Free VPNs sell your data - what they collect and who they sell it to

Free VPNs sell your data. Exactly what they collect.

Short answer

Yes. Free VPNs sell your data. A VPN costs money to operate. If you are not paying, you are the product. Documented cases, including Hotspot Shield, UFO VPN, and Hola, show free VPN providers logging and selling browsing history, device identifiers, and location data. Some explicitly claimed no-log policies. They lied.

There is no such thing as a free VPN. There is a VPN where you pay with money, and a VPN where you pay with your data. If you don’t know which one you’re using, you’re using the second kind.

And once you have chosen a paid VPN, the deeper failure modes that no audit fixes are documented in why a VPN will not save you once this has already happened. The provider matters. The device that talks to it matters more.

This isn’t an opinion. It’s the business model, made explicit.

How free VPNs make money

Operating a VPN requires servers, bandwidth, and engineering. None of that is free. If a VPN isn’t charging you, it’s monetising something else.

The most common model: selling aggregated browsing data to advertising networks and data brokers. Your traffic passes through their infrastructure. They log it. They package it. They sell it.

Some free VPNs are more explicit: they sell bandwidth. Hola VPN turned user devices into exit nodes for a commercial network called Luminati. Your internet connection was being used to route other people’s traffic, including, in documented cases, to conduct botnet attacks.

What they actually collect: documented cases

Hotspot Shield: in 2017, a complaint filed with the FTC detailed that Hotspot Shield was injecting JavaScript code into users’ browsers and redirecting traffic through advertising partners. They collected device identifiers, Wi-Fi network names, and browsing history. Their privacy policy claimed no logging.

SuperVPN, VGo VPN, Act VPN: in 2020, a dataset containing the personally identifiable information of over 20 million users from seven free VPN providers was exposed. The data included email addresses, payment information, device IDs, and browsing logs. The companies claimed no-log policies.

UFO VPN and six related services: same year, the same researcher found another exposed database. Over 1.2 terabytes of logs from services that explicitly marketed themselves as no-log VPNs.

The pattern is consistent. The marketing says no logs. The infrastructure keeps logs. When the infrastructure is exposed, the logs are there.

What a paid VPN with an actual audit looks like

Proton VPN publishes its source code. It has undergone independent security audits. Its no-log policy has been verified in court. Swiss authorities have requested user data and been provided with nothing, because there was nothing to provide.

Mullvad VPN accepts cash payment by post. No email required to register. No account linked to your identity. Swedish police visited their servers with a warrant in 2023 and found no user data. Mullvad does not run an affiliate programme. There is no commercial relationship between Predaxia and Mullvad. The full operational picture is in our Mullvad VPN review for 2026, and the head-to-head with Proton sits in Proton versus Mullvad in 2026.

The difference in price between a free VPN and Proton or Mullvad is roughly five euros per month. The difference in what they do with your data is the difference between selling it and not collecting it.

Frequently asked questions

Are free VPNs safe?

In documented cases, no. Multiple free VPN providers have been caught logging and selling user data despite claiming no-log policies. The business model of a free VPN requires monetising something, and that something is usually your data.

What is the difference between a free VPN and a paid VPN?

A paid VPN like Proton or Mullvad has a revenue model that doesn’t depend on selling user data. They’ve been independently audited and their no-logs policies verified under real legal requests. Free VPNs have no such audits and a commercial incentive to collect data.

Are free VPNs that come with antivirus suites also data-harvesters?

Often yes, with the same revenue model. The bundled VPN inside an antivirus subscription is rarely audited the way a standalone privacy-focused VPN is. The provider has access to traffic metadata, the antivirus client has system-level visibility, and the same legal entity owns both. For privacy purposes, treat a bundled VPN as marketing-grade, not threat-grade.

Is a free trial of a paid VPN safer than a permanently free VPN?

Usually yes. A free trial of an audited paid VPN inherits the parent service’s no-logs architecture for the trial period. The provider already has a revenue model that does not depend on harvesting your data. The risk is the payment method you use to start the trial, since some require a card on file. For evaluation, the audited paid trial is the closer-to-safe option.


Free VPNs are data collection services with a VPN feature. The tunnel goes both ways.

Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
