While most commercial VPNs promise not to keep logs, there’s no way to verify those claims. You’re simply shifting trust from one party to another (from the ISP to the VPN). Some popular VPN companies have been known to hand over logs when requested by authorities, despite supposed no-log policies. VPN apps can also leave logs on your device, which sometimes contain usernames and email addresses, as noted in CR Digital Labs’ report. The Indian government even forces commercial VPNs to store usage logs linked to their customers’ real identities (via Entrackr). Although not as aggressive, other governments also have data retention policies.
VPNs cannot keep you safe from advertiser tracking, either; they can mask your IP address, but modern data collection is far more sophisticated. At any rate, IP addresses cannot pinpoint your location. Tracking based on IP addresses usually marks your ISP’s infrastructure, often located hundreds of miles away from your area.
Instead, companies leave cookies on your device that track your activity all over the web, create unique fingerprints for targeted advertising across devices, and track location via GPS. The cluster of information generates a hyper-detailed ad profile linked to you. VPN companies also have to work with third parties to, say, handle notifications or process payments. And they have to share your information with those parties — some vendors are more transparent in their sharing policy than others, but the majority give third parties access to user data, CR Digital Labs explains.