If you’re familiar with VPNs, you’ll know that their main purpose is to encrypt your online data and hide your IP address. But your VPN provider may still be collecting some information about you, and some of the shadier services may even go overboard with their data collection.
So, what kind of user data do VPNs typically collect, and how do you know if your provider is collecting too much information?
If you’re using a subscription-based VPN, such as ExpressVPN or NordVPN, the provider will collect your payment details if you pay monthly. This is so the provider can automatically collect your monthly payments. Your country and billing address will also be collected here.
If you don’t want your chosen VPN service to have your payment card information, many popular providers let you pay for your subscription via PayPal.
Other data your VPN provider may collect includes your full name and email address. However, some VPNs don’t even need these details. Many free VPNs don’t ask for your email address but will give you additional perks if you provide it. For example, Windscribe offers users a free version with a higher monthly data limit if they provide and confirm their account email address.
When creating a VPN account, you will usually be asked to set a password along with your email address. However, trusted VPN providers will encrypt your password, meaning that even the service itself can’t see it. This password can only be accessed by you. Surfshark and NordVPN both encrypt your login password.
Certain VPNs may want to know a little more about you. You may be asked to provide your phone number, but this is quite rare. Since a VPN is designed to keep you anonymous, it’s unlikely that a reputable provider will ask for much of your personal information.
You might think that most VPN providers have good intentions because the entire service is based on protecting you online. But as VPNs become more and more popular, more shady parties are looking to profit from your data.
This often happens with free VPNs. You may have noticed that the most popular and reputable VPNs are currently only accessible through a paid subscription. Of course, this fee allows the VPN provider to profit from their service. Free VPN providers cannot make a profit through user fees. Don’t be naive to think that these free services are purely non-profit and just want to give people access to a mere VPN.
So how do free VPN providers make money? There are a number of ways a certain company can do this, the first being by advertising.
Some free VPN apps come with pop-up ads, like most free apps these days. These ads can be very infrequent, appearing only on certain occasions.
But unfortunately, you will probably face these ads often. When changing server locations, activating or deactivating VPN, or even opening a VPN client, you may encounter annoying ads. By running ads through the app, VPN providers can receive payments from the companies displayed.
Pop-ups are annoying, but worse can happen. Instead of just showing ads, a VPN can also sell your private data.
This is done through a database known as the VPN log. VPN logs are designed to record certain types of user data. Each log may vary in the type of data collected, but search history, frequently visited websites, and IP addresses are among the most sought-after types of information.
But why collect this data? Are these VPNs aimed at hacking you?
Not necessarily. A malicious VPN provider cannot collect your sensitive data to commit hacking or phishing. But most sophisticated VPN providers use data logs for one of two reasons: Selling data and monitoring.
In countries with strict laws regarding Internet use, such as China, many legal VPNs are forced to provide the government with a backdoor for surveillance. Stricter governments may also require domestic legal VPNs to keep VPN logs.
In short, your VPN provider should never collect the following information:
The whole purpose of a VPN is to make the data inaccessible to anyone except you. This includes your Internet service provider, government organizations, malicious actors, and the VPN provider itself.
A shadier VPN will never reveal its data collection. However, the law requires companies to outline what data they collect and how they use it. This is usually explained in the VPN’s privacy policy, which you can find on the official website.
The VPN’s privacy policy should also state whether any of your data is shared and, if so, with whom it is shared.
If your VPN provider doesn’t have a privacy policy, be careful with this. Even platforms that don’t focus on privacy like Instagram, Walmart, Youtube, and CNN all have privacy policies, so you should expect this at a minimum from a VPN service.
If a VPN’s privacy policy is very short or vague, there may also be something wrong. A legitimate company should clearly state how it collects, uses, and shares your data, especially if its purpose is to protect you and your data online.
ExpressVPN provides a representative example of a VPN privacy policy, which covers a range of important topics. This includes data collection and use, user privacy, third-party cookies and analytics, child users, and data protection.
If you’re concerned that your VPN’s privacy policy may not be based on facts, make sure the company has been independently audited. That way, you know that any false claims have been eliminated.