Your internet provider logs every site you visit.
Short answer
Your ISP sees every domain you request, every connection you make, and the timing and volume of your traffic. In the US they can sell it. In the UK they must retain it.
The reflex when this comes up is to talk about VPNs. The honest answer starts one tier lower, with what your provider can see in the absence of any tool, and what changes once one is in the loop.
The picture is the same in broad strokes everywhere: your provider sees the destinations of your traffic in real time, retains a record of those destinations for a regulated period, and operates under a legal framework that decides who can compel that record. The differences from one jurisdiction to another are about who buys it, not whether it exists.
What your ISP actually logs
The provider sits between your device and the rest of the internet. Three categories of record sit on its side of that connection.
DNS queries. Every domain your device asks for. The site name is resolved by the provider unless you have actively pointed the device at a different resolver. The lookup itself is the record, regardless of whether you actually visited the page.
IP connections. Every server your device talks to, with timestamps and traffic volume. Encrypted protocols hide the content of what was exchanged. They do not hide the addresses on each side of the exchange, or the size of the exchange, or when it happened.
Protocol metadata. Connection durations, repetition patterns, the rhythm of the traffic. Modern traffic analysis can identify many services, sometimes individual sites, from the shape of the encrypted flow alone. The HTTPS padlock keeps strangers out of the message. It does not change the silhouette.
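To make the DNS point concrete, here is an added example (not code from this article) of what a classic DNS lookup looks like on the wire and what anyone carrying the packet can read from it. It assumes unencrypted DNS over UDP port 53; the domain names, function names and sample packets are constructed for illustration.

```python
import struct

QTYPES = {1: "A", 28: "AAAA", 65: "HTTPS"}

def build_query(name, qtype=1, txid=0x1A2B):
    """Encode a standard DNS query (RFC 1035) the way a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def observe(payload):
    """Return (name, type) as read from the raw payload, or None if unparseable."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # skip responses and empty question sections
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None  # truncated before the terminating root label
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None  # compression pointer or truncated label
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), QTYPES.get(qtype, str(qtype))

# Constructed sample: lookups a device emits before any page is loaded.
SAMPLE = [
    build_query("clinic.example"),
    build_query("clinic.example", 28),
    build_query("bank.example"),
]

def lookup_record(packets):
    """The list of names that exists on the provider side once the lookups are sent."""
    return [rec for rec in map(observe, packets) if rec is not None]

if __name__ == "__main__":
    for name, rtype in lookup_record(SAMPLE):
        print(f"{rtype:5} {name}")
```

No key or secret is needed at any step: the name sits in the packet as length-prefixed ASCII, which is why the lookup alone is enough to create the record.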
Retention varies by country. The US framework allows providers to monetise the data with limited consent friction. The UK framework requires retention by law for a statutory period, accessible to law enforcement under defined process. France and most EU member states require retention of connection metadata for periods measured in months, with carrier obligations differing from internet provider obligations. The detail varies. The principle does not. Somewhere, for some period, your provider is keeping a list.
What a VPN changes
A VPN moves visibility from your internet provider to your VPN provider. Your internet provider then sees an encrypted connection to a VPN server, the data volume, and the timing. It does not see the destinations behind the tunnel.
What this changes, in practice, is who has the list. The trust question becomes which provider is more likely to be compelled to disclose, and under which legal framework. A Swiss-based audited VPN with a documented record of refusing to produce logs that do not exist is a different proposition from a residential ISP operating under a national retention law.
The two providers we use ourselves on this question, and why, are in our Proton VPN review for 2026 and our Mullvad VPN review for 2026. The bottom of the market is described in how free VPNs sell your data, which is the cautionary half of the same conversation.
The full scope of what a VPN does and does not do, including the failure modes that no audit fixes, is mapped in why a VPN will not save you once this has already happened. Read it before reaching for one in a moment that already feels too late.
What this looks like in practice
For everyday browsing on a residential connection, the practical exposure is targeted advertising and the occasional regulatory compliance disclosure. For most users, that is acceptable risk for the convenience of a default setup.
For anyone whose threat model includes a partner who shares the home network, an employer who monitors corporate infrastructure, or a domestic legal proceeding where browsing patterns might be subpoenaed, the calculation changes. The same applies to mobile carriers, which sell location data on top of everything else. The provider data is no longer abstract. It is a record that may end up in front of a third party who has a reason to read it.
The intermediate case is the most common: a user who does not face state-level adversaries but does not want their provider building a profile, selling fragments of it, or producing it on demand. For that user, the right move is an audited paid VPN running by default on every network, with the provider treated as an explicit trust decision rather than an afterthought.
Frequently asked questions
Can my ISP see what I do if I use HTTPS?
Your ISP can see which domains you visit but not the specific pages or content when HTTPS is active. With a VPN active, they see only the VPN server address.
Do ISPs sell browsing data in the EU?
GDPR significantly restricts this. EU ISPs cannot sell personal browsing data without explicit consent. Historical data retention remains common regardless.
Does a VPN completely hide my traffic from my ISP?
A VPN hides traffic content and destinations. Your ISP can still see that you are connected to a VPN and the volume of data transferred.
Can my ISP tell which apps I am using even with HTTPS?
Often yes, through traffic-pattern analysis. Each service has a characteristic shape: connection size, server endpoints, timing rhythm. Streaming, messaging, and video calls produce distinct silhouettes. The content stays encrypted. The fact that you used a particular app at a particular time does not. A VPN flattens those silhouettes from the ISP’s perspective by funnelling everything into one tunnel of indistinguishable traffic.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
