What Is a No-Logs VPN? How to Tell Real From Marketing
"No logs" is the single most-claimed feature in the VPN industry. It is also the one most likely to come apart on close inspection. Browse any VPN homepage and the phrase shows up in 60-point type. Click into the privacy policy and the picture is usually less clean.
This is not necessarily dishonest. Every VPN keeps some operational data, even if only briefly, because that is how computers work. The question is which data, for how long, and what happens if a court asks for it. Here is how to think about it.
The four kinds of "logs" that matter
Not all logs are equal. When a privacy policy says "we keep no logs," it almost always means specifically the first category and quietly preserves some of the others.
1. Connection / activity logs. What sites you visited, what files you downloaded, what apps you used through the tunnel. This is what people actually mean when they say "no logs." A real no-logs VPN does not have this data even briefly. Period.
2. Connection metadata. When you connected, which exit server you used, how long the session lasted, how much data you transferred. Some providers keep aggregated versions of this for capacity planning. Others keep nothing. Others keep enough to identify a specific user's session if asked.
3. Account data. Your email address, payment method, account creation date, password reset history. Nearly every paid VPN keeps this — they have to, to bill you and let you log in. It is also the easiest data to subpoena, which is why some providers offer cryptocurrency payment and accept anonymous email signups.
4. IP-side data on the exit server. Many VPN exit servers run on shared infrastructure (sometimes rented from cloud providers) where the host has its own logging. Even if the VPN provider truthfully keeps no logs, the underlying datacenter might briefly retain connection records.
A truly minimal no-logs setup avoids #1, runs RAM-only servers (which lose all state on reboot, eliminating #2 and #4), and offers privacy-preserving signup options for #3.
Why jurisdiction matters
A "no-logs" claim is only as meaningful as the legal system the provider operates under.
A VPN headquartered in a country that can compel data retention or that participates in intelligence-sharing agreements may be legally required to start logging the moment a court order arrives. The provider does not have to update its marketing copy. The user finds out months later, sometimes years later, when a leaked court document surfaces.
Countries that have historically been better for privacy-respecting VPN providers include Romania, Switzerland, the British Virgin Islands, Panama, and the Seychelles. Countries that are worse — even if the company is technically compliant with local law — include the United States, the United Kingdom, Australia, and several EU members with active data-retention frameworks.
duality.vpn operates from Romania, under Romanian law and the EU GDPR. Romanian courts have repeatedly struck down mandatory data retention laws as unconstitutional, which is why a number of privacy-focused providers are based there.
The five questions a real no-logs VPN can answer
If a VPN's privacy claims hold up, the answers to these are short and concrete. If they hedge, that is information.
- Do you log which sites I visit? (Should be: no, never, full stop.)
- Do you log connection timestamps and IP addresses? (Should be: no, or only ephemeral session data that is wiped on disconnect.)
- Have you ever responded to a government data request? A growing number of VPNs publish a transparency report listing the requests received and how they responded.
- Has your no-logs claim ever been verified by a court case or independent audit? "Audited" should mean a named third party with a public report — Cure53, Radically Open Security, Securitum, or similar. Not "audited internally."
- Where are you legally based, and what does that country's data-retention law require? A vague answer here is the biggest red flag.
What about free VPNs?
Free VPNs that monetize through ads are usually the worst case for logging — they need to know what you do online to sell that data. Free tiers offered by paid providers (where the free tier is effectively a sample of the paid product) can be fine, because their no-logs policy applies to all users equally.
duality.vpn offers a free tier with the same logging policy as the paid plans — no activity logs, regardless of plan.
Frequently asked questions
Can a no-logs VPN still be hacked or compelled to log?
Yes. "No logs" describes the current state, not a guarantee of the future. A court order, a server seizure, or a successful intrusion can change what data exists going forward. The protection of a no-logs policy is that it limits what is available retroactively — there is nothing to seize from yesterday.
How can I verify a VPN really keeps no logs?
Three ways: (1) a published independent audit by a reputable security firm; (2) court records from a legal case where the provider was asked for user data and could not produce any; (3) the technical setup — RAM-only servers and warrant canaries are stronger signals than marketing copy.
Is it legal for a VPN to keep zero logs?
In most jurisdictions, yes. Romania, Switzerland, Panama, and several others do not have mandatory data-retention laws for VPN providers. The legal landscape changes — providers that take privacy seriously publish updates when laws change.
