If you’re familiar with VPNs, then you’ll know their main purpose is to encrypt your online data and mask your IP address. But your VPN provider likely still collects some information on you, with shadier services taking data collection way too far.
So, what kind of user data do VPNs generally collect, and how can you find out if your provider is collecting too much?
Data VPNs Usually Collect
If you’re using a subscription-based VPN, such as ExpressVPN or NordVPN, your provider will collect your payment details if you’re paying monthly. This is so that the provider can collect your monthly payments automatically. Your billing country and billing address will also be collected here.
If you don’t want your chosen VPN service to have your payment card information, a lot of popular providers allow you to pay for your subscription via PayPal.
Other data your VPN provider will likely collect includes your full name and your email address. However, some VPNs don’t even need these details. Many free VPNs don’t require your email address but will offer you extra perks if you do provide it. Windscribe, for example, gives users of its free version a higher monthly data cap if they provide and confirm their account email address.
When you create a VPN account, you’ll often be required to set a password alongside your email address. However, solid VPN providers will encrypt your password, meaning even the service itself cannot view it. This password remains only accessible to you. Surfshark and NordVPN both encrypt your login password.
Certain VPNs may want to know a little more about you. You may be asked to provide your phone number, but this is quite rare. Because VPNs are designed to keep you anonymous, it’s unlikely that a reputable provider would require a lot of your personal information.
Data VPNs Shouldn’t Collect
You’d think most VPN providers would have good intentions, as the whole service is based on protecting you online. But as VPNs have become increasingly popular, a lot of shadier parties are looking for ways to profit from your data.
This is often the case with free VPNs. You may have already noticed that the most popular and reputable VPNs out there are only accessible via a paid subscription. Of course, this fee allows the VPN provider to profit from their services. A free VPN provider cannot make a profit via user fees. While it’s nice to think that these free services are totally non-profit and simply want to give everyone access to a VPN, this often isn’t the case.
So, how do free VPN providers make money? There are a few avenues a given company may take, the first being ads.
Some free VPN apps come with pop-up ads, just like the majority of free apps out there today. These ads may be very occasional, only popping up once in a blue moon.
But unfortunately, you’ll likely be dealing with these ads on the regular. When changing server location, activating or deactivating your VPN, or even opening the VPN client, you may run into frustrating ads. By running advertisements through the app, VPN providers can receive payments from the companies being displayed.
Popups are irritating, but this isn’t as bad as it can get. Instead of simply showing you ads, a VPN may also sell your private data.
This is done via databases known as VPN logs. A VPN log is designed to record certain types of user data that a legitimately no-log VPN wouldn’t collect. Each log can differ in the data it gathers, but search history, commonly visited sites, and IP addresses are among the most sought-after kinds of information.
But why collect this data? Do these VPNs aim to hack you?
Not exactly. It’s by no means impossible for a malicious VPN provider to collect your sensitive data in order to carry out a hack or scam. But most dodgy VPN providers use data logs for one of two reasons: data sales and surveillance.
In countries with strict laws around internet usage, such as China, a lot of legal VPNs are only deemed so because they provide the government with a backdoor for surveillance. Stricter governments can also require VPNs that are legal in the nation to keep VPN logs.
In short, your VPN provider should never collect the following information:
- Your IP address.
- The webpages you visit.
- The data you input online.
- Connection time stamps.
- Session durations.
The entire point of a VPN is to make the data above inaccessible to anyone except you. This includes your internet service provider, government entities, malicious actors, and the VPN provider itself.
Is Your VPN Collecting Your Private Information?
A shadier VPN will never make a song and dance about collecting your data. However, companies are required by law to outline the kind of data they collect and how they use it. This is usually explained in the VPN’s privacy policy, which you should be able to find on its website.
A VPN’s privacy policy should also outline whether any of your data is shared, and, if so, who that data is shared with.
If your VPN provider does not have a privacy policy, consider this a huge red flag. Even non-security-focused platforms like Instagram, Walmart, YouTube, and CNN have privacy policies, so you should expect this as a bare minimum from a VPN service.
If a VPN’s privacy policy is very short or vague, there may also be something amiss. A legitimate company should very clearly outline how your data is collected, used, and shared, especially if that company’s purpose is to protect you and your online data.
ExpressVPN provides a solid example of a VPN privacy policy, in which a range of important topics are covered. This includes data collection and usage, users’ privacy rights, cookies and third-party analytics, child users, and data protection.
If you’re concerned that your VPN’s privacy policy may not be based in fact, make sure the company has been independently audited. That way, you know that any false claims have been weeded out.
Not All VPNs Are Altruistic
As much as we’d all like to think all VPNs are focused on user safety and security, there will always be some bad apples. These shadier VPN services might seek out your sensitive data to make a profit or keep tabs on your activity. If you want your VPN to truly protect you and your data, it’s best to opt for a highly reputable and thoroughly audited option.