privacy Policy link, don't assume that means the service is legit, all on its own: click it, see what comes up.
2. Is the Privacy Policy detailed?
Lengthy small print is often hard to read, so you might feel relieved to see a privacy policy with just a few generic sentences: 'we don't log your activities', 'we don't share your data' and so on.
But in reality, privacy policies aren't just about making airy promises. They're supposed to describe in detail how the service works. If you glance at the page and it only has a few sentences (Gulf Secure VPN has less than 100 words stuffed into a plaintext or .txt document).
If the privacy policy doesn’t even fill your device screen, then it almost certainly doesn't have enough detail to be useful. For instance, in the case of GulfVPN, they state:
“As security is important stuff on mobile systems, Android has a permissions system. It's up to users to be really careful with what permission he grant to an application. Permissions used by Gulf VPN”
Firstly, this is suggesting that you as the user are responsible for configuring permissions correctly in the VPN Android app. Still, this isn’t very reassuring as the developers are the ones making the app in the first place. More details about what information the app needs and transmits it’s always best, particularly given that Android apps can lie about what data they’re using.
Read a few paragraphs to find out more. A poor privacy policy is only there to try and reassure potential users, so it'll focus entirely on what the service doesn't do (we don't log this, we don't record that...). What you're looking for is an honest policy which gives you details on everything it logs, as well as everything it doesn't.
Windscribe's privacy policy does a great job of squeezing a lot of information into a short document. It's only 600 words, but still finds room to tell you what it does on the website, what it records (and what doesn't) when you log in, when you're connected, and more.
For instance, Windscribe’s policy clearly states that they do record third party cookies (if you’ve allowed this) to compensate websites which have referred you there by affiliate links.
They also state that they record the total number of bytes you’ve transferred across their network, as well as a timestamp of your activity. Combined with browser fingerprinting, it would technically be possible for a determined attacker to use this information to identify you if they had access to Windscribe’s records but very unlikely. The point remains, you can now make an informed decision about how far you trust this provider.
3. Has the Privacy Policy been copied from another provider?
Small VPNs might understand that customers want to see a detailed privacy policy, but not have the technical expertise to create one. The worst providers solve this problem by copying and pasting another provider's policy, and replacing the original company name with their own.
To check for this, read down the policy and look for an appealing sentence which someone else might steal. If your policy begins with:
“We want you to understand what information (including Personal Data) we collect in connection with your use of our Services and/or access to our Site; for what purpose such information is collected; how we collect, use, and store such information; to whom it may be disclosed; and how you can exercise your rights and access your information, verify its accuracy, correct and/or have it erased. Equally, we want you to know what information we do not collect under any circumstances.”
Copy and paste that sentence into Google, though, and you'll find that line is taken from the opening paragraph of ExpressVPN's privacy policy. You’ll see also that it has been copied almost word for word into the privacy policy of ‘MeliVPN’.
If a provider can't be bothered to create its own privacy policy, and is dishonest enough to steal one from someone else, and pretend it's their own, then we'd say that's not someone who deserves your cash. Move on, there are plenty of more reputable providers around.
If you want to search in this way, make sure to include the sentence in question in quote marks i.e. “”. This will force Google (or any other major search engine) to look for that exact phrase. Make sure to keep an eye out also for dubious VPN providers who tweak the wording slightly in order to avoid being flagged by search engines. Don’t be afraid to open multiple privacy policies in different tabs in your web browser, so you can view and compare together.
4. Is the Privacy Policy well organized?
A VPN Privacy Policy often covers a lot of ground: what's happening on the website, cookie details, how the VPN handles logins and sessions, as well as talking about data handling laws in different jurisdictions. Let's be realistic, it's never going to be an easy read.
A good provider can make your life easier, though, by organizing the document to make it simpler to follow.
The ExpressVPN privacy policy is more than 3,000 words long, for instance, but a table of contents helps you find the details you need. Sections have titles which tell you exactly what they're about ('Storing of Information Related to Email, Live Chat, and Feedback Forms'), and many of these sections are very short ('Email, Live Chat and Feedback Forms' is only 130 words.)
A good privacy policy will also have specific sections addressing:
These are all very basic points. If your VPN Provider hasn’t addressed them in their privacy policy and becomes evasive when you ask, your data could be at risk.
5. Is the Privacy Policy clear and precise?
When you look at a VPN Privacy Policy, keep in mind what it's supposed to be. This isn't an optional 'nice to have' feature, where you'll be happy if the provider gets the office junior to throw something together in an afternoon. It's a legal document which tells you exactly what personal data the company collects, and how that's going to be processed.
There are lots of legal complexities around that - how requirements change between countries, for instance - but you don't need to understand all (or any) of those issues. Just scanning a paragraph or two can give you valuable information.
We regularly see privacy policies list items the provider logs, for instance, without making it clear whether that applies to website visitors, app users, or both. It's sometimes possible to guess, but that shouldn't be necessary: a privacy policy is supposed to answer questions, not raise them.
Another common problem is privacy policies which look like they've been written in one language, then passed through Google Translate, about five times, before they made it to you. If the policy is so poorly written that you're unsure what it means, then that's just not good enough.
What you're hoping to see is something much more like ProtonVPN's privacy policy . The document has short sections covering specific areas (Account Creation, Payment, Website, Apps), with brief details on what data is collected, why, and what might happen to it later.
For example, ProtonVPN spells out specifically in its privacy policy that it does not log user’s traffic or content, nor does it throttle any particular type of traffic like streaming video. They provide a helpful link to their “no log policy”, which explains that they can offer this level of privacy because:
Whether or not this makes you feel reassured, the point remains that this VPN provider has gone to some lengths to explain clearly exactly how their service works and how it protects your data. You should expect the same from any other provider you use.
6. Is the Privacy Policy honest and complete?
A VPN provider can say anything they like in their small print. That's why it's best to choose providers who've verified their credentials with independent audits (ExpressVPN, NordVPN, TunnelBear, and Surfshark have all put themselves through major security and no-logging checks.) But even if you've only got a privacy policy to look at, you might still be able to spot VPNs who aren't telling you the full story.
Suppose a VPN has a free plan with a 10GB a month limit. You look in the policy and it tells you there's absolutely no logging of how, when or how often you use the service. Sounds great, yes? Well, maybe not.
If a provider has a limited bandwidth account, then it must log the amount of data you use. It also has to create one or more device IDs, so that it can recognize you when you connect, and add that session's data to your specific account. The VPN must be carrying out this minimal logging, at least, so if it's claiming to log nothing at all, then that's a problem.
Admittedly it might be difficult to link this data to your specific identity but if a determined adversary had access to both your ISP and VPN’s records, they could compare how much data was transferred and at what times using this information to find you. If the VPN provider has no such information to offer, then it would be much harder to trace you.
Missing the odd detail here or there doesn't necessarily mean a provider is trying to fool you, of course. They might be trying to keep the document simple. Perhaps they're just useless at writing privacy policies (many are.) But whatever the explanation, this isn't ideal.
Windscribe has a great example of a privacy policy which explains its free plan in detail. The policy explains what it logs (a running bandwidth total), what it doesn't (any of your internet history) and how even its minimal data collection is reset when the month is up. They also point out that since so many users share IP addresses and they don’t log who does what, they could not provide any meaningful information about who’s using their service, even if they wanted to cooperate with authorities.
Forget the 'free' VPN apps with the fake 'ZERO LOGS!!' banners, that's the kind of honest and clear privacy policy detail we like to see.
7. Where’s the warrant?
No matter how detailed, well laid out and honest a privacy policy is, if any of your provider’s servers come under the jurisdiction of countries like the USA they can be served a secret court order.
This essentially amounts to a subpoena requiring your VPN service to break its own privacy policy and begin recording all your activity, which is then handed over to the government. Worse still, they’re forbidden from telling you (or anyone else) that your data’s now at risk.
Your first defense against this should be to check your provider’s privacy policy carefully to make sure they’re not based in a jurisdiction which does this. For instance, as you just learned, ProtonVPN is based in Switzerland, where the law requires people to be notified about the data request.
Failing, this you can also check the Privacy Policy to see if your VPN Provider has a warrant canary.
This is simply a statement published on a regular basis e.g. through a monthly video address where a VPN provider affirms they have not been subjected to any kind of subpoena or secret court order requiring them to hand over user data.
Despite being based in Panama, NordVPN introduced their own warrant canary in 2017. Surfshark also updates theirs each month.
If your VPN provider offers this service and fails to make a statement on a certain week or month, you’ll know your data is at risk so you can close your account. Check your provider’s privacy policy for details on this and most importantly where you should go to check the warrant canary is still ‘singing’. Make sure also to check how often the VPN service updates their warrant canary, so you know that every notification is in date.
Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.