Last Updated — June 2026

Transparency Policy

We believe privacy tools are only trustworthy when their creators are transparent about how they work. This page explains exactly how PrivacyTestLab's tests operate, what technical data is processed during testing, how we earn revenue, and the editorial standards we follow so that our content stays independent and accurate.

Why Transparency Matters

The privacy and cybersecurity industry has a serious credibility problem. Many platforms that claim to protect your privacy are simultaneously harvesting your data, inflating test results to serve business partners, or recommending products primarily because they pay the highest affiliate commissions.

PrivacyTestLab was created as a reaction to exactly that problem. We believe that a platform asking you to trust its privacy test results has an obligation to explain how those results are generated, what data passes through our servers, and what financial relationships might create conflicts of interest.

Our transparency standard: If we can't explain how something works on this page, we don't do it. No hidden data collection, no black-box scoring, no undisclosed commercial arrangements.

How Our Tests Work

Each privacy test on PrivacyTestLab uses a specific technical method to detect what your browser or network connection is exposing. Here is a tool-by-tool breakdown:

IP Leak Test

Your browser makes an HTTP request to our server. We record the IP address the request arrives from and return it to your browser for display. If a VPN is active and working, this should show the VPN's exit IP — not your real home IP.

DNS Leak Test

We generate a unique subdomain for each test session and instruct your browser to resolve it. Our authoritative DNS server logs which resolver actually handled the query. If it belongs to your ISP rather than your VPN provider's resolver, you have a DNS leak. This test requires our DNS infrastructure — it cannot be faked client-side.
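The correlation step described above, as an added example (not PrivacyTestLab's own code): a per-session hostname is generated, the authoritative server's query log is searched for it, and each resolver that asked is compared with the ranges expected for the VPN. The zone name, log line format and expected-range list are assumptions made for illustration, and all sample data is constructed.

```javascript
const { randomBytes } = require("crypto");

const TEST_ZONE = "leaktest.example"; // placeholder zone (assumption)

// One unguessable label per session, so a logged query maps to exactly one test.
function newSessionHostname() {
  const token = randomBytes(16).toString("hex");
  return { token, hostname: `${token}.${TEST_ZONE}` };
}

// Dotted IPv4 -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Resolver IPs that queried this session's name. Names are lower-cased because
// resolvers may randomise query-name case (0x20 encoding).
function resolversForSession(logLines, token) {
  const want = `${token}.${TEST_ZONE}`;
  const seen = new Set();
  for (const line of logLines) {
    const m = /^\S+ query (\S+?)\.? from (\d+\.\d+\.\d+\.\d+)$/.exec(line);
    if (m && m[1].toLowerCase() === want) seen.add(m[2]);
  }
  return [...seen];
}

// "leak" if any resolver falls outside the ranges expected for the VPN.
function classify(resolvers, vpnCidrs) {
  if (resolvers.length === 0) return { verdict: "inconclusive", leaked: [] };
  const leaked = resolvers.filter((ip) => !vpnCidrs.some((c) => inCidr(ip, c)));
  return { verdict: leaked.length ? "leak" : "no-leak", leaked };
}

// Constructed log lines and ranges (documentation address space, RFC 5737).
const SAMPLE_TOKEN = "3f9c1e0a7b2d4c5e8f60112233445566";
const SAMPLE_LOG = [
  `2026-06-01T10:00:00Z query ${SAMPLE_TOKEN}.leaktest.example from 198.51.100.10`,
  `2026-06-01T10:00:00Z query ${SAMPLE_TOKEN.toUpperCase()}.LeakTest.Example from 203.0.113.53`,
  `2026-06-01T10:00:01Z query ffffffffffffffffffffffffffffffff.leaktest.example from 192.0.2.9`,
];
const VPN_RESOLVER_CIDRS = ["198.51.100.0/24"];
console.log(classify(resolversForSession(SAMPLE_LOG, SAMPLE_TOKEN), VPN_RESOLVER_CIDRS));
```

An empty result is reported as inconclusive rather than as a pass, since a blocked or cached lookup produces no log entry at all.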

WebRTC Leak Test

Modern browsers can expose local and public IP addresses through WebRTC APIs even when a VPN is active. Our test uses the RTCPeerConnection JavaScript API to enumerate all IP addresses your browser reveals through this pathway. No WebRTC connection to a remote server is established: the test is entirely local to your browser.

Browser Fingerprint Test

We collect the same signals that real tracking systems use: your user agent, screen dimensions, timezone, language settings, installed fonts, canvas rendering output, WebGL renderer, audio context fingerprint, and available browser APIs. We calculate an entropy score that represents how uniquely identifiable your combination of signals is compared to other browsers. The exact formulas and per-signal weights are published on our Methodology page.

Canvas Fingerprint Test

Canvas fingerprinting works by drawing text and shapes using the HTML5 Canvas API and comparing the pixel output. Different hardware, drivers, and operating systems render the canvas slightly differently, which creates a persistent, cross-session identifier. Our test generates a canvas hash and estimates how common or unique it is, reported as raw entropy bits rather than the 0–100 scale used for the full fingerprint test (our Methodology page explains why).

All tests are designed to be informational and diagnostic. They show you what third-party websites, ad networks, and tracking scripts can detect about you — using the same methods those systems actually use.

Data Processed During Tests

Some tests require our servers to see technical data in order to return results. Here is exactly what reaches our infrastructure for each category:

  • IP Leak Test: Your IP address is seen by our server to process the request. It is not logged to a database.
  • DNS Leak Test: A uniquely generated subdomain query reaches our DNS infrastructure. The resolving IP is recorded temporarily to display your result, then discarded.
  • WebRTC Test: No data reaches our servers — this test runs entirely inside your browser using JavaScript APIs.
  • Fingerprint Tests: Signal data is processed client-side in your browser. Aggregated, anonymised entropy statistics may be retained to improve scoring accuracy — never tied to an individual.
  • Network Tools (DNS Lookup, WHOIS, Geolocation): The domain or IP you query is sent to our server to make the appropriate API call on your behalf.

No personally identifiable information is collected during testing for the purpose of building user profiles, targeting advertising, or resale to third parties.

What We Don't Store

We want to be explicit about what we deliberately do not do, because vague language about "minimal data collection" is common in this industry and often meaningless.

  • We do not store a history of IP addresses tied to individual sessions.
  • We do not build behavioral profiles from your test activity.
  • We do not sell, share, or license individual test data to advertising networks or data brokers.
  • We do not use session cookies to track you across multiple visits for profiling.
  • We do not require account creation, meaning we have no way to associate test results with a named identity.

Our privacy policy provides the full legal framework for data handling. This section describes our operational practices in plain terms. Read the Privacy Policy

Affiliate & Revenue Disclosure

PrivacyTestLab earns revenue through two sources: Google AdSense display advertising and a small number of affiliate partnerships with VPN providers.

Affiliate Partnerships

We currently maintain an affiliate relationship with ProtonVPN. When a visitor clicks our ProtonVPN link and purchases a plan, PrivacyTestLab may receive a commission at no additional cost to the visitor. This link carries the rel="sponsored" HTML attribute in compliance with Google's webmaster guidelines.

NordVPN and Surfshark are listed as recommendations on PrivacyTestLab, but links to these services are currently direct, non-affiliate links. No commission is earned on these referrals at this time.

How Affiliate Revenue Affects Our Content

It doesn't — and we have designed our workflow specifically to prevent it from doing so. Test results are generated by technical infrastructure, not editorial judgment. Written recommendations go through the same evaluation criteria regardless of whether an affiliate relationship exists with the product being reviewed.

We will only maintain an affiliate relationship with a product we would recommend independently based on its technical performance. Full details are in our Affiliate Disclosure.

Google AdSense

Advertisements on PrivacyTestLab are served by Google AdSense. Google may use cookies to serve ads based on your interests. Advertisements are clearly separated from our editorial content. No advertiser has any influence over our test results, content, or product rankings. You can opt out of personalized ads through Google's Ads Settings.

Third-Party Services

PrivacyTestLab relies on a small number of external services to operate. Each is listed below along with its purpose:

  • Google Analytics (GA4) — used for aggregate traffic analytics with IP anonymisation enabled. We use this to understand which tools and articles are most useful, not to track individuals.
  • Google AdSense — advertising platform that may serve personalized or contextual ads.
  • Google Fonts — fonts loaded from Google's CDN. This causes a request to Google servers when you load any page.
  • Lucide Icons — SVG icon library loaded from unpkg CDN.
  • KaTeX (cdnjs) — renders the entropy formulas on our Methodology page in your browser.
  • GitHub (api.github.com / raw.githubusercontent.com) — our server fetches the public star count and CHANGELOG.md of our open-source scoring repository to display on the Methodology page. This is a server-to-server request; no visitor data is sent to GitHub.
  • IP Geolocation APIs — used by our IP and geolocation tools to resolve IP addresses to approximate locations. Queries are transient and not logged.

Each third-party service operates under its own privacy policy and may process data according to its own terms. We select services that offer reasonable privacy practices and, where possible, configure them to minimise data exposure.

Content Standards

PrivacyTestLab publishes two types of content: tool results (generated technically) and written articles (produced editorially). Both categories follow the same independence standard.

Tool Results

Test results are produced by technical systems that run the same way for every visitor. No business relationship can influence whether your IP address shows as leaked or not, what your DNS resolvers are, or what entropy score your browser fingerprint receives. These results are facts, not opinions.

Written Articles

Our articles and VPN comparisons are researched and written based on publicly available technical evidence, audit reports, independent speed tests, and our own testing. We follow these editorial standards:

  • Claims about VPN privacy must be supported by verifiable no-logs audit reports or documented technical testing.
  • Speed data reflects real-world measurements, not vendor-supplied benchmarks.
  • Negative findings are reported honestly — including findings about products we have affiliate relationships with.
  • Articles are updated when new information contradicts previously published conclusions.
  • We do not accept payment to write positive reviews or suppress negative findings.

If you believe any content on PrivacyTestLab contains a factual error or is outdated, please contact us. We take accuracy corrections seriously.

Accuracy & Limitations

No browser privacy test covers every situation. We are transparent about the known limitations of each test category:

  • IP Leak Test — only tests the IPv4 address visible to our server. Run alongside the IPv6 and WebRTC tests for a complete picture.
  • DNS Leak Test — detects which resolver handled our test query. A VPN that routes DNS but uses a resolver shared with other providers may appear fine while still being potentially identifiable.
  • WebRTC Test — browser support for mDNS obfuscation (used by Chrome) means some local IPs may appear as a random string rather than your real LAN address. This is Chrome's privacy protection working, not a test failure.
  • Browser Fingerprint Test — entropy scores are comparative estimates. Signal weights are currently seeded from published academic datasets (AmIUnique, EFF Panopticlick), not yet from PrivacyTestLab's own traffic, and signals are summed assuming independence. Full detail, including which weights are still estimates, is tracked openly on our Methodology page.
  • VPN Speed Tests — results reflect conditions at the time of testing from our test infrastructure and may not represent your personal experience.

No browser-based testing platform can guarantee complete privacy online. Privacy exposure changes constantly depending on browser updates, network infrastructure, and evolving tracking technologies. Our tools give you an accurate snapshot of your current exposure — not a permanent guarantee.
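What the independence assumption noted for the Browser Fingerprint Test does to a score, as an added example (not PrivacyTestLab's scoring code or its published formula): per-signal bits are computed as surprisal and summed, then compared with the bits carried by the full combination. The population, signal names and values are constructed, and surprisal is assumed as the per-signal measure.

```javascript
// Constructed population of browser signal records (not real traffic data).
// platform and fonts are perfectly correlated here; timezone is independent.
const POPULATION = [
  ["Win", "set-A", "UTC"], ["Win", "set-A", "UTC"],
  ["Win", "set-A", "CET"], ["Win", "set-A", "CET"],
  ["Mac", "set-B", "UTC"], ["Mac", "set-B", "UTC"],
  ["Mac", "set-B", "CET"], ["Mac", "set-B", "CET"],
].map(([platform, fonts, timezone]) => ({ platform, fonts, timezone }));

// Surprisal of one signal value in bits: log2(N / browsers sharing the value).
// A value never seen before is treated as shared by one browser (the visitor).
function signalBits(population, signal, value) {
  const matches = population.filter((b) => b[signal] === value).length;
  return Math.log2(population.length / Math.max(matches, 1));
}

// Score under the independence assumption: per-signal bits added up.
function summedBits(population, visitor) {
  return Object.keys(visitor)
    .reduce((sum, s) => sum + signalBits(population, s, visitor[s]), 0);
}

// Bits carried by the combination: log2(N / browsers matching every signal).
function jointBits(population, visitor) {
  const keys = Object.keys(visitor);
  const matches = population
    .filter((b) => keys.every((k) => b[k] === visitor[k])).length;
  return Math.log2(population.length / Math.max(matches, 1));
}

// How far the summed score overstates the combination's real identifiability.
function compare(population, visitor) {
  const summed = summedBits(population, visitor);
  const joint = jointBits(population, visitor);
  return { summed, joint, overstatedBy: summed - joint };
}

const VISITOR = { platform: "Mac", fonts: "set-B", timezone: "CET" };
console.log(compare(POPULATION, VISITOR));
```

Because fonts add no information once platform is known in this sample, the summed score counts the same bit twice; with only independent signals the two figures agree.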

Contact

If you have questions about how any of our tests work, want to report a factual error in our content, or have concerns about our data practices, please reach out. We welcome scrutiny — it makes the platform better.

We aim to respond to all substantive enquiries within 3 business days.