The price of transparency: What Surfshark's data request reveals about its collection policies | Tech Radar
Surfshark successfully fulfilled its GDPR obligations, but the volume of data it held was alarming
Surfshark was the only VPN to exhaustively reply to Tech Radar's DSAR
The provider shared a detailed report of all the information it holds
While great for transparency, the amount of data raises questions
When we tested how the world’s best VPN services handle their GDPR obligations, Surfshark was the only service to fully live up to its promises. While the response was a triumph for transparency, it also revealed a surprising amount of retained data.
Under Article 15 of the GDPR, users have the right to issue a Data Subject Access Request (DSAR) to any company operating in the UK or EU.
These companies are legally required to provide a "thorough and timely" response. Surfshark met this standard impressively, replying just four hours after our request was submitted on January 5, 2026.
The provider delivered a comprehensive report detailing exactly what information it held on our account. While we were pleased with the efficiency and clarity of the response, the sheer depth of the data raises significant questions.
From Surfshark’s DSAR report, we can see that the provider holds the following data about its users:
User ID: That's a permanent Universally Unique Identifier (UUID) that ties every service (Surfshark VPN, Alternative ID, Surfshark Antivirus, Incogni) together.
Device profiling: The provider knows which type of device you use (Windows, Mac, etc.) and whether or not you have 2FA protection active.
Financial signature: Surfshark stores a complete history of your "Payer ID" and payment email. Details also include the amount paid, payment status, whether you've used a coupon, and your currency.
Subscriptions: The company also has a track record of all your subscriptions — whether these are active, cancelled, or expired — and your subscribed services with creation and expiry dates.
Malware history: That's a list of every threat detected on your machine by the Surfshark Antivirus app, including the malware name, type of threat, device where it was blocked, and user country.
Support Ticket: The provider also records all the support tickets a user issued, tied to a reference number and date.
In its report, Surfshark states that it processes user data only for "specific and clearly defined purposes." These include service delivery, analytics, customer support, and compliance with legal and accounting requirements.
The most surprising discovery was the "Antivirus Malware Logs" section. The report doesn't just show that you have an active security subscription, it lists the specific names of malware detected on your machine, the device used during the detection, and your country-level location at the time.
While this may not immediately compromise your anonymity, it raises a significant question: why would a VPN provider store a centralized history of your local device's infections? In a truly privacy-centric model, one would expect this data to be wiped immediately after the session ends.
A spokesperson for the company said storing this information was useful for families that use the product. In a written response to Tech Radar the company said:
"Since many of our users manage security for their entire household under one account, centralizing this data will allow them to monitor threats across all their devices from a single dashboard.
"This way, we will be able to provide the visibility needed for users to identify and address security risks, ensuring their family stays protected regardless of which device they are using."
Our real-world email address appeared repeatedly throughout the report, acting as the common thread that links a Payer ID (financial) and User ID (technical) into one unified profile.
Again, this aligns with Surfshark’s policy, but it means users remain identifiable in the event of a data breach.
Some VPNs have already moved to mitigate this risk. The Swedish provider Mullvad, for example, axed recurring subscriptions to avoid holding such data, while Windscribe allows account creation without an email address entirely.
The company said it has no plans to allow accounts without email addresses, though it said it is constantly considering "more ephemeral models."
It argued that maintaining an email address is "essential to providing a transparent subscription experience" and that the company's approach "is designed to balance user privacy with necessary account security, proactive communication, and effective customer support."
Privacy is often associated with being "ephemeral" — leaving no trace. However, Surfshark's DSAR shows recorded persistence.
By keeping records of payments and specific discount codes (like COMEBACK_70) for over seven years, Surfshark maintains a permanent link between your real-world bank account and your digital persona.
In an era of sophisticated cyberattacks, we have to ask: is it necessary to store such sensitive identifiers for nearly a decade? For many, the risk of a leak outweighs the convenience.
In response to these findings a spokesperson for the company said the storage of payment information "is strictly a matter of compliance with anti-money laundering, fraud prevention, and legal accounting obligations."
"Our current approach is designed to balance user privacy with necessary account security, proactive communication, and effective customer support," they added.
The report includes a mandatory disclosure regarding "Automated Decision-Making." Surfshark admits to using "limited amounts of personal information" to evaluate certain user behaviors.
While this is a common functional requirement for modern tech companies, it sits uncomfortably alongside "no-logs" marketing. Most VPN users turn to these tools specifically to avoid being profiled by big tech.
While data collection can help improve a product, we believe this should be an optional "opt-in" rather than a default state for a privacy company.
Surfshark said automated decision-making was used "to evaluate user eligibility for subscription discounts." However, due to its no-logs design, these processes rely on "very limited subscription information — such as subscription length and plan type."
Surfshark’s move to the Netherlands and its clear commitment to GDPR compliance make it one of the most transparent and accountable VPNs on the market.
However, we expect VPNs to operate on the principle of "data minimization" — collecting only the bare minimum required to provide a service. Storing a centralized list of a user's local malware infections for years appears to exceed that minimum.
If a provider decides to log unnecessary details like your PC’s infection history today, it sets a worrying precedent for what they might choose to log tomorrow.
We have reached out to Surfshark for clarification and will update this article as soon as we receive a response.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She believes an open, uncensored, and private internet is a basic human need and wants to use her knowledge of VPNs to help readers take back control. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, tech policies, and security software, with a special focus on VPNs, for Tech Radar and Tech Radar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com