// start here

Your data. Your rules.

This guide is here to help you understand VPNs and online privacy in plain language.

Key Takeaways

A VPN is not magic. It shifts who sees your traffic, but doesn't make you invisible.
Free VPNs are often traps. If you're not paying, you're the product. Your data gets sold.
Privacy is normal. Wanting to control your information is not suspicious or "shady."
Trust matters more than features. Choose providers with independent audits and no-logs policies.

Quick Start: Free VPNs

Bitmask

Free, open-source VPN. Connects to vetted providers like Riseup.net and Calyx Institute. No accounts, no logs, no tracking. Third-party audited. Built by LEAP (same team behind RiseupVPN). Bypasses censorship.

Visit Bitmask →

Proton VPN

Free tier available. No-logs policy with independent audits. Based in Switzerland (strong privacy laws). Free tier is genuine, not a data trap.

⚠ Payment privacy warning

If you pay with debit/credit card or PayPal, your identity is linked to your account. Proton payment data was used to identify an activist. For maximum privacy, use cryptocurrency or prepaid cards.

Visit Proton VPN →

Red Flags: Close the Tab

Asking for ID, passport, or home address for "verification"
Free VPN requiring phone number to "activate"
Claims of "total anonymity" or "military-grade encryption" (marketing fluff)
No clear explanation of how they make money
Preferring non-private payment methods like credit/debit card or PayPal

// vpn picks

Choosing a VPN

Not all VPNs are equal. Here's what to look for.

What to Look For

No-logs policy with independent audit. A promise means nothing without verification.
Open source apps. Researchers can verify the code isn't doing anything shady.
Privacy-friendly jurisdiction. Avoid providers in the US, UK, or countries with weak privacy laws.
Anonymous payment options. Cash, cryptocurrency, or prepaid cards.
No personal info required. Email-optional or account-number-only registration.

Provider Options

Comparison of VPN providers. Click names to visit official sites (opens in new tab).
Service	Free?	Logging	Audit	Anon Pay	Notes
Bitmask	Yes	No logs	Yes	Free	Uses Riseup/Calyx. No accounts. Open source.
Proton VPN	Yes	No-logs	Yes	Crypto*	Good free tier. ⚠ Avoid card payments for privacy.
Mullvad	No	No logs	Yes (2024)	Cash, Crypto	Best for privacy. Account number only.
NymVPN	No	No logs	Yes (Cure53)	Crypto, PAYG	Most private (5-hop mixnet). Slower, no free tier.
RiseupVPN	Yes*	No logs	Community	Donations	Volunteer-run. No registration. Suggested $5/mo. ⚠ Fewer servers, no audits.
AirVPN	No	No logs	Yes	Crypto	Established (2010). Italy-based. Net neutrality advocate.
iVPN	No	No logs	Yes	Crypto, Cash	Gibraltar-based. Minimal data. Account number only.

Payment Privacy Matters

Even if a VPN has a no-logs policy, your payment method can link your identity to your account. For maximum privacy:

Mullvad: Send cash by mail, use crypto, or buy vouchers in stores
NymVPN: Use "Pay-as-you-go" with $NYM token—no account needed, truly anonymous
Proton VPN: Use cryptocurrency (Monero is best, Bitcoin works)
Any VPN: Avoid debit cards, credit cards, and PayPal if privacy is critical

// why privacy

Why Privacy Matters

"Privacy is not about having something to hide. It's about having something to protect."

Your personal information is valuable. Companies, governments, and bad actors want it—and they're willing to pay for it.

Who Wants Your Data

Advertisers

Build detailed profiles to manipulate what you see, buy, and believe. They use deception and abusive tactics to trick you into spending money.

Data Brokers

Buy and sell profiles of millions of people, including minors. Your data is their product and they will sell it to anyone willing to pay—stalkers, police, abusers, government agencies.

Your ISP

In many countries, your internet provider can legally log and sell your browsing history. Some ISPs hijack typos or referral links to track you and profit from your data.

Predators

Use location data, social engineering, and online traces to find real people in the real world.

Privacy is Normal

You close your curtains not because you're doing something wrong, but because what happens inside your home is your business. Online privacy is the same. You have the right to:

Control who sees your location and browsing habits
Keep health questions, identity resources, and personal topics private
Refuse to share your home address, school, or phone number just because a website asks

// what vpn

What Is a VPN?

VPN stands for Virtual Private Network. Here, "VPN" means a VPN service provider that routes your traffic through its servers—not a workplace VPN or a self-hosted one.

How It Works

Normally, your ISP can see the flow of internet traffic entering and leaving your network. It usually cannot see exactly what you read thanks to HTTPS, but it can still see which domains you connect to.

A VPN encrypts traffic between your device and a server run by the VPN provider. Your ISP then sees only that you're connected to a VPN, not the specific activity moving through it.

Without a VPN: Your ISP sees which sites you visit, and websites see your real IP address.

With a VPN: Your ISP sees only the VPN connection, websites see the VPN IP, and the VPN provider can still see your traffic.

Key Point: Trust Shift

Using a VPN does not eliminate monitoring—it shifts who you trust. Your ISP can no longer see your traffic, but the VPN provider now can. That is why choosing a trustworthy provider with verified privacy practices matters.

What a VPN Does

Hides traffic from your ISP. It cannot easily see which sites you visit or what you download.
Hides your IP from websites. This helps reduce some forms of geographic tracking.
Bypasses geo-restrictions. It can help you access content blocked in your region.
Protects you on public Wi-Fi. It encrypts traffic on untrusted networks.

What a VPN Does Not Do

It does not make you anonymous. If you log into Google or Facebook, those services still know it's you.
It does not encrypt traffic beyond the VPN server. The connection between the VPN server and a website is only encrypted if the site uses HTTPS. Always use HTTPS.
It does not protect against malware. You still need safe habits and security tools.
It does not stop browser fingerprinting. A VPN helps with network privacy, not browser identity.
A "no-logs" claim is only as good as its verification. Choose providers with independent audits.

VPN vs. Tor

VPN

Trust model: You trust one company completely.

Use when: You want to hide activity from your ISP, bypass geo-blocks, or protect yourself on public Wi-Fi.

Tor Browser

Trust model: No single party knows both who you are and where you're going.

Use when: You need stronger anonymity, face higher risk, or do not want to trust any single provider.

Should you use Tor over a VPN? Generally, no. Tor's strength is that no single party knows both who you are and where you're going. Connecting to Tor through a VPN gives the VPN provider more visibility. If you need Tor, connect directly. Learn more about Tor →

// other tools

Other Privacy Tools

A VPN is one layer. Different tools do different jobs. Use them together for better protection.

Tor Browser

Onion Routing Network

Routes your traffic through 3 volunteer-run servers. No single party knows both who you are and where you're going. Slower than VPN, but stronger privacy.

Download Tor Browser →

uBlock Origin

Ad & Tracker Blocker

The gold standard for blocking ads, trackers, and malware. Works alongside your VPN. Free and open source.

Get uBlock Origin →

Signal

Encrypted Messaging

End-to-end encrypted messaging and calls. Signal cannot read your messages even if legally compelled. Open source and audited.

Get Signal →

Bitwarden

Password Manager

Generate and store unique, strong passwords for every site. Open source, audited, and free for personal use.

Get Bitwarden →

Learn More: PrivacyGuides.org

For comprehensive, community-maintained recommendations on privacy tools (browsers, email, messaging, operating systems, and more), visit PrivacyGuides.org. They provide unbiased, research-backed recommendations without sponsored content or affiliate programs.

Important: Many VPN review sites are advertising vehicles open to the highest bidder. Privacy Guides does not make money recommending products and does not use affiliate programs.

// threat models

What Are You Protecting Against?

Different situations need different tools. Pick your scenario:

Parent / Shared Home Network

VPN Hides:

ISP sees VPN connection instead of website list
Websites see VPN IP instead of home IP

VPN Cannot Hide:

Browser history on the device
Activity on logged-in accounts
Parental control software installed on device

School Network

VPN Hides:

School Wi-Fi sees a VPN connection, not every destination
Protects browsing on your own device

VPN Cannot Hide:

Violation of school policy (can cause discipline)
School-managed devices (screens/apps are monitored)

Work / Part-time Job Wi-Fi

VPN Hides:

Work Wi-Fi sees a VPN connection, not every personal site

VPN Cannot Hide:

Employer-owned devices are monitored
Logged-in accounts that still identify you

Public Advocacy / Protest

VPN Hides:

Keeps home IP away from some observers
Reduces direct link between post and front door

VPN Cannot Hide:

Face, voice, writing style, and metadata
Platform records and legal risks

// red flags

Don't Fall for the "Safety" Trap

"It's for safety." "We verify you're 18+." "Think of the children." You've heard this before. It's how they justify collecting ID, banning privacy tools, normalizing surveillance. Don't buy it.

The "Safety" Argument, Decoded

"ID Verification Protects Kids"

Requiring government IDs to access the internet doesn't stop predators. It creates a massive database of everyone's real identity, linked to what they read online. When that database is breached, sold, or subpoenaed—that's the real danger.

"Banning VPNs Stops Crime"

Criminals find workarounds. Banning VPNs only affects regular people who want to protect their browsing from ISPs, employers, or network monitoring. It doesn't stop anyone determined to do harm—it just makes privacy illegal for everyone else.

"Real Names Prevent Abuse"

Forcing real names online doesn't stop harassment. It makes it easier for abusers to find targets in the real world. Privacy protects vulnerable people, not the guilty.

Warning Signs: Close the Tab

!! RED FLAG

Asking for your home address just to create an account

!! RED FLAG

Requiring government ID or live webcam for "age verification"

!! RED FLAG

Pressuring to turn off your Adblocker or VPN.

!! RED FLAG

Claims of "total anonymity" "military-grade encryption"

✓ GREEN FLAG

Plain privacy policy says exactly what data is collected and why

✓ GREEN FLAG

Transparency section on website shows responses to government/court orders.

✓ GREEN FLAG

Clear limits: doesn't promise magic

Anonymous SMS Verification

Some services require SMS verification to create an account. Instead of using your real phone number, use services that let you receive one-time verification codes on a temporary, anonymous number:

SMSPool.net – Pay a small fee per verification code
TextVerified.com – Another reliable option for one-time verifications

Pay with cryptocurrency for maximum privacy. Use a different number for each service to prevent cross-linking. These services work for most platforms that require SMS verification to create an account.

The Real Risk

When a service asks for your ID, address, or phone number "for safety," they're building a record of who you are and what you access. That record outlives the service itself. Breaches happen. Subpoenas happen. Data brokers trade in this information. Once your data is out there, you can't take it back.

Your real-world identity and your online activity isn't linked by defaulted by default.

// payment

Paying Privately

If you want to subscribe without linking your identity to your account, here's how.

Option 1: Prepaid Cards (Easiest)

Buy a prepaid Visa/Mastercard gift card with cash at a store
Use it to pay for the VPN online
Register with a throwaway email (use SimpleLogin or ProtonMail)

Option 2: Cryptocurrency (More Private)

Use P2P exchanges to buy Bitcoin or Monero without KYC (identity verification):

Bisq — decentralized, no registration
RoboSats — simple, Lightning support
Retroswap — Monero-focused P2P

Best for: Mullvad, Proton VPN

Note: Monero (XMR) is more private than Bitcoin. Bitcoin transactions are public and traceable.

Warnings

Crypto is volatile. Values change rapidly. Only buy what you need.
Crypto is irreversible. If you send to the wrong address, it's gone.
Never send money to strangers who DM you. Scammers target people asking about privacy tools.
Talk to a trusted adult before using P2P exchanges if you're unsure.

// scenarios

What If...

Real-world situations and how to handle them.

Someone asks where I live or go to school

DO: Stop answering. You don't owe anyone your location. Genuine friends respect boundaries. Say "I don't share that kind of info online."

DON'T: Give partial answers like "somewhere in Texas." They can be pieced together with other clues to find you.

A website wants my passport for age verification

DO: Question if you actually need the site. Uploading ID to random websites is a huge identity theft risk. Look for alternatives that don't require ID.

DON'T: Submit government IDs to sites you don't fully trust. Once your data is out there, you can't take it back. Breaches happen constantly.

My school Wi-Fi blocks sites I need

DO: Use mobile data if you have it. Understand that bypassing school filters may violate school policy.

DON'T: Use this guide to break school rules. ;-)

An app asks for permissions it doesn't need

DO: Deny permissions that aren't necessary. A flashlight app doesn't need your location. A game doesn't need your contacts.

DON'T: Accept all permissions by default. Many apps request excessive permissions as a data collection strategy.

// privacyguides

Want learn more?

Looking ways protect privacy find better alternatives corporate services spy you? Check out PrivacyGuides.org trusted, independent advice.

// glossary

The Lingo

Key terms you'll see when reading about privacy and VPNs.

IP Address: Your device's "return address" on the internet. Websites use it to know where to send data back. It reveals your approximate location.
ISP (Internet Service Provider): The company you pay for internet access (e.g., Comcast, AT&T, BT). They can see every website you visit unless you use a VPN or encrypted DNS.
No-Logs Policy: A VPN's promise not to record your activity. Only meaningful if verified by an independent audit. Otherwise, it's just marketing.
Encryption: Scrambling data so only the intended recipient can read it. HTTPS (the padlock in your browser) encrypts your connection to websites.
DNS Leak: When your device asks your ISP for a website's address instead of your VPN's DNS server. This reveals what sites you're visiting. Test at dnsleaktest.com.
KYC (Know Your Customer): Identity verification requirements used by banks and crypto exchanges. Requires government ID. Creates a permanent record linking your identity to your account.
Metadata: Data about data. For encrypted messages, metadata reveals who you talked to, when, and for how long—without showing what was said. Metadata alone is very revealing.
HTTPS: Encrypted HTTP. The padlock icon in your browser. Ensures your connection to a website is encrypted. A VPN does NOT add encryption between VPN server and website—you must use HTTPS regardless.
Threat Model: A way thinking who wants data, why, what tools have. threat model determines which privacy tools appropriate. journalist protecting sources different threat model than someone avoiding targeted ads.
Fingerprinting: Technique websites use identify unique device based browser configuration, screen resolution, installed fonts, other technical details. Even without cookies, fingerprinting track across sessions. Use Tor Browser uniform fingerprint, disable JavaScript, use privacy-focused browsers reduce uniqueness.