The price of transparency: What Surfshark's data request reveals about its collection policies
Surfshark successfully fulfilled its GDPR obligations, but the volume of data it held was alarming
- Surfshark was the only VPN to exhaustively reply to TechRadar's DSAR
- The provider shared a detailed report of all the information it holds
- While great for transparency, the amount of data raises questions
When we tested how the world’s best VPN services handle their GDPR obligations, Surfshark was the only service to fully live up to its promises. While the response was a triumph for transparency, it also revealed a surprising amount of retained data.
Under Article 15 of the GDPR, users have the right to issue a Data Subject Access Request (DSAR) to any company operating in the UK or EU.
These companies are legally required to provide a "thorough and timely" response. Surfshark met this standard impressively, replying just four hours after our request was submitted on January 5, 2026.
The provider delivered a comprehensive report detailing exactly what information it held on our account. While we were pleased with the efficiency and clarity of the response, the sheer depth of the data raises significant questions.
What data Surfshark collects
From Surfshark’s DSAR report, we can see that the provider holds the following data about its users:
- User ID: That's a permanent Universally Unique Identifier (UUID) that ties every service (Surfshark VPN, Alternative ID, Surfshark Antivirus, Incogni) together.
- Device profiling: The provider knows which type of device you use (Windows, Mac, etc.) and whether or not you have 2FA protection active.
- Financial signature: Surfshark stores a complete history of your "Payer ID" and payment email. Details also include the amount paid, payment status, whether you've used a coupon, and your currency.
- Subscriptions: The company also has a track record of all your subscriptions — whether these are active, cancelled, or expired — and your subscribed services with creation and expiry dates.
- Malware history: That's a list of every threat detected on your machine by the Surfshark Antivirus app, including the malware name, type of threat, device where it was blocked, and user country.
- Support Ticket: The provider also records all the support tickets a user has issued, each tied to a reference number and date.
What the data reveals
In its report, Surfshark states that it processes user data only for "specific and clearly defined purposes." These include service delivery, analytics, customer support, and compliance with legal and accounting requirements.
While these practices don't appear to breach Surfshark’s own privacy policy, the sheer granularity of the data provided raises several points of concern for the privacy-conscious user.
1. The antivirus paper trail
The most surprising discovery was the "Antivirus Malware Logs" section. The report doesn't just show that you have an active security subscription, it lists the specific names of malware detected on your machine, the device used during the detection, and your country-level location at the time.
While this may not immediately compromise your anonymity, it raises a significant question: why would a VPN provider store a centralized history of your local device's infections? In a truly privacy-centric model, one would expect this data to be wiped immediately after the session ends.
A spokesperson for the company said storing this information was useful for families that use the product. In a written response to TechRadar the company said:
"Since many of our users manage security for their entire household under one account, centralizing this data will allow them to monitor threats across all their devices from a single dashboard.
"This way, we will be able to provide the visibility needed for users to identify and address security risks, ensuring their family stays protected regardless of which device they are using."
2. Permanent identity storage
Our real-world email address appeared repeatedly throughout the report, acting as the common thread that links a Payer ID (financial) and User ID (technical) into one unified profile.
Again, this aligns with Surfshark’s policy, but it means users remain identifiable in the event of a data breach.
Some VPNs have already moved to mitigate this risk. The Swedish provider Mullvad, for example, axed recurring subscriptions to avoid holding such data, while Windscribe allows account creation without an email address entirely.
The company said it has no plans to allow accounts without email addresses, though it said it is constantly considering "more ephemeral models."
It argued that maintaining an email address is "essential to providing a transparent subscription experience" and that the company's approach "is designed to balance user privacy with necessary account security, proactive communication, and effective customer support."
3. The seven-year retention period
Privacy is often associated with being "ephemeral" — leaving no trace. However, Surfshark's DSAR shows recorded persistence.
By keeping records of payments and specific discount codes (like COMEBACK_70) for over seven years, Surfshark maintains a permanent link between your real-world bank account and your digital persona.
In an era of sophisticated cyberattacks, we have to ask: is it necessary to store such sensitive identifiers for nearly a decade? For many, the risk of a leak outweighs the convenience.
In response to these findings a spokesperson for the company said the storage of payment information "is strictly a matter of compliance with anti-money laundering, fraud prevention, and legal accounting obligations."
"Our current approach is designed to balance user privacy with necessary account security, proactive communication, and effective customer support," they added.
4. Automated Profiling
The report includes a mandatory disclosure regarding "Automated Decision-Making." Surfshark admits to using "limited amounts of personal information" to evaluate certain user behaviors.
While this is a common functional requirement for modern tech companies, it sits uncomfortably alongside "no-logs" marketing. Most VPN users turn to these tools specifically to avoid being profiled by big tech.
While data collection can help improve a product, we believe this should be an optional "opt-in" rather than a default state for a privacy company.
Surfshark said automated decision-making was used "to evaluate user eligibility for subscription discounts." However, due to its no-logs design, these processes rely on "very limited subscription information — such as subscription length and plan type."
Final verdict
Surfshark’s move to the Netherlands and its clear commitment to GDPR compliance make it one of the most transparent and accountable VPNs on the market.
However, we expect VPNs to operate on the principle of "data minimization" — collecting only the bare minimum required to provide a service. Storing a centralized list of a user's local malware infections for years appears to exceed that minimum.
If a provider decides to log unnecessary details like your PC’s infection history today, it sets a worrying precedent for what they might choose to log tomorrow.
We have reached out to Surfshark for clarification and will update this article as soon as we receive a response.

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She believes an open, uncensored, and private internet is a basic human need and wants to use her knowledge of VPNs to help readers take back control. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, tech policies, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
- Samuel Woodhams, VPN Managing Editor, TechRadar
- Mike Williams, Lead security reviewer