What data or logs has mullvad vpn given up?
Executive summary
Mullvad publicly and repeatedly states it “does not keep activity logs of any kind,” including IP addresses, DNS requests, connection timestamps, browsing activity, bandwidth, and session duration [1] [2]. Independent reporting and audits cited by reviewers and outlets say Sweden police raids found no subscriber data on Mullvad servers, and auditors have repeatedly validated its no-logs posture [3] [4] [5].
1. Mullvad’s formal no‑logs claim — what's on record
Mullvad’s own policy language is explicit: the company says it does not log VPN users’ IP addresses, the VPN IP address used, browsing activity, bandwidth, connections, session duration, timestamps, or DNS requests and that “we do not keep activity logs of any kind” [1] [2]. The official privacy and policies pages reiterate the same position and explain that account access is controlled by an anonymous 16‑digit account number rather than email/password identifiers [6] [1].
2. Independent corroboration and real‑world test cases
Multiple reviews and news items point to real‑world events that support Mullvad’s claim. Reporting notes that when Swedish police executed a warrant/search in 2023 they left “empty handed” because Mullvad’s servers did not contain the subscriber data investigators sought [3] [4] [5]. Review outlets also cite independent audits and penetration tests that, according to those reports, found no critical issues and gave credibility to Mullvad’s technical safeguards and no‑logs assertions [5] [7].
3. What Mullvad does record or expose — limited operational metrics
While Mullvad says it keeps no activity logs, several reviews and Mullvad documentation indicate limited, non‑identifying operational metrics are tracked. For example, servers record counts such as “number of current VPN connections” and aggregated bandwidth usage; Mullvad’s help pages note central services validate account numbers for remaining time and connection limits when a client connects [2] [8]. These are presented as functional checks rather than per‑user traffic logs [2].
4. Payment and support exceptions — where personal data can appear
Mullvad’s anonymous signup is core to its approach, but exceptions exist tied to payment or direct communications. The company accepts cash and cryptocurrencies to minimize linkability, yet some payment methods (bank wire, credit card, PayPal) involve third‑party processors and could expose personal data to those processors — Mullvad’s privacy policy acknowledges processing personal data in such situations [6] [2]. Mullvad says data from payment processors “does not necessarily mean Mullvad are storing the data anywhere else than in the service,” but the presence of those flows is explicitly acknowledged [6].
5. App telemetry and crash reports — minimal but present
Mullvad’s app documentation and APK notes state the client collects “a very minimal amount of telemetry” and that app logs are not sent automatically but only when explicitly submitted by a user; Mullvad emphasizes that telemetry is not tied to account numbers or IPs [9]. This indicates some non‑traffic technical diagnostics exist, but Mullvad frames them as unlinkable and minimal [9].
6. Technical measures to reduce recoverable data
Mullvad moved servers to RAM‑only installations (no persistent disks) and emphasizes server architecture choices intended to limit data persistence; several reviews highlight that RAM‑only servers and other design choices make it harder to recover data after reboots [10] [7]. Mullvad also touts features like DAITA and multi‑hop as privacy enhancements, though those are feature claims rather than direct evidence about logging practices [10].
7. How to interpret “no logs” claims — competing perspectives
Independent reviewers and outlets generally treat Mullvad’s no‑logs claim as credible because of audits, the 2023 police raid outcome, and technical safeguards [3] [5] [7]. At the same time, reviewers remind readers that no‑logs claims are impossible to prove with absolute certainty and depend on corporate practices, audits, and legal processes; CNET explicitly notes that, as with any VPN, it’s impossible to verify a no‑logs promise 100% [3]. That tension between strong supporting evidence and theoretical limits of external verification is prominent in the coverage.
8. What available sources do not mention
Available sources do not mention any specific instances where Mullvad handed over identifiable user traffic logs to authorities or third parties, nor do they provide a public example of Mullvad producing per‑user connection timestamps or IP bindings from its infrastructure (not found in current reporting). Available sources do not provide the raw audit reports in full within these snippets, though they reference audits and summaries [5] [7].
Bottom line: public documentation, multiple independent reviews, and at least one enforcement action that yielded no data all back Mullvad’s claim that it does not retain traffic or connection logs; limited operational metrics, payment‑related data flows, and optional app telemetry are the main exceptions acknowledged in the company’s policies and by reviewers [2] [6] [9] [3].