One of the Most Downloaded VPN Apps Says It Keeps No Logs. I Checked VPN Super’s Claim — Here’s What I Found
- Is VPN Super a no-logs VPN? No. There is zero independent evidence supporting its no-logs claims - 0 audit, 0 transparency report, 0 warrant canary, and 0 real-world legal test. Worse, its own privacy policy admits it collects your IP address, device identifiers, approximate location, usage analytics, and advertising IDs, and shares data with advertising partners. A privacy claim that cannot be independently verified, and is contradicted by the company's own disclosures, should not be trusted.
No-Logs Confidence: Very Low
Search "VPN" on the Google Play Store or the Apple App Store. VPN - Super Unlimited Proxy will be in the first few results in many regions, it's number one. Since it offers both a free version and a paid subscription, it has a massive reach. Tens of millions of downloads. A review count most privacy tools will never reach. By any app store metric, this is the VPN most people are actually installing.
That scale is exactly why I pulled up its privacy policy, went looking for independent audits, checked for a transparency report, searched for any court case or law enforcement incident that had tested the no-log claim in the real world, and documented everything I found - and everything I didn't.
How We Evaluated VPN - Super Unlimited Proxy's Logging Practices
A no-logs claim doesn't mean much on its own. Any VPN can put those words on a privacy policy page. The real question is whether there's anything outside the company's own website to back it up.
To find out, I looked beyond VPN Super's claims for both its free and paid versions. I checked for independent security audits, transparency reports, legal records, publicly documented incidents, and other credible sources that could either support or challenge what the company says. I also compared the privacy policy with its other legal documents to see if everything lined up.
Each of those tells you something different. An audit can verify how a service actually works. Legal records can show what happened when authorities requested user data. Transparency reports reveal how open a company is about those requests. And documented incidents can highlight gaps between what's promised and what actually happened. When you put all of that together, you get a much clearer picture than a privacy policy alone. That's the approach I used for this review.
Privacy Policy: The official privacy notice of VPN Super was the first document I read in full - not skimmed, read. That distinction matters here because the policy runs across several sections, covers many separate legal entities, and contains region-specific disclosures near the bottom that are separated from the headline claims by several scrolls and several thousand words. Wherever the policy used terms like "anonymized" or "de-identified," I treated those as assertions to be verified externally rather than accepted at face value.
Security Audits: For any VPN making a no-log claim, an independent audit is how that claim moves from self-reported to verified. I searched for any published audit of VPN Super's infrastructure - from any firm, at any point in the company's history including the kinds of reports that involve auditors physically accessing production servers and reviewing daemon configurations and data retention mechanisms directly.
Transparency Reporting: I looked for any transparency report (annual or otherwise) documenting government and law enforcement data requests received, challenged, or complied with. This category tells you whether the no-log claim has ever had to hold up against a real external demand, and how the company responded when it did.
Legal Records: I searched across jurisdictions for any documented legal case be it criminal, civil, or regulatory where VPN Super was compelled to respond to a data demand or where its data practices came under formal scrutiny.
Warrant Canary: I checked VPN Super's website, privacy notice, and all linked pages for any warrant canary statement. I also checked other resources other than VPN Super's own.
Community and External Sources: I reviewed privacy forums, security researcher commentary, and independent technical analyses for anything relating to VPN Super's data practices that originated outside the company's own communications.
VPN Super's Logging Policy Summary
Is VPN - Super Unlimited Proxy Really a No-Logs VPN?
No. Based on everything I found, VPN Super does not deserve to be called a verified no-logs VPN.
This isn't only because I found evidence proving the company logs your browsing history. It's also because I found no evidence whatsoever proving its privacy claims are true and quite a bit of evidence showing the service collects far more data than its marketing suggests.
Here's what the evidence actually looks like.
What Supports VPN Super's No-Logs Claims
- VPN browsing activity is stated as not being recorded in any form linked to a user
- VPN traffic stated as encrypted - contents neither inspected nor recorded
- IP addresses are described as being discarded at the end of a session, not stored
- No browsing activity collected means no browsing activity to hand over to law enforcement
What Goes Against VPN Super's No-Logs Claims
- Zero independent no-logs audits.
- Zero transparency reports.
- Zero warrant canaries.
- Zero publicly documented legal cases proving the policy works in practice.
- Four different legal entities may control your data depending on where you downloaded the app.
- Ten advertising networks are integrated into the free version.
- Its own privacy policy confirms collection of IP addresses, approximate location, device information, network information, app usage, diagnostics, crash reports, device identifiers, and advertising IDs.
- The company's own CCPA disclosures state that identifiers, IP addresses, geolocation, internet activity, and analytics data have been shared with advertising partners within the previous 12 months.
- Critical categories such as DNS queries, connection timestamps, bandwidth usage, and session metadata are never explicitly addressed.
- The privacy policy was last updated in July 2024, despite the app continuing to attract millions of new users.
That contrast is shocking.
VPN Super asks millions of users to trust its no-logs promise while offering nothing that would allow anyone to verify it. In other words, the single biggest selling point of the service rests entirely on "because we said so."
Even that argument falls apart when you read the privacy policy. The company openly admits collecting IP addresses, device identifiers, location data, usage analytics, and advertising identifiers, while also disclosing data sharing with advertising partners. Whether that technically qualifies as "logging" is almost beside the point. A privacy service that collects this much data while asking users to blindly trust its biggest privacy claim has a credibility problem.
My verdict: A no-logs claim without evidence is marketing. A no-logs claim contradicted by extensive data collection deserves even more skepticism. Until VPN Super proves its claims through independent verification, there is no reason to give its privacy promises the benefit of the doubt or to even give it a try.
What Kind of Data Does VPN Super Collect?
Not all data “logs” mean the same thing. Some are just needed to run the service, while others could potentially identify you or show what you do online.
Based on VPN Super’s privacy policy, here’s a simpler breakdown of what they say they collect (and what’s not clearly explained).
VPN Super says it doesn’t track your actual browsing activity (for which they have no independent audit to back it), which is the most sensitive type of logging.
But it does collect other types of data like:
- account info (email, billing, etc.)
- device/app info
- some connection-related data (like your IP)
- website analytics and marketing tracking on its site
Some areas like exact connection logs, DNS handling, or retention periods aren’t fully spelled out, so there are still a few gaps in how detailed their logging really is.
A VPN sits between you and the entire internet. And VPN Super has failed the most important test a VPN can face - not proving its privacy claims. It asks users to entrust every search, every login, every banking session, and every private conversation to infrastructure that has never been independently audited. At the same time, its own privacy policy openly acknowledges collecting categories of user data that privacy-first VPNs work to eliminate or minimize. That is not a foundation for trust. It is a demand for blind faith.
What I Found in VPN Super's Privacy Policy Regarding Logs
I sat down with every page VPN Super links to from its privacy notice - the notice itself, the cookie references inside it, and the region-specific disclosures buried near the bottom. I approached VPN Super's privacy policy expecting to find evidence supporting its no-logs claims. Instead, I found a very different picture.
On paper, VPN Super repeatedly says it doesn't log your browsing activity. But the deeper I went, the more that promise became qualified. The company openly acknowledges collecting a wide range of operational and device data, its California disclosures reveal data sharing with advertising partners, and some of the most important technical logging categories aren't addressed at all. More importantly, I couldn't find a single piece of independent evidence, a no-logs audit, transparency report, warrant canary, or real-world legal case that verifies any of the company's privacy claims.
To understand exactly what happens to your data, I traced the entire user journey - from visiting the website and creating an account to using the VPN, staying connected, and eventually leaving the service. Here's what I found at each stage.
1. On Their Website
VPN Super doesn't make a dedicated privacy claim about the marketing website the way Mullvad does (no five-minute server log deletion promise, no public cookie count). What the notice does say is that it uses cookies and "similar technologies" for service operation, preferences, analytics, security, and advertising - and that it allows business partners to place tracking technologies on the site for analytics, marketing, retargeting, and ad serving.
That's a meaningfully different starting point. There's no claim that website-level logs get auto-deleted in minutes, no statement that no third-party analytics run, and no specific cookie count published anywhere I could find. The policy treats the website and the app under one umbrella of "services," so the same broad data-use language that covers the VPN also covers your visit to vpnsuper.com itself - page views, ad interactions, and the analytics that come with both.
Privacy Impact: Low to Moderate. Unlike a policy that commits to zero website tracking, VPN Super's notice openly allows analytics and advertising trackers on the marketing site itself, with no stated deletion window. Simply visiting vpnsuper.com to read the policy generates a data trail, separate from anything that happens once you install the app.
2. When You Sign Up
One of the first things I looked for was how much personal information VPN Super asks for before you can start using the service. Surprisingly, this is where the provider takes a relatively privacy-friendly approach (at least initially).
If you simply want to use the free version, you don't need to create an account at all. The privacy policy explicitly states that you can use the service without providing an email address, username, or password. That makes the onboarding process quick and removes one layer of personally identifiable information from the start.
However, things change once you decide to create an account or purchase a subscription.
Here's what I found:
- No account is required for basic use, allowing you to access the VPN without sharing your email or creating login credentials.
- Creating an account requires personal details, including your name, username, email address, and password.
- Your account isn't necessarily managed by a single company. Depending on where you downloaded the app, your information may be handled by one of four different legal entities - Super Unlimited Inc., VPN Super Inc., Free VPN Pte. Ltd., or Mobile Jump Pte. Ltd. The policy doesn't tell you which one that is upfront; you have to go check the download page or terms of service for your particular app build to find out.
- Payments follow a conventional model rather than a privacy-first one. Subscription purchases are processed through third-party payment providers, and VPN Super says it collects billing information such as your billing address, subscription type, purchase amount, currency, and transaction dates.
This is where VPN Super starts to move away from the privacy-focused approach adopted by providers like Mullvad. I couldn't find any option to pay anonymously using cash or cryptocurrencies like Monero, nor any indication that the company minimizes payment-related information beyond what is necessary for processing transactions.
Privacy Impact: Moderate. Skipping an account is genuinely possible and worth doing if anonymity matters to you. But any paid subscription routes through a payment processor and an account tied to one of four legal entities you have to identify yourself, and the policy doesn't offer an anonymous payment path of any kind.
3. When You Actively Use the VPN
This is the section where I spent the most time reading the privacy policy because the language becomes noticeably more nuanced. On the surface, VPN Super makes a reassuring no-logs claim but once I dug deeper, I found that the promise applies specifically to your browsing activity, not necessarily to everything the app collects while you're using it.
The company's primary assurance is that it does not record your VPN browsing activities in any way that can be associated with you. According to the policy, it doesn't log the websites you visit, the content you access, or your online activity while connected to the VPN. The only exception mentioned is if you voluntarily identify yourself by contacting customer support through the VPN connection, such as via email or live chat.
However, that doesn't mean the service operates without collecting data.
Here's what I found:
- Your browsing activity isn't logged, according to the company's stated no-logs policy.
- Your IP address is collected to determine your approximate location.
- Device-related information is collected, including your device model, operating system, device settings, network information, app version, and a randomly generated device hash.
- Free users are also assigned advertising identifiers, which are collected through third-party advertising partners.
- The app collects anonymized usage analytics, including connection success rates, VPN speeds, latency, feature usage, login success, crash reports, error logs, and troubleshooting information.
What stood out to me is that none of this contradicts the company's no-logs claim because VPN Super defines "logs" quite narrowly. The promise covers what you do online, but not necessarily the operational and diagnostic data generated while using the service.
I also paid close attention to the repeated use of the word "anonymized." The policy states that application usage data is anonymized, but I couldn't find any technical explanation describing how that anonymization is performed or whether independent verification exists to support the claim. Without additional documentation or an external audit, it's difficult to assess exactly how that data is processed behind the scenes.
Overall, my takeaway is that VPN Super appears to separate browsing activity from operational telemetry. The company says it doesn't log the former, but it does collect a meaningful amount of device, network, and performance data to operate and improve the service. That's a distinction worth understanding because a "no-logs" claim doesn't necessarily mean "no data collection."
Privacy Impact: High. Browsing activity itself is claimed not to be logged, but active use still generates IP-derived location, device fingerprint-adjacent data (model, OS, settings, hash), and, for free users, advertising identifiers shared with third-party ad networks. None of that is covered by the no-log promise.
4. While You Are Actively Connected
This is the section I went into most skeptical about, because it's where most VPN providers' language gets vaguest, and it's also where Mullvad's claims hold up best because independent auditors physically checked the relay servers.
VPN Super's policy states plainly that VPN traffic is encrypted and that they "do not inspect or record the contents" of what you browse, view, or do through the connection - again with the support-communication exception. On IP addresses specifically, the policy makes a distinction I think is genuinely important to flag: they say IP address collection is "required from a technical perspective" to provide the service, but that addresses are "neither stored nor used beyond... the duration of a VPN session," and are not associated with VPN browsing activity. The IP gets used to connect you to the nearest server and to calculate your approximate location, then, according to the policy, it is discarded.
That's a collect, use, then discard model, not a never touch it model. The wording itself is internally consistent and not unusual for VPN privacy policies generally, but I want to be direct about what's missing here: there is no independent audit, no named third-party security firm, and no server-level verification anywhere in this document or anywhere I could find externally that confirms this discard actually happens as described. With Mullvad, I could point to the 2022 Assured AB relay audit that had hands-on access to production servers and confirmed logging was disabled at the daemon level. With VPN Super, I have one paragraph asking me to trust that the IP address doesn't outlive the session.
Privacy Impact: Critical. The policy describes a connect-then-discard handling of your IP address, and states browsing content isn't inspected. Taken at face value, that's a reasonable architecture. The problem is that nothing here is independently confirmed, no audit, no named security firm, no court test, so this entire section rests on the company's own word.
5. What Persists After You Leave
One question I always try to answer is what happens to your data after you're done using the VPN. This is where VPN Super's privacy policy becomes less specific.
The policy says personal information is generally retained for as long as necessary to provide the service, for as long as your account remains active, or for additional periods required to comply with legal obligations, prevent abuse, resolve disputes, or defend against legal claims. It also notes that residual copies of data may continue to exist in backup systems.
Here's what I found:
- No retention period is provided for most categories of personal information. The policy doesn't specify whether data is deleted after days, months, or years.
- VPN browsing activity is the notable exception. Throughout the policy, VPN Super consistently states that it does not store or retain information about your VPN browsing activity. I found this assurance repeated in multiple sections without contradiction.
- Account information remains on file if you've created an account, alongside subscription details and purchase records associated with your membership.
- Customer support conversations may also be retained, although the policy doesn't mention when, or if, those communications are deleted.
- California-specific disclosures reveal broader data sharing practices. Under the California Consumer Privacy Act (CCPA), VPN - Super Unlimited Proxy states that, within the previous 12 months, it has shared categories of information such as identifiers, IP addresses, commercial information, internet or network activity, analytics data, and approximate geolocation with third-party providers in ways that meet the law's broad definition of a "sale."
What stood out to me is that this final disclosure isn't presented alongside the company's privacy assurances. Instead, it's tucked away in the California privacy section, separate from the main no-logs discussion. Unless you deliberately read through the regional disclosures, as I did, it's easy to miss that this information exists.
My overall takeaway is that VPN Super draws a clear line between browsing activity, which it says it doesn't retain, and account, billing, operational, and regulatory data, which may remain on file for an unspecified period. The lack of concrete retention timelines makes it difficult to know exactly when most personal information is permanently deleted.
Privacy Impact: Critical. Browsing activity is the one category the policy commits to not retaining. Everything else - account data, billing records, support history, and (per the CCPA disclosure) identifiers and IP-derived data shared with advertising partners - has no specific retention period and, in the case of the CCPA "sale," has already left the company in the past 12 months.
What Does VPN Super NOT Log?
Once I'd been through every stage of the user journey, I went back and isolated each specific no-log claim the policy actually makes, category by category. This matters because "we don't log" is not one promise. It's usually several narrower promises bundled under one headline, and the gaps between them are where the real picture lives. Here's what VPN Super specifically commits to not logging, what evidence backs each claim, and just as importantly, which categories the policy simply never addresses.
1. VPN Browsing Activity (Websites and Apps Accessed)
This is the core claim, repeated in multiple places throughout the notice. The policy states VPN Super does not record your VPN browsing activities "in any way that can be associated with you," and separately that it does not store information identifying what you browse, view, or do online via the VPN connection.
The claim appears at least twice in different sections (the Key Assurances summary and the body of the notice), using consistent language both times. There's also a stated logical consequence: because they say they don't collect this category, the policy claims that in response to a law enforcement request, "there would be nothing to give."
What's missing: No independent audit confirms this architecturally. The claim is consistent on paper, but consistency within a single company-authored document isn't the same as third-party verification.
Privacy Impact: Critical. This is the claim VPN - Super Unlimited Proxy wants users to trust most, yet it's supported by zero evidence beyond its own privacy policy. A company saying "we don't log your browsing activity" is meaningless until someone independent verifies it.
2. Content of Your Traffic (Deep Packet Inspection)
Separately from which sites you visit, the policy addresses whether they look at what's inside your traffic. It states that VPN traffic is encrypted and that VPN Super does not inspect or record the contents of what you browse, view, or do through the connection.
This is a single, direct statement in the policy, with the same support-communication carve-out applied elsewhere (if you message them through the tunnel and identify yourself, that exchange isn't covered).
What's missing: No technical documentation, no published encryption protocol audit, and no statement about which VPN protocols are used were available anywhere I checked. The claim is plausible (DPI of encrypted tunnel traffic isn't standard practice for most VPNs), but it's also unverified the same way the browsing-activity claim is.
Privacy Impact: High. VPN Super says it doesn't inspect your traffic, but offers no technical proof whatsoever. When your privacy depends entirely on the company's word, you're trusting a promise, not a privacy guarantee.
3. IP Address Association With Activity
The policy makes a narrower claim here than a flat "we don't log your IP." It states they do not associate your IP address with your VPN browsing activity, separate from the question of whether the IP is collected at all. Stated directly in the same passage that discusses IP collection: the IP is described as used for approximate location and server connection, then explicitly not tied to the browsing-activity data category.
What's missing: Whether IP and browsing data are ever stored adjacent to each other internally, even temporarily, before being processed apart, isn't addressed. The promise is about the output (no linked record exists), not the internal handling.
Privacy Impact: Critical. VPN Super admits collecting your IP address while claiming it isn't linked to your activity. Without an audit, there is no reason to simply assume that separation happens exactly as described. The company is effectively asking users to take it at its word.
4. Personal Identity Tied to Connection Sessions
The policy frames the entire no-log promise around attribution, not "we see nothing" but "what we might see can't be tied back to you." This shows up in the repeated phrase "in any way that can be associated with you."
This phrasing is consistent with the "anonymized" and "de-identified" language used elsewhere in the policy for usage and diagnostic data, suggesting a deliberate design choice to keep certain technical telemetry decoupled from account identity.
What's missing: No description of how de-identification is achieved (hashing, aggregation thresholds, deletion of linking keys) is given. "Anonymized" is asserted, not explained.
Privacy Impact: High. Words like "anonymized" and "de-identified" sound reassuring, but without explaining how they're achieved or proving them through an audit, they're little more than buzzwords. If users can't verify the privacy protections, they have no reason to blindly trust them.
What the Policy Simply Doesn't Address
This is the part worth sitting with. Several categories that audited no-log VPNs typically address head-on are absent from VPN - Super Unlimited Proxy's notice entirely - not denied, not confirmed, just not mentioned:
- DNS queries. No statement about whether DNS requests are logged, routed through VPN Super's own resolvers, or retained even briefly.
- Connection timestamps. No explicit statement on whether the exact time you connect or disconnect is logged or discarded - "connection success" is mentioned as anonymized usage data, but a timestamp isn't the same thing as a success/failure flag.
- Bandwidth consumed per session. Not addressed as its own category.
- Originating port or session identifiers. Not mentioned.
Why this matters: A policy that explicitly says "we don't log DNS queries" or "we don't log connection timestamps" is making a falsifiable, auditable claim. A policy that's silent on these categories isn't necessarily logging them, but it also isn't promising it doesn't. Compared to a no-log VPN whose audited policy walks through each technical category by name, VPN Super's notice operates one level higher in abstraction: "VPN browsing activity" as a bundled concept, without breaking out the technical components an auditor would normally check one by one.
Independent Audits & Real-World Proof
When I finished reading VPN Super's privacy notice, I did what I do with every VPN that makes a no-log claim: I went looking for something outside the company's own words that could either confirm or contradict it. An independent audit from a named security firm. A transparency report showing how many government data requests were received, contested, or complied with. A court case or law enforcement incident that put the no-log claim to a real-world test. A warrant canary. Anything.
I found none of it.
- I did not find any independent audit
- I did not find any transparency report
- I did not find any warrant canary
- I did not find any court cases or lega incidences that showed VPN Super did not give away any data
Not an outdated audit. Not a partial transparency report. Not a single documented legal incident. Nothing. Here is how what it shows:
1. No Independent Audit - Ever
As of the date of this research, VPN - Super Unlimited Proxy has never published or commissioned a publicly available independent security audit of its no-log infrastructure. Specifically, I found no evidence of:
- Any publicly named third-party firm verifying server configurations or confirming that logging is disabled at the infrastructure level.
- A Cure53 audit.
- An Assured AB infrastructure review.
- A KPMG assessment.
This is not a minor gap. An independent audit is the only way to move a no-log claim from "the company says so" to "someone checked." Without one, everything in the previous sections - the browsing-activity promise, the IP discard claim, the "anonymized" usage data, all of it - rests entirely on a single source: VPN Super's own policy document, written by VPN - Super Unlimited Proxy, about VPN Super.
This is particularly notable given VPN Super's large presence on both Google Play and the Apple App Store.
Privacy Impact: Critical. VPN Super expects you to trust its biggest privacy promise without allowing anyone to verify it. An unaudited no-logs claim is little more than self-certification. When your entire internet activity passes through a VPN, "trust us" is not an acceptable security model.
2. No Transparency Report - Ever
Most VPNs that take their no-log claims seriously publish at least an annual transparency report:
- how many government data requests were received,
- how many were legally challenged,
- how many resulted in any data being handed over, and
- what that data was.
It is an imperfect accountability mechanism.
VPN Super has published no transparency report of any kind. There is no public record of how many law enforcement requests the company has received, which jurisdictions those requests came from, or what the company's response was. The privacy notice states that because browsing activity isn't collected, "there would be nothing to give" - but without a transparency report, there is also no record of whether that claim has ever been tested, and no way to verify that account-level data (which is collected) hasn't been disclosed when requested.
Privacy Impact: Critical. If governments have requested user data, you'll never know. If VPN Super complied, you'll never know. If it had nothing to hand over, you'll never know. A company handling your private internet traffic asks for complete trust while offering zero public accountability. That is nothing but ironic and not trustable.
3. No Warrant Canary
A warrant canary is a simple, regularly updated statement that a service has not received any classified or secret government data requests it is legally prohibited from disclosing. It's a low-cost transparency mechanism that several privacy-oriented VPNs maintain. VPN - Super Unlimited Proxy has none. I found no canary statement anywhere on the site, in the policy, or in any linked documentation.
Privacy Impact: High. Even the simplest transparency mechanism is missing. A warrant canary costs almost nothing to maintain, yet VPN Super doesn't provide one. That's another signal that users are expected to rely on promises instead of evidence.
4. No Court Cases or Law Enforcement Incidents on Record
I searched for any documented case (civil, criminal, or regulatory) where VPN Super's no-log claim was tested by a real-world legal demand. I found nothing: no case where a user's data was requested and VPN - Super Unlimited Proxy confirmed it had nothing to provide, and no case where data was disclosed despite the no-log promise. The absence of cases cuts both ways. It doesn't prove the claim is false, but it also means the claim has never been stress-tested in public.
Privacy Impact: Critical. The no-logs claim has never been tested when it mattered most. Until a VPN demonstrates under legal pressure that it genuinely has no user data to hand over, its no-logs policy remains an unproven assertion—not a verified fact (especially when it also lacks other tust-verification sources).















