What is a no-logs policy

Every VPN says "no logs." The phrase is a marketing baseline at this point — even providers who do log claim some version of it. The differences are in the small print: what they actually keep, what they don't, and whether the claim has been audited or just asserted.

What "no logs" should mean

A meaningful no-logs commitment covers three categories:

• Browsing history — the websites you visit. Should not be logged. If they are, the VPN is functionally pointless for privacy.
• DNS queries — the domains you look up. Should not be logged. DNS is where most privacy leaks happen.
• Traffic content — the data inside your packets. Should not be logged. This is what encryption protects in transit; it shouldn't be captured at the exit either.

Fexyn's commitment is exactly this: no browsing-history, DNS-query, or traffic-content logs. Read the full no-logs policy for the specifics, including what we do keep.

What every VPN keeps (and that's fine)

Subscription billing requires keeping something. So does abuse handling and basic operations. The honest no-logs providers list what they retain:

• Account data — email, hashed password, billing record. Required to run a paid service.
• Aggregated connection counters — how many devices are online, total bandwidth used per server. Required for capacity planning. Can be aggregated rather than per-user.
• Security events — failed logins, brute-force attempts, abuse reports. Required for security operations.

A VPN that says "we don't log anything" without listing what they actually do keep is being imprecise. Subscription billing requires a database; the question is what's in it.

What an audit means

Independent audits — Cure53, Deloitte, KPMG, PwC — test the claim. The audit is a snapshot: it says "at the time of the audit, the systems matched the policy." It does not guarantee future behaviour.

NordVPN, ExpressVPN, Mullvad, and ProtonVPN have all done public no-logs audits. Surfshark has done partial ones. Fexyn has not yet completed a public audit; we're transparent about that on the no-logs policy page. When we have one, we'll publish the result.

A claim of "audited" without a published report is a marketing claim, not a security claim. Always look for the actual report.

Why jurisdiction matters

Different countries have different rules about what a VPN provider must log and what they must hand over on request. Five Eyes countries (US, UK, Canada, Australia, NZ) share intelligence; some non-Five Eyes jurisdictions have their own retention laws. The interaction between policy and jurisdiction is what actually determines what data exists and who can demand it.

Fexyn is registered in Wyoming, US. We chose Wyoming for the entity-level privacy protections and the requirement of warrants for subscriber data. The trade-off is that the US is a Five Eyes member, which we don't pretend isn't true; the mitigation is the no-logs structure plus short-lived certificates that bound any single compromise.

For users where this matters most — journalists, activists, people in restrictive regimes — read the policy carefully and decide whether the structure works for your threat model.

Try Fexyn free for 7 days — what we don't keep is documented in plain English.