A no-logs policy is a VPN provider’s claim that it does not retain records connecting users to their internet activity. The strongest version: the provider does not keep timestamps, source IPs, destination addresses, bandwidth used, or session durations linkable to a user account. The weakest version: the provider keeps “minimal” or “anonymized” records that turn out, under court order, to be sufficient for identification.
What it means in practice
A no-logs claim is meaningful only if it has been tested. Three categories of evidence in increasing weight. Marketing claim alone (worthless): the provider says they do not log. Marketing claim plus independent audit (better): a third party (Cure53, PwC, KPMG, Deloitte) has reviewed the configuration and verified the absence of logging. Marketing claim plus audit plus court-tested production (best): the provider has been compelled to produce data by a real legal process and the resulting production showed nothing useful. Mullvad falls into category three: the April 2023 Swedish police raid produced no user data because none existed. Proton VPN and IVPN are in category two, with strong audit histories and structurally limited collection. Most consumer VPNs that advertise no-logs are in category one with marketing language designed to look like category two.
Where it shows up
Critical for: anyone whose VPN is the linkability defense between their real identity and their browsing (journalists protecting sources, activists in monitored jurisdictions, lawyers maintaining client-confidential research, divorce clients researching strategy without producing browsing-history evidence). Less critical for: users whose threat model is local ISP curiosity or hotel Wi-Fi snooping (any reputable VPN suffices). The asymmetry to remember: a VPN that does retain logs is not just neutral, it is actively worse than no VPN, because it consolidates the linkability target into one provider that an adversary can subpoena. Choosing wrong is worse than choosing nothing for high-threat users.
What you can change today
Verify the no-logs claim of your current VPN. Check the audit page (it should link to a recent third-party audit; if not, that is the answer). Read the legal-process section of the provider’s privacy policy or transparency report; the language about what they retain and produce is the actual policy, not the marketing. If the answer is unclear or the audit is more than 18 months old, switch to Mullvad, Proton VPN, or IVPN. Document the decision and revisit annually; ownership changes (the Kape acquisitions of CyberGhost, Private Internet Access, ExpressVPN restructured the consumer VPN market multiple times in the past five years) can invalidate yesterday’s recommendation overnight.