6 things to look for in a VPN privacy policy


You've found what looks like a great VPN. You're about to hand over your cash. 'Check this box to confirm you agree with the Privacy Policy', it asks. But do you click the link to read it, each and every time? We're guessing you don't. (And no offense intended, because we don't, either.)

That's not a surprise. Ploughing through thousands of words of technical and legal jargon is precisely no-one's idea of fun, especially when we just want to get on with installing the apps and trying them out.

But you don't have to read and understand the entire policy to make it worth a look. Just spending 30 seconds scrolling down the page and browsing a few headings can tell you plenty about a service.

Okay, it helps if you do a little more reading, but there's still no need to have any legal or VPN expertise to figure out the basics. Just follow our simple rules and they'll help you pick out the superior VPNs from the outright scams.

1. Does the Privacy Policy exist?

The first requirement of any good VPN privacy policy is that it actually has to exist. Okay, yes, that sounds obvious. But the reality is that many small VPNs have privacy policy links which are either dead, or don't point to a page with any useful details.

As we write, for instance, Billion VPN's Privacy Policy link points to the Billion VPN website. Which sounds very reasonable, until you see there's no website there yet, just a GoDaddy 'this domain is parked free' message. Utterly useless, and a major red flag all on its own.

So if you see that a VPN provider has a Privacy Policy link, don't assume that alone means the service is legit: click it, and see what comes up.

Screenshot: Gulf VPN's privacy policy (image credit: Gulf VPN)

2. Is the Privacy Policy detailed?

Lengthy small print is often hard to read, so you might feel relieved to see a privacy policy with just a few generic sentences: 'we don't log your activities', 'we don't share your data' and so on.

But in reality, privacy policies aren't just about making airy promises. They're supposed to describe in detail how the service works. If you glance at the page and it only has a few sentences (Gulf Secure VPN's has fewer than 100 words), and maybe doesn't even fill your device screen, then it almost certainly doesn't have enough detail to be useful.

Read a few paragraphs to find out more. A poor privacy policy is only there to reassure potential users, so it'll focus entirely on what the service doesn't do (we don't log this, we don't record that...). What you're looking for is an honest policy which gives you details on everything it logs, as well as everything it doesn't.

Windscribe's privacy policy does a great job of squeezing a lot of information into a short document. It's only 600 words, but still finds room to tell you what it does on the website, what it records (and what it doesn't) when you log in, when you're connected, and more.


3. Has the Privacy Policy been copied from another provider?

Small VPNs might understand that customers want to see a detailed privacy policy, but not have the technical expertise to create one. The worst providers solve this problem by copying and pasting another provider's policy, and replacing the original company name with their own.

To check for this, read down the policy and look for a distinctive, well-crafted sentence: the kind someone else might be tempted to lift. If your policy begins with 'We want you to understand what information we collect, what we don’t collect, and how we collect, use, and store information', for instance, then that's a great example.

Copy and paste that sentence into Google, though, and you'll find the line is taken from ExpressVPN's Privacy Policy, but has been lifted and reused by more than 100 lazy VPNs.

If a provider can't be bothered to create its own privacy policy, and is dishonest enough to steal one from someone else, and pretend it's their own, then we'd say that's not someone who deserves your cash. Move on, there are plenty of more reputable providers around.
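The Google check works one sentence at a time. As an added example (not code from the article or from any VPN provider), here's a small Python script that does the same comparison across several policies you've saved locally: it neutralises each company's brand name, then measures how much of the wording is shared, so two policies that differ only in the company name show up as near-identical. The three sample policies and provider names are constructed for illustration; the 'We want you to understand...' sentence is reused in them because it's the article's own example of a much-copied line.

```python
"""Spot a privacy policy copied from another provider.

Added example, not code from the article or from any VPN provider. The three
policies below are constructed for illustration (hypothetical providers);
POLICY_B is POLICY_A with the brand name swapped and one sentence added,
which is exactly the pattern the article describes.
"""
import re
from itertools import combinations

POLICY_A = (
    "AlphaVPN Privacy Policy. We want you to understand what information we "
    "collect, what we don't collect, and how we collect, use, and store "
    "information. AlphaVPN does not keep connection logs, activity logs, or "
    "the content of your traffic. We do record the app version you activate "
    "and the total amount of data transferred each day, so that we can fix "
    "bugs and plan server capacity. Contact AlphaVPN at any time with "
    "questions about this policy."
)
POLICY_B = POLICY_A.replace("AlphaVPN", "BetaTunnel") + (
    " BetaTunnel is registered in a privacy-friendly jurisdiction."
)
POLICY_C = (
    "GammaNet runs servers in twelve countries. When you create an account we "
    "store your email address and a hashed password. While you are connected "
    "we count the bytes you send and receive so that the monthly allowance on "
    "the free plan can be enforced; this counter is reset at the start of "
    "each billing period. We never store the sites you visit. Payments are "
    "handled by a third-party processor who sees your card details; GammaNet "
    "does not."
)

# provider name -> (brand string to neutralise, policy text); constructed
POLICIES = {
    "AlphaVPN": ("AlphaVPN", POLICY_A),
    "BetaTunnel": ("BetaTunnel", POLICY_B),
    "GammaNet": ("GammaNet", POLICY_C),
}


def normalize(text: str, brand: str) -> list[str]:
    """Lower-case, swap the brand for a placeholder token, and tokenise.

    Replacing the brand is what defeats the copy-paste-and-rename trick: two
    policies that differ only in the company name collapse to one token stream.
    """
    text = re.sub(re.escape(brand), " BRAND ", text, flags=re.IGNORECASE)
    return re.findall(r"[a-z0-9']+", text.lower())


def sentences(text: str, brand: str) -> set[str]:
    """Normalised sentences, so shared ones can be reported to the reader."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return {" ".join(normalize(p, brand)) for p in parts if p.strip()}


def shingles(tokens: list[str], k: int = 5) -> set[tuple[str, ...]]:
    """Word k-grams; five words is long enough that chance overlap is rare."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Fraction of all shingles that both texts share (0.0 .. 1.0)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def compare_policies(policies: dict) -> list[dict]:
    """Score every pair of policies; most similar pair first."""
    prepared = {
        name: (shingles(normalize(text, brand)), sentences(text, brand))
        for name, (brand, text) in policies.items()
    }
    results = []
    for x, y in combinations(policies, 2):
        shingles_x, sentences_x = prepared[x]
        shingles_y, sentences_y = prepared[y]
        results.append({
            "pair": (x, y),
            "similarity": jaccard(shingles_x, shingles_y),
            "shared_sentences": sorted(sentences_x & sentences_y),
        })
    return sorted(results, key=lambda r: r["similarity"], reverse=True)


def flag_copies(policies: dict, threshold: float = 0.5) -> list[tuple[str, str]]:
    """Pairs whose wording overlaps enough to call one a copy of the other."""
    return [r["pair"] for r in compare_policies(policies) if r["similarity"] >= threshold]


if __name__ == "__main__":
    for r in compare_policies(POLICIES):
        print(f"{r['pair']}: similarity {r['similarity']:.2f}, "
              f"{len(r['shared_sentences'])} shared sentence(s)")
    print("flagged as copies:", flag_copies(POLICIES))
```

Run against the constructed samples, the renamed copy scores around 0.9 against its original and the independently written policy scores 0.0 against both, so a threshold of 0.5 separates them comfortably. The shared-sentence list is what you'd paste into a search engine to find out which provider wrote the original.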

Screenshot: the ExpressVPN privacy policy (image credit: ExpressVPN)

4. Is the Privacy Policy well organized?

A VPN Privacy Policy often covers a lot of ground: what's happening on the website, cookie details, how the VPN handles logins and sessions, as well as talking about data handling laws in different jurisdictions. Let's be realistic, it's never going to be an easy read.

A good provider can make your life easier, though, by organizing the document to make it simpler to follow.

ExpressVPN's privacy policy is more than 3,000 words long, for instance, but a table of contents helps you find the details you need. Sections have titles which tell you exactly what they're about ('Storing of Information Related to Email, Live Chat, and Feedback Forms'), and many of these sections are very short ('Email, Live Chat and Feedback Forms' is only 130 words).

Screenshot: the ProtonVPN privacy policy (image credit: ProtonVPN)

5. Is the Privacy Policy clear and precise?

When you look at a VPN Privacy Policy, keep in mind what it's supposed to be. This isn't an optional 'nice to have' feature, where you'll be happy if the provider gets the office junior to throw something together in an afternoon. It's a legal document which tells you exactly what personal data the company collects, and how that's going to be processed.

There are lots of legal complexities around that - how requirements change between countries, for instance - but you don't need to understand all (or any) of those issues. Just scanning a paragraph or two can give you valuable information.

We regularly see privacy policies list items the provider logs, for instance, without making it clear whether that applies to website visitors, app users, or both. It's sometimes possible to guess, but that shouldn't be necessary: a privacy policy is supposed to answer questions, not raise them.

Another common problem is privacy policies which look like they were written in one language, then passed through Google Translate about five times before they reached you. If the policy is so poorly written that you're unsure what it means, then that's just not good enough.

What you're hoping to see is something much more like ProtonVPN's privacy policy. The document has short sections covering specific areas (Account Creation, Payment, Website, Apps), with brief details on what data is collected, why, and what might happen to it later. You might not understand every line, but it's plain that ProtonVPN is doing its very best to explain how the service works, and you should expect much the same from any other VPN you use.

Screenshot: the Windscribe privacy policy (image credit: Windscribe)

6. Is the Privacy Policy honest and complete?

A VPN provider can say anything it likes in its small print. That's why it's best to choose providers whose claims have been checked by independent audits (ExpressVPN, NordVPN, TunnelBear and Surfshark have all put themselves through major security and no-logging checks). But even if you've only got a privacy policy to look at, you might still be able to spot VPNs which aren't telling you the full story.

Suppose a VPN has a free plan with a 10GB a month limit. You look in the policy and it tells you there's absolutely no logging of how, when or how often you use the service. Sounds great, yes? Well, maybe not.

If a provider enforces a bandwidth cap, then it must meter the amount of data you use. It also has to tie each session to your account, via an account identifier, a device ID or similar, so that it can recognize you when you connect and add that session's data use to your specific total. The VPN must be carrying out this minimal logging, at least, so if it claims to log nothing at all, then that's a problem.

Missing the odd detail here or there doesn't necessarily mean a provider is trying to fool you, of course. They might be trying to keep the document simple. Perhaps they're just useless at writing privacy policies (many are.) But whatever the explanation, this isn't ideal.

Windscribe has a great example of a privacy policy which explains its free plan in detail. The policy explains what it logs (a running bandwidth total), what it doesn't (any of your internet history) and how even that minimal data is reset when the month is up. Forget the 'free' VPN apps with the fake 'ZERO LOGS!!' banners: that's the kind of honest and clear privacy policy detail we like to see.
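To make that reasoning concrete, here's an added Python example (not the article's code, and not any provider's) of the least a service must retain to enforce a 10GB monthly cap: one running byte total per account identifier, tied to the current billing period and thrown away when the period ends. The account IDs and the cap are constructed values; the point is that anything less than this state cannot enforce the cap, so a capped plan with a 'we log nothing' policy is leaving something out.

```python
"""The minimum metering behind a capped free VPN plan.

Added example, not code from the article or any provider. The account ids
and the 10GB cap are constructed; the point is that enforcing such a cap
requires at least this state, so a policy claiming 'no logging at all' for
a capped plan cannot be complete.
"""
from dataclasses import dataclass, field
from datetime import date

GB = 10**9


@dataclass
class QuotaMeter:
    """Per-account data counter for the current billing period."""

    cap_bytes: int
    # The only state kept: account id -> (billing period, bytes used in it).
    # There is deliberately no place to store destinations, DNS names or
    # per-session timestamps: the cap can be enforced without any of them.
    _usage: dict[str, tuple[str, int]] = field(default_factory=dict)

    @staticmethod
    def period_of(day: date) -> str:
        """Billing periods are calendar months, e.g. '2024-03'."""
        return day.strftime("%Y-%m")

    def used(self, account_id: str, today: date) -> int:
        """Bytes used this period; a total left over from an earlier month counts as zero."""
        period, used = self._usage.get(account_id, (None, 0))
        return used if period == self.period_of(today) else 0

    def may_connect(self, account_id: str, today: date) -> bool:
        """Admission check: recognise the account, compare its total with the cap."""
        return self.used(account_id, today) < self.cap_bytes

    def record_session(self, account_id: str, transferred: int, today: date) -> bool:
        """Add a finished session's byte count; return whether the account is still within cap.

        If the month has rolled over since the last session, the counter
        starts again from zero: the old total is replaced, not kept.
        """
        if transferred < 0:
            raise ValueError("byte count cannot be negative")
        period = self.period_of(today)
        used = self.used(account_id, today) + transferred
        self._usage[account_id] = (period, used)
        return used <= self.cap_bytes

    def retained_fields(self) -> set[str]:
        """What a truthful policy for this plan would have to admit to keeping."""
        return {"account_id", "billing_period", "bytes_used"}


if __name__ == "__main__":
    meter = QuotaMeter(cap_bytes=10 * GB)
    account = "acct-42"  # constructed identifier
    meter.record_session(account, 6 * GB, date(2024, 3, 3))
    print("within cap after 6GB:", meter.may_connect(account, date(2024, 3, 10)))
    meter.record_session(account, 5 * GB, date(2024, 3, 10))
    print("within cap after 11GB:", meter.may_connect(account, date(2024, 3, 11)))
    print("within cap next month:", meter.may_connect(account, date(2024, 4, 1)))
    print("fields the provider must keep:", sorted(meter.retained_fields()))
```

The three fields in `retained_fields()` are the honest answer to 'what do you log?' for a plan like this. A policy that names them, and says when the counter is reset, is telling you how the service works; one that says 'nothing' is either incomplete or untrue.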

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.