VPN Privacy Grades
5 companies analysed · Sorted by privacy score
A VPN tunnels your traffic, but it can still see account identifiers, billing data, support tickets, app analytics, and marketing pixels on the website—layers many “no logs” slogans never mention. Jurisdiction matters because lawful intercept and data-order rules differ, yet a minimal data architecture often matters more than flag-waving about offshore incorporation. The best providers spell out what happens to crash reports, affiliate IDs, and refund records; the worst bolt ad-tech SDKs onto the same client that claims to shield you from trackers. Also watch for vague “improvement” purposes that let long-lived device identifiers persist outside the tunnel. Use our grades to compare tunnel claims against everything outside the tunnel. Methodology and pillar definitions live on the About page.
| # | Company | Grade | Score | In plain English |
|---|---|---|---|---|
| 1 | Mullvad | A | 93/100 | Mullvad collects almost nothing — no account names, no activity logs, no IP retention — and the policy is short because there's genuinely very little to say; what little data does get processed (payments, support emails) has hard, specific deletion windows and never leaves the EU. |
| 2 | ExpressVPN | B- | 70/100 | ExpressVPN's no-logs commitment for VPN traffic is genuine and KPMG-audited, anonymous payment is available, and its BVI jurisdiction keeps legal requests demanding, but the service is ultimately owned by Kape Technologies PLC (a UK company with a controversial history) — and while the policy explicitly firewalls your data from Kape, an aggressive marketing cookie stack including Facebook Pixel, DoubleClick Ad, and Microsoft Advertising runs on the website, essential cookies including Google Analytics cannot be disabled, and transactional data is retained for ten years. |
| 3 | Surfshark | C+ | 63/100 | Surfshark is notably transparent — it publishes specific data retention windows for every processing activity, a warrant canary, and a transparency report — but it temporarily stores your IP address during VPN sessions (deleted within 15 minutes of disconnection), is incorporated in the Netherlands (Nine Eyes jurisdiction), shares data with Nord Security group companies including US entities, stores data in Google BigQuery, and its Alternative Number feature sends call and SMS content to Telnyx in the United States. |
| 4 | NordVPN | C+ | 62/100 | NordVPN genuinely doesn't log your VPN activity — that part of the privacy pitch holds up — but outside the tunnel it runs a large advertising and analytics infrastructure full of US-based trackers, shares data within a broad corporate group, markets to you for a year after you cancel, and retains billing records for a decade. |
| 5 | PureVPN | C+ | 60/100 | PureVPN has a credible BVI-jurisdiction no-logs policy for VPN traffic, but Facebook Pixel is explicitly listed as an in-app analytics tool (not just a website cookie), the optional Dark Web Monitoring feature hands your Social Security number, passport number, and credit card to a third-party breach firm called SpyCloud, data retention is vaguely described as lasting 'until you remain a subscriber', and a roster of marketing platforms including UseInsider, MixPanel, and Facebook Pixel all receive data about how you use the app. |