We believe privacy tools are only trustworthy when their creators are transparent about how they work. This page explains exactly how PrivacyTestLab's tests operate, what technical data is processed during testing, how we earn revenue, and the editorial standards we follow so that our content stays independent and accurate.
The privacy and cybersecurity industry has a serious credibility problem. Many platforms that claim to protect your privacy are simultaneously harvesting your data, inflating test results to serve business partners, or recommending products primarily because they pay the highest affiliate commissions.
PrivacyTestLab was created as a reaction to exactly that problem. We believe that a platform asking you to trust its privacy test results has an obligation to explain how those results are generated, what data passes through our servers, and what financial relationships might create conflicts of interest.
Each privacy test on PrivacyTestLab uses a specific technical method to detect what your browser or network connection is exposing. Here is a tool-by-tool breakdown:
Your browser makes an HTTP request to our server. We record the IP address the request arrives from and return it to your browser for display. If a VPN is active and working, this should show the VPN's exit IP — not your real home IP.
We generate a unique subdomain for each test session and instruct your browser to resolve it. Our authoritative DNS server logs which resolver actually handled the query. If it belongs to your ISP rather than your VPN provider's resolver, you have a DNS leak. This test requires our DNS infrastructure — it cannot be faked client-side.
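The server-side half of this check, as an added example (not PrivacyTestLab's own code): it issues a per-session hostname, then reads the authoritative server's query log to see which resolvers asked for it. The zone name, log format and VPN resolver range are constructed assumptions, and only IPv4 resolver addresses are handled.

```javascript
const { randomBytes } = require('crypto');

const TEST_ZONE = 'dnstest.example';            // hypothetical delegated test zone
const VPN_RESOLVER_CIDRS = ['198.51.100.0/24']; // constructed: the VPN's resolver egress range

// One unguessable label per session: no cache can answer it, so the query
// must reach the authoritative server, and sessions cannot be confused.
function newSessionHost() {
  return `${randomBytes(8).toString('hex')}.${TEST_ZONE}`;
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Constructed authoritative query log: "<time> <resolver-ip> <qname> <qtype>"
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z 198.51.100.7 a1b2c3d4e5f60718.dnstest.example. A',
  '2024-01-01T10:00:00Z 203.0.113.53 A1b2C3d4E5f60718.DNStest.example. AAAA',
  '2024-01-01T10:00:02Z 203.0.113.53 ffffffffffffffff.dnstest.example. A',
];

// Resolver source addresses that asked for this session's name.
function resolversForSession(logLines, sessionHost) {
  const want = sessionHost.toLowerCase();
  const seen = new Set();
  for (const line of logLines) {
    const [, resolver, qname] = line.trim().split(/\s+/);
    // Names are case-insensitive and some resolvers randomise case (0x20).
    if (qname && qname.replace(/\.$/, '').toLowerCase() === want) seen.add(resolver);
  }
  return [...seen];
}

// Assumption: any resolver outside the VPN's known ranges counts as a leak.
function classifySession(logLines, sessionHost) {
  const resolvers = resolversForSession(logLines, sessionHost);
  const outside = resolvers.filter(ip => !VPN_RESOLVER_CIDRS.some(c => inCidr(ip, c)));
  const verdict = resolvers.length === 0 ? 'no-data' : outside.length ? 'leak' : 'ok';
  return { verdict, resolvers, outside };
}
```

The address logged is the recursive resolver's egress address, which for large anycast resolvers differs from the address configured on the client, so attribution to an ISP or VPN has to be done on the egress range.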
Modern browsers expose local and public IP addresses through WebRTC APIs even when a VPN is active. Our test uses the RTCPeerConnection JavaScript API to enumerate all IP addresses your browser reveals through this pathway. No WebRTC connection to a remote server is established — the test is entirely local to your browser.
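What such a test inspects, as an added example (not PrivacyTestLab's own code): each ICE candidate line the browser produces carries an address, and the check is whether that address is a real local or public IP or an mDNS placeholder. The function names and sample candidate lines are constructed; the srflx sample shows how a public address appears when a candidate of that type is present.

```javascript
// Constructed sample candidate lines (documentation and private address ranges).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e6a-9f10-5c8d2e7a1b3c.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] };
}

function addressKind(addr) {
  if (/\.local$/i.test(addr)) return 'mdns-obfuscated'; // browser hid the host address
  if (addr.includes(':')) {
    if (addr === '::1') return 'loopback';
    if (/^f[cd][0-9a-f]{2}:/i.test(addr)) return 'private';      // fc00::/7
    return /^fe[89ab][0-9a-f]:/i.test(addr) ? 'link-local' : 'public'; // fe80::/10
  }
  const o = addr.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return 'unknown';
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168)) return 'private';
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  return o[0] === 127 ? 'loopback' : 'public';
}

// Addresses actually exposed: everything except mDNS placeholders.
function exposedAddresses(lines) {
  return lines.map(l => parseCandidate(l)).filter(Boolean)
    .map(c => ({ address: c.address, type: c.type, kind: addressKind(c.address) }))
    .filter(c => c.kind !== 'mdns-obfuscated');
}

// Browser-only collection step (not run under Node). With an empty iceServers
// list no STUN/TURN server is contacted, so gathering stays local.
function gatherCandidates(timeoutMs = 2000) {
  return new Promise(resolve => {
    const pc = new RTCPeerConnection({ iceServers: [] });
    const lines = [];
    const done = () => { pc.close(); resolve(lines); };
    pc.onicecandidate = e => (e.candidate ? lines.push(e.candidate.candidate) : done());
    pc.createDataChannel('probe');
    pc.createOffer().then(offer => pc.setLocalDescription(offer));
    setTimeout(done, timeoutMs);
  });
}
```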
We collect the same signals that real tracking systems use: your user agent, screen dimensions, timezone, language settings, installed fonts, canvas rendering output, WebGL renderer, audio context fingerprint, and available browser APIs. We calculate an entropy score that represents how uniquely identifiable your combination of signals is compared to other browsers. The exact formulas and per-signal weights are published on our Methodology page.
Canvas fingerprinting works by drawing text and shapes using the HTML5 Canvas API and comparing the pixel output. Hardware, drivers, and OS render the canvas slightly differently — creating a persistent, cross-session identifier. Our test generates a canvas hash and estimates how common or unique it is, reported as raw entropy bits rather than the 0–100 scale used for the full fingerprint test (see why, in our Methodology).
Some tests require our servers to see technical data in order to return results. Here is exactly what reaches our infrastructure for each category:
We want to be explicit about what we deliberately do not do, because vague language about "minimal data collection" is common in this industry and often meaningless.
PrivacyTestLab earns revenue through two sources: Google AdSense display advertising and a small number of affiliate partnerships with VPN providers.
We currently maintain an affiliate relationship with ProtonVPN. When a visitor clicks our ProtonVPN link and purchases a plan, PrivacyTestLab may receive a commission at no additional cost to the visitor. This link carries the rel="sponsored" HTML attribute in compliance with Google's webmaster guidelines.
NordVPN and Surfshark are listed as recommendations on PrivacyTestLab, but links to these services are currently direct, non-affiliate links. No commission is earned on these referrals at this time.
It doesn't — and we have designed our workflow specifically to prevent it from doing so. Test results are generated by technical infrastructure, not editorial judgment. Written recommendations go through the same evaluation criteria regardless of whether an affiliate relationship exists with the product being reviewed.
Advertisements on PrivacyTestLab are served by Google AdSense. Google may use cookies to serve ads based on your interests. Advertisements are clearly separated from our editorial content. No advertiser has any influence over our test results, content, or product rankings. You can opt out of personalized ads through Google's Ads Settings.
PrivacyTestLab relies on a small number of external services to operate. Each is listed below along with its purpose:
Each third-party service operates under its own privacy policy and may process data according to its own terms. We select services that offer reasonable privacy practices and, where possible, configure them to minimise data exposure.
PrivacyTestLab publishes two types of content: tool results (generated technically) and written articles (produced editorially). Both categories follow the same independence standard.
Test results are produced by technical systems that run the same way for every visitor. No business relationship can influence whether your IP address shows as leaked or not, what your DNS resolvers are, or what entropy score your browser fingerprint receives. These results are facts, not opinions.
Our articles and VPN comparisons are researched and written based on publicly available technical evidence, audit reports, independent speed tests, and our own testing. We follow these editorial standards:
Browser privacy testing is not perfectly universal. We are transparent about the known limitations of each test category:
If you have questions about how any of our tests work, want to report a factual error in our content, or have concerns about our data practices, please reach out. We welcome scrutiny — it makes the platform better.
We aim to respond to all substantive enquiries within 3 business days.