How to Choose a VPN You Can Actually Trust: A 10-Point Checklist
Most VPN review sites are owned by the companies they review. This checklist lets you evaluate any VPN yourself — including PlanckVPN — without relying on anyone else’s recommendation.

Kuzzat Altay
Published March 2026 · 13 min read
There are hundreds of VPN companies. Most of the websites that rank and compare them are owned by the same companies they are reviewing. Kape Technologies — which owns ExpressVPN, CyberGhost, and Private Internet Access — also owns vpnMentor and Wizcase, two of the most widely read VPN review publications. The reviews are not independent. The recommendations are not disinterested. The affiliate links pay out whether the product is good or not.
This checklist exists to make you independent of that ecosystem. Each of the ten checkpoints below tells you what to look for, why it matters, and how to verify it yourself — without relying on a review site, a sponsored YouTube video, or anyone else's recommendation.
Use it on every VPN you are considering. Use it on PlanckVPN. Where PlanckVPN does not pass, this guide says so plainly.
1. Who owns the company?
What to look for: The name of the parent company, disclosed on the consumer-facing homepage — not buried in a terms of service document, not requiring a corporate registry search to find.
Why it matters: A VPN company asking you to trust it with your internet traffic should be willing to state, clearly and prominently, who owns it. If that information is not on the homepage, ask why. The answer is rarely flattering.
How to verify: Search the company name alongside "parent company," "acquired by," and "owned by." Check Crunchbase for funding history. If the company has been acquired, search the acquirer's history separately — Kape Technologies was previously named Crossrider and was flagged by UC Berkeley and Google as a major adware platform before rebranding and acquiring VPN companies.
PlanckVPN: Passes. Founded and operated by Kuzzat Altay. No parent company. No outside investors. Named on the about page.
2. How does the free tier make money?
What to look for: A clear, disclosed revenue model for any free tier. Two models are acceptable: advertising (disclosed, with named ad partners) and subsidization by paid subscribers. One model is not acceptable: no stated revenue model at all.
Why it matters: Running VPN infrastructure costs real money — servers, bandwidth, engineering, support. A free VPN with no visible revenue model is not a charity. If the product is free and the business model is not explained, the most likely explanation is that user data is the product. This is not speculation — it is the documented business model of a significant portion of the free VPN market. Research by the Tech Transparency Project found that 1 in 5 of the top 100 free VPN apps on Apple's US App Store are secretly owned by Chinese companies with opaque data practices, representing over 70 million combined downloads.
How to verify: Read the privacy policy carefully, specifically the data sharing and monetization sections. Search the company name alongside "revenue model," "data sharing," and "sells data." If the business model is not explained in the privacy policy, treat that as a red flag.
PlanckVPN: Passes. The free tier is supported by Google AdMob advertising. This is disclosed. No user data is sold. The privacy policy states this specifically.
3. What specifically is not logged?
What to look for: A specific list — not a policy statement. Traffic content: not retained. DNS queries: not retained. IP addresses: not retained. Connection timestamps: not retained. Bandwidth totals linked to user accounts: not retained. The more specific the language, the more accountable the company is to it.
Why it matters: "No-logs policy" has no standard definition. Two companies can both truthfully claim a no-logs policy while meaning entirely different things. One retains connection timestamps. Another retains session durations. A third retains nothing at all. Vague policy language protects the company. Specific language protects you.
How to verify: Read the privacy policy, not the marketing page. Look for what is explicitly excluded. If the policy uses phrases like "we do not log browsing activity" without specifying DNS queries, IP addresses, and timestamps separately, the policy has gaps — whether intentional or not.
PlanckVPN: Passes. Zero logs. Traffic content, DNS queries, IP addresses, connection timestamps, and session metadata are not retained. When a session ends, nothing about it is written to disk.
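One way to automate the gap check from checkpoint 3, as an added example that is not part of the original article or any vendor's code: it marks each of the five categories as excluded, mentioned, or missing in a policy text. The keyword patterns, function names, and both sample policies are assumptions constructed for illustration.

```python
import re

# The five categories come from checkpoint 3; the keyword patterns are assumed.
CATEGORIES = {
    "traffic content": r"\btraffic\b|\bbrowsing (activity|history)\b",
    "DNS queries": r"\bdns\b",
    "IP addresses": r"\bip address(es)?\b",
    "connection timestamps": r"\btimestamps?\b",
    "bandwidth totals": r"\bbandwidth\b",
}
NEGATION = re.compile(r"\b(not|never|no|don['’]t|doesn['’]t)\b", re.I)
RETAIN = re.compile(
    r"\b(logs?|logged|logging|retain\w*|stor(e|es|ed|ing)|record\w*"
    r"|collect\w*|keep|kept)\b", re.I)
# Split into clauses so "we do not sell data but we log IPs" is judged per clause.
CLAUSES = re.compile(r"[.;!?\n]+|\bbut\b", re.I)

def audit_policy(text):
    """Map each category to 'excluded', 'mentioned' or 'missing'.

    Triage aid only: a clause counts as an exclusion when it names the
    category and contains both a negation and a retention verb.
    """
    clauses = [c.strip() for c in CLAUSES.split(text) if c.strip()]
    result = {}
    for name, pattern in CATEGORIES.items():
        status = "missing"
        for clause in clauses:
            if not re.search(pattern, clause, re.I):
                continue
            if NEGATION.search(clause) and RETAIN.search(clause):
                status = "excluded"
                break
            status = "mentioned"  # named, but never explicitly ruled out
        result[name] = status
    return result

def gaps(text):
    """Categories the policy does not explicitly exclude."""
    return [n for n, s in audit_policy(text).items() if s != "excluded"]

# Constructed sample policies, not taken from any real provider.
VAGUE_POLICY = ("We operate a strict no-logs policy. We do not log browsing "
                "activity. We collect connection timestamps to prevent abuse.")
SPECIFIC_POLICY = ("Traffic content is not retained. DNS queries are not "
                   "retained. IP addresses are never stored. Connection "
                   "timestamps are not logged. Bandwidth totals linked to "
                   "accounts are not recorded.")
```

Anything `gaps()` returns is a prompt to read that part of the policy yourself, not a verdict on the provider.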
4. Has the no-logs policy been independently audited?
What to look for: The name of the auditing firm, the year the audit was conducted, the specific scope of what was audited, and a publicly available report.
Why it matters: An audit is only as useful as its scope. An audit of server configurations is not an audit of application code. An audit conducted in 2019 does not tell you about 2026 practices. A company that cites an audit without being able to specify what was audited is using the word "audit" as a marketing term.
How to verify: Search for the published audit report directly. Reputable auditing firms publish findings. If the report is not publicly available, the audit's value as a trust signal is significantly reduced.
PlanckVPN: Does not yet pass. No independent audit of PlanckVPN's no-logs policy has been completed. This is stated plainly here and on the transparency page. An audit is planned. Until it is done and published, the no-logs claim rests on policy and architecture, not third-party verification.
5. Is there a warrant canary?
What to look for: A regularly updated public statement confirming the company has never received a government data request, court order, or subpoena for user data.
Why it matters: Laws in many jurisdictions prevent companies from disclosing when they have received certain types of government requests. A warrant canary works in the other direction: its continued presence signals that no request has been received. If the canary is removed or stops being updated, users know something has changed without the company needing to say so directly. Its presence is a meaningful signal. Its absence is not proof of a government request, but it is a notable gap for a company claiming to prioritize transparency.
How to verify: Check the company's transparency page. Note the date it was last updated. A warrant canary that has not been updated in over a year is not functioning as intended.
PlanckVPN: Passes. Warrant canary active as of March 2026. PlanckVPN has never received a government request, court order, or legal demand for user data. Published and updated at planckvpn.com/transparency.
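A sketch of the checkpoint 5 check as a repeatable monitor, added here as an example and not taken from the article or any provider's tooling: it classifies a canary page's text as removed, undated, stale (older than the one-year threshold above), changed in wording, or fresh. The function names, the accepted date formats, and the sample statement are assumptions; fetching the page is left to the caller.

```python
import hashlib
import re
from datetime import date

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
ISO = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
NAMED = re.compile(r"\b(?:(\d{1,2}) )?(" + "|".join(MONTHS) + r") (\d{4})\b", re.I)

def canary_dates(text):
    """Every date in the text; 'March 2026' counts as the 1st (oldest reading)."""
    parts = [(y, m, d) for y, m, d in ISO.findall(text)]
    parts += [(y, MONTHS.index(name.lower()) + 1, d or 1)
              for d, name, y in NAMED.findall(text)]
    dates = []
    for y, m, d in parts:
        try:
            dates.append(date(int(y), int(m), int(d)))
        except ValueError:  # impossible date such as 2026-02-31
            pass
    return dates

def fingerprint(text):
    """Hash of the wording with dates and spacing removed, to spot silent edits."""
    wording = NAMED.sub("", ISO.sub("", text))
    return hashlib.sha256(" ".join(wording.lower().split()).encode()).hexdigest()

def check_canary(text, today, last_fingerprint=None, max_age_days=365):
    """Return 'removed', 'undated', 'stale', 'changed' or 'fresh'."""
    if not text or not text.strip():
        return "removed"
    # Dates in the future cannot prove freshness, so they are ignored.
    dates = [d for d in canary_dates(text) if d <= today]
    if not dates:
        return "undated"
    if (today - max(dates)).days > max_age_days:
        return "stale"
    if last_fingerprint and fingerprint(text) != last_fingerprint:
        return "changed"
    return "fresh"

# Constructed sample statement, modeled on the wording in this checkpoint.
SAMPLE_CANARY = ("As of March 2026, we have never received a government "
                 "request, court order, or legal demand for user data.")
```

Store the fingerprint from each check and pass it to the next one; a "changed" result means the statement's wording differs beyond its date and should be re-read.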
6. What is the jurisdiction?
What to look for: The country of incorporation, and an honest assessment of what that means for legal risk.
Why it matters: The Five Eyes intelligence alliance — the United States, United Kingdom, Australia, Canada, and New Zealand — involves deep signals intelligence sharing between member governments. Being incorporated in a Five Eyes country means a domestic court order could compel the company to begin logging specific users going forward, even if nothing has been retained historically. This is a forward-looking risk, not a historical one — past logs that do not exist cannot be produced. Nine Eyes and Fourteen Eyes extend similar considerations to additional countries in Europe.
How to verify: Search the company name alongside "incorporated," "registered," and "headquarters." Be aware that some companies list an address in a privacy-friendly jurisdiction while actually operating from elsewhere.
PlanckVPN: Partially passes. Incorporated in Virginia, United States — Five Eyes. A US court order could compel future logging of specific users. Because PlanckVPN retains nothing historically, there is nothing to produce in response to a demand for past records. The forward-looking risk is real and is not minimized here. It is the same risk carried by several of the most respected independent VPNs operating today, including those incorporated in Switzerland and Sweden, which are Fourteen Eyes members.
7. What protocol is used?
What to look for: The specific VPN protocol — and whether it is open source or proprietary.
Why it matters: Open-source protocols can be independently examined by anyone with the technical knowledge to do so. WireGuard and OpenVPN are both open source and have been reviewed extensively by independent security researchers. Proprietary protocols — or hybrid protocols that add closed layers on top of open-source foundations — cannot be fully audited externally. This is not automatically a disqualifier, but it is a meaningful data point about what you are trusting.
How to verify: The protocol should be named on the product page or in the technical documentation, not buried in the terms of service. If a company uses a branded protocol name, search for what it is built on.
PlanckVPN: Passes. WireGuard — fully open source, extensively audited by independent security researchers, and recognized as the current standard for performance and security among VPN protocols. PlanckVPN does not modify WireGuard's core implementation.
8. Is the pricing transparent on renewal?
What to look for: The renewal price stated clearly before purchase — not revealed for the first time when the subscription auto-renews.
Why it matters: The standard practice in the consumer VPN market is to advertise a heavily discounted introductory price — sometimes as low as $2–3 per month for a two-year plan — and then renew at the full rate, which is often three to four times higher. Users who do not read the fine print discover this when their credit card is charged. This is a trust signal about how the company treats existing customers, which is a reasonable proxy for how it treats its users generally.
How to verify: Before subscribing, find the stated renewal price. If it requires searching through the FAQ to locate, that is intentional obscurity.
PlanckVPN: Passes. Weekly $2.99, monthly $4.99, yearly $29.99 — displayed before purchase. The renewal price is the same as the initial price. No introductory discount that resets at renewal.
9. Is the app open source?
What to look for: Publicly available source code for the client application, ideally with a reproducible build process.
Why it matters: An open-source app can be independently reviewed. Anyone with the technical knowledge can examine what the app is actually doing — what data it sends, where it sends it, and whether its behavior matches its stated policy. Proton VPN's apps are open source. Mullvad's apps are open source. Most VPN apps, including PlanckVPN's, are not. This is not automatically disqualifying — a closed-source app using an audited open-source protocol is not the same as a closed-source app using a proprietary protocol — but it is a meaningful data point about the level of external accountability the company accepts.
How to verify: Search the company name on GitHub. Check the product page for any mention of open source. If neither surface mentions it, the app is almost certainly closed source.
PlanckVPN: Does not yet pass. PlanckVPN's iOS app is not open source. The underlying protocol — WireGuard — is open source and independently auditable. The application layer is not.
10. Can you find the company's physical address and team?
What to look for: A named founder or leadership team, a physical address, and a way to contact the company that does not route through an anonymous support form.
Why it matters: A company asking you to route your internet traffic through its servers, trust its logging claims, and potentially pay a subscription fee should be willing to say who they are and where they operate. Anonymous ownership is a significant red flag for any privacy product. The companies with the most concerning ownership histories — Kape's acquisition of ExpressVPN and CyberGhost, Chinese-owned free VPN apps — are precisely the ones that made their ownership difficult to find.
How to verify: Look for an about page with named individuals. Search the founder's name independently to confirm they exist and have a verifiable history. Check for a physical address on the contact page or in the privacy policy.
PlanckVPN: Passes. Founded by Kuzzat Altay, named on the about page at planckvpn.com/about. Incorporated in Virginia, United States. Contact available at support@planckvpn.com.
PlanckVPN's Full Score
For the sake of being direct about what this checklist actually produces:
PlanckVPN passes checkpoints 1, 2, 3, 5, 7, 8, and 10. Ownership disclosed. Free tier revenue model disclosed. Zero logs specifically defined. Warrant canary active. WireGuard protocol. Renewal pricing transparent. Named founder and address published.
PlanckVPN does not yet pass checkpoints 4 and 9. No independent audit completed. App not open source.
PlanckVPN partially passes checkpoint 6. Virginia, US — Five Eyes jurisdiction, with the forward-looking risk that entails, mitigated by a zero-log architecture that leaves nothing to produce historically.
Seven out of ten, with two clear gaps stated plainly.
The reader who uses this checklist on PlanckVPN and finds it useful has also acquired the tools to evaluate every other VPN they will ever consider. That is the point.
No checklist replaces judgment. But these ten questions cut through most VPN marketing in about five minutes. A company that passes all ten is not automatically trustworthy — trust is built over time, through consistent behavior, not through a checklist score. A company that fails several of them has told you something important.
Use them on us. Use them on everyone.
Sources
- Kape Technologies — ExpressVPN acquisition announcement (September 2021)
- Kape Technologies — vpnMentor acquisition announcement
- Ars Technica — "How Crossrider became Kape Technologies and acquired a VPN"
- Tech Transparency Project — "Chinese VPNs Dominate US App Store"
- WireGuard — official paper and codebase
- WireGuard — Linux kernel source code
- Apple Developer Documentation — App Transport Security
- Proton VPN — GitHub repository (open-source apps)
- Mullvad — GitHub repository (open-source apps)

Written by
Kuzzat Altay
Cofounder of PlanckVPN. Human rights activist, software engineer, and educator. Originally from Central Asia, based in Virginia.