No-Log VPN: What It Actually Means (And What to Watch For)
Every VPN claims "no logs." Most of them are lying — or at least misleading you. Here's how to tell the difference.
Every VPN on the market claims to be "no-log." It's become meaningless marketing. Here's what you actually need to know.
Types of logs
Not all logs are equal. VPNs can log different things:
| Log type | What it records | Privacy risk |
|---|---|---|
| Traffic logs | The websites you visit, data you transfer | Critical |
| Connection logs | When you connected, your IP, duration | High |
| Bandwidth logs | How much data you used, tied to your account | Medium |
| Aggregate logs | Anonymous usage statistics, server load | Low |
| No logs | Nothing tied to your identity | None |
When a VPN says "no logs," they usually mean no traffic logs. But they may still record connection timestamps, bandwidth usage, or your real IP address.
Red flags in VPN privacy policies
Watch out for:
- "We don't log your browsing activity" — this carefully avoids mentioning connection logs
- "We may collect anonymized data" — anonymized data can often be de-anonymized
- "We comply with law enforcement requests" — if they have nothing, they can't comply. If they can comply, they have something.
- "Our servers automatically delete logs after 24 hours" — that's not "no logs," that's "temporary logs"
The jurisdiction question
Where a VPN is incorporated matters. Some countries have mandatory data retention laws. Others participate in intelligence-sharing alliances (Five Eyes, Nine Eyes, Fourteen Eyes).
VPNs based in privacy-friendly jurisdictions (Panama, British Virgin Islands, Switzerland) have a structural advantage — they can't be legally compelled to log.
What rowm. does
rowm. takes the simplest possible approach: we don't store anything that could identify you.
- No traffic logs
- No connection timestamps
- No bandwidth records tied to accounts
- No DNS query history
- No IP address logging
Our servers are configured to hold only what's needed for your active session. When you disconnect, it's gone. Not deleted after 24 hours — gone immediately.
We don't want your data. Not because it's the right marketing message, but because stored data is a liability. Every byte we keep is a byte that could be breached, subpoenaed, or leaked.
How to verify
Short of auditing the servers yourself, look for:
- Independent audits — has a third party verified the no-log claims?
- Court cases — has the VPN been subpoenaed and had nothing to hand over?
- Infrastructure design — RAM-only servers can't persist data through reboots
- Open-source clients — can the community verify the app isn't phoning home?
Trust is built through evidence, not marketing copy.