/
/
PureVPN History Timeline
VPN Company History // Evidence-Based Timeline

PureVPN History and Timeline: Growth, Controversy and Change

PureVPN is one of the longer-running consumer VPN brands. Its history includes early product expansion, a serious 2017 logging controversy, later privacy-policy changes and audits, a move from Hong Kong to the British Virgin Islands and a continuing shift toward a wider privacy platform.

First published: 12th June 2026 | Accuracy reviewed: 12th June 2026
By Martin Needs — Cybersecurity Expert
Launch Year2007PureVPN’s official history says the project launched with a small team and a two-server network.
Current OperatorGZ Systems LimitedThe current Terms of Service identify a British Virgin Islands company as the owner and operator.
Key Trust Issue2017 connection recordsA federal affidavit showed that PureVPN could associate a customer with home and workplace originating IP addresses.
Later ResponsePolicy changes and auditsPureVPN revised its logging policy and later commissioned external no-log assessments.
Ech the Tech Fox

This page separates three kinds of evidence: court and legal records, external assessments, and PureVPN’s own company history. Company claims are attributed rather than presented as independently proven facts.

PureVPN History: The Balanced Version

PureVPN’s history cannot be summarised fairly as either a straightforward success story or a company permanently defined by one controversy. Both parts matter.

The service has operated since 2007, expanded across desktop, mobile and television platforms and survived several major shifts in the consumer VPN market. It later adopted clearer no-log wording, commissioned external assessments and moved its legal jurisdiction to the British Virgin Islands.

However, the 2017 federal affidavit remains a material part of its record. It showed that PureVPN could identify the originating IP addresses used by a customer at home and at work. That was inconsistent with how many customers understood the provider’s broad no-log positioning at the time.

Bottom line

The most accurate conclusion is that PureVPN’s privacy position changed after 2017 and later received external assessment. That is evidence of improvement, but it does not erase the earlier trust failure or make any audit a permanent guarantee.

How PureVPN Started

PureVPN’s official About page says the service launched in 2007. It names Uzair, Umair and Aqib as newly graduated founders who began commercialising a product created in their spare time.

The company says the first network contained two servers and expanded to 16 during 2007–2008. Windows and Mac applications followed in 2009–2010, with Android and iOS apps listed for 2011–2012.

These early milestones come from PureVPN’s own company history. They are plausible and internally consistent, but user counts, staffing numbers and claims of being first in the market should be treated as company-reported rather than independently audited.

PureVPN Timeline

2007Company history

PureVPN launches

PureVPN says it began with a small team and a two-server network. Its current About page names Uzair, Umair and Aqib in the founding story.

2009–2012Company history

Desktop and mobile apps arrive

The company timeline lists Windows and Mac applications, followed by Android and iOS apps and 24-hour customer support.

2013–2016Company history

Feature and user growth

PureVPN says it added OpenVPN support, a kill switch, NAT firewall and other features while growing from more than 200,000 users to more than one million. These figures are provider-published.

2017Federal affidavit

Connection records become central to a criminal investigation

A US federal affidavit stated that PureVPN records helped establish that the same customer used the service from an IP address associated with his home and another associated with his workplace. This became the defining privacy controversy in the company’s history.

2018Policy response

PureVPN revises its privacy policy

PureVPN says it changed its policy to state explicitly that it does not retain browsing activity, original IP addresses, assigned VPN IP addresses, connection times or DNS queries.

2019External assessment

Altius IT examines the no-log claim

PureVPN published Altius IT’s conclusion that the examined configurations and service logs did not provide evidence capable of identifying a specific person and that person’s activity while using the service.

2020–2021External assessment

KPMG assessments and an “always-on” audit arrangement

PureVPN said KPMG reviewed infrastructure, configurations, code and technical logs. The provider later announced an arrangement allowing unannounced assessments and publicised a further evaluation in 2021.

2021Legal and company records

Jurisdiction moves to the British Virgin Islands

PureVPN says it decided in early 2021 to leave Hong Kong. Current legal terms identify GZ Systems Limited, a British Virgin Islands company, as the service owner and operator.

2022–2023Company and industry records

WireGuard, wider apps and industry accreditation

PureVPN’s timeline lists WireGuard and additional device apps. In 2023, PureVPN appeared among the inaugural providers receiving the VPN Trust Initiative’s Trust Seal accreditation.

2026Product launch

ChatGPT server-selection integration launches

PureVPN introduced a ChatGPT app that interprets natural-language requests and opens the native PureVPN app through a deep link. The VPN tunnel still operates in PureVPN’s own application and infrastructure.

What Happened in the 2017 Logging Controversy?

The controversy arose from a US cyberstalking investigation. The relevant federal affidavit described several online services used during the alleged activity and explained how investigators linked accounts and network connections.

According to the affidavit, PureVPN records showed that the same customer accessed the service from two originating IP addresses: one connected to the home where the suspect lived and another connected to his employer.

What this proves

PureVPN possessed or could derive identifying connection information that linked a customer to originating IP addresses during that investigation.

What it does not prove

The affidavit does not say PureVPN supplied a complete browsing history, message contents or a database of every website visited. Describing it as proof of full activity logging would go beyond the document.

The trust problem was nevertheless significant. At the time, many customers understood “no logs” to mean there would be no records capable of linking their account to an originating IP address. PureVPN’s distinction between browsing logs and connection records was not sufficiently clear to prevent that expectation.

PureVPN later argued that it complied with its policy and legal obligations as they existed at the time. That defence explains the company’s position, but it does not remove the gap between the technical records available and how customers interpreted the marketing.

What Changed After 2017?

PureVPN says it revised its privacy policy in 2018. The updated wording explicitly rejects retaining browsing activity, original IP addresses, assigned VPN addresses, connection times, visited sites, outgoing traffic and DNS queries.

Clearer wording was an important improvement because it addressed the exact type of ambiguity exposed in 2017. A policy statement alone, however, cannot prove how every server is configured. That is why the later external assessments matter.

AreaBefore or During 2017Later Position
Originating IP recordsThe affidavit states that PureVPN could identify two originating IP addresses used by the same customer.The updated policy says original IP addresses are not retained.
Public wordingUsers could interpret broad no-log statements more strongly than PureVPN’s internal distinction between activity and connection records.The policy names specific data categories the company says it does not store.
VerificationCustomers mainly relied on the provider’s own statements.PureVPN commissioned Altius IT and KPMG assessments.

How Strong Is PureVPN’s Audit Record?

PureVPN has publicised a 2019 Altius IT assessment and later KPMG assessments. The reported findings support the claim that the examined systems and configurations matched the provider’s newer no-log policy at the time of review.

The “always-on” arrangement is also a positive feature: PureVPN says KPMG can initiate an assessment without agreeing a date in advance. That reduces the provider’s ability to prepare only a temporary audit environment.

What the audits add

  • Independent examination is stronger than self-attestation alone.
  • The assessments reportedly included infrastructure, configurations, code and technical logs.
  • Unannounced access can make selective preparation more difficult.
  • The findings directly addressed the provider’s revised no-log claims.

What the audits do not prove

  • An assessment applies to the scope and period reviewed.
  • It cannot guarantee that future software or configuration will never change.
  • Detailed reports have not always been presented as fully public technical documents.
  • An audit of logging does not test every security, speed or reliability claim.

Who Owns PureVPN and Where Is It Based?

PureVPN’s current Terms of Service state that the service is owned and operated by GZ Systems Limited, a British Virgin Islands limited liability company. The terms also identify an associated Cyprus company, GZT Associates Limited.

PureVPN says the business originally launched in Hong Kong and decided in early 2021 to relocate its headquarters and legal jurisdiction to the British Virgin Islands.

The BVI is presented by PureVPN as a jurisdiction without mandatory data-retention requirements applicable to its service. That may reduce certain legal pressures, but jurisdiction alone does not prove privacy. A provider can keep logs voluntarily in a favourable jurisdiction, while a technically minimised service can offer meaningful protection elsewhere.

Best evidence order

Technical design and actual data practices matter most, followed by independent assessment and transparency. Jurisdiction is relevant, but it should not be the only reason to trust a VPN.

PureVPN History: Strengths and Concerns

Historical strengths

  • Longevity: the service has operated since 2007.
  • Broad platform expansion: PureVPN moved from desktop software into mobile, browser and television apps.
  • Clearer current privacy wording: the revised policy names data categories it says are not retained.
  • External assessment: Altius IT and KPMG reviews provide more evidence than provider claims alone.
  • Unannounced-audit concept: the always-on arrangement is more demanding than a scheduled assessment.
  • Industry participation: PureVPN joined the VPN Trust Initiative and received its Trust Seal.

Historical concerns

  • 2017 trust failure: identifying connection information existed despite broad no-log expectations.
  • Provider-controlled narrative: many early milestones and growth figures come only from PureVPN.
  • Limited public audit detail: summaries are easier to access than complete technical reports.
  • Jurisdiction marketing: a BVI address should not be treated as proof of technical privacy.
  • Changing product claims: server totals, features and certifications require periodic rechecking.
  • Broader suite complexity: additional privacy products create more policies, systems and data flows to evaluate.
Balanced assessment

PureVPN has taken substantive steps to address the weakness exposed in 2017. The later policy, audits and jurisdiction change are relevant improvements. The sensible position is neither to ignore those improvements nor to pretend the earlier incident never happened.

PureVPN Today

PureVPN’s current website describes a service with more than 6,000 servers across more than 65 countries, up to ten logins and more than three million users. These are current provider claims and may change as infrastructure and product plans are updated.

The company now presents itself as more than a basic VPN, promoting tools such as dark-web monitoring, password management, tracker blocking and data-removal services alongside its core encrypted connection product.

This broader strategy can add value for users who want multiple privacy tools in one ecosystem. It also means reviewers should assess each product separately rather than assuming that a VPN audit automatically verifies every add-on.

For testing of the current apps, performance, features and privacy controls, read our updated PureVPN review. Readers considering a subscription can also check the current testing and refund routes in our PureVPN free-trial guide.

How This History Was Researched

The timeline prioritises a small number of strong sources rather than linking every company announcement.

  • Primary evidence: the 2017 federal affidavit and current PureVPN legal terms.
  • Company records: PureVPN’s About page, policy-change explanation, audit summaries and headquarters announcement.
  • External confirmation: the VPN Trust Initiative’s accreditation announcement.

Provider claims are labelled as such. Audit findings are described as applying to the systems and period assessed. Current network and user figures are not presented as independently verified.

Frequently Asked Questions

When was PureVPN founded?

PureVPN’s official history says it launched in 2007. That is the founding year used throughout this timeline.

Who founded PureVPN?

PureVPN’s current About page names Uzair, Umair and Aqib as the graduates who began commercialising the original project.

Who owns PureVPN today?

The current Terms of Service identify GZ Systems Limited, a British Virgin Islands company, as the owner and operator of PureVPN.

Did PureVPN keep logs in 2017?

The federal affidavit shows that PureVPN could associate the same customer with originating IP addresses linked to a home and workplace. That is identifying connection information. The document does not establish that PureVPN supplied a complete browsing history.

Did PureVPN change after the 2017 case?

PureVPN says it revised its privacy policy in 2018 and later commissioned external no-log assessments by Altius IT and KPMG.

Does an audit prove PureVPN never keeps logs?

No audit can provide a permanent guarantee. It provides evidence about the systems, configurations and period within its scope.

Why did PureVPN move to the British Virgin Islands?

PureVPN says it chose the BVI after reviewing multiple jurisdictions because it considered the legal environment more compatible with its privacy commitments.

Is PureVPN still connected to Hong Kong?

The service launched in Hong Kong, but current legal terms identify the operator as a British Virgin Islands company.

Is PureVPN’s current service the same as it was in 2017?

No. The provider says its privacy policy and technical practices changed, and later assessments reviewed the newer environment. The 2017 event remains relevant history, but it should not be described as direct proof of current logging without current evidence.

What is the fairest conclusion about PureVPN’s history?

PureVPN has a genuine historical privacy failure and a documented later effort to improve policy, verification and jurisdiction. Both should be considered when assessing trust.

Martin Needs, cybersecurity expert

Written by Martin Needs

Director at NeedSec LTD | Cybersecurity Expert | 10+ Years Experience

“A fair history should preserve the uncomfortable evidence while recognising genuine later improvements. Trust is built from current practices, but history helps users decide how much evidence they require.”

OSCP CertifiedCyber Essentials AssessorCompTIA PenTest+Network SecurityPrivacy Audits

Important Sources