What data do DuckDuckGo’s VPN and subscription services retain and for how long?

1. What DuckDuckGo says it retains about VPN connections

DuckDuckGo’s subscription privacy pages and public announcements assert that the VPN does not keep logs that could connect a user to their online activity, meaning they claim not to store records tying IP addresses, visited sites, or traffic contents to identifiable users ^{[2] [5]}. For operational needs the company admits its VPN servers store “generic usage and diagnostic data (for example, CPU load and errors), but nothing connected to any individual,” and it emphasizes that its VPN servers are physically separated from other DuckDuckGo infrastructure ^{[3] [4]}.

2. Identifiers and account linkage: random IDs and optional email

To activate the subscription without creating a conventional account, DuckDuckGo issues a random subscription ID to authorize devices and says that this ID is not connected to VPN traffic data or to credit card/payment information; if a user adds an email for ease of activation, DuckDuckGo says that email also won’t be tied to subscription activity or payment info ^{[4] [2]}.

3. What happens to data from Personal Information Removal and identity services

DuckDuckGo’s documentation states the personal‑information removal feature scans dozens of data broker sites and that information provided for removal is stored locally on the device rather than on DuckDuckGo’s servers, while identity‑theft restoration is provided as an advisory/assistance service through the subscription ^{[6] [2] [7]}. Reviewers note the removal tool scans many brokers and automates takedown requests, but the company’s materials emphasize that harvested broker results and the user’s PII for removals are managed on the user device ^{[7] [2]}.

4. Promises about Duck.ai and training data

DuckDuckGo states that Duck.ai chats are private and “never used to train AI,” and the subscription privacy pages reiterate that Duck.ai and other subscription features are intended to be isolated from activity‑connecting logs ^{[2] [1]}. Independent observers caution that such claims are difficult to verify externally without full transparency or independent audit reports ^[7].

5. Verification, audits and reasonable skepticism

DuckDuckGo has said a third‑party audit of its VPN no‑logs claims is in progress and that no major issues have been found so far, but the full audit report has not been published at the time of these sources and independent verification remains limited ^[5]. Privacy writers and product reviews welcome the company’s data‑minimization stance but stress that “no‑logs” claims require third‑party audits or technical transparency to be fully persuasive ^{[8] [7]}.

6. What is not disclosed or remains unclear

Despite repeated assertions about not tying VPN activity to users and storing only generic diagnostics, DuckDuckGo’s public materials reviewed here do not specify precise retention windows for those diagnostic logs, whether aggregated telemetry is retained and for how long, or the technical safeguards and deletion schedules applied to any backend data that exists ^{[3] [4] [2]}. Where sources are silent on retention durations, reporting cannot definitively state whether any transient connection metadata might be retained temporarily for troubleshooting or legal compliance beyond the generic statements provided ^{[3] [5]}.

DuckDuckGo’s published stance is clear: minimize collection, keep no identifiable VPN logs, store personal‑data removal inputs on the device and use a random subscription ID instead of a tied account; but the company has not published granular data‑retention timelines or the full third‑party audit report necessary to independently confirm those no‑log and retention claims ^{[2] [3] [5]}.