How We Work
Our Methodology
Last updated: April 2026
Our Approach
Every product on The Privacy Authority receives an independent editorial assessment based on publicly available information. We review privacy policies, security documentation, audit reports, and published features to form our evaluations.
Our grades represent our editorial opinion, not certifications or endorsements. They are designed to help you make more informed decisions about the privacy tools you use every day.
Grade Scale
We use a letter grade system ranging from A+ to F. Each grade tier reflects our overall assessment of a product's privacy and security posture.
A+ / A / A- · Excellent
Top-tier privacy and security. Strong encryption, verified no-logs or zero-knowledge architecture, independent audits, privacy-friendly jurisdiction, and open source code. These products set the standard for their category.
B+ / B / B- · Good
Solid privacy fundamentals with minor concerns. These products may have jurisdiction issues, corporate ownership questions, or limited audit history, but they still demonstrate a genuine commitment to user privacy.
C+ / C / C- · Average
Functional product but with notable privacy concerns. May lack independent audits, have questionable data practices, or offer limited transparency into how user data is handled.
D+ / D · Poor
Significant privacy concerns. Products in this tier may have reported data collection practices, security breaches, or deceptive marketing around their privacy claims.
F · Failing
Extensive data collection, user profiling, or fundamental privacy violations. These products actively work against user privacy despite marketing claims to the contrary.
Scoring Signals
Grades are determined by weighing the following signals. No single signal determines a grade; the final assessment is a holistic editorial judgment based on all available evidence.
| Signal | Positive | Negative |
|---|---|---|
| No-logs / zero-knowledge | Verified by independent audit | Unverified claims or known logging |
| Independent audits | Recent audit by reputable firm | No audits or audits older than 2 years |
| Jurisdiction | Privacy-friendly (e.g. Switzerland, BVI, Panama) | Five Eyes / Fourteen Eyes member |
| Open source | Client and/or server open source | Fully proprietary, no public code |
| Corporate ownership | Independent or privacy-focused parent | Owned by advertising / data company |
| Security track record | No breaches, or breaches handled transparently | Breaches concealed or poorly handled |
| Encryption | Strong, modern protocols (WireGuard, E2EE) | Weak or outdated protocols |
Historical incidents (e.g. past breaches or logging events) are weighed against what the company has done since: an incident followed by transparent disclosure and structural changes (RAM-only servers, new audits, jurisdiction changes) carries less weight than an unaddressed incident. We cite our sources so you can evaluate the evidence yourself.
Category-Specific Criteria
Each product category is evaluated against criteria specific to that type of service. Here is what we assess for each category we cover.
VPNs
- Encryption protocols and implementation
- Logging policy and verifiable no-logs claims
- Jurisdiction and legal obligations
- Independent security audits
- Ownership and corporate structure
- Kill switch and leak protection
- Speed and server network
Browsers
- Telemetry defaults and opt-out options
- Tracking protection and content blocking
- Fingerprint resistance
- Built-in ad blocking capabilities
- Open source status and rendering engine
- Update frequency and ownership
Email Providers
- End-to-end encryption support
- Zero-access encryption architecture
- Jurisdiction and legal framework
- Metadata handling and storage encryption
- Open source status and data practices
Password Managers
- Encryption standard and implementation
- Zero-knowledge architecture
- Independent security audits
- Open source status and breach history
- Platform support and data practices
How We Research
We review privacy policies, security whitepapers, independent audit reports, and publicly documented features for every product we evaluate. We cite our sources on every product card so you can verify our findings yourself.
We do not test products in controlled lab environments. We are not a testing lab. Our assessments are based on documented evidence, published research, and expert analysis of publicly available information.
Independence
Our grades are not influenced by affiliate relationships. Products with affiliate programmes and products without them receive the same editorial treatment and are evaluated using identical criteria.
For full details on how we handle affiliate links and paid reviews, see our affiliate disclosure.
Corrections
If you believe we have made a factual error in any of our evaluations, we want to hear from you. We investigate all reports and publish corrections where warranted.
Companies and individuals can reach us via our contact page.
Updates
Reviews are periodically re-evaluated as products update their practices, undergo new audits, or change ownership. The "last reviewed" date on each product card shows when we last checked our assessment.
Grades may change over time. A product that earns an A today could be downgraded if its practices deteriorate, and a product with a low grade can improve by addressing our concerns.