Four top VPNs share your data with marketing software – and we worked out if you're at risk

Floating eyeballs watching a red laptop
(Image credit: J Studios / Getty Images)

VPNs are a vital tool for protecting our privacy online. They encrypt our data, protect it from dangerous third-parties, and often come with a host of additional cybersecurity features.

But recently there has been some concern surrounding the best VPNs and the implementation of the marketing analytics software, AppsFlyer.

AppsFlyer is a mobile marketing analytics and attribution platform, describing itself as a "global leader in marketing measurement, analytics, and engagement."

NordVPN and Surfshark both actively use AppsFlyer, and ExpressVPN has just trialled it – although it is now in the process of removing it.

These VPN providers are some of the very best on the market and all have proven no-logs policies – so potential third-party data sharing raises eyebrows.

Tom's Guide wanted to investigate the use of AppsFlyer to determine how it is used, what this means for users, and whether there's any risk to your data.

How AppsFlyer is used

Tom's Guide searched the privacy policies of 12 leading VPN providers for mentions of AppsFlyer and found it mentioned in four of them – NordVPN, Surfshark, ExpressVPN, and CyberGhost.

VPN providers with no mention of AppsFlyer in its privacy policy

Hide.me

IPVanish

Mullvad

PrivadoVPN

Private Internet Access

Proton VPN

PureVPN

Windscribe

The latter only appeared to use AppsFlyer on its website. However, the other three utilised AppsFlyer within their mobile apps.

CyberGhost claims it is "used to track and measure usage of the Site so that we can continue to provide engaging content." But it added that only "non-personal data" was collected.

Within most VPN app settings, you can opt-out of sharing anonymous data. This includes marketing performance as well as crash reports or feature usage data.

ExpressVPN

ExpressVPN had the most information on AppsFlyer. It says in its privacy policy that "we use AppsFlyer in our mobile apps to optimize our marketing."

ExpressVPN states AppsFlyer collects device information, including device model and OS, installation and in-app purchase data, and device identifiers.

The policy details that the data collected is not used to personally identify users, although AppsFlyer can see a user's IP address. ExpressVPN's policy follows this up by saying this information is "accessed only once" and "cannot be connected to any particular person" due to being irreversibly stored as an anonymized hash.

Screenshot of ExpressVPN privacy policy mentioning AppsFlyer

(Image credit: Future)

ExpressVPN's privacy policy says that neither it nor AppsFlyer stores a user's original IP address, and it cannot be released to anyone.

You have the opportunity to opt-out of data collection by AppsFlyer and can do so by adjusting your device settings or following AppsFlyer's opt-out instructions.

NordVPN & Surfshark

NordVPN and Surfshark are owned by Nord Security and both make little mention of AppsFlyer in their privacy policies.

Under the "Sharing Your Personal Data" section of its privacy policy, NordVPN says: "In some cases, we may need to share personal data with certain third parties, such as trusted service providers, partners, and other Nord group companies."

NordVPN's privacy policy states it uses third-party service providers to help with "various operations" and "as a result, some providers may process personal data."

NordVPN lists AppsFlyer as a "main long-term service provider" for "marketing, application analytics, and diagnostics."

Screenshot of NordVPN privacy policy mentioning AppsFlyer

(Image credit: Future)

Surfshark's mention of AppsFlyer in its privacy policy is also limited. It lists AppsFlyer as an "information recipient" for marketing services. Alongside other services, it states AppsFlyer is used to manage contacts and automate marketing.

Neither NordVPN or Surfshark explicitly state what type of data AppsFlyer is collecting and this formed a large part of our questioning when we contacted the providers.

Screenshot of Surfshark privacy policy mentioning AppsFlyer

(Image credit: Future)

The VPNs' response

We contacted all three providers for comment on their use of AppsFlyer.

Questions included how AppsFlyer was implemented into VPN services, what information AppsFlyer collected, what data protections were put in place, and whether AppsFlyer was hosted server-side or in-app.

ExpressVPN

ExpressVPN shared that AppsFlyer was only introduced on a trial basis and there are no plans to reintroduce the software.

ExpressVPN said: "We used AppsFlyer in a limited way to assess purchase attribution – this helped us better understand conversion rates for free trial redemptions and in-app purchases. As you have observed, we’ve explicitly outlined this in our privacy policy to ensure transparency."

"AppsFlyer operates in the same way as most other analytics platforms, and is a standard tool for attribution."

"ExpressVPN used AppsFlyer with our iOS app on a trial basis. Specifically, only iOS makes any use of AppsFlyer in the app itself."

"This trial has now ended, and we are in the process of removing this attribution tool from the iOS app. This will be finalized as part of our next scheduled release."

ExpressVPN mobile vpn apps

(Image credit: Future)

"Our Privacy Policy states that 'We do not collect logs of your online activity while you are connected to our Services, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.'"

"Our use of AppsFlyer is fully compliant with our privacy policy. We are absolutely committed to the privacy of our users and have considered the core principles of our privacy commitment at every step."

"We have no plans to re-add the AppsFlyer integration we referred to below, nor any other similar tool."

"As to whether the trial was a success or not – our core aim was to more accurately validate purchase conversions; we did not see a meaningful difference."

NordVPN

NordVPN said that AppsFlyer's data collection is limited to technical information and no identifiable data is collected. It confirmed that AppsFlyer's Software Development Kit (SDK) was built in-app, users could turn off analytics, and it had Data Protection Agreements in place.

NordVPN said: "We use AppsFlyer strictly for analytical purposes related to the effectiveness of marketing campaigns and conversion attribution. The information collected through AppsFlyer is limited to technical data, such as device model, operating system, app installation information, anonymized performance metrics and similar."

"AppsFlyer does not collect any information that directly identifies an individual, such as names, usernames, addresses, or any other type of sensitive personal information, including browsing activities, VPN usage data, passwords, or financial details."

"Additionally, we have Data Protection Agreements in place to ensure that the data remains confidential, is safeguarded with appropriate technical and organisational security measures, is used solely for purposes related to the services provided, and is not disclosed to any third parties without our authorisation."

"AppsFlyer SDK is in-built in Nord's apps. Customers can also turn off analytics from the app settings menu or by rejecting a consent prompt upon install."

NordVPN being used on iOS

(Image credit: NordVPN)

Surfshark

Surfshark also confirmed the collection of limited technical information and the presence of Data Protection Agreements. It stated that AppsFlyer's SDK was in-built into the Surfshark app but integration also took place server-side.

Surfshark said: "Surfshark uses the AppsFlyer tool for mobile channel sales monitoring; for example, it allows us to see sales split between organic traffic and Apple search ads."

"AppsFlyer collects limited information (e.g. ad engagement information, technical and device information, app installation information) used for our mobile channel sales monitoring and attributing app installations and in-app purchases to advertising sources."

"This data is only used for purposes related to the AppsFlyer services provided to Surfshark. To guarantee that the data stays confidential, we have Data Protection Agreements in place, and this data is protected with suitable technical and organizational security measures. Users also have a possibility to manage the use of analytic data in-app."

"There is AppsFlyer SDK in-built in Surfshark's app and integration is also implemented on server-side."

Surfshark on a Mac and iPhone

(Image credit: Future)

Is your data at risk?

All three VPNs stated that AppsFlyer's integration complies with their privacy policies and no personally identifiable information on users is collected or stored.

As mentioned earlier, all the providers have undergone independent security and no-logs audits. We have no reason to believe there is foul play occurring, and they're still some of the best VPNs available.

When comparing the three privacy policies, ExpressVPN is the most transparent, and we would like to see NordVPN and Surfshark share more details about AppsFlyer's use. Despite this, no provider hides its presence.

Despite no immediate risk, it is disappointing to see these providers allowing third-party access to data of any kind and we would challenge its necessity.

If you're using one of these providers as a streaming VPN or simply value the extra cybersecurity features, then you may not be concerned.

However, if you're more privacy conscious and want a VPN that collects as little information as possible, you may want to explore alternatives. Proton VPN and Mullvad are two of the most private VPNs out there.

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

TOPICS
George Phillips
Staff Writer

George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights and censorship, and its interplay with politics. Outside of work, George is passionate about music, Star Wars, and Karate.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.