Free VPN Myths and Truths: What Free Actually Costs You

Free VPNs aren't free. The read on which free tiers survive scrutiny, which ones to uninstall today, and five questions to ask before trusting any VPN.


Free VPNs aren’t free. They’re paid for in three ways most users never check. The vendor sells your traffic to advertisers, resells your bandwidth as a residential proxy, or bundles adware into the install. The honest exceptions are real, but they’re outnumbered roughly twenty to one on the Play Store charts.

This is the read on free VPNs. Which ones survive scrutiny, which ones to uninstall today, and the five questions to ask before trusting any VPN with your traffic. The bar is higher than it was. Mozilla, the FTC, and a small set of independent auditors have spent six years building the public record that makes the call easier.

TL;DR

The pick: ProtonVPN Free. No data cap, ten free server countries, annual no-logs audit, no ads.

Good alternatives: Windscribe Free (10 GB monthly) for moderate use, TunnelBear Free (2 GB monthly) for occasional public Wi-Fi.

Skip if: the VPN is bundled with antivirus or speed-booster apps, asks for SMS or contacts permissions, or doesn’t publish a no-logs audit.

The thesis: free VPNs aren’t a category, they’re two categories pretending to be one

One free-VPN model funds itself on a paid tier. The other funds itself on you. Treat them as the same product and the privacy math collapses.

The honest tier exists because a paying subscriber base subsidizes free users at roughly fifty cents per active user per month, the rough server-and-bandwidth cost. ProtonVPN, TunnelBear, and Windscribe all run this way. The dishonest tier funds itself elsewhere: an ad network, a data broker, or a residential-proxy resale customer that turned the user’s phone into an exit node.

Telling the two apart before installing is the reader’s job. The rest of this article is the evidence.

Why most “free” VPNs aren’t actually free

If the business model isn’t visible, the user is the business model. Three monetization paths dominate the dishonest tier.

The first is direct data sale. In February 2024, the Federal Trade Commission settled with Avast for $16.5 million. The complaint alleged that Avast’s antivirus and free-VPN products sold browsing histories through its Jumpshot subsidiary, despite years of marketing copy promising the opposite. The order required Avast to delete the harvested data, scrap the derived algorithms, and obtain explicit consent before any future browsing-data sale. The lesson: “no-logs” claims unsupported by an independent audit are marketing, not policy.

The second is residential-proxy resale. Your phone becomes a node in a paid proxy network. Other customers route through that node to scrape websites, run ad-verification jobs, and occasionally commit fraud, all attached to your IP. Hola VPN built its business on this model under the Luminati brand starting. The company charged external customers $20 per gigabyte of bandwidth siphoned from free users, rebranded as Bright Data in March 2021, and kept the residential-IP pipeline running.

The third is malware bundling. The widely cited 2016 CSIRO study tested 283 Android VPN apps. 38 percent contained malware. 75 percent used third-party tracking libraries. 82 percent requested sensitive permissions like contacts and SMS. 84 percent leaked traffic measurably. The numbers got worse before they got better. Spot-checks and 2025 show the install-base composition has improved at the top of the charts. The long tail of obscure free VPNs still trips most of the same wires.

The honest free tier: ProtonVPN Free

One free tier survives every scrutiny test we can throw at it. ProtonVPN Free is the unusual case.

The Swiss parent company runs a paid Plus tier (currently fifty dollars a year if you commit) that subsidizes the free tier directly. The no-logs audit has been renewed annually since 2020. The open-source Android client is publicly reviewable on GitHub. The corporate ownership structure is disclosed in plain English on the site.

As of May 2026, free users get ten server countries: the United States, Japan, the Netherlands, Romania, Poland, Norway, Canada, Switzerland, Singapore, and Mexico. The plan ships unlimited bandwidth, one device, AES-256 with ChaCha20 fallback, and the same kill-switch behavior the paid tier ships.

What it doesn’t give you: server selection (the app picks for you), streaming-optimized servers, peer-to-peer support, split tunneling, or the Secure Core multi-hop routing. Speeds drop during peak hours because paid users get queue priority. The connection stays usable for browsing and one-stream-at-a-time video. For anyone reading our case for why a VPN belongs on Android, ProtonVPN Free is the no-friction default.

The lower-volume options: TunnelBear and Windscribe

If ProtonVPN’s server selection bothers you, two audited alternatives exist with hard data caps. Both are good. Both are limited on purpose.

TunnelBear, owned by McAfee since 2018, gives free users 2 GB of monthly traffic across forty-seven country locations. The privacy posture is solid. An annual public security audit by Cure53 has run since 2017. The apps are reasonably transparent. The Canadian-team origin keeps it outside Five Eyes data-retention regimes, though the McAfee parent is American, which matters for some threat models. The 2 GB cap covers occasional public-Wi-Fi browsing and email; it does not cover video.

Windscribe is the more generous option, giving 10 GB monthly to users who confirm their email plus eleven server locations on the free tier. The Canadian company publishes a detailed transparency report, has been independently audited, and unusually does not cap the number of simultaneous devices on the free plan. 10 GB covers a few hours of HD streaming or a moderate browsing-and-email month. The configurable firewall and ad-blocker are inherited from the paid tier intact.

Quick take

If you want free and safe, use ProtonVPN Free. If you need more than ~10 GB a month or want a server you can pick, you have outgrown free; pay for a tier from Mullvad, Proton, or IVPN.

The categories to avoid entirely

Four red-flag patterns flag the dishonest tier on sight. Treat any one as disqualifying.

Any free VPN bundled with a free antivirus, free speed booster, or free phone-cleaner app is the first pattern. The bundling is the tell: the vendor needs a second monetizable surface because the VPN itself isn’t paying for the servers. The Top10VPN audit found that bundled-utility free VPNs over-indexed dramatically on excessive Android permissions, particularly contacts, SMS, and accessibility-service access. None of those are required to run a VPN.

The second is any free VPN headquartered in a jurisdiction with mandatory data-retention laws and no independent audit. Russian, Belarusian, and certain Hong Kong free VPNs sit here. Pakistan and Iran passed local-routing laws-2025 that compromise the VPN guarantee structurally. Jurisdiction is policy, not branding.

The third is Hola VPN and any of its rebrands or whitelabel forks. The Hola model was, and still is, to turn free users into exit nodes for the Bright Data residential-proxy network. The Trustwave disclosure was the cleanest public account. The corporate structure has shifted twice since; the bandwidth-resale pipeline has not.

The fourth is browser-extension-only VPNs that ask for permission to read all data on every site you visit. The permission is technically necessary for the extension to function. Functionally, it gives the vendor a near-complete record of your browsing. Pair the read-all-sites permission with an unaudited privacy policy and the threat model is worse than no VPN. Our broader six-step Android security walkthrough covers the extension audit alongside app-side hygiene.

The counter: when free is actually fine

Free isn’t always the wrong choice; it’s the wrong choice for the wrong job. Three use cases are genuinely served by a free tier.

The first is intermittent geo-shifting. If you check what a website looks like from a different country once a week, ProtonVPN Free’s ten server countries handle it without a paid subscription. The latency hit is real but the use case is low-volume by definition.

The second is short-trip public-Wi-Fi protection. Two days at an airport hotel and an open-Wi-Fi cafe sit well inside TunnelBear’s 2 GB monthly window. A free tier from an audited vendor beats unprotected Wi-Fi in every threat model, peak-hour slowdowns included. Public Wi-Fi hygiene is the broader frame; a free VPN is one layer of it.

The third is the budget-permanent personal browsing case. You use a VPN to add a layer of cover to personal browsing on a phone you don’t use for work. 4K streaming isn’t on the table. A free tier covers ninety percent of the threat model. The argument for paying flips when streaming, gaming, or torrenting enters the picture, which is where our annually maintained paid-VPN ranking matters.

At a glance

Service                   | Monthly cap | Server countries | Jurisdiction           | Privacy posture
ProtonVPN Free            | Unlimited   | 10               | Switzerland            | Annual no-logs audit since 2020; open-source clients
Windscribe Free           | 10 GB       | 11               | Canada                 | Independent audit; transparency report; unlimited devices
TunnelBear Free           | 2 GB        | 47               | Canada (McAfee-owned)  | Annual Cure53 audit since 2017
Hola VPN                  | Unlimited   | N/A              | Israel (Bright Data)   | Sells user bandwidth as residential proxy; avoid
Random app-store free VPN | Varies      | Unknown          | Often opaque           | No public audit; assume worst case

What to verify before trusting any VPN

Five questions separate the legitimate VPNs from the rest. ProtonVPN, TunnelBear, and Windscribe answer all five cleanly; most others fail at least two.

  • Recent independent no-logs audit? Within the last twelve months, by Cure53, Securitum, Deloitte, KPMG, or a recognized peer. “Internal audit” doesn’t count.
  • Jurisdiction? Switzerland, Panama, and the British Virgin Islands have favorable case law; Five Eyes and Fourteen Eyes do not. Mandatory data-retention laws compromise the no-logs claim structurally.
  • Disclosed ownership? Shell-company structures, undisclosed parents, and recent ownership changes are real risk signals.
  • Android permissions match a VPN’s actual needs? Only the VPN service and notification permissions. If the install asks for SMS, contacts, accessibility service, or device administrator access, uninstall.
  • Sustainable business model? Paid-tier subsidy, an enterprise product line, or a foundation grant are defensible. Ad-supported free VPNs and bandwidth-resale operations are not.
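
The permissions question in the list above can be checked from a workstation. As an added example (not part of the original guide), this shell function reads the text of `adb shell dumpsys package <pkg>` and flags the SMS, contacts, accessibility-service, and device-administrator asks named there. The package name com.example.freevpn and the sample dump are constructed, and the dumpsys layout is assumed to match recent Android builds.

```sh
#!/bin/sh
# Added example (not from the article). Flags what a VPN app asks for beyond
# the VPN service and notifications, reading the text of
# `adb shell dumpsys package <pkg>` on stdin. Empty output = nothing flagged.
audit_vpn_perms() {
  awk '
    /^[ \t]*requested permissions:/ { in_req = 1; next }
    # Any other "name:" header ends the requested-permissions list.
    in_req && /^[ \t]*[A-Za-z ]+:[ \t]*$/ { in_req = 0 }
    in_req {
      perm = $1; sub(/:.*/, "", perm)   # drop suffixes such as ": restricted=true"
      if (perm ~ /\.(READ|SEND|RECEIVE)_(SMS|MMS)$/) print "FLAG sms " perm
      else if (perm ~ /\.(READ|WRITE)_CONTACTS$/)    print "FLAG contacts " perm
    }
    # Accessibility services and device-admin receivers are declared as
    # components, so look for their intent actions / bind permissions anywhere.
    !acc && /android\.accessibilityservice\.AccessibilityService|BIND_ACCESSIBILITY_SERVICE/ {
      print "FLAG accessibility-service"; acc = 1
    }
    !adm && /android\.app\.action\.DEVICE_ADMIN_ENABLED|BIND_DEVICE_ADMIN/ {
      print "FLAG device-admin"; adm = 1
    }
  '
}

# Constructed sample modelled on dumpsys output; com.example.freevpn is hypothetical.
sample_dumpsys() {
  cat <<'EOF'
Service Resolver Table:
  Non-Data Actions:
      android.net.VpnService:
        1a2b3c4 com.example.freevpn/.TunnelService filter 5d6e7f8
      android.accessibilityservice.AccessibilityService:
        9a8b7c6 com.example.freevpn/.BoosterService filter 0f1e2d3
Packages:
  Package [com.example.freevpn] (4c5d6e7):
    requested permissions:
      android.permission.INTERNET
      android.permission.FOREGROUND_SERVICE
      android.permission.POST_NOTIFICATIONS
      android.permission.READ_SMS: restricted=true
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
EOF
}

sample_dumpsys | audit_vpn_perms
```

Against a connected device, pipe the real dump into the function: `adb shell dumpsys package <package> | audit_vpn_perms`.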

The Electronic Frontier Foundation’s Surveillance Self-Defense library has tracked the VPN-vendor ecosystem since 2018 and remains the cleanest non-commercial reference. Mozilla’s Privacy Not Included VPN reviews are the lay-reader complement to it.

FAQ

Is ProtonVPN Free really free forever?

Yes. ProtonVPN’s free tier has run continuously since 2017 and is funded by the company’s paid subscribers and the broader Proton ecosystem (Mail, Drive, Calendar, Pass). The Swiss parent is privately held and discloses its ownership structure. There is no time-limited trial mechanic.

Will any free VPN unblock Netflix or Disney Plus?

Almost never. Streaming services maintain real-time blocklists of known VPN IP ranges, and the free-tier IPs are the first to be flagged. Paid services maintain dedicated streaming server pools that get rotated when blocks land; free tiers do not. If a free VPN does briefly unblock a service, expect it to stop working within weeks.

Is a free browser-extension VPN safer than a free app VPN?

Usually no. Browser-extension VPNs only protect browser traffic; every other app on the device sends data over the unprotected connection. The permission model is also broader. A browser extension typically requires permission to read all data on every site you visit. That is a higher trust ask than a system-level VPN.

Do paid VPNs also sell user data?

Reputable paid VPNs do not. The verification is the audit, the jurisdiction, and the business model, the same three checks you apply to free VPNs. Mullvad and IVPN go a step further by accepting cash payments to avoid any account-linkage. If a paid VPN can’t produce a recent independent audit, treat its no-logs claim with the same skepticism you’d apply to a free one.

How do I tell if a free VPN is reselling my bandwidth?

Three tells. The Terms of Service has a clause permitting your device to act as a node in a network, even if the wording is oblique. The vendor also operates a paid commercial proxy product under a related brand. The Android app keeps the VPN session alive when the phone is idle and the screen is off, with steady upstream traffic. Hola and its lineage are the textbook case; the pattern recurs on smaller free VPNs that appear on the charts and then vanish.

Bottom line

Free VPNs aren’t free; they’re paid for in three ways most users never check. The opening claim is the closing claim, but you now have the receipts. The Avast settlement, the CSIRO study, the Hola-to-Bright-Data lineage, and the audit cadence at Proton, TunnelBear, and Windscribe are not equivalent data points. They tell you which tier of the free-VPN market a vendor sits in. The gap between the tiers is wide enough to drive the decision.

The shortest decision rule fits in two sentences. If you want a free VPN and need it to be honest, use ProtonVPN Free. If you outgrow ten gigabytes of monthly traffic or want a server you can pick, you have outgrown free. Pay for a real plan, or skip the VPN until you can.

The five-question filter survives every refresh of this article. Vendors change; the questions do not. That is the editorial spine of free-VPN literacy.

How we put this guide together

The picks reflect what we install and test on current Android builds. Hardware: Pixel 8a and Galaxy S24 running Android 15 and Android 16, cross-checked against vendor documentation and the public audit record. Primary sources: the FTC’s 2024 Avast consent decree, CSIRO’s 2016 Android-VPN study, the EFF Surveillance Self-Defense library, and Mozilla’s Privacy Not Included reviews. Vendor-side: audits and transparency reports from Proton, TunnelBear, and Windscribe. We update each guide when material vendor behavior changes. This revision is current as of May 2026.