Review Methodology
How we evaluate website privacy and calculate risk scores. Our goal is transparency — you should know exactly how we arrive at our assessments.
What We Evaluate
Each website privacy review examines five categories of privacy risk. Every claim in our reviews is sourced from the company's official privacy policy, regulatory actions, published audits, or credible third-party research.
1. Data Collection Scope
What personal information the service collects, as stated in its own privacy policy. We categorize data into: account information, behavioral/usage data, device and technical data, location data, biometric data, financial data, third-party data, and content data. The more categories collected, the higher the risk.
2. Tracking and Third-Party Sharing
Whether the service deploys tracking technologies (cookies, pixels, fingerprinting) on its own properties and across the web. We check for the presence of advertising trackers, analytics scripts, and cross-site tracking mechanisms. Services that track users across other websites (like Meta Pixel or Google Ads) receive higher risk scores.
3. Breach History
Whether the service has experienced known data breaches, as documented by HaveIBeenPwned, regulatory filings, or credible news reporting. Breaches involving passwords, financial data, or biometrics are weighted more heavily.
4. Regulatory Actions and Fines
Whether the service has faced enforcement actions from data protection authorities (GDPR fines, FTC settlements, state attorney general actions). We note the nature and amount of fines where publicly available.
5. User Control and Transparency
Whether the service provides meaningful privacy controls: the ability to download your data, delete your account, and opt out of tracking, along with clear privacy policy language. Services that provide robust controls receive lower risk scores.
Risk Score Calculation
Our privacy risk score is a qualitative assessment based on the five categories above. We use a five-level scale:
| Risk Level | Criteria |
|---|---|
| Very Low | Minimal data collection, no cross-site tracking, no breach history, strong user controls, privacy-first business model |
| Low | Limited data collection, minimal tracking, no significant breaches, good user controls |
| Moderate | Standard data collection for the service category, some tracking, may have minor breach history, adequate user controls |
| High | Extensive data collection, cross-site tracking, breach history, advertising-driven business model, limited opt-out options |
| Very High | Aggressive data collection including biometrics or keystroke data, pervasive cross-site tracking, significant breach history or regulatory fines, opaque data practices |
Sources
Every factual claim in our reviews is sourced. Common sources include:
- Official privacy policies (linked and dated in each review)
- HaveIBeenPwned breach database
- GDPR enforcement tracker and EU DPA decisions
- FTC enforcement actions and settlements
- Published security audits and third-party research (Citizen Lab, EFF, Consumer Reports, Internet 2.0)
- Major news reporting (Washington Post, Reuters, Ars Technica, The Record)
Limitations
We are transparent about what our reviews cannot do:
- We cannot verify what companies actually do with data beyond what their policies state and regulators have discovered
- Tracker counts may vary based on region, browser, and user state (logged in vs. logged out)
- Privacy policies change — we date-stamp every review and update periodically
- Our risk scores are editorial assessments, not automated scores — reasonable people may disagree
Updates
Reviews are updated when significant changes occur: major privacy policy updates, new data breaches, regulatory actions, or significant product changes. Each review shows a "Last verified" date.
Independence
Privacy Toolkit is not owned by or affiliated with any VPN company, security vendor, or technology company reviewed on this site. We earn revenue through affiliate links and display advertising, which are clearly disclosed. Our reviews are editorially independent — affiliate relationships do not influence risk scores or recommendations.
Questions about our methodology? Contact us at hello@nothingleaks.com