Is Your VPN Actually Private? We Graded Mullvad and NordVPN

14 April 2026

Mullvad grades A. NordVPN grades C+. Both claim 'no logs'. Here's what the privacy policies actually say about what's collected outside the tunnel.

A VPN that keeps logs of your activity is worse than no VPN. So the most important question about any VPN is: do they actually keep no logs?

The honest answer for most VPN providers is: it depends what you mean by "logs." Most major VPN providers don't log your VPN activity — the websites you visit, your originating IP address, your browsing behaviour. That part of the no-logs pitch is usually true. Where VPNs differ significantly is everything else: account data, analytics, advertising, payment records, and jurisdiction.

We've done a full analysis of Mullvad VPN (grade: A, 93/100) and NordVPN (grade: C+, 62/100). The gap between them is larger than most users expect.

The no-logs claim: what's real

Both Mullvad and NordVPN genuinely do not log your VPN activity. Mullvad states explicitly: "It is therefore our policy to never store any activity logs or metadata." NordVPN states: "we do not record our users' internet activity or their IP addresses when using our NordVPN services."

NordVPN's no-logs policy has been independently audited by PricewaterhouseCoopers and Deloitte — credible firms whose findings are on the record. Mullvad publishes its policy in enough detail to verify it structurally, though it hasn't undergone the same named third-party audits.

So when it comes to the VPN tunnel itself, both companies deliver. The difference begins the moment you look at everything outside the tunnel.

Account creation: the first difference

Mullvad doesn't require an email address. Your account is identified by a randomly generated 16-digit number. You can pay with cash sent in an envelope to Mullvad's office in Sweden, or with Monero. There is no name, no email, no phone number associated with your account.

NordVPN requires an email address and creates an identifiable account. That email becomes the anchor for all subsequent data collection: marketing, billing records, product analytics, and legal disclosure.

This is a fundamental structural difference. Mullvad's architecture makes it impossible to link a VPN account to a person even if someone obtained their database. NordVPN's architecture makes that link trivially easy.

The advertising infrastructure gap

NordVPN markets itself as a privacy tool. Its apps and website embed Google Analytics, AppsFlyer, Braze, and Tune/HasOffers — a full-stack advertising and analytics platform used to measure user acquisition, track conversions, and enable targeted advertising.

These are the same categories of infrastructure that VPNs are often used to escape. Using a VPN to avoid being tracked by advertising networks while that VPN simultaneously embeds advertising networks in its own app is a genuine contradiction. NordVPN's privacy pitch applies inside the tunnel. Outside it, the app's data practices look similar to any other subscription SaaS product.

Mullvad's privacy policy is short — unusually short for a company of any size. The reason is that there's genuinely very little to say. No advertising partners, no analytics third parties, no affiliate tracking. The company publishes an explicit policy declining affiliate arrangements and review-based advertising because those business models create incentives to share user data that Mullvad doesn't want.

What happens to your data after you cancel

NordVPN retains billing records for ten years. It continues marketing communications for up to a year after you cancel. These are legitimate commercial practices for an enterprise SaaS company — but they sit oddly against a privacy-first brand.

Mullvad deletes support emails after exactly 70 days. Transaction IDs used for refunds are permanently deleted after exactly 20 days. Legally required payment records are kept for the statutory period under Swedish accounting law — seven years, with specific carve-outs clearly documented.

The difference between "as long as necessary" (NordVPN) and "exactly 20 days" (Mullvad) is the difference between a vague commitment and an auditable one.

Jurisdiction

NordVPN is incorporated in Panama, which is outside the Five Eyes and Fourteen Eyes intelligence alliances. This is a genuine privacy advantage for VPN activity: government requests must go through Panamanian legal process, which is slow and demanding. NordVPN rightly highlights this as a protection against surveillance.

Mullvad is a Swedish company, which means GDPR applies and the Swedish Authority for Privacy Protection (IMY) is the enforcement body. Sweden is a member of the Fourteen Eyes, but the GDPR framework provides meaningful structural protections that Panamanian law doesn't. This is a genuine trade-off with no clear winner — Panama is better for avoiding bulk surveillance programmes; Sweden is better for individual rights enforcement.

Side by side

| | Mullvad | NordVPN |
|---|---|---|
| No-logs (VPN activity) | ✓ Yes | ✓ Yes (audited) |
| Account requires email | ✗ No (random number) | ✓ Yes |
| Advertising tech stack | ✗ None | ✓ Google, AppsFlyer, Braze |
| Data outside EU? | ✗ Never | ✓ Multiple US providers |
| Billing retention | 7 years (accounting law) | 10 years |
| Marketing after cancellation | ✗ None | Up to 1 year |
| Cash/anonymous payment | ✓ Yes | ✗ No |
| Privacy grade | A (93/100) | C+ (62/100) |

Which one should you use?

If your priority is comprehensive privacy — the account not being linkable to you, no advertising infrastructure, minimal data retention — Mullvad is the clear choice. The grade gap (A vs C+) reflects real differences in practice, not just policy language.

If you prioritise an independently audited no-logs policy, a larger server network, and a well-funded product with a wider feature set, NordVPN is a legitimate option. The VPN activity logging protection is genuine. Just be aware that the broader privacy picture is more complicated than the marketing suggests.

See our full Mullvad analysis and full NordVPN analysis for the complete breakdowns. You can also compare them side by side.
