Free VPN vs Paid VPN: Who's Actually Paying For Your "Free" Connection?

Server capacity, bandwidth, and staff aren't free for the company running your VPN either. Someone is covering that cost — the question worth answering before you install anything is who.

Published Jul 1, 2026
Updated Jul 1, 2026
10 min read

A VPN server doesn't run on goodwill. Bandwidth costs money, server hosting costs money, and the people writing and maintaining the app expect a paycheck. A paid VPN answers the "who's paying for this" question in one sentence: you are, via your subscription. A free VPN has to answer it some other way, and that answer is the entire story of whether the app is safe to put on your phone.

Sometimes the answer is boring and fine — a company subsidizes a limited free tier to get you to try the paid product, the way Proton VPN's free plan works. Sometimes the answer is that your bandwidth and IP address are themselves the thing being sold to someone else. Both models exist under the word "free," and most people have no way to tell which one they downloaded.

You're asking the wrong question

"Is this free VPN safe" is the question everyone asks, and it's the wrong one because it treats safety as a fixed property of the app rather than a consequence of how it makes money. The right first question is simpler: if I'm not paying, what is this company actually selling, and to whom? Once you can answer that, whether the app is "safe" mostly answers itself.

There are really only four honest answers a free VPN can give. It's selling you eventually, by funneling free users toward a paid upgrade. It's selling your bandwidth, by routing other people's traffic through your connection. It's selling your data, by logging your activity for advertisers or data brokers. Or it's selling something adjacent, the way Facebook used a "security" app to study which competitors were worth acquiring. Only the first one is a business model you should feel fine about.

How a free VPN actually pays its server bill

Look past the marketing copy on any free VPN's landing page and the revenue model usually falls into one of a few patterns. None of these are hypothetical — each one below is something a real, widely downloaded VPN app has done.

Reselling your bandwidth. Hola VPN marketed itself in the early 2010s as a "people-powered" free VPN — you'd get free access, and in exchange your idle bandwidth would help route other users' traffic. What the company didn't make clear was that it operated a commercial subsidiary, Luminati Networks, which sold access to that same pool of residential IP addresses to paying business customers. Reporting at the time found that Hola's roughly 47 million users had effectively become exit nodes for anyone willing to pay Luminati, with no clear disclosure that this was the actual product.

Harvesting usage data for a completely different business. Facebook's Onavo Protect is the clearest example on record. Marketed as a security and data-saving tool, it collected detailed logs of which apps people opened, how long they used them, and what traffic flowed through the device. That data reportedly helped Facebook see which apps — including WhatsApp and Instagram, both later acquired — were gaining traction before the broader market noticed. Apple eventually pulled Onavo from the App Store for violating its data-collection policies, but by then it had been installed for years.

Selling ad and tracking data outright. This is the most common pattern and the least dramatic — a free VPN embeds third-party analytics and advertising SDKs into the app, the same way a free mobile game might, and the data those SDKs collect gets monetized through the normal ad-tech pipeline. It rarely makes headlines because it's not one dramatic event; it's just quiet, continuous data collection running in the background of an app whose entire premise is supposed to be reducing exactly that.

What happens when researchers open the hood

The most rigorous look at this came from a 2016 academic study, run jointly by CSIRO's Data61, the University of New South Wales, UC Berkeley, and the International Computer Science Institute (ICSI). The team pulled 283 VPN-permission Android apps from the Google Play Store — not a cherry-picked list of shady apps, just a broad sample of what was actually available — and ran each one through static and live traffic analysis.

  • 38% of the apps tested contained detectable malware
  • 75% embedded at least one third-party tracking library
  • 18% didn't encrypt the traffic passing through the "VPN" tunnel at all
  • 84% leaked traffic over IPv6, undermining the tunnel entirely

The comparison that matters most for this article sits inside the same dataset: among the paid VPN providers in the study, roughly two-thirds kept no third-party trackers at all. Among the free providers, that number dropped to a little over a quarter. That gap is not a coincidence — it's the direct, measurable fingerprint of two different business models running through the same category of app.

A study from 2016 in an app landscape from 2026

The exact app names in that research are mostly gone from the stores now, and the industry has matured in places. But the underlying economics haven't changed — a free app still needs a revenue source, and researchers examining fresh samples of free VPN apps keep finding the same categories of problem, just with different app names attached. Treat the pattern as current even where the specific apps aren't.

A short history of free VPNs going wrong

Academic studies establish the pattern. These are the moments the pattern became a headline.

2015: Hola VPN's bandwidth-reselling business surfaces
Security researchers and journalists revealed that Hola's free users were, without clear disclosure, functioning as exit nodes for Luminati Networks' paid proxy service — effectively a monetized botnet built on top of a "free" privacy tool.

2018: Apple removes Facebook's Onavo Protect
After years of Onavo collecting granular app-usage data under the banner of "protection," Apple pulled it from the App Store for violating data-collection terms. The data it had already gathered reportedly informed some of Facebook's biggest acquisition decisions.

2022: SuperVPN, GeckoVPN, and ChatVPN — 21 million records
A threat actor leaked databases claiming to hold 21 million user records from three free Android VPN apps, including emails, device identifiers, and location data — sourced, reportedly, from databases the developers had left exposed with default credentials still in place.

2023: SuperVPN again — 360 million records this time
Security researcher Jeremiah Fowler found a separate, unsecured 133 GB database tied to SuperVPN containing over 360 million records — IP addresses, geolocation data, visited sites, and account details — directly contradicting the app's stated no-logs policy.

What a subscription is actually buying you

It isn't the encryption itself — AES-256 and WireGuard are the same open standards whether you pay for them or not. What a subscription actually funds is the stuff that's expensive and boring: dedicated server capacity instead of an overcrowded shared pool, a team that can commission and publish a real third-party audit, and a straightforward incentive structure where the company's revenue depends on you staying subscribed rather than on some other business quietly monetizing you in the background.

Typical free VPN
  • Revenue source often unclear or undisclosed
  • Shared, congested server pool
  • Rarely published, independently audited
  • Data caps or forced speed throttling
  • Third-party ad/tracking SDKs common
Typical paid VPN
  • Revenue source is your subscription, full stop
  • Dedicated infrastructure sized to subscriber load
  • Audit reports published and attributable to a named firm
  • Unlimited bandwidth on the plan you're paying for
  • No commercial reason to embed third-party trackers

When a free VPN is genuinely fine

This isn't a blanket case against every free option. A small number of providers run a legitimate free tier on the exact same infrastructure and codebase as their paid product — Proton VPN's free plan is the standard example, with unlimited data, no ads, and the same open-source, audited apps as the paid tier. Windscribe and TunnelBear offer smaller but similarly transparent free allowances funded by their paid upgrades rather than by your data.

If your actual use case is light — checking email on public Wi-Fi at a coffee shop, or getting around a mild regional content block once in a while — a reputable free tier from a company that also sells a paid product is a reasonable choice. What changes the calculation is anything that actually matters: banking, sensitive communication, or routine daily use where a slow leak of metadata over months adds up to a real profile of your habits.

Red flags before you install anything

Run any free VPN through this list before it touches your phone.

No clearly stated company or headquarters. If you can't find who actually runs the app or where they're legally based, there's no jurisdiction holding them accountable for what they do with your traffic.
Unlimited "free forever" with no visible paid tier. If there's no product they're hoping to upsell you to, ask what else is funding the servers.
A "no-logs" claim with zero audit behind it. Anyone can write that sentence in a privacy policy. Only an independent audit report gives it any weight.
Nearly identical apps under different developer names. SuperVPN was listed under different developer accounts on Android and iOS despite sharing branding — a pattern worth treating as an automatic red flag.
Excessive permission requests. A VPN needs network permissions. It doesn't need your contacts, your SMS messages, or your precise location history to route your traffic.
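Two of the red flags above (unneeded permissions, and one brand published under several developer accounts) can be checked mechanically from a store listing. The script below is an added example, not code from the article; the Android permission names are real identifiers, while the app titles and developer accounts are constructed samples.

```python
# Triage a VPN app listing against two red flags: permission requests a VPN
# client has no reason to make, and identical branding under different
# developer accounts. Permission strings are real Android identifiers; the
# listings at the bottom are constructed for this example.

# What a VPN client legitimately needs to bring up and keep a tunnel running.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.POST_NOTIFICATIONS",
}

# Permissions that expose personal data a tunnel never has to touch.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_PHONE_STATE",
}

def excessive_permissions(requested):
    """Requested permissions beyond what a VPN needs; sensitive ones listed first."""
    extra = set(requested) - EXPECTED
    return sorted(extra & SENSITIVE) + sorted(extra - SENSITIVE)

def duplicate_branding(listings):
    """Map normalised app title -> developer accounts, keeping titles used by more than one."""
    by_title = {}
    for app in listings:
        by_title.setdefault(app["title"].strip().lower(), set()).add(app["developer"])
    return {title: devs for title, devs in by_title.items() if len(devs) > 1}

def triage(app, listings):
    """Return human-readable red flags for one listing, judged against the whole store sample."""
    flags = []
    sensitive_extra = [p for p in excessive_permissions(app["permissions"]) if p in SENSITIVE]
    if sensitive_extra:
        names = ", ".join(p.rsplit(".", 1)[1] for p in sensitive_extra)
        flags.append("requests data permissions unrelated to tunnelling: " + names)
    dupes = duplicate_branding(listings)
    if app["title"].strip().lower() in dupes:
        flags.append("same branding published by %d developer accounts" % len(dupes[app["title"].strip().lower()]))
    return flags

# Constructed sample listings (not real apps or developers).
LISTINGS = [
    {"title": "Example Shield VPN", "developer": "example-dev-1",
     "permissions": ["android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
                     "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"]},
    {"title": "Example Shield VPN", "developer": "example-dev-2",
     "permissions": ["android.permission.INTERNET"]},
    {"title": "Example Tunnel", "developer": "example-dev-3",
     "permissions": ["android.permission.INTERNET", "android.permission.FOREGROUND_SERVICE"]},
]

if __name__ == "__main__":
    for app in LISTINGS:
        print(app["title"], "/", app["developer"], "->", triage(app, LISTINGS) or "no flags")
```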

Frequently Asked Questions

Are all free VPNs unsafe?

No, and it's worth saying plainly because the fear-based version of this answer gets repeated so often it starts to sound like marketing for paid providers. A small number of free VPNs — Proton VPN's free tier is the standard example — are run by the same company as the paid product, use the same audited code, and make money by hoping you'll eventually upgrade or buy their other services. That's a normal, honest business model.

The problem is that the honest ones are a minority in a very crowded field. Most free VPN apps in the Google Play Store and Apple App Store are small operations with no visible funding source, no published audit, and no clear answer to "how does this stay online." When you can't answer that question about a specific app, treat it as unsafe until proven otherwise rather than the other way around.

Can a VPN provider see my traffic?

Yes, by design, and this is true of every VPN, free or paid — it's just a question of what they do with that visibility. When you connect to a VPN, it becomes the thing sitting between you and the internet, which means it technically can log your destination sites, timestamps, and connection metadata, the same way your ISP could before you had a VPN at all. A paid provider with an audited no-logs policy has committed, in writing and under third-party review, not to retain that data. A free provider with no audit and an unclear funding model has made no such commitment, and in several documented cases — Hola VPN being the clearest example — the visibility itself was the product being sold.

Why are free VPNs slower than paid ones?

Server capacity costs money, and a free tier's entire purpose is to spend as little of it on you as possible while still looking usable enough that you might upgrade. Paid providers run dedicated server fleets sized for their subscriber base. Free tiers are usually a handful of shared servers absorbing traffic from everyone who hasn't paid, which is why speeds noticeably drop during evening peak hours in whatever time zone has the most free users connected. The slowdown isn't a bug — it's the upsell mechanism working as designed.

Is a browser's built-in "VPN" the same as a real VPN?

Not in the way most people assume, and this is one of the more common mix-ups we see. A real VPN sits at the operating system level and encrypts every packet leaving your device — your browser, your email client, your background apps, all of it. Opera's built-in "VPN" and Edge's similar feature are browser-level proxies. They reroute and mask the IP address the browser presents to websites, but nothing outside that browser window is touched. Your other apps, your system DNS requests, and anything running alongside the browser are unprotected.

That's not necessarily a criticism — a browser proxy is a legitimate, lightweight tool for the specific job of masking your browsing IP, and it costs nothing extra. It's just a different tool solving a narrower problem than a system-wide VPN client, and treating the two as interchangeable is where people get a false sense of coverage.

Can I trust a free VPN's no-logs claim?

Believe the claim exactly as much as you can verify it, which for most free VPNs is not at all. A no-logs claim only carries real weight when an independent firm — Deloitte, Securitum, Cure53, and similar names show up repeatedly across the paid VPN market — has inspected the actual server infrastructure and confirmed the policy matches reality. That kind of audit costs real money and takes staff time most free VPN operators don't have, or don't choose to spend.

SuperVPN is the case study worth remembering here: it advertised a no-logs policy for years, and when a researcher found its exposed database in 2023, the leaked records showed the exact user activity, IP addresses, and connection history the policy claimed didn't exist. An unverified no-logs claim on a free app isn't evidence of privacy — it's just a sentence in a privacy policy nobody checked.