Exclusive: I asked 10 VPNs for my personal data — only one lived up to our expectations
We put the industry's top names through a simple GDPR test
- 9 out of 10 top VPN providers failed to meet what we consider baseline GDPR expectations
- Article 15 requires firms to share the data they hold on you when asked
- Surfshark was the only provider to perfectly fulfill its GDPR promises
VPNs are used to minimize the amount of data you share with your ISP and to keep your browsing data secure. But that doesn't mean VPN companies hold absolutely no information about you.
In reality, identifiers such as email addresses and payment details are almost always collected and stored to manage your subscription.
This means they are legally "controllers" of our data under legislation like the GDPR in Europe.
This classification isn't optional. Even if a provider is based in a "privacy haven" like Panama or the British Virgin Islands, they must comply with Article 15 of the GDPR if they offer services to users in the EU or UK.
Article 15 is explicit: you have the right to obtain confirmation from the company as to whether your personal data is being processed and, if so, access that data.
We wanted to test how some of the best VPNs on the market behave when asked to fulfill this basic right.
The results were underwhelming. Our investigation found that 9 out of 10 providers fell short of what we consider basic GDPR expectations, with most failing to share the information they held on us at all.
While our testing focused on the GDPR, these obligations are not unique to Europe. The "Right of Access" is a fundamental pillar shared by modern privacy regulations across more than 160 countries, including California’s CCPA/CPRA and Brazil’s LGPD.
It's important to note that a poor response to a data subject access request is not indicative of poor privacy practices more broadly.
We contacted every VPN company featured in this report. You can read the replies below.
Our findings at a glance
- 90% of tested VPNs failed to meet our standards of a "thorough and timely" data subject access report.
- 2 providers (NordVPN and TunnelBear) failed to provide any response within the 30-day window without multiple prompts.
- Only 1 out of 10 (Surfshark) provided a professional, readable PDF report within 24 hours.
- 20% of providers sent unusable or unexplained data files (CSVs with generic headers like "field_0").
| Vendor | Result |
| --- | --- |
| Surfshark | Instant, professional PDF report |
| IPVanish | 30+ day delay; sent CSV with signup IP |
| CyberGhost | 30+ day delay; sent email with some details when reminded |
| Hotspot Shield | 30+ day delay; sent 7 cryptic, unlabelled CSVs |
| PrivadoVPN | Sent email saying they only stored my email and payment details |
| ExpressVPN | Refused to send data; linked to Policy instead |
| PureVPN | 30+ day delay; sent an email asking which data I wanted |
| Proton VPN | Sent email repeating clauses from Privacy Policy |
| NordVPN | Radio silence for 8 weeks |
| TunnelBear | Radio silence for 8 weeks |
How did we get there
To see how the industry’s leading VPN services handle their legal obligations, TechRadar contacted 10 major providers on January 5, 2026, requesting all personal data held on our accounts.
We maintained active subscriptions with every provider and followed the specific instructions laid out in their respective privacy policies for data access requests.
We monitored their response rates over an eight-week period, sending multiple follow-up prompts to companies that failed to acknowledge the initial request.
The hall of shame
NordVPN and TunnelBear were the most significant disappointments. Despite having clear instructions in their policies on how users can exercise their GDPR rights, both exceeded the 30-day legal limit and failed to deliver any data by the eight-week mark.
Equally frustrating were the responses from Proton VPN and ExpressVPN — two services that market themselves on a "privacy-first" ethos. Instead of providing the requested data, both issued "canned" responses directing us to read their privacy policies.
This fails to meet the requirements of Article 15 because a company’s obligation to provide a user's specific data is not satisfied by simply pointing to a generic public document.
PrivadoVPN acknowledged it held email and had once held payment data but stopped short of disclosing the details. Meanwhile, PureVPN replied after 30 days only to ask what specific types of data we were looking for. Under Article 15, providers are required to disclose all data held on a user and it is not the user's responsibility to guess what that might be.
Cryptic and delayed responses
While some providers failed entirely, others attempted to comply but fell short of a professional standard.
IPVanish was a mixed bag. The company uses a specialized portal to make requests easier and provided a CSV dataset. However, the response took over 30 days and revealed the company still held IP addresses from the signup period — a finding that may clash with the 'anonymous' experience many users expect.
CyberGhost's process was flawed from the start. We were required to download a DOCX file to submit our request, which appeared to be an outdated Scottish government template. The company then demanded sensitive information, such as a physical address and phone number, which they didn't even have on file. After eight weeks and multiple chases, the final response only listed the types of data held, rather than the data itself.
Hotspot Shield eventually provided data in the form of seven CSV files, but the files contained no headers. This left dozens of data points labeled cryptically as "field_0" through "field_32," making the information functionally useless. While the company offered to clarify the data later, this does not fulfill the GDPR requirement to provide data in a concise, transparent, and intelligible format.
The winner: Surfshark
Surfshark was the only provider in our test that treated the request as a serious legal obligation. It took the provider only four hours to deliver a detailed PDF report of all the information held on our account.
The report included a full record of payments (including dates, currency, and IDs), account email addresses, active subscriptions, and even a log of malware blocked by Surfshark’s built-in antivirus tool.
While the level of detail is a win for transparency and GDPR compliance, it does raise secondary questions about whether a privacy-focused company should be logging some of these data points in the first place.
You can read our full analysis of Surfshark's response here.
VPN providers' responses
We contacted every VPN company included in this report for comment prior to publication. Most didn't respond. However, several challenged our findings.
NordVPN said that our decision not to verify our identity when requesting information was responsible for the delay. A spokesperson said the company strives to complete DSARs "within the applicable timelines" but that "delays may occur if a requestor chooses not to verify their identity."
"Identity verification is an important safeguard that helps ensure personal data is disclosed only to the rightful individual and remains protected," they added.
We emailed the company twice and never received a response. We were not asked to verify our identity.
IPVanish also said that the delay was caused by waiting for identity verification. The company also emphasized its no-log policy and said: "when a customer subscribes to our service, their sign-up IP address may be collected in connection with payment processing and preventing fraud."
Proton VPN said that there was a misunderstanding as to whether our initial request formally constituted a DSAR, though admitted "the response could have been more specific."
A spokesperson for the company said that personal data — such as security logs, payment details, subscriptions and emails — can all be found via "dedicated tools" online.
Privado VPN said: "We are always happy to provide data subjects with a copy of their personal data upon request, and we consider this obligation to have been met in this case."
While they did respond promptly, their response provided generic information about the categories of data held, rather than specific data points.
It was missing many of the supplementary information points we would expect to see, such as the right to make a complaint, whether or not automated decision-making is being used, and how long the data is stored for.
Surfshark's responses have been included in the accompanying article that highlights the data the company holds on users.

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She believes an open, uncensored, and private internet is a basic human need and wants to use her knowledge of VPNs to help readers take back control. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, tech policies, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
- Samuel Woodhams, VPN Managing Editor, TechRadar
- Mike Williams, Lead security reviewer