PlanckVPN

What “No-Logs” Actually Means — And Why Most VPNs Define It Differently

Every VPN claims a no-logs policy. The definitions vary so widely the phrase has nearly lost meaning. Here is what to actually ask — and how to evaluate the answers.

Kuzzat Altay

Published March 2026 · 10 min read

Every VPN on the market claims a no-logs policy. It is on their homepage, in their App Store description, in every review that covers them. The phrase has been repeated so many times, by so many companies, that it has become noise — a credential that signals trustworthiness without actually providing it.

The problem is not that VPN companies are lying. Some are. But the larger problem is that "no-logs" has no standard definition. Two companies can both truthfully claim a no-logs policy while meaning entirely different things. One retains connection timestamps. Another retains bandwidth totals. A third retains nothing at all. All three call it the same thing.

If you are choosing a VPN based on a no-logs claim, you are not choosing based on information. You are choosing based on a marketing phrase. Here is what the phrase should mean, what it often means instead, and how to tell the difference.

The Logging Spectrum

Not all logs are equal. Understanding the difference matters because the risk associated with each type is different.

Traffic logs are records of what you actually did — the content of your browsing, the sites you visited, the data you transmitted. These are the most invasive type. A VPN that keeps traffic logs is not a private VPN by any meaningful definition. Most VPN companies genuinely do not keep these, because the storage cost alone would be prohibitive at scale, and the legal liability would be enormous.

Connection logs record when you connected, how long your session lasted, and which server you connected to. Less invasive than traffic logs — no one can read your messages from a connection log — but enough to place you on a specific server at a specific time. If a court order arrives demanding to know who was connected to server X between 2:00 and 3:00 AM on a particular date, connection logs answer that question.

Metadata logs capture aggregate usage data — total bandwidth consumed, general usage patterns — without tying it to individual sessions. Not directly identifiable, but still a form of logging. Combined with other data sources, metadata can be used to narrow the field of suspects in an investigation.

Timestamps record exactly when a session began and ended. On their own, they seem benign. Combined with an ISP's connection records showing when you connected to a VPN, they can confirm whether a specific person was responsible for a specific VPN session. Timestamps are the detail that turns a general record into an individual one.

Zero logs means nothing about your session is written to disk. No connection record. No timestamp. No bandwidth total linked to your account. When your session ends, it is gone. This is what "no-logs" should mean. It is not what every company means when they say it.
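To make the spectrum concrete, the following added example (not PlanckVPN's code, and not taken from any provider) shows what a demand for "who was on server X between 2:00 and 3:00 AM" can extract under three retention policies. The policy names, account labels and session records are constructed for illustration.

```python
from datetime import datetime

# Constructed sample sessions: what a VPN server knows while sessions are live.
SESSIONS = [
    {"account": "acct-A", "server": "X", "start": "2026-03-01T01:50",
     "end": "2026-03-01T02:20", "bytes": 4_000_000},
    {"account": "acct-B", "server": "X", "start": "2026-03-01T03:10",
     "end": "2026-03-01T03:40", "bytes": 9_000_000},
    {"account": "acct-C", "server": "Y", "start": "2026-03-01T02:05",
     "end": "2026-03-01T02:30", "bytes": 1_000_000},
]

# Fields each (hypothetical) retention policy writes to disk.
POLICIES = {
    "connection_logs": ("account", "server", "start", "end"),
    "metadata_only": ("server", "bytes"),  # aggregated, not per session
    "zero_logs": (),
}

def retained(policy):
    """Return what is still on disk after the sessions have ended."""
    fields = POLICIES[policy]
    if policy == "metadata_only":
        totals = {}
        for s in SESSIONS:
            totals[s["server"]] = totals.get(s["server"], 0) + s["bytes"]
        return [{"server": k, "bytes": v} for k, v in sorted(totals.items())]
    return [{f: s[f] for f in fields} for s in SESSIONS if fields]

def answer_demand(policy, server, win_start, win_end):
    """Accounts that retained records place on `server` during the window."""
    ws = datetime.fromisoformat(win_start)
    we = datetime.fromisoformat(win_end)
    hits = []
    for rec in retained(policy):
        # Without an account and both timestamps, a record places no one.
        if not {"account", "start", "end"} <= rec.keys():
            continue
        start = datetime.fromisoformat(rec["start"])
        end = datetime.fromisoformat(rec["end"])
        if rec["server"] == server and start < we and end > ws:
            hits.append(rec["account"])
    return hits

if __name__ == "__main__":
    for name in POLICIES:
        found = answer_demand(name, "X", "2026-03-01T02:00", "2026-03-01T03:00")
        print(f"{name:16} records={len(retained(name))} identified={found}")
```
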

What "Independently Audited" Actually Means

An independent audit sounds definitive. It is not, on its own, a reason to trust a no-logs claim without asking follow-up questions.

An audit is only as useful as its scope. NordVPN has been audited by Deloitte. The Deloitte audit specifically tested whether NordVPN's servers were configured in a manner consistent with their no-logs policy at the time of the audit — it examined server configurations, not code, not infrastructure architecture, not the company's ability to be compelled to log in the future. Proton VPN's audits have examined both their no-logs policy implementation and their application code security — two different scopes, conducted separately.

These are not equivalent. A company can pass an audit of its no-logs server configuration and still have significant vulnerabilities in its application code. A company can have its app code audited and still have a logging policy that retains more than users expect. An audit of last year's infrastructure tells you something about last year's infrastructure. It is not a guarantee about today's.

The right questions are not "have you been audited" but "what exactly was audited, by whom, in what year, and what was the specific scope." A company that cannot answer those questions with precision is either hiding something or does not understand its own compliance posture — neither of which is reassuring.

Jurisdiction and What It Actually Determines

Where a VPN is incorporated determines what legal demands it can receive and must comply with. This is real and it matters — but it is frequently misrepresented in both directions.

The Five Eyes intelligence alliance — the United States, United Kingdom, Australia, Canada, and New Zealand — involves deep signals intelligence sharing between member governments. Nine Eyes adds Denmark, France, the Netherlands, and Norway. Fourteen Eyes extends to Germany, Belgium, Italy, Spain, and Sweden. Being incorporated in a non-Fourteen Eyes country is sometimes marketed as a privacy advantage.

The reality is more nuanced. A VPN in a non-Five Eyes jurisdiction can still receive legal requests from other countries through mutual legal assistance treaties. A VPN in a Five Eyes country with a genuine zero-logs architecture has nothing to hand over historically, regardless of what a court order demands. What jurisdiction primarily determines is the nature of forward-looking risk: a US court order could compel a US-incorporated VPN company to begin logging specific users going forward, even if nothing has been retained historically.

This distinction matters. Past logs that do not exist cannot be produced. Future logging that a court orders to begin is a different category of risk — one that no no-logs policy can prevent, because the policy governs what was retained, not what a company could be ordered to retain.

No VPN can protect you from a targeted, active court order demanding that logging begin for your specific account. What a genuine zero-logs policy protects you from is historical exposure — what can be produced in response to a demand for records of past activity.

What to Actually Look For

Four specific, verifiable things are worth checking for any VPN you are considering.

Does the company specify exactly what it does and does not log? Not "we have a no-logs policy" — a list. Traffic: not retained. DNS queries: not retained. IP addresses: not retained. Connection timestamps: not retained. Bandwidth totals: not retained. The more specific the policy, the more accountable the company is to it. Vague language protects the company, not you.

Has the no-logs policy been independently audited, and what was the scope? The name of the auditing firm, the year, and a link to the published report. If the company cannot provide all three, the audit either did not happen or is not worth citing.

Is there a warrant canary? A warrant canary is a published statement that a company has not received a government request for user data — updated regularly. If the canary is removed or stops being updated, users know something has changed without the company needing to say so explicitly. Its presence is a meaningful signal. Its absence is not proof of a request, but it is a notable gap for a company claiming to prioritize transparency.

Where is the company incorporated, and is its ownership disclosed? Jurisdiction affects forward-looking legal risk. Ownership — who actually controls the company — affects every other risk. A VPN that will not tell you who owns it is asking you to trust its privacy claims while concealing the most basic fact about its business.

PlanckVPN's Position on All of This

Transparency requires applying the same standard to ourselves that we apply to everyone else.

What PlanckVPN does not log: VPN traffic content, browsing history, DNS queries, IP addresses, connection timestamps, and session-related metadata. Zero. When a session ends, nothing about it is retained.

Has this been independently audited? No. Not yet. An independent audit of PlanckVPN's no-logs policy has not been completed. We intend to conduct one. Until it is done and published, you have our policy statement and our warrant canary — not third-party verification. That is an honest answer, and it is the only one we can give.

Warrant canary: Active as of March 2026. PlanckVPN has never received a government request, court order, or legal demand for user data. This is published openly at planckvpn.com/transparency and updated regularly.

Jurisdiction: Virginia, United States. Five Eyes. This means a US court order could compel PlanckVPN to begin logging specific user activity going forward. Because we retain nothing historically, there is nothing to produce in response to a demand for past records. The forward-looking risk is real and we do not minimize it. It is the same risk faced by every VPN incorporated in a Five Eyes country — including several of the most respected independent VPNs operating today.

Ownership: PlanckVPN is founded and operated by Kuzzat Altay. No parent company. No outside investors. The full about page is available.

The phrase "no-logs policy" has been repeated so many times by so many companies that it has become a credential without a standard. The right question is not whether a company has a policy — they all do — but what specifically they do not log, whether that has been independently verified, what the scope of that verification was, and what would happen if a government asked them to start logging tomorrow.

Ask those questions. Ask them of every VPN, including this one. The answers are more informative than the phrase has ever been.

Written by

Kuzzat Altay

Cofounder of PlanckVPN. Human rights activist, software engineer, and educator. Originally from Central Asia, based in Virginia.
