I think this is probably true for most providers. They could add logs if they were legally required but don't actively keep them. I think there is way too much stock put in the 'we don't log' comments that are common amongst privacy tools. Most VPN providers can log if they have to and often do log some data for service abuse and load monitoring but quibble over the definition of what 'we don't log' means. I used to work for a VPN provider where we kept statements in our privacy policies about some logging and users ripped us apart despite these comments being truthful + other providers being dishonest ( or at least confusing ); but since so many providers provided false confidence via slamming all over their site that they don't log the user base buys into these statements as 100% true ( and unchangeable ) and providers that try and provide a realistic view of what can happen get slammed. I am happy to see that proton put the statement up. I would have preferred they had statements up already but just because another provider says they don't log I wouldn't trust these statements. For me, I am not too worried if the provider can log some data like ip when they receive a non-avoidable court order ( https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court ) as I generally expect this to be true for all services and my threat model isn't to avoid three letter agencies. If your threat model requires avoiding three letter agencies then trusting almost any service provider is going to be difficult. Obviously you should be using tor to connect to anything but you would have to assume almost everything with a server is either compromised or can be given certain court orders. Using services like briar seem like your best bet ( https://briarproject.org/ ).