Asking “are free VPNs safe” is the same as asking “is free email safe”. The honest answer is that it depends entirely on the business model. Some free VPNs are loss-leaders for a paid product. Some are surveillance products with a VPN feature bolted on. The two look identical in the App Store.
Why “free” should make you suspicious
Every service costs money to run. Servers cost money. Bandwidth costs money. Engineers cost money. When you pay nothing for a product, you’re either receiving a subsidized sample — or you’re the product. That’s not a cynical reading; it’s just the accounting.
Free VPNs cluster into three business models, and only one of them is actually trying to protect you.
The loss-leader. A paid VPN gives away a small free tier to let users evaluate the service before committing money. The free product is a genuine sample: same servers, same software, same privacy properties as the paid tier, but with a cap — usually a data limit, a device limit, or a restricted selection of server locations. The cap is there to signal “this is a taste, not the whole thing,” and to control infrastructure costs. The economics work because paid subscribers fund the service; the free tier exists to convert prospects. This model is transparent and honest — the company makes money from subscriptions, not from user data. Proton VPN’s free tier and ORION/VPN’s 10 GB/month plan fall here. A VPN operating on this model is architecturally identical to its paid counterpart; the limitation is quantity, not quality.
The data-broker. This is the model that gave “free VPN” a bad name. The VPN logs your traffic and monetizes it — browsing history, app usage patterns, sometimes device identifiers or credential fragments. Papers and independent security investigations have repeatedly documented free VPN apps doing exactly this: collecting the traffic they’re supposed to be protecting and selling it to data brokers, advertisers, or analytics companies. The user pays not in money but in surveillance. The irony is precise: you install a privacy tool and the privacy tool is the privacy violation. The user experience is often indistinguishable from a legitimate VPN. Connection speeds are fine. The app looks polished. The damage is happening in the background, in ways you cannot observe.
The malware delivery vehicle. The VPN is a marketing wrapper to get a dangerous piece of software installed on your device. The app may route some traffic through a server — enough to seem functional — while also running click-fraud scripts, enrolling the device in a botnet, serving injected ads into your browser sessions, or installing secondary payloads. Research into app stores has found VPN-branded applications that were adware, stalkerware, or credential harvesters. These aren’t edge cases from obscure platforms; a significant fraction of the top-ranked free VPN apps in major stores have been flagged in academic and security-community research at one time or another.
The point of this framing is not that free VPNs are universally bad. The model matters. The same question — “who is paying for this?” — determines whether a free VPN is a reasonable tool or a trap. If the answer is “paid subscribers subsidize the free tier,” you’re probably fine. If the answer isn’t visible anywhere, that’s an answer in itself.
Five red flags in any free VPN
These aren’t theoretical risks. Each one appears repeatedly in documented cases of VPNs that were caught selling data, serving malware, or lying about their privacy properties. If a free VPN you’re considering hits two or more of these, close the tab.
1. No published privacy policy — or one that says they “may share data with partners.” A legitimate VPN has a specific, legible privacy policy that says what logs are kept (ideally none beyond connection metadata for abuse prevention), where servers are located, and who operates the service. A policy that says data “may be shared with trusted partners” or “third-party service providers” is a disclosure that they’re selling your data, written to be ambiguous enough to survive legal challenge. The absence of any policy is worse. Privacy policies are not a guarantee of behavior, but the combination of a specific policy plus independent audit creates accountability that vague or absent language does not.
2. No transparent ownership. You can’t find who runs the company. The domain is registered through a privacy proxy. The “About” page has stock photography and generic text. The company address leads to a mail forwarding service. Dangerous free VPNs are concentrated among services where the operational entity is deliberately obscured — often because the company behind it has previous products that were shut down for privacy violations, or because the actual beneficiary of the data collection is located in a different jurisdiction from the nominal company. Transparency about corporate ownership is a weak signal on its own, but opacity is a strong negative signal.
3. Unlimited everything for free. Unlimited bandwidth. Unlimited devices. Unlimited server locations. All of it, free, forever. If a VPN company provides an unlimited service to users who pay nothing, and the service isn’t funded by donations and you can’t find any paid tier, the infrastructure has to be paid for somehow. The gap between “what this costs to run” and “what users pay” is filled by something. That something is almost always monetization of user data, advertising injected into traffic, or enrollment of user devices in a larger commercial operation (proxying other users’ traffic through your device being a common one). An honest cap — data limit, device limit, region limit — is a sign the company is managing real infrastructure costs. Absence of any limit is a sign the company isn’t managing costs at all, because it’s recouping them differently.
4. Excessive permissions on install. A VPN needs permission to create a network interface. That’s it. It does not need access to your contacts, your SMS messages, your microphone, your photos, your location, or your call log. Some free VPN apps request all of these and more. On Android, some request device admin privileges that make the app difficult to uninstall. These permissions aren’t needed to route your traffic through a VPN server; they’re needed to harvest data from your device for monetization. On iOS, App Tracking Transparency requests from VPN apps are a similar signal — a VPN has no legitimate use for cross-app tracking.
5. Aggressive in-app advertising or pop-ups. And worse: ads styled to look like system dialogs, fake security warnings designed to frighten you into additional installs, or persistent notification spam. Some free VPNs inject ads into unencrypted HTTP traffic in transit — so you see ads on pages that normally don’t have them, and the ads are served by the VPN itself. The presence of advertising inside a VPN app is not automatically disqualifying — ad-supported models exist — but the combination of ads plus opacity about ownership plus vague privacy policy is a consistent pattern in documented cases of dangerous free VPNs.
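Red flag 4 can be checked mechanically on Android before an app is trusted. The following is an added example, not code from this article or from any VPN vendor: it reads a decoded AndroidManifest.xml and separates the permissions named above from the ones a VPN client plausibly needs. The EXPECTED list and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption for this example: what a VPN client plausibly needs at runtime.
EXPECTED = {P + n for n in (
    "INTERNET", "ACCESS_NETWORK_STATE", "FOREGROUND_SERVICE",
    "POST_NOTIFICATIONS", "RECEIVE_BOOT_COMPLETED")}
# The data sources red flag 4 names: contacts, SMS, microphone, photos,
# location, call log.
HARVESTING = {P + n for n in (
    "READ_CONTACTS", "READ_SMS", "RECEIVE_SMS", "RECORD_AUDIO",
    "READ_EXTERNAL_STORAGE", "READ_MEDIA_IMAGES",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CALL_LOG")}

def audit_manifest(xml_text):
    """Classify the permissions in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {
        el.get(ANDROID + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    } - {None}
    # Permissions that guard components, e.g. the VpnService declaration.
    guards = {el.get(ANDROID + "permission")
              for tag in ("service", "receiver") for el in root.iter(tag)}
    return {
        "declares_vpn_service": (P + "BIND_VPN_SERVICE") in guards,
        "device_admin": (P + "BIND_DEVICE_ADMIN") in guards,
        "harvesting": sorted(requested & HARVESTING),
        "unreviewed": sorted(requested - EXPECTED - HARVESTING),
    }

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Anything in "unreviewed" is neither expected nor on the harvesting list and needs a manual look; a non-empty "harvesting" list or a device-admin receiver is the pattern the red flag describes.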
The two legitimate models for a free VPN — and what to look for
Once you filter out the data-brokers and malware delivery vehicles, two categories of free VPN remain that work honestly.
Loss-leader: a paid VPN with a genuine free tier. This is the most common legitimate model and the one that produces the best free VPN options in practice. What to look for: a real, clearly marketed paid product behind the free tier (the existence of paying subscribers is what funds the infrastructure); a published privacy policy that is specific and audited rather than vague and self-serving; independent third-party audits of no-log claims (these cost money and the company bears that cost voluntarily — a meaningful signal); transparent ownership with identifiable founders, corporate registration, and a business address that isn’t a mail drop; and an honest cap that makes the economics make sense. The cap — data limit, server limit, device limit — is evidence that the company is thinking about infrastructure costs rather than treating users as a monetization pool.
The cap is also how you evaluate the quality of the free tier. A limit of 500 MB per month is barely a free tier at all; it’s a forced upgrade mechanism. A limit of 2–10 GB per month reflects actual infrastructure capacity allocation for conversion-funnel users and is generally enough for light privacy use, public WiFi protection, and evaluation of the service quality. The best free VPN for most users is usually the free tier of a reputable paid VPN, evaluated against these criteria.
Non-profit or donor-funded. This model is rare in the VPN space but exists. The Tor Project is the canonical example — not technically a VPN, but a privacy network funded by grants, donations, and institutional sponsors. Mozilla has offered or subsidized VPN products through non-profit-adjacent structures. When evaluating a non-profit model, look for: charity registration or foundation documentation in a jurisdiction with real oversight; publicly disclosed funding sources (who are the major donors?); source-available or open-source code (especially important for privacy tools — closed-source privacy claims are weaker by definition); and governance transparency. The constraint of this model is scale — non-profit funding cannot easily support millions of simultaneous users at high bandwidth, which is why non-profit VPNs tend to serve specific constituencies or operate at limited capacity.
Anything outside these two categories should be assumed surveillance until evidence proves otherwise. The burden of proof runs in that direction for free VPNs, because the documented track record of free VPNs outside these categories is bad enough to justify the prior.
ORION/VPN’s 10 GB free plan — what it is and isn’t
The 10 GB/month free plan is a loss-leader for the paid product. That’s the honest description.
It gives you both transports: Horizon for networks that inspect traffic and block conventional VPN signatures — it makes connections look like ordinary web traffic, which matters in cafés, airports, and more restrictive networks — and Wind for open networks where raw throughput is the priority. Same AES-256-class authenticated encryption on both. No card required to sign up.
The cap is real. 10 GB per month is enough for daily privacy use on public networks, for most regional unblocking, and for evaluating whether the service does what it claims before paying for it. It’s not enough for streaming a lot of video or routing all your home traffic through it continuously. That’s not an accident — the cap reflects the real infrastructure cost of running free users, which is funded by subscribers on the paid plan at $4.99/month or $34.99/year.
We don’t sell traffic. We don’t run ads. We don’t log connection content. The business model is subscriptions. The free plan exists to let people try the service.
For the canonical use case of a free plan — protecting your traffic on untrusted public WiFi networks — 10 GB/month is usually sufficient. The architectural details of what a VPN actually does, including how tunnels work and what gets encrypted and what doesn’t, are covered in a separate article.
The free vs paid question — worth addressing directly
Free versus paid is sometimes framed as a quality question — is a paid VPN technically better than a free one? That framing misses the actual issue. The question isn’t technical quality; it’s business model alignment. A paid VPN that charges $4.99/month is structurally aligned with giving you a good experience, because its revenue depends on it. A free VPN with no paying users is aligned with extracting value from you some other way.
Within the loss-leader category, the technical gap between free and paid tier is usually zero — same servers, same software, same privacy properties. The paid tier offers more bandwidth, more server locations, and more simultaneous devices. If the free tier gives you 10 GB/month and that’s enough for your use, you’re getting the same product the paid user gets; you’re just getting less of it.
The meaningful distinction between free and paid VPNs isn’t “free is worse than paid.” It’s “what is the free tier paying for itself with?” If the answer is “paid subscribers who converted from the free tier,” that’s a sustainable, honest model. If the answer isn’t visible, or if there are no paying subscribers to point to, the economics have to add up somewhere else.
Closing
Free isn’t inherently bad — the model is what matters. A free tier from a paid VPN is structurally honest: the company’s incentives run toward giving you a good experience to convert you, not toward harvesting your data. A free VPN with no paying users and no transparent funding source has the opposite structure, and the documented record of the category reflects that. ORION/VPN’s free 10 GB/month plan runs on the loss-leader model — a sample of the paid service, funded by subscribers, with no data monetization behind it. Whether that’s enough for your use case is a factual question about whether 10 GB/month covers what you need. The framework for evaluating any other free VPN you encounter is the same: find out who’s paying for it.