Which VPN Providers Really Take Privacy Seriously?

Home > Technology > VPN Providers >

Choosing the right VPN can be a tricky endeavor. There are hundreds of VPN services out there promising to improve users' privacy, but some are more private than others. To help you pick the best one for your needs, we asked dozens of VPNs to detail their logging practices, how they handle torrent users, and what else they do to keep you as anonymous as possible.

private lockThe VPN industry is booming and prospective users have hundreds of options to pick from. All claim to be the best, but some are more privacy-conscious than others.

The VPN review business is flourishing as well. Just do a random search for “best VPN service” or “VPN review” and you’ll see dozens of sites filled with recommendations and preferred picks. Some VPN companies even own review sites.

At TF we don’t want to make any recommendations. When it comes to privacy and anonymity, an outsider can’t offer any guarantees. Vulnerabilities and limitations (e.g. Tunnelvision) are always lurking around the corner and even with the most secure VPN, you still have to trust the VPN company with your data.

Instead, we aim to provide an unranked overview of VPN providers, asking them questions we believe are important. Many of these questions relate to privacy and security, and the various companies answer them here in their own words.

We hope that this helps users to make an informed choice. However, we stress that users themselves should always ensure that their VPN setup is secure, working correctly, and not leaking. We also advise people to properly research the company behind the VPN service. This article is not a recommendation of any kind.

This year’s questions and answers are listed below. We have included all VPN providers we contacted that don’t keep extensive logs or block lawful torrent traffic on all of their servers. The order of the providers is arbitrary and doesn’t carry any value.

Note: The responses below were received in 2023. Some companies failed to respond and are therefore excluded. A 2025 update is in the planning.

1. Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long?

2. What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate?

3. What tools are used to monitor and mitigate abuse of your service, including limits on concurrent connections if these are enforced?

4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

6. What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?

7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? Do you provide port forwarding services? Are any ports blocked?

8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

10. Do you provide tools such as “kill switches” if a connection drops and DNS/IPv6 leak protection? Do you support Dual Stack IPv4/IPv6 functionality?

11. Are any of your VPN servers hosted by third parties? If so, what measures do you take to prevent those partners from snooping on any inbound and/or outbound traffic? Do you use your own DNS servers?

12. In which countries are your servers physically located? Do you offer virtual locations?

Important note: Services that offer dedicated or fixed IP-addresses are often able to link an IP-address to a user account, irrespective of the answer to question 1.

Tip: Here’s a list of all VPN providers covered here, with direct links to the answers. Some links in this article are affiliate links. This won’t cost you a penny more but it helps us to keep the lights on. Please note that unlawful activity is strictly forbidden on these services. That includes copyright infringement.

All VPNs

NordVPN (review)
TorGuard
Private Internet Access
ExpressVPN
ProtonVPN
IVPN
Windscribe
Oeck
Speedify
CyberGhost
AirVPN
Trust.Zone
Mullvad
Perfect Privacy
Hide.me
AzireVPN
FastestVPN
Guardian
OVPN
Ivacy

NordVPN

NordVPN logo1. We do not keep connection logs nor timestamps that could allow us to match customers with their online activity.

2. Parent company is Nordvpn S.A., operating under the jurisdiction of Panama.

3. We use an automated tool that limits the maximum number of concurrent connections to six per customer and a system that automatically suspends the account if a specific connection pattern is recognized, e.g. hundreds of connections to different servers in a very short period of time. This is being done in order to mitigate web scraping. Apart from that, we do not use any other tools.

4. NordVPN uses third-party data processors for emailing services and to collect basic website and app analytics. We use Iterable and Sendgrid for correspondence, Zendesk to provide customer support, Google Analytics to monitor website and app data, as well as Crashlytics, Firebase Analytics and Appsflyer to monitor application data. All third-party services we use are bound by a contract with us to never use the information of our users for their own purposes and not to disclose the information to any third parties unrelated to the service.

5. NordVPN is a transmission service provider, operating in Panama. DMCA takedown notices are not applicable to us.

6. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our no-log policy means that we do not store any information about our users’ online activity – only their email address and basic payment info. So far, we haven’t had any such cases.

NordVPN notes on its website that it “will only comply with requests from foreign governments and law enforcement agencies if these requests are delivered according to laws and regulations.” It adds that it will “never log [user] activity unless ordered by a court in an appropriate, legal way.”

NordVPN tells us that the standard no-logging policy remains in place. It will challenge any logging requests until all options are exhausted and will use all means to keep customers informed. At the same time, the company wants to dissociate itself from bad actors in the VPN industry while sending a clear message to terrorists and criminals that it will not work as a safe haven for crime.

7. We do not restrict any BitTorrent or other file-sharing applications on most of our servers. We have optimized a number of our servers specifically for bandwidth-hungry activities. At the moment, we do not offer port forwarding and block outgoing SMTP 25 and NetBIOS ports.

8. Our customers are able to pay via all major credit cards, regionally localized payment solutions and cryptocurrencies. Our payment processing partners collect basic billing information for payment processing and refund purposes, but that data cannot be connected to an internet activity of a particular customer. Bitcoin is the most anonymous option, as it does not link the payment details to the user identity or other personal information.

9. All our protocols are secure, however, the most advanced encryption is used by NordLynx. NordLynx is based on the WireGuard® protocol and uses ChaCha20 for encryption, Poly1305 for authentication and integrity, and Curve25519 for the Elliptic-curve Diffie–Hellman key agreement protocol.

10. We provide automatic kill switches and DNS leak protection. Dual-Stack IPv4/IPv6 functionality is not yet supported with our service; however, all NordVPN apps offer an integrated IPv6 Leak Protection.

11. Most of our servers are leased, but we are gradually increasing our collocated server network. That said, the security of our infrastructure is our top priority. Due to our special server configuration, no one is able to collect or retain any data, ensuring compliance with our no-logs policy. Our no-logs policy has been audited and verified by Deloitte — an industry-leading Big Four auditing firm. We do have our own DNS servers, and all DNS requests travel through a VPN tunnel. Our customers can also manually set up any DNS server they like.

12. We do not offer virtual locations, our servers are located in places we state they are. At the time of writing, we have over 5500 servers in 60 countries.

NordVPN details

TorGuard

TorGuard logo1. TorGuard has always adhered to a strict no-logs policy for all its users. Neither timestamps nor IP logs are maintained on any VPN or authentication server. The only data that TorGuard possesses is network statistical data. This information aids in assessing server load. Additionally, TorGuard records the billing or payment method details when a user acquires our services.

2. TorGuard is a part of VPNetworks LLC, which itself is a subsidiary of Data Protection Services. All our operations are executed within the regulatory framework of the United States. TorGuard’s originality and commitment to its core values are preserved as it continues to operate under its initial ownership – VPNetworks LLC and Data Protection Services. It’s noteworthy to mention that TorGuard has always been faithful to its origins, never having changed ownership, and continues to function under the governance and principles set by its founding companies.

3. We use a simplified edition of Nagios to oversee hardware utilization, uptime, and latency associated with our VPN/Proxy, devoid of any extra modules. TorGuard enforces a real-time limit of eight simultaneous connections for each user, and each session is instantly cleared as soon as the user disconnects. In instances where a user fails to disconnect or gets inadvertently disconnected, our system has the capability to automatically discard these obsolete sessions within a few minutes.

4. We host our own analytics using Matamo, an open-source platform, and have ensured it doesn’t retain referral IP addresses. We utilize anonymized data from Matamo analytics to enhance our understanding and optimize our website and service offerings. All customer support processes are managed in-house, without the use of third-party tools. As for email delivery, it is managed via Sendgrid.

5. In the event of receiving a legitimate DMCA removal notice, our legal team would be responsible for addressing it. However, owing to our stringent no-log policy and shared IP network, it’s impossible for us to relay any such requests to a specific user.

6. When we receive a court order, it’s immediately subjected to a review by our legal team to validate its jurisdictional legitimacy. In cases where the order is validated, our legal representation would be compelled to expound on the details of our shared IP network and our firm policy against storing any identifiable logs or timestamps. Considering the design of our network and the substantial volume of traffic it accommodates, any modifications to record user activity are unfeasible. This is a circumstance we’ve never had to confront in the course of our operations.

Our network at TorGuard is specifically engineered to operate with minimal server resources, rendering it inherently incapable of retaining user logs. The structure of our shared VPN servers and the high traffic volume that circulates through our network make it virtually impossible to maintain such logs.

7. All servers, with the exception of those located in the USA and on our residential and streaming IP network, permit torrent traffic. The exclusion of Bittorrent traffic on USA servers is a measure taken in response to a legal settlement in 2022. Furthermore, TorGuard provides port forwarding for all ports exceeding 2048. The only port we restrict outgoing is the SMTP port 25, as a measure to prevent misuse.

8. We employ Stripe to process credit or debit card transactions and have our own BTCPay system for handling Bitcoin and Litecoin transfers. TorGuard also accepts all types of cryptocurrency through NowPayments, and Paymentwall is used for Gift Card payments and local bank transfer options. To ensure the utmost protection of our users’ privacy, TorGuard has taken considerable steps, including extensive modifications to our billing system, to accommodate various payment providers.

9. For enhanced security, we suggest deploying OpenVPN with AES-256-GCM-SHA512, incorporating our stealth VPN protocol as an additional protective layer. This can be done through TorGuard’s desktop or mobile applications.

10. Indeed, our kill switch has a unique design that directs all traffic into a ‘black hole’ should the user experience connectivity loss or if the application crashes for any reason. We are currently developing a dual-stack for IPv4/IPv6, which will be launched once IPv6 adoption becomes more prevalent among users.

11. While we do host servers at third-party locations, we only choose these sites after a thorough review based on strict security criteria. We employ disk encryption and operate part of the network on virtual RAM disks. Regular audits are conducted on our servers and we ensure no keys are stored on the endpoints that could risk traffic compromise. Moreover, any remote access, like IPMI, is either disabled or stringently restricted and monitored. We offer secure public DNS, but we also furnish our internal DNS on every endpoint, which directly queries root VPN servers.

12. Currently, we maintain three virtual locations: Taiwan, Greece, and Russia. Although TorGuard generally prefers to avoid virtual locations, there are instances when we can’t find a bare-metal data center that satisfies our stringent security criteria. In such cases, we choose not to compromise on security.

TorGuard website


Private Internet Access

Private Internet Access1. We do not store any logs relating to traffic, session, DNS or metadata. There are no logs kept for any person or entity to match an IP address and a timestamp to a current or former user of our service. In summary, we do not log, period. Privacy is our policy.

2. Private Internet Access, Inc. is an Indiana corporation, under the parent company Kape Technologies PLC, a leading ‘privacy-first’ consumer software provider.

3. We have an active, proprietary system in place to help mitigate any abuse. However, we’re pleased to announce that earlier this year we rolled out unlimited simultaneous device connections for all our users, in order to help PIA to deliver even better value with one subscription and to allow customers to benefit from the privacy and security of a VPN across all their devices.

4. We use Google Apps Suite and Google Analytics on our website only with interest and demographics tracking disabled and anonymized IP addresses enabled. We use Zendesk for our support team.

5. Primarily, we stress that our service is not intended to be used for illegal activities and copyright infringements and we request our users to comply with this when accepting our Terms of Use. In this respect as in all others, we are committed to protecting the privacy of our customers while following the letter of the law.

6. PIA has a strict 100% no-usage-logs policy which has twice been proven in court. Last year, our No Logs policy also underwent an independent audit by Big Four firm, Deloitte, which found that PIA’s server configurations align with internal privacy policies and confirmed that our infrastructure is not designed to identify users or pinpoint their activities. As part of our commitment to transparency, we provide a semi-annual report containing details about any recent requests made to our legal department. As always, PIA has nothing to share in response to these inquiries as we keep no logs of our customers. Our company would fight a court order that requires us to do any sort of logging.

7. BitTorrent and file-sharing traffic are not discriminated against or throttled. We do not censor our traffic, period. PIA does offer port-forwarding, and information on how to enable port forwarding can be found here.

8. Our current payment providers/methods include Stripe, Paypal, Bitpay, Apple/iTunes, GooglePlay, Amazon and Paygarden. Payment details are only linked to accounts for billing purposes. IP assignments and other user activity on our VPN servers aren’t linkable to specific accounts or payment details because of our strict and demonstrated no-log policy.

9. At the moment, the most secure and practical VPN connection and encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256 over OpenVPN. More information for customers can be found on our support portal.

10. Our users gain access to a plethora of additional tools, including but not limited to a robust Kill Switch, IPv6 Leak Protection and DNS Leak Protection. PIA’s MACE feature is also included as standard and offers a DNS-based ad blocker that helps protect users from ads, trackers, and malware. PIA’s other security features include Identity Guard, allowing users to monitor whether their emails have been involved in data breaches, and an optional privacy-first antivirus product offering users additional security online.

11. Our bare metal servers are located in third-party data centers that are operated by trusted business partners with whom we have completed serious due diligence. If countries or data centers fail to meet our high privacy standards, we remove our VPN server presence. Often in these instances we would be able to offer virtual server locations instead, where the registered IP address matches the country you’ve chosen to connect to, while the server is physically located in another country, usually nearby. In addition, all of our servers are RAM-only, so any information that has passed through them is erased every time the server reboots.

12. PIA’s server network covers 84 countries and 140+ locations, including in all 50 US states. Our full list of server locations can be found here. We have been upgrading our servers to superior NextGen servers with 10Gbps network cards, which help provide reduced server downtime, better speeds and security for our users. All our servers themselves are physical. We do also offer virtual locations as explained above.

Private Internet Access details

ExpressVPN

expressvpn1. No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data content, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity.

KPMG also recently conducted an independent audit which confirmed that our VPN servers are in compliance with our privacy policy. This means that users can be confident that we will never know what they do online when connected to our service and that we do not have such sensitive information to share, even if compelled to.

2. Express Technologies Ltd is a British Virgin Islands (BVI) company. Being under BVI jurisdiction helps to protect user privacy, as the BVI has no data retention laws, is not party to any 14 Eyes intelligence sharing agreements, and has a dual criminality provision that safeguards against legal overreach. (As of September 2021, ExpressVPN is part of the Kape Technologies group).

3. We reserve the right to block specific abusive traffic to protect the server network and other ExpressVPN customers. With regards to limits on the number of devices simultaneously connected, no timestamps or IP addresses are ever logged; our systems are merely able to identify how many active sessions a given license has at a given moment in time and use that counter to decide whether a license is allowed to create one additional session. This counter is temporary and is not tracked over time.

4. We use Zendesk for support tickets and SnapEngage for live chat support; we have assessed the security profiles of both and consider them to be secure platforms. We use Google Analytics and cookies to collect marketing metrics for our website and several external tools for collecting crash reports (only if a user opts in to sharing these reports).

5. As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not have the ability to identify or report users.

6. Legally our company is bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. Regarding a demand that we log activity going forward: Were anyone ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold.

We never store any data that could match an individual to specific network activity or behavior. Thus, we may only inform law enforcement that we do not possess logs of connections or user behavior that could associate a specific end-user with an infringing IP address, timestamp, or destination. This was proven in a high-profile case in Turkey in which law enforcement seized a VPN server leased by ExpressVPN but could not find any server logs that would enable investigators to link activity to a user or even determine which users, or whether a specific user, were connected at a given time.

7. We do not believe in restricting or censoring any type of traffic on any of our VPN servers, including BitTorrent traffic. We do not support port forwarding.

8. ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, neither ExpressVPN nor any external party can link payment details entered on our website with a user’s VPN activities, including IP assignments.

9. By default, ExpressVPN automatically chooses the protocol best-suited to your network depending on a variety of factors. For example, our in-house modern protocol Lightway uses a 4096-bit CA with AES-256-GCM and ChaCha20/Poly1305 encryptions, D/TLS 1.2 on UDP or TLS 1.3 for TCP, and SHA256 signatures to authenticate traffic.

10. Yes, our Network Lock feature, which is turned on by default, prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your internet connection drops or in various additional scenarios. We do not currently support IPv6 routing through the VPN tunnel. ExpressVPN also protects users from data leaks in a number of ways.

11. Our VPN servers are hosted in trusted data centers with strong security practices, where the data center employees do not have server credentials. Leased vs co-located is not the salient factor in determining security.

The efforts we take to secure our VPN server infrastructure are extensive and include (among other things) our proprietary TrustedServer technology, unique keys per server, VPN servers that don’t store user data, and carefully engineered our apps and VPN servers to categorically eliminate sensitive information. We run our own logless DNS on every server, meaning no personally identifiable data is ever stored. We do not use third-party DNS. Most recently, we were the first VPN provider to pull our servers from India because of the recent directives requiring all VPN providers to store user information for at least five years.

To ensure that we are delivering the best protections to users, we also recently invited both KPMG and Cure53 to separately conduct independent audits on our systems and core server technologies.

12. ExpressVPN has servers in 94 countries, and also recently upgraded to 10Gbps servers for faster speeds and more reliable connections. For more than 95% of our servers, the physical server and the associated IP addresses are located in the same country. For countries where it is difficult to find servers that meet ExpressVPN’s rigorous standards, we use virtual locations. The specific countries are published on our website here.

ExpressVPN website

ProtonVPN

protonvpn1. Each time a user connects to the service, we only obtain a timestamp of the last successful login attempt. This gets overwritten each time a user successfully logs in. This does not contain any identifying information, such as IP addresses or locations. We retain this limited information to protect user accounts from password brute force attacks. However, we do not share any of this data with third parties.

2. Proton AG

3. Users are required to create an account in order to use our service. We keep accounting data to see how many sessions are being opened by a given user, in order to allow only the number of sessions corresponding to their subscribed plan.

4. We use Zendesk to collate and respond to support requests or bug reports.

5. Our Anti-Abuse and Legal team investigates the complaints we receive in that regard with all evidence available and make a decision on whether there is good cause to believe that the mentioned accounts are involved in such activities, in which case they are suspended. We always use Swiss law as our reference for such complaints.

6. This type of request has never been made for Proton VPN. That said, Proton VPN is based in Switzerland meaning it would be illegal for us to cooperate with any foreign law enforcement or court unless specifically requested to do so by the Swiss authorities. However, even in this scenario, the only information we would have access to would be the username, email address and billing information for existing users. This data is deleted when an account is deleted.

7. Some of our servers are optimized for P2P file sharing. This feature comes with fast download speeds and unlimited bandwidth.

8. We allow users to pay by credit card, debit card, PayPal, Bitcoin or cash. We rely on third parties to process credit card and PayPal transactions, and we do not save full credit card details.

9. We use only the highest strength encryption and would recommend others do the same. This means all network traffic is encrypted with AES-256, key exchange is done with 4096-bit RSA, and HMAC with SHA384 is used for message authentication. We use only VPN protocols that are known to be secure – IKEv2/IPSec, OpenVPN and WireGuard. Proton VPN does not have any servers that support PPTP and L2TP/IPSec, even though they are less costly to operate.

10. All of our clients support kill-switch functionality.

11. While we own our Secure Core entry servers, we do also utilize rented infrastructure. We only use physical servers that we can fully control as opposed to virtual servers meaning the hardware is dedicated solely to Proton VPN, giving us a higher degree of control and making it more secure. All rented Proton VPN servers are secured with block-level disk encryption. By implementing full-disk encryption on all our servers, we can protect our certificates and mitigate the risk of MITM attacks. And yes, all our servers implement DNS servers.

12. As part of Proton AG we share with Proton Mail the core infrastructure where our websites and databases are hosted. This infrastructure is hosted in Switzerland and owned by Proton AG. As part of the VPN infrastructure, we own the VPN Secure Core servers and rent dedicated physical VPN servers across the globe.

ProtonVPN website

AirVPN

AirVPN logo1. No, we do not keep or share with third parties ANY data that would allow us to match an IP address and a timestamp to a current or former user of our service

2. AirVPN in Italy. No parent company/companies.

3. No monitoring tools are used. In order to limit the amount of simultaneous connections from a single account, a counter is kept. Each new connection increases the counter and each new disconnection decreases the counter. If the counter exceeds the amount of concurrent connections allowed (purchased for an account) a new connection is refused. In this way no logging or inspection activity is necessary.

4. No, we do not use any external email providers, analytics, or support tools that hold information provided by users.

5. They are ignored if they pertain to P2P, they are processed, verified and handled accordingly (rejected or accepted) if they pertain to websites (or FTP services etc.) hosted behind our VPN servers.

6. a) We would co-operate to the best of our abilities, although we can’t give out information we don’t have. b) We are unable to comply due to technical problems and limitations. c) The scenario in ‘case b’ has never occurred. The scenario in ‘case a’ has occurred multiple times, but our infrastructure does not monitor, inspect or log customers’ traffic, so it is not possible to correlate customer information (if we had it) with customers’ traffic and vice-versa.

7. a) Yes, BitTorrent and other file-sharing traffic are allowed on all servers. AirVPN does not discriminate against any protocol or application and keeps its network as agnostic as possible. b) Yes, we provide remote inbound port forwarding service. c) Outbound port 25 is blocked.

8. We accept payments via PayPal, major credit cards, Apple Pay, Google Pay, giropay, iDEAL, eps and Bancontact. We also accept Bitcoin, Litecoin, Bitcoin Cash, Dash, Doge, and Monero. By accepting directly various cryptocurrencies without intermediaries we get rid of additional fees and above all privacy issues, including correlations between IP addresses and payments. By accepting Monero we also offer the option to our customers to pay via a cryptocurrency that protects transactions with a built-in layer of anonymity.

9. CHACHA20-POLY1305 and AES-256-GCM

10. We provide Network Lock in our free and open-source software. It can prevent traffic leaks (both IPv4 and IPv6 – DNS leaks included) even in case of application or system processes wrong binding, in case of UPnP caused leaks, wrong settings, WebRTC and other STUN related methods, and of course in case of unexpected VPN disconnection. b) Yes, we do provide DS IPv4/IPv6 access, including IPv6 over IPv4, pure IPv4 and pure IPv6 connections. In this way, even customers whose ISP does not support IPv6 can access IPv6 services via AirVPN.

11. We do not own our datacenters and we are not a transit provider, so we buy traffic from Tier 1, Tier 2 and only occasionally Tier 3 providers and we house servers in various datacenters. The main countermeasures are: exclusive access to IPMI etc. via our own external IP addresses or a specific VPN for the IPMI etc.; reboot inhibition; USB support eliminated from kernel; all data stored in RAM disk, and some other methods we prefer not to disclose. However, if server lines are wiretapped externally and transparently, and server tampering does not occur, there is no way inside the server to prevent, or be aware of, ongoing wiretapping. Wiretapping prevention must be achieved with other methods on the client-side (some of them are integrated into our software), for example, VPN over Tor, Tor over VPN etc.

12. NO, we do not offer virtual locations and/or VPS. We declare only real locations of real “bare metal” servers.

AirVPN website

Oeck

oeck1. No. We do not keep any connect / disconnect timestamps or similar information. We explain exactly what we don’t log and what we monitor in our Privacy Policy.

2. Oeck Limited. We are registered in Hong Kong as the data retention laws are still in favor of VPN companies and the location is still friendly towards VPN services. When and if we need to, we can quickly move Oeck to Singapore if anything in Hong Kong changes.

3. Though we allow account sharing for our customers, we do limit their total concurrent connections to six. This is monitored in real-time and there is no logging of this information whatsoever. We also do ask that our customers use a designated P2P region if they are going to be doing any torrenting or other P2P activity.

4. We use AWS for our outbound email – however, email is never used for correspondence. We have a support ticket system that our customers must use in order to communicate with us which is custom made and part of our website. Tickets are deleted 48 hours after resolution. We use Matomo for our analytics. We went down this path as Matomo is hosted by us and no other party has access to it.

5. If possible, we temporarily suspend usage of the port on the VPN node specified in the complaint. That’s all we can do, as there is no way for us to match anything to any customer. The suspension of the specified port on the specified server is lifted after 31 days.

6. This has never happened to us. However, in this event, we would only be able to provide a customer’s username, email address, and any possible billing information from our payment providers ( receipts of payment, etc ). Billing information will be impossible if the customer has chosen to pay by cash. If we were forced by authorities to log activity moving forward, we would simply turn off our servers in the affected jurisdiction. We own all of our own hardware ( even the routers in the datacenter ) and our exit-nodes run without any storage media. We will simply turn the switch off. We also make use of a warrant canary.

7. Yes. We allow our customers to torrent via our torrent region as it is optimized for that technology. Although we do not block torrenting in our other regions, we do suggest that users use the torrent region when torrenting. We provide a very advanced port-forwarding service to all of our customers. No ports are blocked.

8. We use Stripe, PayPal and Coinbase Commerce for online payments. We also accept cash in the mail. The only detail we have is if a customer has paid their account or not. As far as what the payment providers log – they log everything they possibly can. We encourage payments via cash if possible.

9. We offer OpenVPN with RSA-4096 and AES-256-GCM.

10. Our apps come with a kill-switch feature. For users who choose not to use our apps and use a third-party OpenVPN client instead, we have made available SOCKS5 proxies that work just like a kill-switch. These can only be accessed via our VPN. They can be used via a browser, app, or system-wide proxy.

11. No. All of our hardware is owned by us. Even the routers are owned by us. We do not log any VPN activity. Our VPN exit-nodes do not have hard drives or other storage capabilities, everything runs off RAM. Our upstream providers do not have access to our network as our stuff begins at our own routers. We only ever use our own DNS servers.

12. We have a real-time monitor of our servers. That is a list of our available VPN regions that users can connect to. The graph is displaying the information as a per-region display. This is because we node-balance our servers so users always have the best connection. Though we don’t offer virtual locations, we do offer residential IP proxies as part of our service. There are over 30 regions available and these are used for our smart routing feature.

Oeck website

Perfect Privacy

Perfect Privacy logo1. We do not store or log any data that would indicate the identity or the activities of a user.

2. The name of the company is CyberDock IT Solutions GmbH and the jurisdiction is Germany.

3. The number of connections/devices at the same time is not limited because we do not track it. In case of malicious activity towards specific targets, we block IP addresses or ranges, so they are not accessible from our VPN servers. Additionally, we have limits on new outgoing connections for protocols like SSH, IMAP, and SMTP to prevent automated spam and brute force attacks. We do not use any other tools.

4. Our websites use Google Analytics to improve the quality of the user experience and it’s GDPR compliant with anonymized IP addresses. You can prohibit tracking with just one click on a provided link in the privacy policy. If a customer has a problem with Google, he has the possibility to disable the tracking of all Google domains in TrackStop. I believe we are the only VPN provider that offers this possibility. All other solutions like email, support, and even our affiliate program is in-house software and under our control.

5. Because we do not host any data, DMCA notices do not directly affect us. However, we generally answer inquiries. We point out that we do not keep any data that would allow us to identify a user of the used IP address.

6. If we receive a German court order, we are forced to provide the data that we have. Since we don’t log any IP addresses, timestamps or other connection-related data, the only step on our side is to inform the inquiring party that we do not have any data that would allow the identification of a user based on that data. Should we ever receive a legally binding court order that would require us to log the activity of a user going forward, we’d rather shut down the servers in the country concerned than compromise our user’s privacy.

There have been incidents in the past where Perfect Privacy servers have been seized, but no user information was compromised that way. Since no logs are stored in the first place and additionally all our services are running within RAM disks, a server seizure will never compromise our customers. Although we are not subject to US-based laws, there’s a warrant canary page available.

7. With the exception of our US servers and French servers, BitTorrent and other file-sharing software is allowed. We offer port forwarding and do not block any ports.

8. We offer Bitcoin, PayPal and credit cards for users who prefer these options and over 60 other payment methods. Of course, it is guaranteed that payment details are not associated with any IP addresses. The only thing you know about a person is that he or she is a customer of Perfect Privacy and which email address was used.

9. The most secure protocol we recommend is still OpenVPN with 256-bit AES-GCM encryption. With our VPN Manager for Mac and Windows you also have the possibility to create cascades over four VPN servers. This Multi-Hop feature works tunnel in tunnel. If you choose countries for the hops which are known not to cooperate with each other, well you get the idea. On top of that, you can activate our NeuroRouting feature, which changes the routing depending on the destination of the visited domain and dynamically selects different hops for the outgoing server to ensure it is geographically close to the visited server.

10. Yes, our servers support full Dual Stack IPv4/IPv6 functionality, even when your ISP does not support IPv6. Our VPN Manager has a “kill switch” which has configurable protection with three security levels.

11. We run dedicated bare-metal servers in various data centers around the world. While we have no physical access to the servers, they all are running within RAM disks only and are fully encrypted.

12. Currently, we offer servers in 25 countries worldwide. All servers are located in the city displayed in the hostname – there are no virtual locations. For full details about all servers locations, please check our server status site as we are constantly adding new servers.

Perfect Privacy website

Hide.me

hide.me logo1. No, we don’t keep any logs. We have developed our system with an eye on our customers’ privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.

2. Hide.me VPN is operated by eVenture Limited and based in Malaysia with no legal obligation to store any user logs at all.

3. We do not limit or monitor individual connections. To mitigate abuse, we deploy general firewall rules on some servers that apply to specific IP ranges.

4. Our website does not include third-party tracking tools. For live support, we embed Zendesk in a privacy-friendly two-click solution, so it does not load by default and no personal data is shared.

5. Since we don’t store any logs and/or host infringing copyright material on our services, we’ll reply to these notices accordingly.

6. Although it has never happened in such a scenario, we won’t be able to entertain the court orders because our infrastructure is built in a way that it does not store any logs, and there is no way we could link any particular cyber activity to any particular user. In case, we are forced to store user logs, we would prefer to close down rather than putting our users at stake who have put their trust in us.

7. There is no effective way of blocking file-sharing traffic without monitoring our customers, which is against our principles and would be even illegal. Usually, we only recommend our customers to avoid the US & UK locations for file-sharing, but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.

8. We support a wide range of popular payment methods, including all major cryptocurrencies like Bitcoin, Litecoin, Ethereum, Dash, Monero, Paypal, credit cards and nank transfer. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can not be connected to the user’s VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.

9. After all, modern VPN protocols that we all support – like WireGuard, IKEv2, OpenVPN, SoftEtherVPN, and SSTP, are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 8192-bit key size and a strong symmetric encryption (AES-256) for the data transfer.

10. Our desktop client supports security features such as Multihop Double VPN, Kill Switch, Firewall to limit apps to VPN, Firewall to limit all connections to VPN, Split Tunnel, Auto Connect, Auto Reconnect, etc, which makes sure that the connection is always secure. Above all, we have put in some additional layers of security, which include default protection against IP and DNS leaks.

Hide.me is one of the few VPN providers that supports Dual Stack IPv4 and IPv6, so our customers do not need to worry about potential IP leaks.

11. We operate our own non-logging DNS-servers to protect our customers from DNS hijacking and similar attacks. We do not own physical hardware, but in case there is intrusion detection and other various security measures in place to ensure the integrity and security of all our single servers. Furthermore, we choose all third-party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no unauthorized person could access our servers. Among our reputable partners are NFOrce, M247, Psychz Networks and many more.

Similar to Apple’s private relay, our dynamic Multihop Double VPN feature allows us to route tunnel the connection over multiple server locations. Neither the incoming or outgoing server can match users’ activity, which provides an extra layer of security.

12. Our servers are located in countries all over the world.

Hide.me website

Trust.Zone

Trustzone logo1. Trust.Zone doesn’t store any logs. Therefore, we have no data that could be linked and attributed to the current or former user. All we need from customers is an email to sign up.

2. Trust.Zone is under Seychelles jurisdiction. The company is operated by Internet Privacy Ltd.

3. Our system can understand how many active sessions a given license has at a given moment in time. This counter is temporarily placed in RAM and never logged or saved anywhere.

4. Trust.Zone has never used any third-party tools like Google Analytics, live chat platform, support tools, or others.

5. If we receive any type of DMCA requests or Copyright Infringement Notices – we ignore them. Trust.Zone is under offshore jurisdiction, out of 14 Eyes Surveillance Alliance. There is no data retention law in Seychelles.

6. A court order would not be enforceable because we do not log information and therefore there is nothing to be had from our servers. Trust.Zone supports Warrant Canary. Trust.Zone has not received or been subject to any searches, seizures of data, or requirements to log any actions of our customers.

7. BitTorrent and file-sharing traffic is allowed on all Trust.Zone servers. Moreover, we don’t restrict any kind of traffic. Trust.Zone does not throttle or block any protocols, IP addresses, servers, or any type of traffic whatsoever. We offer port forwarding to increase download speeds for torrents.

8. All major credit cards are accepted. PayPal, Alipay, wire transfer, and many other types of payments are available. As we don’t store any logs, there is no way to link payment details with a user’s internet activity

9. We use the most recommended protocols in the VPN industry – WireGuard, OpenVPN, IKEv2/IPSec, L2TP/IpSec, Softether, Socks5 proxy Trust.Zone uses AES-256 Encryption by default.

10. Trust.Zone supports a kill-switch function. We also own our DNS servers and provide users with the ability to use our DNS to avoid any DNS leaks. All features listed above are also available with our FREE PLAN, which doesn’t require a credit card to start. We also provide users with additional recommendations to be sure that there are no WebRTC leaks, DNS leaks, or IP leaks.

11. We have a mixed infrastructure. Trust.Zone owns some physical servers and we have access to them physically. In locations with lower utilization, we normally host with third parties. But the most important point is that we use dedicated servers in this case only, with full control by our network administrators. DNS queries go through our own DNS servers.

12. We are operating with 200+ dedicated servers in 100+ geo-zones and are still growing. We also provide users with dedicated IP addresses and port forwarding. The full map of the server locations is available here.

Trust.Zone website

Windscribe

Windscribe logo1. No.

2. Windscribe Limited. Ontario, Canada.

3. Byte count of all traffic sent through the network in a one-month period as well as a count of parallel connections at any given moment.

4. No. Everything is self-hosted.

5. Our transparency policy is available here.

6. Under Canadian law, a VPN company cannot be compelled to wiretap users. We can be legally compelled to provide the data that we already have (as per our ToS) and we would have to comply with a valid Canadian court order. Since we do not store any identifying info that can link an IP to an account, the fact that emails are optional to register, and the service can be paid for with cryptocurrency, none of what we store is identifying.

7. We allow P2P traffic in most locations. Yes, we provide port forwarding for all Pro users. Only ports above 1024 are allowed.

8. Stripe, Paypal, Coinpayments, Paymentwall. IP addresses of users are not stored or linked to payments.

9. The encryption parameters are similar for all protocols we support. AES-256 cipher with SHA512 auth and a 4096-bit RSA key. We recommend using IKEv2, as it’s a kernel space protocol that is faster than OpenVPN in most cases. We also support WireGuard.

10. Our desktop apps have a built-in firewall that blocks all connectivity outside of the tunnel. They also have split routing (per process, or network level), MAC address spoofing, and external DNS server support. In an event of a connection drop, it fails closed – nothing needs to be done. The firewall protects against all leaks, IPv4, IPv6, and DNS. We only support IPv4 connectivity at this time.

11. We lease servers in over 150 different datacenters worldwide. Some datacenters deploy networking monitoring for the purposes of DDOS protection. We request to disable it whenever possible, but this is not feasible in all places. Even with it in place, since most servers have dozens/hundreds of users connected to them at any given moment, your activity gets “lost in the crowd”. Each VPN server operates a recursive DNS server and performs all DNS resolution locally.

12. Our server overview is available here. We don’t offer virtual locations.

Windscribe website

Mullvad

Mullvad1. No, all details are explained in our no-logging data policy.

Update: April 2023: Mullvad was subject to a search warrant but the company reports that customer data wasn’t compromised.

2. Mullvad VPN AB – Swedish. The parent company is Amagicom AB – Swedish.

3. We mitigate abuse by blocking the usage of ports 25, 137,139, and 445 due to email spam and Windows security issues.

OpenVPN: Number of connections: Each VPN server reports to a central service. When a customer connects to a VPN server, the server asks the central service to validate the account number, whether or not the account has any remaining time. If the account has reached its allowed number of connections, and so on. Everything is performed in temporary memory only; none of this information is permanently stored on disk.
WireGuard: Number of connections: Each VPN server reports public keys connected to a central service. If a key is abused, it will be revoked.

Our servers send two types of data to our monitoring system: aggregated application data, such as the total number of current VPN connections, and generic system metrics, such as CPU load per core and total bandwidth used by the server.

We log the total sum of each of these statistics in order to monitor the health of each individual VPN server. We ensure that the system isn’t overloaded, and we monitor the servers for potential attacks, bugs, and network issues. We also monitor the real-time state of total connections per account as we only allow for five connections simultaneously. As we do not save this information, we cannot, for example, tell you how many connections your account had five minutes ago. For WireGuard we have a limit of a maximum of 5 keys (i.e. 5 devices).

4. We have no external elements at all on our website, except for pulling in external elements when customers select stripe payments. These elements are not loaded until the user selects “pay by” and a method that Stripe supplies. We do use an external email provider; for those who want to email us, we encourage them to use PGP encryption which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. As explained here, there is no such Swedish law that is applicable to us.

6. From time to time, we are contacted by governments asking us to divulge information about our customers. Given that we don’t store activity logs of any kind, we have no information to give out. Worst-case scenario: we would discontinue the servers in the affected countries. The only information AT ALL POSSIBLE for us to give out is records of payments since these are stored at PayPal, banks etc.

7. All traffic is treated equally, therefore we do not block or throttle BitTorrent or other file-sharing protocols. Port forwarding is allowed (update May 2023, it is now disabled).

8. We accept cash, Bitcoin, Bitcoin Cash, bank wire, credit card, PayPal, GiroPay, Eps transfer, Bancontact, IDEAL, Przelewy24 and Swish. We encourage anonymous payments via cash or one of the cryptocurrencies. We run our own full node in each of the blockchains and do not use third parties for any step in the payment process, from the generation of QR codes to adding time to accounts. Our website explains how we handle payment information. You can also pay in-app on the Apple store using the Mullvad iOS app.

9. We offer OpenVPN with RSA-4096 and AES-256-GCM. And we also offer WireGuard which uses Curve25519 and ChaCha20-Poly1305.

10. We offer a kill switch and DNS leak protection, both of which are supported in IPv6 as IPv4. While the kill switch is only available via our client/app, we also provide a SOCKS5 proxy that works as a kill switch and is only accessible through our VPN.

11. At 14 of our locations (4 in Sweden, 1 in Denmark, 1 in Amsterdam, 2 in Norway, 1 in the UK, 2 in Finland, 1 in Germany, 1 in Paris, 1 in Zurich) we own and have physical control over all of our servers. In our other locations, we rent physical, dedicated servers and bandwidth from carefully selected providers. Keep in mind that we have 3 locations in the UK and 3 in Germany, the servers we physically own are the ones hosted by 31173.se (they start with gb-lon-0* and de-fra-0*, and gb4-wireguard, gb5-wireguard, de4-wireguard and de5-wireguard). All servers are 10gbps.

Yes, we use our own DNS servers. All DNS traffic routed via our tunnel is hijacked, even if you set accidentally select another DNS our DNS will anyhow be used. Except if you have set up DNS over HTTPS or DNS over TLS, or if you use a custom DNS in our app.

12. We don’t have virtual locations. All locations are listed here.

Mullvad website

IVPN

IVPN logo1. No. We believe that not logging VPN connection related data is fundamental to any privacy service regardless of the security or policies implemented to protect the log data. Specifically, we don’t log: traffic, DNS requests, connection timestamps and durations, bandwidth, IP address, or any account activity except simultaneous connections.

2. Privatus Limited, Gibraltar. No parent or holding companies.

3. We limit simultaneous connections by maintaining a temporary counter on a central server that is deleted when the user disconnects (we detail this process in our Privacy Policy).

4. No. We made a strategic decision from day one that no company or customer data would ever be stored on third-party systems. All our internal services run on our own dedicated servers that we set up, configure, and manage. No third parties have access to our servers or data. We don’t host any external scripts, web trackers, or tracking pixels on our website. We also refuse to engage in advertising on platforms with surveillance-based business models, like Google or Facebook.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we inform them that we never store the IP addresses of customers connected to our network nor are we legally required to do so. We have a detailed Legal Process Guideline published on our website.

6. If asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information. If legally compelled to log activity going forward we would do everything in our power to alert the relevant customers directly (or indirectly through our warrant canary).

7. We do not block any traffic or ports on any servers. (Update: Port forwarding will be gradually removed.)

8. We accept Bitcoin, Cash, Monero, PayPal, and credit cards. When using cash there is no link to a user account within our system. When using Bitcoin, the transaction is processed through our self-hosted BTCPay server. We store Bitcoin transaction IDs in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. We accept Monero directly to our self-hosted wallet and, no third party has access to payment information. When paying with PayPal or a credit card a token is stored that is used to process recurring payments but this is not linked in any way to VPN account usage or IP assignments.

9. We offer and recommend WireGuard, a high-performance protocol that utilizes state-of-the-art cryptography. Alternatively, we also offer OpenVPN with RSA-4096 / AES-256-GCM, which we also believe is more than secure enough for the purposes for which we provide our service.

10. Yes, the IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible including IPv6, DNS, network failures, WebRTC STUN, etc. Our VPN clients work on a dual-stack IPv4/IPv6 but we currently only support IPv4 on our VPN gateways. Full IPv6 support is in the pipeline.

11. We use bare metal dedicated servers leased from third-party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized the data is worthless.

We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult. We operate our own network of log-free DNS servers that are only accessible to our customers through the VPN tunnel.

12. We have servers in 32 countries. No virtual locations. The full list of servers is available here.

IVPN website

AtlasVPN

atlasvpn1. If the question relates to the VPN server’s IP address and a user’s online activity while connected to VPN, then the answer is no.

2. Atlas VPN is incorporated under Peakstar Technologies Inc. We operate in Delaware’s (USA) jurisdiction.

3. We use an automated system that monitors the number of simultaneous connections per account. Yet, we do not store this information. The free version of our service is limited to 2 concurrent connections. Worth noting that our premium subscription does not limit the number of concurrent connections.

4. We mainly use Zendesk to communicate with our users. We also use Google Analytics and AppsFlyer to monitor application and website data.

5. Atlas VPN is considered to be a transmission service provider as per § 512 (a) of the Digital Millennium Copyright Act (DMCA) and not a storage service provider. Transmission service providers have no obligations to react to take-down notices or enable counter-notices.

6. We would comply with a justified court order in a manner that would be deemed appropriate after consultation with legal counsel. It would naturally depend on the court order on what steps we would need to take to ensure compliance. As far as logging future activity, we would do whatever it takes to protect our users’ privacy. We can not say how the process would unfold as we have never received any court order of this nature.

7. Yes, it is allowed. No port forwarding services are provided. SMTP ports are blocked to prevent email abuse.

8. Stripe (as well as Google Pay for the convenience of our users), PayPal as well as reseller services, such as Google Play and App Store. The details can be linked with account usage as far as app analytics go. They can be linked with ongoing sessions. This linkage is deleted as the VPN session is terminated.

9. It depends on the platform of the application. We use the IPSec/IKEv2 protocol, and depending on the platform we recommend Diffie Hellman group 20 and 256-bit ChaCha20/Poly1305 with 128-bit ICV.

10. Yes, these are implemented using platform tools. We do support dual-stack functionality.

11. All of our servers are hosted by third parties. We perform proper due diligence to ensure that the partners are reliable. Even if partners tried snooping, they would not be able to do so, since inbound and outbound traffic from the client is encrypted. We do use our own DNS servers.

12. They are located in the countries that are shown in our applications at any given time. No virtual locations are offered.

AtlasVPN website

Speedify

speedify1. No, we do not share ANY user information with ANY third party. We do not store or log ANY information about which users accessed which domain names or IP addresses. We do not log customers’ IP addresses.

2. Connectify, Inc. – operating under US jurisdiction.

3. We monitor with a set of self-hosted, open-source tools including Prometheus and Grafana.

4. We don’t use third-party analytics tools. Our help desk is built on HelpScout. Messages are automatically deleted after a time period.

5. We politely reply that we do not collect enough information to be of any use.

6. We properly respond to law enforcement and offer the information which is in our logs. Which as previously noted, is not helpful for connecting users to activity. We would fight any order that attempted to force us to log a user activity going forward. We have received subpoenas for information about various IP addresses before. We have never been asked or ordered to attempt to log information about any user going forward.

7. Speedify has dedicated servers for P2P traffic. Most of our servers do not allow BitTorrent traffic. We do provide port forwarding and static IP address services with our dedicated VPN servers. Only port 25 is blocked as unencrypted SMTP is dangerous and insecure even to the sender, and has no legitimate use.

8. Speedify offers a variety of ways to pay, including Apple App Store, Google Play Store, Recurly, PayPal, and FastSpring. Purchases through Apple App Store and Google Play Store do not provide us with any information about the purchaser unless the user provides it to us directly.

9. We default to 256-bit AES encryption. Those concerned about security may wish to turn on the Killswitch to ensure traffic does not go out while the VPN is not connected.

10. Yes, we support killswitch. It is not on by default, but it’s available in the settings menu. Yes, we have built-in DNS and IPv6 leak protection. The software supports Dual Stack IPv4/IPv6, but not all our deployed servers are on IPv6. it’s rolling out to more and more servers as we speak.

11. Speedify VPN servers are hosted by third parties. On the VPN side, traffic is entirely encrypted. Internet traffic from clients is run through a server-side TCP proxy to erase hints in IP and TCP headers such as RTT which a sophisticated opponent could otherwise use to tease apart traffic from different operating systems. Then the traffic is NATed together, often 1000 users sharing a single IP address, to make individuals impossible to trace. We proxy the DNS before forwarding it to trusted, privacy-oriented DNS partners.

12. Our servers are constantly changing: in areas with few users, we will use virtual servers, but in most cases, we will use hardware servers.

Speedify website

CyberGhost

1. Cyberghost LogoCyberGhost has a strict No-Logs policy, so none of our traffic or DNS servers log or store any user info. Customers can rest assured that we keep absolutely no logs of any of our customers’ activities.

2. CyberGhost has been part of Kape Technologies, a leading ‘privacy-first’ consumer software provider, since 2017.

3. Our dedicated team monitors the whole service and infrastructure for any abuse of service. We have several tools in place, from CDN protection to firewalls and our own server monitoring system. Concurrent connections limits are monitored & also enforced via our systems to avoid such types of abuses.

4. We use Google Analytics for website analytics, Zendesk for customer support, and Iterable for customer communications.

5. Back in 2011, we were the first in the VPN industry to publish a Transparency Report. It’s something we still do today when we launch our reports quarterly. Our latest transparency report for Q1 2023 can be found here. Regardless of the number of DMCA takedown notices or legal requests we receive, our reply is always the same: we keep no user logs and so we cannot comply with the request.

6. Since we store no logs, such requests do not affect us. Under Romanian law, data retention is not mandatory. This allows us to give our ‘Ghosties’ complete digital privacy.

7. Many of our servers do support BitTorrent and CyberGhost offers servers that are optimized for private and secure file-sharing and safe and anonymous access to torrent sites for legal downloads. In some countries, local legislation prevents us from offering adequate service for torrenting. Other locations have performance constraints. We currently do not support port forwarding services. What’s more, specific ports related to email services are also blocked as an anti-spam security measure.

8. Our current payment providers are Cleverbridge, Stripe, BitPay, Braintree, and Paddle. We do not store any payment details. These are handled by our payment providers, which are entirely Payment Card Industry Data Security Standard compliant.

9. We generally favor the AES-256 encryption platform & protocol wide for its good balance of performance and security.

10. CyberGhost features an automatically integrated kill switch as a robust and reliable security feature. This is turned on by default, protecting users should their VPN connection ever be disrupted. CyberGhost does not support dual stack.

11. We use disk encryption to make sure no third party can access the contents of our VPN servers. Furthermore, we have additional server authenticity tests in place to eliminate the risk of Man-in-the-middle attacks. We use self-managed DNS servers to ensure the E2E protection of online activity.

12. Most of our servers are physically located within the borders of the specified country. We do also offer virtual locations for countries or locations where physical servers are not possible. Our server fleet now covers over 90 countries and over 115 different locations, allowing our users to browse safely and anonymously across the world. More details are available here.

CyberGhost website

FastestVPN

fastestvpn1. No information is shared with any third parties apart from the method of payments through our affiliate program. The only information FastestVPN processes are email addresses, and payment methods. No amount of identifiable data is stored that could be led back to any user.

2. Fastest Technologies is the parent company that operates under the jurisdiction of the Cayman Islands. Being placed under this location makes it easier to protect user privacy and prevent data retention under bound policies. Our jurisdiction is not among any of the 14-Eyes country alliances.

3. The maximum number of connections that FastestVPN allows is 10 multi-connections. If, or when, our system detects an unusual number of unsubscribed connections with our service, the user is notified, and the account is temporarily suspended until a solution is brought up. Here are the tools we utilize:

– Maxmind for fraudulent payment detector
– Cloudflare for websites to prevent DDoS attack
– BugSnag for error logging
– Radius for limited connection control

4. Postmark for transactional emails, Google Analytics for website monitoring, Tawk TO for customer services, and BugSnag do not store identifiable data. All third-party services associated with us are bound by legal contract never to misuse or compromise any stored minute data.

5. It never comes to the point of being handled due to DMCA notices not being applicable to the Cayman Islands jurisdiction.

6. It hasn’t. We neither store nor share any sensitive data from our users. We have RAM-based servers that never store any amount of data received. All our servers are also audited by an independent firm Altius IT, which has ensured that we do not keep users’ data.

7. No, FastestVPN does not restrict access to BitTorrent or P2P-based services and is supported on most of our servers. However, on the matter of Port Forwarding, we do not offer it.

8. FastestVPN uses a payment method service from FastSpring that is a well know payment gateway service provider We make sure that the details of the payments taken from our users are charged completely on the user’s consent and decision. We ensure that all payments are issued according to the subscription a user has chosen.

9. By default, FastestVPN has Auto Protocol enabled, which again depends on the server you choose and according to the Network connection you’ve enabled. Our Auto-protocol option detects and connects you with the best protocol for your network. Other than that, all apps and protocols are secured with AES 256-bit encryption, with the inclusion of our latest WireGuard technology.

10. Yes, FastestVPN does support a Kill Switch option for all our apps. We also support DNS/IPV6 leak protection. Right now, FastestVPN apps support both by converting IPV6 to IPV4, which means if we receive an IPV6 connection request, we convert it to IPV4

11. We have physically hosted servers in major countries, few servers are virtual but RAM-based. This means no data can be maintained or logged on either side. Apart from that, yes, we have our own DNS servers.

12. We have physical servers in 40+ countries, including the USA, UK, Canada, Australia, Germany, France, and all the major countries. Our virtual servers are in India, Russia, and the UAE.

FastestVPN website

AzireVPN

AzireVPN logo1. No, we do not record or store any logs related to our services. We do not log traffic, user activity, timestamps, IP addresses, number of active and total sessions, DNS requests, or similar data.

2. The registered company name is Netbouncer AB, and we operate under Swedish jurisdiction. There are no data retention laws for VPN providers in Sweden.

3. We take extra security steps to harden our servers: they are prepared by removing their hard drives. Their custom base image runs in RAM. The operating system is hardened with a method we call Blind Operator 2.0, which means that local (TTY) or remote (SSH) access is blocked. The servers are completely headless after deployment and it is not possible to log in to them. As for abuses such as incoming DDoS attacks, filtering on the attacker’s source port is used to mitigate them.

4. No, we do not rely on and refuse to use third-party vendors. We run our own email infrastructure and encourage people to use PGP encryption when contacting us. The ticketing support system, website analytics (Matomo with anonymization settings), and other tools are all open-source, or custom software hosted in-house.

5. We inform the sender that we do not keep any logs and cannot identify a user.

6. A court may issue an order requiring us to identify a user. In this case, we will first ensure that the order is valid. We will then inform the other party that because of our unique infrastructure, we cannot identify any current or former user of our service. If they force us to give them physical access to a server they will not be able to do anything. The reason for this is that the servers block local (TTY) and remote (SSH) access as part of Blind Operator 2.0, making it impossible to log in to a server.

To date, we have never received a court order and have never provided any personal information.

7. Yes, BitTorrent, peer-to-peer, and file-sharing traffic is allowed and treated the same as any other traffic on all of our servers. We do not offer port forwarding services yet, but we are working on it and expect to release it in the coming weeks.

8. Anonymous payment methods include cryptocurrencies or sending cash through the mail. Available cryptocurrencies include Bitcoin, Litecoin, Monero, and a few others. Traditional payment methods such as PayPal (with or without recurring payments), credit cards (VISA, MasterCard, and American Express via Stripe), and Swish are accepted.

We do not store any sensitive payment information on our servers, only an internal reference code for order confirmation. All transaction information is deleted from our database after six months.

9. We recommend the use of our WireGuard servers. WireGuard is a lightweight and powerful modern VPN protocol. Our custom applications are available for Windows, Android, macOS, and iOS. Otherwise, it is preferable to use official tools on Linux, macOS, and routers (using OpenWrt or DD-WRT).

10. We provide easy-to-use and similar looking custom VPN applications for Windows, Android, macOS and iOS that do not require any configuration file manipulation. We plan to add a kill switch and DNS leak protection to our desktop applications in the future.

We provide our users with a full dual IPv4+IPv6 stack on all servers. This eliminates the need for loose IPv6 leak protection. In the coming weeks, it will also be possible to connect to our WireGuard servers via a native IPv6 line.

11. We physically own all of our servers in all of the locations we offer. Our team ships them to data centers that meet our strict criteria, such as the availability of neutral and privacy-conscious Internet providers and closed racks for security. We also host our non-logging local DNS servers in each location; our VPN tunnels use them by default. Static DNS servers are also available.

12. We currently have 78 servers in 25 locations. In the past year, we have added new servers in Finland, Hong Kong, Singapore, and 3 new locations in the United States. There are no virtual locations.

AzireVPN website

Guardian

guardian1. We do not.

2. DNSFilter, Inc. United States of America.

3. No limits on concurrent connections, though we may introduce bandwidth throttling if we notice huge amounts being consumed. We still won’t track, just would limit speeds in such cases.

4. Zendesk, so if you send an e-mail to support, it will have a help ticket for the inquiry you’ve sent. No analytics.

5. We simply block the port that they allege was in use. We do not retain any useful records and thus have no further action to take.

6. We have not had such a case occur. If one were to happen, we would engage with our legal counsel on how to fight it.

7. We currently have no terms for or against specific types of traffic. If a DMCA request is filed and says a specific port is being used for file-sharing activity, we will block the port.

8. We use Apple’s in-app purchase system on iOS, and Stripe on the web. Our payment authorization systems are separated from our VPN credential generation systems.

9. We offer IKEv2, as mentioned above, but are now also offering WireGuard and encourage our users to consider using it.

10. We currently only support IPv4, with IPv6 on our roadmap. We do not support what may be deemed a “kill switch” in a traditional sense due to the limitations of iOS.

11. We use 1.1.1.1 for DNS, and we use bare-metal servers (not shared VMs) on our hosting provider. We are in the process of setting up our own data centers.

12. We have servers located in the United States, Canada, Brazil, France, Germany, Italy, Netherlands, Switzerland, United Kingdom, Japan, Singapore, and Australia.

Guardian website

OVPN

OVPN logo1. Our entire infrastructure and VPN service is built to ensure that no logs can be stored – anywhere. Our servers are locked in cabinets and operate without any hard drives. We use a tailored version of Alpine, which doesn’t support SATA controllers, USB ports, etc.

2. OVPN Integritet AB (Org no. 556999-4469). We operate under Swedish jurisdiction. In May 2023: OPVN was acquired by Pango.)

3. We don’t monitor abuse. In order to limit concurrent connections, our VPN servers validate account credentials by making a request to our website. Our web server keeps track of the number of connected devices. This is stored as a value of 0-4, where it is increased by one when a user connects and decreased by one when a user disconnects.

4. For website insights, we use Matomo/Piwik, an Open Source solution that we host ourselves. The last two bytes of visitors’ IP addresses are anonymized; hence no individual users can be identified. Automatic emails from the website are sent using Postmark. Intercom is used for support.

5. Since we don’t store any information, such requests aren’t applicable to us.

6. OVPN has proven in court that no logs are stored. Furthermore, a court wouldn’t be able to require logging in our jurisdiction – but in case that changes in the future, we would move the company abroad. OVPN has insurance that covers legal fees as an additional layer of safety, which grants us the financial muscles to refute any requests for information.

7. We don’t do any traffic discrimination. As such, BitTorrent and other file-sharing traffic are allowed on all servers. We do provide port forwarding services as incoming ports are blocked by default. The allowed port range is 49152 to 65535. For other ports, we recommend users to purchase our Public IPv4 add-on.

8. PayPal, credit cards (via Braintree), Bitcoin (via CoinPayments), Ethereum (via CoinPayments), Monero (via CoinPayments), cash in envelopes as well as a Swedish payment system called Swish. We never log the IP addresses of users, so we can’t correlate an IP address to a payment.

9. OVPN’s default setting is to use WireGuard as VPN protocol.

10. Our desktop client provides a kill switch as well as DNS leak protection. All our servers support dual-stack IPv4 & IPv6. Our browser extension blocks WebRTC leaks.

11. We own all the servers used to operate our service. All VPN servers run without any hard drives – instead, we use tmpfs storage in RAM. Writing permissions for the OpenVPN processes have been removed, as well as syslogs. Our VPN servers do not support physical console access, keyboard access or USB access. The servers are colocated in various data centers that meet our requirements. OVPN does not rent any physical or virtual servers. We operate our own DNS servers.

12. We do not offer any virtual locations. All our regions are listed here. We have photos of our servers at all locations, which are viewable by clicking on the region names

OVPN website

Ivacy

ivacy1. Ivacy VPN does not keep any personally identifiable information on any of its users. Since we do not keep such information, there is no way to share private information with third parties. The only bit of information we collect is email address against which the account is bound and payment details which are necessary in order to issue a paid subscription. Plus we also offer more anonymous ways of making a transaction if you’re concerned about your privacy like Cryptocurrencies.

As for what information is collected, none contains any identifiable information or user data like DNS requests, traffic details, or IP addresses. The only thing known is the countries where users originate from.

2. The company is registered as Ivacy VPN and is a part of PMG Pte. Ltd. Ivacy mainly operates from Singapore with some remote resources working from other parts of the world. As such, we’re only answerable to Singaporean laws.

3. We employ a few essential tools, which are as follows: Firebase Crashlytics, Google Analytics, and iTunes.

4. Apart from the tools mentioned above, we also utilize third-party tools like Zendesk (Customer Service & Support Ticketing) and LiveChat (Help Desk Software).

To provide outstanding customer support and quick delivery of service, we keep a record of all our correspondence. This includes a record of complaints, questions, and compliments submitted via our website, extensions, or apps.

5. When a user connects with Ivacy, he/she becomes anonymous. Therefore, we cannot connect specific activities with specific users since we don’t keep any logs or records. However, if a case is forwarded to our legal department, appropriate measures will be taken to address the issue promptly.

6. As mentioned earlier, Ivacy VPN does not keep any personally identifiable information on any of its users, which is also in accordance with the GDPR. Because of this, we do not have any information to give to anyone, even if it is a court order. Such scenarios have never played out in the past because Ivacy VPN is a GDPR complaint VPN provider.

7. Yes, BitTorrent and other file-sharing traffic are allowed on our P2P-optimized servers. Ivacy also keeps striving to improve its product and as such, new P2P servers within the same country and new countries with P2P protocols will keep on adding in the future We do offer port forwarding services as well. However, all ports are blocked by default and need to be enabled by users according to their needs and requirements.

8. Ivacy VPN utilizes the following payment systems/providers: Debit/Credit Cardm, PayPal, BitPay, Coingate, and PerfectMoney. Please note Ivacy VPN utilizes third-party payment processors. These third-party payment processors are evaluated regularly, ensuring our users’ data is not used for any other purpose except for processing payments.

It is important to note, though, that the payment data provided rests with the respective payment processors. Therefore, in those instances where we process data, it is passed on to the processor without keeping any record of it at our end.

9. OpenVPN with the AES-256-GCM encryption algorithm.

10. Ivacy VPN does provide tools like Internet Kill Switch, IPv6 Leak Protection, Secure DNS, Public Wi-Fi Security, Split Tunnelling, and several other advanced security features. These features ensure our users remain safe, secure, and anonymous at all times while connected to our VPN servers.

11. Our servers are hosted on Tier-4 data centers, and yes, we do own DNS servers.

12. Ivacy does not offer virtual locations and all the locations listed are actual, physical locations. Our complete list of physical servers can be found over here.

Ivacy website

Further reading: Free vs. Paid VPN.

*Note: NordVPN, ExpressVPN, and Private Internet Access are TorrentFreak sponsors. We reserve the first three spots for them as a courtesy. This article also includes a few affiliate links which cost readers nothing but help us pay the bills. We never sell positions in our review article or charge providers for a listing.

Sponsors

Popular Posts

From 2 Years ago…