• Exclusive: I asked 10 VPNs for my personal data only one lived u

    From TechnologyDaily@1337:1/100 to All on Thursday, March 26, 2026 12:30:26
    Exclusive: I asked 10 VPNs for my personal data only one lived up to our expectations

    Date:
    Thu, 26 Mar 2026 12:15:45 +0000

    Description:
    Under GDPR and similar privacy regulations, VPN providers are legally
    required to share the data they hold on you when asked. I decided to put this basic data right to the test.

    FULL STORY ======================================================================

    * 9 out of 10 top VPN providers failed to meet what we consider baseline GDPR expectations
    * Article 15 requires firms to share the data they hold on you when asked
    * Surfshark was the only provider to perfectly fulfill its GDPR promises

    VPNs are used to minimize the amount of data you share with your ISP and to keep your browsing data secure. But that doesn't mean VPN companies hold absolutely no information about you.

    In reality, identifiers such as email addresses and payment details are
    almost always collected and stored to manage your subscription. This means they are legally "controllers" of our data under legislation like the GDPR in Europe.

    This classification isn't optional. Even if a provider is based in a "privacy haven" like Panama or the British Virgin Islands, they must comply with Article 15 of the GDPR if they offer services to users in the EU or UK.

    Article 15 is explicit: you have the right to obtain confirmation from the company as to whether your personal data is being processed and, if so,
    access that data.

    We wanted to test how some of the best VPNs on the market behave when asked to fulfill this basic right.

    The results were underwhelming. Our investigation found that 9 out of 10 providers fell short of what we consider basic GDPR expectations, with most failing to share the information they held on us at all.

    While our testing focused on the GDPR, these obligations are not unique to Europe. The "Right of Access" is a fundamental pillar shared by modern
    privacy regulations across more than 160 countries, including California's CCPA/CPRA and Brazil's LGPD.

    It's important to note that a poor response to a data subject access request is not indicative of poor privacy practices more broadly.

    We contacted every VPN company featured in this report. You can read the replies below.

    Our findings at a glance

    * 90% of tested VPNs failed to meet our standards of a "thorough and timely" data subject access report.
    * 2 providers (NordVPN and TunnelBear) failed to provide any response within the 30-day window without multiple prompts.
    * Only 1 out of 10 (Surfshark) provided a professional, readable PDF report within 24 hours.
    * 20% of providers sent unusable or unexplained data files (CSVs with generic headers like "field_0").

    Vendor          | Result
    ----------------+----------------------------------------------------------------
    Surfshark       | Instant, professional PDF report
    IPVanish        | 30+ day delay; sent CSV with signup IP
    CyberGhost      | 30+ day delay; sent email with some details when reminded
    Hotspot Shield  | 30+ day delay; sent 7 cryptic, unlabelled CSVs
    PrivadoVPN      | Sent email saying they only stored my email and payment details
    ExpressVPN      | Refused to send data; linked to Policy instead
    PureVPN         | 30+ day delay; sent an email asking which data I wanted
    Proton VPN      | Sent email repeating clauses from Privacy Policy
    NordVPN         | Radio silence for 8 weeks
    TunnelBear      | Radio silence for 8 weeks

    How did we get there

    To see how the industry's leading VPN services handle their legal obligations, TechRadar contacted 10 major providers on January 5, 2026, requesting all personal data held on our accounts.

    We maintained active subscriptions with every provider and followed the specific instructions laid out in their respective privacy policies for data access requests.

    We monitored their response rates over an eight-week period, sending multiple follow-up prompts to companies that failed to acknowledge the initial
    request.

    The hall of shame

    NordVPN and TunnelBear were the most significant disappointments. Despite having clear instructions in their policies on how users can exercise their GDPR rights, both exceeded the 30-day legal limit
    and failed to deliver any data by the eight-week mark.

    Equally frustrating were the responses from Proton VPN and ExpressVPN, two services that market themselves on a "privacy-first" ethos. Instead of providing the requested data, both issued "canned" responses directing us to read their privacy policies.

    This fails to meet the requirements of Article 15 because a company's obligation to provide a user's specific data is not satisfied by simply pointing to a generic public document.

    PrivadoVPN acknowledged it held email and had once held payment data but stopped short of disclosing the details. Meanwhile, PureVPN replied after 30 days only to ask what specific types of data we were looking for. Under Article 15, providers are required to disclose all data held on a user, and it is not the user's responsibility to guess what that might be.

    Cryptic and delayed responses

    While some providers failed entirely, others attempted to comply but fell short of a professional standard.

    IPVanish was a mixed bag. The company uses a specialized portal to make requests easier and provided a CSV dataset. However, the response took over
    30 days and revealed the company still held IP addresses from the signup period, a finding that may clash with the 'anonymous' experience many users expect.

    CyberGhost's process was flawed from the start. We were required to download a DOCX file to submit our request, which appeared to be an outdated Scottish government template. The company then demanded sensitive information, such as a physical address and phone number, which they didn't even have on file. After eight weeks and multiple chases, the final response only listed the types of data held, rather than the data itself.

    Hotspot Shield eventually provided data in the form of seven CSV files, but the files contained no headers. This left dozens of data points labeled cryptically as "field_0" through "field_32," making the information functionally useless. While the company offered to clarify the data later, this does not fulfill the GDPR requirement to provide data in a concise, transparent, and intelligible format.

    The winner: Surfshark

    Surfshark was the only provider in our test that treated the request as a serious legal obligation. It took the provider only four hours to deliver a detailed PDF report of all the information held on our account.

    The report included a full record of payments (including dates, currency, and IDs), account email addresses, active subscriptions, and even a log of
    malware blocked by Surfshark's built-in antivirus tool.

    While the level of detail is a win for transparency and GDPR compliance, it does raise secondary questions about whether a privacy-focused company should be logging some of these data points in the first place.

    You can read our full analysis of Surfshark's response here.

    VPN providers' responses

    We contacted every VPN company included in this report for comment prior to publication. Most didn't respond. However, several challenged our findings.

    NordVPN said that our decision not to verify our identity when requesting information was responsible for the delay. A spokesperson said the company strives to complete DSARs "within the applicable timelines" but that "delays may occur if a requestor chooses not to verify their identity."

    "Identity verification is an important safeguard that helps ensure personal data is disclosed only to the rightful individual and remains protected,"
    they added.

    We emailed the company twice and never received a response. We were not asked to verify our identity.

    IPVanish also said that the delay was caused by waiting for identity verification. The company also emphasized its no-log policy and said: "when
    a customer subscribes to our service, their sign-up IP address may be collected in connection with payment processing and preventing fraud."

    Proton VPN said that there was a misunderstanding as to whether our initial request formally constituted a DSAR, though admitted "the response could have been more specific."

    A spokesperson for the company said that personal data such as security
    logs, payment details, subscriptions and emails can all be found via "dedicated tools" online.

    Privado VPN said: "We are always happy to provide data subjects with a copy
    of their personal data upon request, and we consider this obligation to have been met in this case."

    While they did respond promptly, their response provided generic information about the categories of data held, rather than specific data points.

    It was missing many of the supplementary information points we would expect to see, such as the right to make a complaint, whether or not automated decision-making is being used, and how long the data is stored for.

    Surfshark's responses have been included in the accompanying article that highlights the data the company holds on users.



    ======================================================================
    Link to news story: https://www.techradar.com/vpn/vpn-privacy-security/exclusive-i-asked-10-vpns-for-my-personal-data-only-one-made-it-easy


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)