Every VPN on the market claims to keep no logs, including several that were later caught handing detailed connection records to authorities or leaking analytics databases to the open internet. The phrase is unregulated marketing. What you can do is triangulate: there is a specific set of signals that are verifiable from the outside, and together they separate providers who engineered for privacy from providers who wrote a paragraph about it.
First, know what "logs" even means
A useful conversation needs the five categories separated, because "no logs" collapses them dishonestly:
- Traffic content: what you downloaded or said. Encrypted end to end in modern protocols; nobody serious stores this.
- Activity logs: sites and services you visited. This is the category that must not exist, and the one the marketing phrase refers to.
- Connection logs: timestamps, source IPs, session durations, bandwidth per user. The dangerous middle: enough to deanonymize when correlated.
- Operational data: subscription expiry, device count, aggregate server load. Necessary to run a service; harmless when it is not tied to traffic.
- Account and payment data: email, name, card records. Not "logs" at all, yet the richest identity source, which is why it deserves its own scrutiny.
The verification checklist
1. Read the policy for exclusions, not slogans
A serious policy names the categories above and states which are not collected. Vague wording ("we do not log your activity") that never mentions connection metadata is a classic tell. Also check the retention period for whatever operational data is admitted.
2. Check the jurisdiction
The company's legal home decides what it can be compelled to do. Mandatory data retention laws can force future logging regardless of today's policy. Prefer jurisdictions without retention mandates, and note where the servers physically sit, because local seizure is a separate risk from corporate legal pressure.
3. Look for court-tested evidence
The strongest public proof a no-logs claim can have is a documented case where records were demanded and the provider had nothing to produce. Search the provider's name together with "court", "subpoena" or "seized server". Absence of such history proves nothing either way; presence of the opposite ends the evaluation.
4. Independent audits, read correctly
An audit by a reputable firm is a strong positive signal with a precise meaning: at inspection time, configuration matched policy. Check the audit's scope (infrastructure or just apps), its date, and whether the full report is public rather than a press release about it.
5. Architecture that cannot remember
The best log is one that cannot exist. Signals of privacy-first engineering: RAM-only or diskless nodes that lose all state on reboot, authentication via opaque identifiers rather than identities, and a subscription model where the server only needs to know "this key is valid until date X". When user identity was never collected, as with email-free Telegram signup and crypto payment, entire categories of dangerous data have nothing to attach to.
6. Follow the money
Infrastructure is expensive. If the service is free, ask what pays for it; documented answers across the industry include selling bandwidth, injecting ads and selling browsing data. A paid service with anonymous payment options has the healthiest incentive structure: revenue comes from subscriptions, and the provider profits from knowing less about you, not more.
The 60-second version
When you have one minute instead of an evening, run this compressed pass. Open the privacy policy and search for the words "connection", "timestamp" and "IP address": either they are explicitly excluded or you have your answer. Check the company's jurisdiction against mandatory data-retention regimes. Search the brand plus "logs" plus "court" for history. Confirm the signup form works without personal data and that crypto is among the payment methods, because both are expensive to fake. Any single failure is survivable in context; two or more means the marketing department wrote the privacy story and the engineers were not consulted.
Red flags that end the conversation
- A privacy policy that reserves the right to log "for service improvement" without defining limits.
- A history of quietly edited policies after incidents, or a parent company in the data business.
- Mandatory personal data at signup: full name, phone number, address. There is no technical reason a tunnel needs them.
- Marketing that promises total anonymity. Serious providers describe threat models, not magic.
What you can test yourself today
You cannot inspect a provider's disks, but you can test the claims that touch your device, and diligence here predicts diligence there:
- DNS leaks: with the VPN connected, a DNS leak test site must show only resolver locations consistent with the VPN, never your ISP.
- IPv6 and WebRTC: browser WebRTC checks should not reveal your real address; IPv6 must be tunneled or disabled.
- Kill switch behavior: drop the connection mid-download and confirm traffic stops instead of failing open.
- Signup and payment claims: create an account and verify how little the flow actually demands. A provider that advertises anonymous signup but then requires a card has answered your question.
How Kovra approaches this, stated plainly
We prefer verifiable design over adjectives. Accounts can be created with a Telegram login and no email; payment can be cryptocurrency, which leaves us holding a transaction hash instead of a billing identity. The service model is subscription-based: infrastructure needs to know that a key is valid and until when, not what flows through it, and the VLESS + Reality protocol keeps even the existence of the tunnel invisible on the wire. We will not claim more than that in a guide about verifying claims: apply the checklist above to us the same way you would to anyone else.