But you don't have to read and understand the entire policy to make it worth a look. Just spending 30 seconds scrolling down the page and browsing a few headings can tell you plenty about a service.
Okay, it helps if you do a little more reading, but there's still no need to have any legal or VPN expertise to figure out the basics. Just follow our simple rules and they'll help you pick out the superior VPNs from the outright scams.
Which sounds very reasonable, until you see there's no website there - the domain fails to resolve.
Sharp-eyed readers may also notice that in any case this domain would have resolved to a .xyz TLD (Top Level Domain). These domain names are extremely low cost so are popular with spammers. Although we don’t want to be accused of domain name snobbery, all the reputable VPN providers we cover in TechRadar reviews use a .com extension for their websites.
If you’re still not sure about a provider’s website, don’t be afraid to do some detective work by putting the domain name into a ‘WhoIs’ website. For example, entering ‘Billion VPN’s’ domain name reveals that the registration lapsed in August 2022. A lookup like this can also give you more information about who’s running the VPN service.
But in reality, privacy policies aren't just about making airy promises. They're supposed to describe in detail how the service works. If you glance at the page and it only has a few sentences (Gulf Secure VPN has less than 100 words stuffed into a plaintext or .txt document).
“As security is important stuff on mobile systems, Android has a permissions system. It's up to users to be really careful with what permission he grant to an application. Permissions used by Gulf VPN”
Firstly, this is suggesting that you as the user are responsible for configuring permissions correctly in the VPN Android app. Still, this isn’t very reassuring, as the developers are the ones making the app in the first place. More detail about what information the app needs and transmits is always best, particularly given that Android apps can lie about what data they’re using.
For instance, Windscribe’s policy clearly states that they do record third party cookies (if you’ve allowed this) to compensate websites which have referred you there by affiliate links.
They also state that they record the total number of bytes you’ve transferred across their network, as well as a timestamp of your activity. Combined with browser fingerprinting, it would technically be possible for a determined attacker to use this information to identify you if they had access to Windscribe’s records, though this is very unlikely. The point remains: you can now make an informed decision about how far you trust this provider.
To check for this, read down the policy and look for an appealing sentence which someone else might steal. If your policy begins with:
“We want you to understand what information (including Personal Data) we collect in connection with your use of our Services and/or access to our Site; for what purpose such information is collected; how we collect, use, and store such information; to whom it may be disclosed; and how you can exercise your rights and access your information, verify its accuracy, correct and/or have it erased. Equally, we want you to know what information we do not collect under any circumstances.”
If you want to search in this way, make sure to put the sentence in question in quote marks, i.e. “”. This will force Google (or any other major search engine) to look for that exact phrase. Also keep an eye out for dubious VPN providers who tweak the wording slightly in order to avoid being flagged by search engines. Don’t be afraid to open multiple privacy policies in different tabs in your web browser, so you can view and compare them side by side.
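The side-by-side comparison described above can be automated once two policies are saved as plain text. This is an added example, not part of the original article: it flags sentence pairs whose three-word shingles overlap heavily (Jaccard similarity), which still matches a copied sentence after a word or two has been tweaked. The two sample policies, the 0.5 threshold and the 8-word minimum are constructed assumptions.

```python
import re

def sentences(text):
    """Split policy text into sentences on ., ! or ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def shingles(sentence, k=3):
    """Set of k-word shingles, lowercased, with punctuation ignored."""
    words = re.findall(r"[a-z0-9']+", sentence.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Shared shingles divided by all distinct shingles."""
    return len(a & b) / len(a | b) if a | b else 0.0

def copied_sentences(policy_a, policy_b, threshold=0.5, min_words=8):
    """Return (score, sentence_a, sentence_b) for likely-copied pairs."""
    candidates = [(sb, shingles(sb)) for sb in sentences(policy_b)]
    hits = []
    for sa in sentences(policy_a):
        if len(sa.split()) < min_words:
            continue  # very short sentences match by coincidence
        sha = shingles(sa)
        score, match = max(((jaccard(sha, shb), sb) for sb, shb in candidates),
                           default=(0.0, ""))
        if score >= threshold:
            hits.append((round(score, 2), sa, match))
    return sorted(hits, reverse=True)

# Constructed sample policies (not taken from any real provider).
POLICY_A = ("We want you to understand what information we collect in "
            "connection with your use of our Services. "
            "We do not log the websites you visit while connected to our servers. "
            "Contact our support team with any questions.")
POLICY_B = ("We want you to understand what data we collect in "
            "connection with your use of our Services. "
            "Payments are handled by a third party processor located in another country. "
            "Contact us.")

if __name__ == "__main__":
    for score, a, b in copied_sentences(POLICY_A, POLICY_B):
        print(f"{score:.2f}\n  A: {a}\n  B: {b}")
```

A high score on one or two generic legal sentences is normal; many long matching sentences across unrelated providers is the signal worth a closer look.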
A good provider can make your life easier, though, by organizing the document to make it simpler to follow.
There are lots of legal complexities around that - how requirements change between countries, for instance - but you don't need to understand all (or any) of those issues. Just scanning a paragraph or two can give you valuable information.
Another common problem is privacy policies which look like they've been written in one language, then passed through Google Translate, about five times, before they made it to you. If the policy is so poorly written that you're unsure what it means, then that's just not good enough.
Whether or not this makes you feel reassured, the point remains that this VPN provider has gone to some lengths to explain clearly exactly how their service works and how it protects your data. You should expect the same from any other provider you use.
Suppose a VPN has a free plan with a 10GB a month limit. You look in the policy and it tells you there's absolutely no logging of how, when or how often you use the service. Sounds great, yes? Well, maybe not.
If a provider has a limited bandwidth account, then it must log the amount of data you use. It also has to create one or more device IDs, so that it can recognize you when you connect, and add that session's data to your specific account. The VPN must be carrying out this minimal logging, at least, so if it's claiming to log nothing at all, then that's a problem.
Admittedly, it might be difficult to link this data to your specific identity, but if a determined adversary had access to both your ISP’s and your VPN’s records, they could compare how much data was transferred and at what times, and use this information to find you. If the VPN provider has no such information to offer, then it would be much harder to trace you.
Missing the odd detail here or there doesn't necessarily mean a provider is trying to fool you, of course. They might be trying to keep the document simple. Perhaps they're just useless at writing privacy policies (many are). But whatever the explanation, this isn't ideal.
7. Where’s the warrant?
This is simply a statement published on a regular basis, e.g. through a monthly video address, in which a VPN provider affirms they have not been subjected to any kind of subpoena or secret court order requiring them to hand over user data.
Despite being based in Panama, NordVPN introduced their own warrant canary in 2017. Surfshark also updates theirs each month.
Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.