5 Signs Your VPN Is Selling Your Data (Red Flags to Watch)
Not all free VPNs are created equal. Some protect your privacy. Others exploit it. The difference isn't always obvious — but after auditing dozens of VPN privacy policies, I've identified five unmistakable red flags. If your VPN shows even one of these, your data is probably being sold right now.
Red Flag #1: Vague or Permissive Privacy Policy Language
1 The Privacy Policy Loophole
The most common trick in the VPN industry is a privacy policy that sounds strict but contains deliberate loopholes. Look for phrases like:
- "We may share anonymized data with third parties." — "Anonymized" data can often be re-identified. This is how Avast's Jumpshot subsidiary sold user browsing data for years.
- "We collect information necessary to provide and improve our services." — What does "improve" mean? This phrase is so broad it can justify almost anything.
- "We do not sell your personal data." — Note the word "personal." Some VPNs argue that browsing logs aren't "personal data" and sell them anyway.
What to look for instead: A policy that explicitly states "We do not log your browsing history, IP address, or connection timestamps" — and backs it up with an independent audit.
Red Flag #2: No Independent Audit
2 Trust Me, Bro
Any VPN can claim to be no-logs. Without a third-party audit from a reputable firm like Cure53, Securitum, or PwC, that claim is just marketing. I've seen VPNs with beautiful websites and convincing copy get exposed because they refused to undergo an audit.
Red flag behaviors:
- The VPN has been operating for 5+ years but has never commissioned an audit.
- When asked about audits, they give vague answers like "we're considering it."
- They claim to be "self-audited" or "community-reviewed" — meaningless terms.
What to look for instead: A publicly available audit report, preferably renewed annually. Proton VPN, TunnelBear, and Hide.me all publish theirs.
Red Flag #3: Free + Unlimited = Suspicious
3 The Unlimited Free Lunch
Running a VPN costs money — servers, bandwidth, staff. If a VPN offers unlimited free data with no ads, you need to ask: Where is the money coming from? There are only three sustainable business models for a free VPN:
- Paid users subsidize free users (Proton VPN, PrivadoVPN).
- The free tier is a limited trial (TunnelBear's 500 MB, Atlas VPN's 5 GB).
- The company sells something else — and if they don't openly say what, the product is you.
If a VPN offers unlimited data for free and has no paid tier to subsidize it, your data is almost certainly the revenue source.
Red Flag #4: Based in a 5/9/14 Eyes Country
4 Dangerous Jurisdiction
The Five Eyes, Nine Eyes, and Fourteen Eyes are intelligence-sharing alliances. VPNs based in these countries (US, UK, Canada, Australia, New Zealand — and their extended partners) can be legally compelled to log and share user data without informing the user.
Red flag example: A VPN headquartered in the United States that claims "no logs." Even if true today, a National Security Letter could force them to start logging tomorrow — and they'd be legally prohibited from telling you.
What to look for instead: VPNs based in privacy-friendly jurisdictions like Switzerland (Proton VPN, PrivadoVPN), Panama (NordVPN), or Malaysia (Hide.me) — countries with no mandatory data retention laws.
Red Flag #5: The VPN Is Free… But Full of Ads and Trackers
5 Ad-Supported Surveillance
Some free VPNs inject their own advertisements into your browsing sessions. To serve "relevant" ads, they need to track what you're doing. This is the opposite of what a VPN is supposed to do.
Specific behaviors to watch:
- The VPN injects banner ads into websites you visit.
- You notice tracking cookies appearing after installing the VPN.
- The VPN app requests permissions that have nothing to do with VPN functionality (location, contacts, microphone).
Betternet was caught doing exactly this. Hola VPN sold user bandwidth. These aren't just bad VPNs — they're actively harmful.
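One way to check the permissions point above on Android, as an added example that is not part of the original article: it reads a decoded AndroidManifest.xml (for instance, one produced by apktool) and flags requests for location, contacts, or the microphone. The sample manifest, the package name, and the EXPECTED allow-list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article names as unrelated to VPN functionality.
UNRELATED = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
}
# Assumption: permissions a VPN client plausibly needs; adjust to taste.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}
# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return flagged permissions by category, leftovers to review, and VPN-service presence."""
    root = ET.fromstring(xml_text.strip())  # use a hardened parser for untrusted files
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    flagged = {}
    for perm in sorted(requested):
        if perm in UNRELATED:
            flagged.setdefault(UNRELATED[perm], []).append(perm)
    # A real VPN client guards its tunnel service with BIND_VPN_SERVICE.
    has_vpn = any(s.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
                  for s in root.iter("service"))
    unreviewed = sorted(requested - EXPECTED - set(UNRELATED))
    return {"has_vpn_service": has_vpn, "flagged": flagged, "unreviewed": unreviewed}
```

Anything in `unreviewed` is neither on the allow-list nor in the article's three categories, so it needs a manual look rather than an automatic verdict.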
Quick Checklist: Is Your VPN Safe?
If your current VPN ticks any of these boxes, it's time to switch:
- ☐ Privacy policy contains vague language or data-sharing loopholes
- ☐ No independent security audit — or the audit is years old
- ☐ Unlimited free data with no clear business model
- ☐ Headquartered in a 5/9/14 Eyes country with no transparency report
- ☐ Injects ads or requests unnecessary permissions
Not sure where to switch? Read our guide: 7 Truly Free VPNs with Strict No-Logs Policy — every VPN on that list passes all five checks.
Questions about VPN privacy, or want us to audit a specific VPN? Reach us at contact@viperstream.cloud.