Every VPN on the market says roughly the same thing. Military-grade encryption. Total privacy. Your data, protected. The language is confident, the promises are broad, and none of it tells you very much — because a company saying it protects your privacy is not the same as a company that actually does.
The frustrating part is that most people have no obvious way to check. You turn the VPN on, a green light appears, and you take it on faith that something meaningful is happening behind the scenes. For a lot of VPN providers, that faith is well-placed. For others, it isn’t — and nothing about the marketing copy will tell you which is which.
There are, however, a few concrete things you can look at. Not promises, not feature lists — actual evidence. Here’s what to check.
The First Question: What Does This Company Actually Record?
When you use a VPN, your traffic passes through the provider’s servers. That means the provider, in principle, could record what you’re doing — which sites you visit, when, for how long, from which device. Whether they actually do this is the single most important question to answer before choosing a provider.
This is what a no-logs policy addresses. A no-logs VPN is one that doesn’t store records of your browsing activity or connection data. No timestamps, no IP addresses, no session logs. If a government agency or legal authority came asking, there would be nothing to hand over — not because the company refused, but because the data simply doesn’t exist.
The problem is that “no-logs” has become a marketing term as much as a technical one. Providers use it loosely. Some claim no-logs while still recording connection metadata — things like when you connected, for how long, and from which city. That’s not nothing. Metadata like this can establish patterns of behaviour, and in some legal contexts it’s been enough to identify individuals even without the content of their browsing. So when you read a privacy policy, look for specifics: what exactly is not being stored, not just the headline claim.
A policy that says “we do not log your browsing activity, connection timestamps, IP addresses, or session duration” is meaningfully different from one that says “we are committed to your privacy.” The first is checkable. The second is just a sentence.
The Second Question: What Happened When Someone Asked for User Data?
A no-logs policy tells you what a company intends to do. A transparency report tells you what actually happened when that policy was tested.
Many VPN providers publish a VPN transparency report — a public record of legal requests they’ve received from governments, law enforcement agencies, or courts, and how they responded to each one. Think of it as the paper trail that shows whether the policy held up under real pressure.
What you want to see in a transparency report: the number of requests received, broken down by type (court orders, subpoenas, government demands), and the outcome of each — data provided, request rejected, or no data available to provide. That last category is the one that matters most. Say a provider received ten legal requests and handed over nothing in all ten cases because no logs existed — that’s meaningful evidence of a genuine no-logs operation, not just a policy claim.
What should make you cautious: a provider with no transparency report at all, or one that publishes a report so vague it contains no useful information. “We received some requests and handled them in accordance with our policy” is not a transparency report. It’s a press release.
Some providers publish these reports quarterly. Others annually. The frequency matters less than the existence and the detail. A provider that has been publishing specific, itemised records for several years has a track record. One that started publishing last month has a statement of intent.
The Third Question: Has Anyone Checked Their Work?
If you’ve found a provider with a specific no-logs policy and a detailed transparency report with a multi-year history, you’re already making a more informed decision than most people do. But there’s one more layer worth considering.
Both of the above — logging policies and transparency reports — are produced by the companies themselves. Which raises an obvious question: you’re still largely taking their word for it. The next layer of verification is whether an independent third party has come in and checked whether the claimed practices match the actual infrastructure.
This is what a security audit is: an outside firm — typically a specialist cybersecurity company — is given access to the provider’s systems and asked to verify specific claims. Do the servers actually store the data the provider says they don’t? Are there any logs being kept that contradict the policy? The audit firm produces a report, and the provider publishes it.
Audits aren’t perfect. They’re a snapshot in time, not a continuous guarantee. A provider could pass an audit in one year and change their practices the next. But a provider that has never commissioned an audit, or refuses to publish the results of one, is harder to evaluate than one with a documented independent review on record.
When you’re comparing providers, look for audit reports from recognisable specialist firms — Cure53 and Leviathan Security have both audited VPN providers — and check whether the audit covered privacy practices specifically, not just general security.
What You’re Actually Looking For
The goal isn’t to find a VPN with the most impressive marketing. It’s to find one that has given you something concrete to evaluate — a privacy policy with specific commitments rather than general reassurances, a transparency report with real numbers rather than vague statements, and ideally a published audit from an outside firm.
X-VPN, for example, has published a record of data requests and responses going back to 2017. That’s not a guarantee of anything, but it’s a verifiable history rather than a promise — and verifiable histories are what you’re looking for.
Most people skip all of this and just pick whichever VPN comes up first in a search or looks the most polished. That’s understandable. But the whole point of a VPN is that you’re trusting it with your traffic — which makes choosing one based on evidence a reasonable minimum standard.
