Orion/VPN
EN RU
Download app
◇ Education 9 min read

No-log VPN: what it really means and how to verify

"No logs" gets thrown around a lot. Here's what a real no-log VPN means, what to check before you trust one, and how Orion/VPN is built so we can't read your traffic.

Lena Kepler Privacy & encryption editor

A no log VPN is a service that does not record what you do while connected to it — not the sites you visit, not the data you send, not who you really are. That is the promise. The reality is messier. Almost every provider on the market calls itself a zero log VPN, but the word “logs” hides four very different things, and most “no logs” claims only cover one or two of them. If you are wondering whether the VPNs you are looking at are actually private, or whether the privacy policy you skimmed actually means anything, this is the breakdown.

The short version: “no logs” is a baseline marketing phrase, not a technical guarantee. To trust a private VPN, you need to know what kinds of logs exist, what a real no-log architecture looks like, and how to read a privacy policy without falling for weasel words.

What “logs” even means

When a VPN talks about logs, it can mean any of these things, and they are not equivalent:

Connection logs. When you connected, from which IP, to which server, for how long, and how much data passed through. Many providers keep at least some of this for “diagnostics” or “abuse handling.” Connection logs by themselves can deanonymize you — if a provider knows that account X connected from IP Y at time T, that record can be subpoenaed or leaked.

Traffic logs. The actual content of what you did — sites visited, files downloaded, packet payloads. This is the gold standard of surveillance and the thing every VPN swears it does not do. If a provider keeps traffic logs, they are not a VPN, they are a wiretap with extra steps.

DNS logs. Every time your device asks “what is the IP for example.com?”, that question goes through DNS. If your VPN runs its own DNS servers (most do), it can record every domain you look up. DNS logs are almost as revealing as traffic logs — they tell the operator which sites you tried to reach, even if the connection itself is encrypted.

Metadata. The shape of your traffic — total bytes per session, timing, packet sizes, which server endpoint, how often you reconnect. Even without content, metadata can fingerprint a user, link sessions to accounts, or correlate VPN sessions with external events.

A claim of “no logs” that does not specify which of these four it covers is, at best, sloppy. At worst, it is deliberate.

Why every VPN says “no logs”

“No logs” became a category baseline somewhere around 2015, and now you cannot find a VPN homepage without it. That does not mean every provider is lying — it means the phrase has lost most of its meaning. Free VPNs that resell user data say “no logs.” Providers that have been caught handing over connection records to authorities still say “no logs.” The phrase has been stretched until it covers anything from “we wipe logs after 30 days” to “we genuinely cannot reconstruct what you did.”

Some providers play with definitions. “We don’t log activity” might technically mean “we don’t keep traffic content, but we keep connection timestamps.” “We don’t link logs to your account” might mean “we keep logs, but we promise we won’t connect them to you.” If you are evaluating a VPN, see our breakdown of free vs paid VPNs for why free providers in particular have an incentive to be vague.

The honest answer is that “no logs” without a specific architecture behind it is just a marketing line. What matters is what the service is technically capable of recording.

What “true no-log” actually requires

A real no-log private VPN is not a policy decision — it is an architecture decision. The provider is built so that even if they wanted to hand over your data, they could not. A few concrete properties:

Diskless or RAM-only servers. If a server has no persistent storage, anything written to it is wiped on reboot. There is no disk to seize, no log file to subpoena. A provider running RAM-only nodes physically cannot retain your session after the box restarts.

No account-to-traffic linking. Even if the system has to know “this session belongs to a paying user,” the part of the system that handles your traffic should not know which user. Authentication and traffic routing should be separated so that the node moving your packets has no idea who you are beyond “valid token.”

A privacy policy that names what is and isn’t kept. Vague language is a tell. A real no-log policy lists each category — connection, traffic, DNS, metadata — and says what happens to each. If a policy only says “we don’t log your activity,” ask which of the four it means.

Jurisdiction. Where the company is incorporated matters. Some jurisdictions have data retention laws that require logging regardless of company policy. A no-log claim in a jurisdiction that legally mandates connection logs is, at minimum, in tension with the law.

No tracking on the website or app. A provider that runs heavy third-party analytics on its own site, or ships an app that phones home, has a different relationship with “your data” than its privacy page implies.

How to verify a claim WITHOUT taking the company’s word

You cannot fully verify a no-log claim from the outside, but you can do a lot better than trusting the homepage. Here is what to actually check.

Read the privacy policy line by line. Not the marketing summary — the actual policy. Look for specific categories: connection data, IP addresses, timestamps, bandwidth, DNS queries. A policy that says “we collect minimal data” without specifying what is in scope is a yellow flag. A policy that says “we collect your IP address on connection but discard it after the session ends” is more honest, even if it is less reassuring, than one that says “we are 100% no logs.”

Look for weasel words. “We do not log your browsing activity” sounds strong but only covers traffic. “We do not store any personally identifiable information” might mean they collect it and discard it, or hash it, or share it with a partner. Strong privacy policies use plain language and name specific data types. Marketing-grade policies use abstractions.

Check for past incidents. Has the provider ever been served a legal request? Did they hand over data? Did they say they had no data to hand over? A handful of providers have actual court records showing they had nothing to give — that is a stronger signal than any homepage banner. Search for the company name plus “subpoena” or “data request” and read what comes up.

Look for transparency reports. Some providers publish how many data requests they receive per quarter and how they responded. The existence of a transparency report is not proof of zero logs, but the absence of one — combined with strong “we never log anything” claims — is worth noticing.

Cross-reference with other independent reviews. Not paid affiliate roundups — those are mostly noise. Look for technical writeups, security researcher posts, and forum threads where someone actually traced what an app sends and to where. If you are still narrowing down a shortlist, our guide on how to choose a VPN walks through the trust signals beyond just no-log claims.

What Orion/VPN does (and doesn’t keep)

Orion/VPN is built so the question “can you log my traffic?” answers itself: no, by architecture.

We do not record traffic content. The encryption between your device and the exit node uses AES-256, and the node forwards your packets without decrypting application-level content. We do not run DNS servers that log queries. We do not store the destinations you connect to.

The account system and the traffic system are intentionally separate. Your account knows you have a valid plan and remaining quota. The node that actually moves your packets does not know which account you belong to — it knows that a session presented a valid token. That separation is why “we don’t link traffic to users” is not a policy promise on our side, it is a property of how the service is built.

The privacy policy lists what we do and do not retain, in plain language, by category. We mention 10 GB free not because it is a promotion line but because it lets you verify how the app behaves on your own connection before you commit to anything. Install it, check what it sends and where, watch the traffic it generates. If something does not match what we say, that is a real problem and we want to hear about it.

What no-logs CANNOT protect against

This is the section most VPN articles skip. A private VPN is a useful tool, but it is not magic, and pretending otherwise sets users up to make worse decisions.

Your endpoint. If your computer or phone is compromised, no VPN helps. Malware on your device sees your traffic before it ever hits the tunnel. A keylogger captures what you type whether you are on a VPN or not.

Your account on the destination. If you log into your real Google account through a VPN, Google still knows it is you. The VPN hides your IP from Google, not your identity. Treating “I’m on a VPN” as anonymity for accounts you have already logged into is a category error.

The destination service itself. The site you connect to sees the VPN exit IP, but it can also fingerprint your browser, track cookies, watch your behavior, and build a profile that has nothing to do with your IP. A VPN is one layer; it is not all the layers.

Threat models that need stronger guarantees. If you are dealing with a state-level adversary, doing investigative journalism in a hostile jurisdiction, or trying to protect a source, a commercial VPN — even a genuinely no-log one — is probably not enough. Compare the trust assumptions in VPN vs Tor vs proxy before deciding which one matches your actual threat model.

A no log VPN protects against passive surveillance, ISP snooping, geolocation by IP, and post-hoc record requests against the VPN itself. It does not turn you into a ghost.

Wrap

“No logs” is the easiest thing in the world to claim and one of the harder things to actually deliver. The phrase by itself tells you almost nothing — what matters is which kinds of logs are excluded, what the architecture physically allows, and whether the privacy policy survives a careful reading.

If you are evaluating a private VPN, look past the homepage. Ask whether the service can record your traffic, not just whether it promises not to. Check the privacy policy for category-specific language. Look at jurisdiction, transparency reports, and past behavior. And measure any provider — including Orion/VPN — against what they actually keep, not what they put in their headline.

We try to make that easy: an architecture where traffic and identity are separated, a clear privacy policy, and 10 GB free so you can verify the app behaves the way we describe before you trust it with anything more.

Try Orion/VPN free
10 GB on us. macOS app available now. Both protocols, every region, no card required.
Download for macOS → See plans →
◇ Comparison 11 min read

Free vs paid VPN: what you actually get for $0

Most free VPNs sell your data, throttle speeds, or limit servers. Here's how to spot the trade-offs — and why Orion/VPN gives you 10 GB free without the catch.

Read article →
◇ Guide 12 min read

How to choose a VPN: a 7-point buyer's checklist

Logs, jurisdiction, protocols, speeds, server count, app quality, refunds — the seven things that matter when choosing a VPN. Try Orion/VPN free with 10 GB and zero card.

Read article →
◇ Comparison 11 min read

VPN vs Tor vs proxy: which one for what (with examples)

VPN, Tor, and proxies solve different privacy problems. A plain-English comparison, when each one fits, and why most people start with a VPN like Orion/VPN — 10 GB free.

Read article →