
What "No Logs" Actually Means.

The most-claimed and least-verified phrase in VPN marketing. Here's how to read it, who's actually doing it, and what the verification options are.

What "no logs" should mean

A VPN provider claiming "no logs" should mean: they don't retain any data about your VPN usage that could be used to identify you, your destinations, your timing, or your activity. Specifically:

  • No log of your originating IP address.
  • No log of which sites or IPs you visited through the tunnel.
  • No log of DNS queries.
  • No log of bandwidth used per session.
  • No log of session start/end timestamps.
  • No log of which server you connected to.

That's the strict version. Most VPN companies have a weaker interpretation — and the gap between marketing and reality is where users get burned.

The three categories of "no-log" claims

1. Policy-based no-logs

"We have a policy not to log VPN traffic." This is the most common claim. Logging is enabled at the server/protocol level by default; the provider has procedures to delete or not retain logs. The risk: a config error, a rogue employee, or compelled compliance can produce logs that the policy said wouldn't exist.

2. Architecture-based no-logs

"We've configured our servers so that logging is disabled at the protocol level." The data is never written to disk to begin with. Even if compelled, there's nothing to hand over because nothing was ever recorded.

This is what we do at ClownVPN. WireGuard has logging disabled via config. Servers run on RAM-disk so reboots wipe all state. There's no logging system to subpoena.

3. Audited no-logs

A third-party firm (PwC, Deloitte, KPMG, Cure53, Securitum) has reviewed the provider's infrastructure and confirmed the claim. Audit results are usually published as a report.

This is the gold standard, but it's not without limits. An audit is a point-in-time snapshot — the provider could change their config the next day. Most providers re-audit annually to provide ongoing assurance.

Audited no-logs is what NordVPN, ExpressVPN, ProtonVPN, Surfshark, and Mullvad ship. ClownVPN has not been audited yet (planned for late 2026).

Read the actual policy

The headline of a "no logs" claim is marketing. The policy page is where the real terms are. Things to look for in the actual privacy policy:

  • The word "logs" used precisely. "No traffic logs" is narrower than "no logs." "No usage logs" is yet a third interpretation.
  • What IS collected. Most providers do collect some operational data — email for account creation, aggregate server statistics, crash reports. The honest ones list these in detail.
  • Retention windows. "We don't keep logs longer than 30 days" is not the same as "we don't keep logs."
  • Jurisdictional disclosures. Where is the provider based? Do local data-retention laws apply?
  • Compelled disclosure procedures. What happens if the provider receives a subpoena?

Most providers have substantive privacy policies if you read them. Most users skim the headline. Read the actual document for the providers you're considering.

What gets logged even by "no log" providers

Honest providers will tell you up front that some data is unavoidable to collect. Common categories:

  • Account email + payment info. Any VPN with user accounts has this. We don't have accounts — this is one of our differentiators.
  • Aggregate server statistics. Total users connected, peak load times, bandwidth used in aggregate. Not tied to any individual user.
  • Crash reports. Stack traces, device class, anonymized install IDs. Used to fix bugs.
  • Marketing data on the website. Most VPN websites use Google Analytics or similar. We don't.

Our policy explicitly lists all of these (see /privacy/ sections 3-4). The honest ones do the same.

Historical "caught lying" incidents

A few times in VPN history, "no log" providers have been caught with logs:

  • HMA (Hide My Ass), 2011. Provided logs to FBI in a LulzSec investigation despite stated no-log policy. Major scandal at the time. Shaped industry expectations.
  • PureVPN, 2017. Provided connection logs to FBI in a stalking investigation. Their no-log marketing was technically narrower than users believed. Industry took note.
  • IPVanish, 2018. Provided logs to DHS in a child-exploitation investigation. Despite "zero log" marketing, they had logs. Subsequent ownership change + audit cycle.

These incidents are why audits exist. They're also why "policy" without architecture is a fragile claim.

Our position

We're architectural no-logs but not yet audited. Concretely:

  • WireGuard runs with logging disabled at config level.
  • Server filesystems are RAM-disk only.
  • DNS queries are pushed through Cloudflare 1.1.1.1 via the tunnel — we don't run our own DNS, so we never see queries.
  • No user accounts means no identity attached to sessions.
  • We do retain anonymous crash reports (90 days) and aggregate server statistics — fully disclosed in /privacy/.
  • Third-party audit planned for late 2026.

Until we're audited, our claims rest on architectural choices that are documented but not third-party-verified. That's a weaker trust position than NordVPN or ProtonVPN. We're honest about that.
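The RAM-disk and logging-disabled claims above are the kind a reviewer can check mechanically on a Linux server. The following is an added example, not ClownVPN's own tooling: it assumes a systemd-journald host, the function names are hypothetical, and the mount tables and journald.conf text are constructed samples.

```python
# Added example: flag storage on a Linux host that could retain logs across a reboot.
RAM_DEVICES = ("/dev/ram", "/dev/zram")   # RAM-backed block devices
NETWORK_FS = {"nfs", "nfs4", "cifs"}      # remote storage also outlives a reboot

def persistent_mounts(mounts_text):
    """Return mount points of writable filesystems that survive a reboot."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        writable = "rw" in options.split(",")
        on_disk = device.startswith("/dev/") and not device.startswith(RAM_DEVICES)
        if writable and (on_disk or fstype in NETWORK_FS):
            found.append(mountpoint)
    return found

def journald_storage(conf_text):
    """Effective Storage= value; journald's default when unset is 'auto'."""
    value = "auto"
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("Storage="):   # commented-out lines start with '#'
            value = line.split("=", 1)[1].strip().lower()
    return value

def audit(mounts_text, journald_conf):
    findings = [f"writable persistent filesystem at {m}"
                for m in persistent_mounts(mounts_text)]
    storage = journald_storage(journald_conf)
    if storage not in ("volatile", "none"):
        findings.append(f"journald Storage={storage} may persist the journal under /var/log/journal")
    return findings

# Constructed samples in /proc/mounts format: device, mount point, fstype, options.
RAM_ONLY_MOUNTS = """\
tmpfs / tmpfs rw,size=2097152k 0 0
/dev/loop0 /usr squashfs ro,relatime 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
"""
DISK_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /var/log ext4 rw,noatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""
VOLATILE_CONF = "[Journal]\nStorage=volatile\n"
DEFAULT_CONF = "[Journal]\n#Storage=auto\n"
if __name__ == "__main__":
    print(audit(DISK_MOUNTS, DEFAULT_CONF))
```

On a real host, pass in the contents of /proc/mounts and /etc/systemd/journald.conf; drop-in files under journald.conf.d are outside what this example reads.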

How to evaluate a VPN's no-log claim

Quick checklist:

  1. Read the privacy policy, not just the marketing page.
  2. Look for an audit report. If yes, by which firm? What year? Is it ongoing or one-off?
  3. Check the jurisdiction. Five Eyes / Fourteen Eyes countries have intelligence-sharing agreements; some users prefer providers outside them.
  4. Look at the operating company. Independent? Owned by a larger entity (Kape, McAfee, etc.)?
  5. Look up any historical incidents (FTC complaints, app-store removals, news coverage of compelled disclosures).


🎪 FAQ

Has any VPN been caught lying about no-logs?
Yes, several. HMA was caught providing logs to authorities in a 2011 case. PureVPN provided logs to the FBI in 2017 despite a stated no-log policy. Both incidents predate current audit practices, but they shaped the industry's transparency norms. Modern no-log policies are stronger because the bar moved.

What's the difference between 'no logs' and 'no traffic logs'?
'No traffic logs' is a narrower claim — they don't log what you're doing on the internet, but might still log connection metadata (when you connected, how much bandwidth, what server). 'No logs' is a stronger claim that should include connection metadata. Read the policy text, not just the headline.

Can a no-log VPN still be subpoenaed?
Yes — any company in any jurisdiction can receive a court order. The point of no-logs is that there's nothing useful to hand over. We've documented exactly what we would and wouldn't have in our audit page. Architectural no-logs means the subpoena returns an essentially empty dataset.

Why don't more VPNs audit their no-log claims?
Cost and complexity. A real audit means an independent firm reviewing server configs, sampling production traffic, examining the code. Big VPNs (NordVPN, ExpressVPN, ProtonVPN) absorb the cost as a competitive advantage. Smaller VPNs (us included, currently) defer it until they can do it well. The audit is on our roadmap.

What's a 'warrant canary' and does ClownVPN have one?
A warrant canary is a public statement that a service has NOT received certain government orders, updated regularly. If the canary stops being updated, users know something has changed (without the provider violating a gag order). We haven't published one yet — they're complex to operate correctly, and we want to do it right or not at all. Most consumer VPNs also don't have canaries; the heavy users are services like Mullvad.

🎪 See The Receipts

Our no-log audit is at /no-logs/ — full transparency on what we collect vs don't.
