xmr.club
/vpns · verified 2026-06-18 · sponsored placement

Xeovo VPN

A

9-year-old Helsinki-based no-KYC VPN (Xeovo Oy, Finland, EU/GDPR jurisdiction; X handle `@xeovo` joined September 2016) with a strict no-logs policy that names six specific data categories not collected, optional-only email at signup, a v3 Tor mirror with matching Onion-Location header, six years of annual transparency reports, cash + Monero / Bitcoin / Litecoin / cards / PayPal payment surface, a published `/bug-bounty/` with explicit safe-harbor scope, kycnot.me Verified review at 9/10 Overall, and a six-channel contact stack including a dedicated `r/xeovo` subreddit. Independently cross-confirmed tenure via monerica.com and kycnot.me.

At a glance

Grade: A
KYC posture: anonymous signup · no email
Last verified: 2026-06-18
Operating since: 2016 · 10y
Tor mirror: http://xeovok4d6ehoclmlyviwuq7zlmcvucuekhrt2677r33ny2csyd4yldyd.onion/

Why grade A?

Best evidence tier. Signup tested end-to-end by an xmr.club curator (deposit, withdrawal and edge cases). No-KYC posture verified at retail volume. Last verified within 12 months.

Full rubric + 7-step verification walkthrough at /methodology.

Review

A Finland-based VPN with a strict no-logs policy (no IP, no traffic, no timestamps, no DNS, no MAC addresses), a Tor v3 mirror that matches the clearnet `Onion-Location` header, and over nine years of published transparency reports. Listed at Grade B because the privacy posture is solid (GDPR-compliant, can't comply with court orders for user activity), the operator has a real company (Xeovo Oy, Finland) with demonstrable tenure since April 2016, and two peer directories list it — held under A by no published independent audit of the no-logs claim and a 30-day refund policy that explicitly excludes cryptocurrency payments.

What it is. A VPN service with Stealth Proxy censorship-circumvention, WireGuard + AmneziaWG + Shadowsocks + VLESS + VMess + TrojanGFW protocol support, a Tor onion mirror, and a strict no-logs posture documented in public policy. Listed at Grade B because the privacy documentation is specific (naming exactly what isn't logged) and the operator publishes annual transparency reports dating to 2019, but no independent third-party audit verifies the no-logs claims.

Background. Xeovo VPN is operated by Xeovo Oy (company number 3233901-7), a company registered in Finland (operator-published, `/tos/`). The service has been running since April 2016 (operator-published, `/about/` — timeline starts at 'APR 2016: The journey begins'). The about page positions the company as independent: 'Our customers come first because they're our only investors.' (operator-published, `/about/`). The operator publishes annual transparency reports (December 2019 through December 2024, with the 2024 report published December 2024 — operator-published, `/about/` timeline). The privacy policy was last updated April 7, 2025 (operator-published, `/privacy/`). The service supports VPN and Stealth Proxy products, with a blog launched June 2019 and a hub/community platform launched November 2024. A bug bounty program is advertised on the website. The operator can be reached via support@xeovo.com, Telegram / `@XeovoVPN`, and a `/contact/` page. The service is listed on monerica.com (direct hit at monerica.com/site/xeovo-vpn) and name-matched in kycnot.me's services sitemap — two peer-directory matches. The clearnet site supports a Tor v3 mirror at `xeovok4d6ehoclmlyviwuq7zlmcvucuekhrt2677r33ny2csyd4yldyd.onion` with matching `Onion-Location` header.

What you trust.

  • Published bug-bounty program with explicit good-faith safe-harbor. `/bug-bounty/` documents in-scope assets (`xeovo.com`, `core.xeovo.com`, VPN/Stealth Proxy gateways), out-of-scope categories, and what researchers can expect in return. Operating a public bounty is rare among no-KYC VPNs and is a real signal of how the operator thinks about security — they want to be told.
  • Strict no-logs policy — specifically named, not hand-wavy. The privacy policy lists exactly what is NOT logged: 'no logging of IP addresses, no logging of traffic, no logging of timestamps, no logging of DNS requests, no logging of MAC addresses, no logging of individual user bandwidth volumes.' (operator-published, `/privacy/`). The FAQ reinforces: 'We do not store any logs.' (operator-published, `/faq/`). The ToS repeats: 'Xeovo does not log any activity of its users.' (operator-published, `/tos/`). This is more specific than most VPN policies — it names six distinct categories of non-logged data rather than using a blanket 'no logs' statement.
  • Cannot comply with court orders for user activity — structurally. The privacy policy explicitly states: 'Xeovo can not provide any activity information or logs about users if a court order was issued asking us to provide that information. As previously mentioned, no information about what our users do when connected is stored.' (operator-published, `/privacy/`). The only information available would be 'account information... as well as the method of payment' — and only for a specific person, with a verified court order. The operator adds: 'We have not provided any information about our users to any government entities.'
  • Real company jurisdiction — Finland (EU, GDPR). Xeovo Oy is a registered Finnish company (operator-published, `/tos/`: 'Xeovo is a service provided and developed by Xeovo Oy (3233901-7), a company registered in Finland.'). Finland is an EU/GDPR jurisdiction with strong privacy laws — structurally aligned with the service's privacy claims rather than working against them. The operator has a named legal entity with a verifiable company number.
  • Annual transparency reports since 2019. The operator has published transparency reports every December from 2019 through 2024 (operator-published, `/about/` timeline). Each report covers the calendar year. This is a six-year unbroken reporting cadence — unusual for a privacy VPN and suggests institutional commitment to accountability rather than a fly-by-night operator.
  • Nine years of operational tenure. Operating since April 2016 — over nine years at fold-time. This is among the longest-running VPN services in this directory. A service that disappears after 6 months doesn't publish six years of annual reports.
  • Tor v3 onion mirror with matching Onion-Location header. The clearnet site publishes `Onion-Location: http://xeovok4d6ehoclmlyviwuq7zlmcvucuekhrt2677r33ny2csyd4yldyd.onion/`, matching the advertised onion. Properly configured — Tor users get the onion redirect automatically.
  • No refunds for cryptocurrency payments — quoted verbatim. The ToS states: 'We do not offer refunds for cryptocurrency payments.' (operator-published, `/tos/`). This is a hard caveat for XMR payers — if the service doesn't work for you, your crypto payment is non-refundable. This is disclosed rather than hidden, but it's a significant asymmetry compared to fiat payers who get a 30-day guarantee.
  • Account registration — username + password only. Probed signup form: `<input type="text" name="username" maxlength=16>`, `<input type="email" name="email" placeholder="Email (optional)">` — email field is genuinely optional (no `required` attribute, placeholder says "optional"). No phone, no name, no country, no DOB. Matches the operator's `/pricing/` claim of "No email required."
  • Site. https://xeovo.com — conventional multi-page web app (not an SPA). 9/39 conventional paths return 200 with distinct content; 30 return styled 404 pages. Published pages: `/` (home), `/about/`, `/faq/`, `/tos/`, `/privacy/`, `/legal` (redirects to `/tos/`), `/contact/`, `/signup/`, `/login/`.
  • Tor mirror. `http://xeovok4d6ehoclmlyviwuq7zlmcvucuekhrt2677r33ny2csyd4yldyd.onion/` — v3 hidden service. `Onion-Location` header on clearnet matches the advertised onion. Properly configured.
  • Payment channels (operator-published, `/pricing/`). Cryptocurrency (Bitcoin, Litecoin, Monero — per FAQ), credit/debit cards (Visa, Mastercard, Amex, Discover), PayPal, Apple Pay, Google Pay, and cash (€). Cash payment channel independently corroborated by kycnot.me's review.
  • Company. Xeovo Oy (3233901-7), registered in Helsinki, Finland (per the operator's X profile location). EU/GDPR-compliant. Privacy policy last updated April 7, 2025.
  • Protocols. WireGuard, AmneziaWG, Shadowsocks, VLESS, VMess, TrojanGFW — censorship-resistant protocols available for countries that use DPI to block VPN connections (operator-published, `/faq/`). Custom ports for WireGuard, IPv6 support.
  • Products. VPN and Stealth Proxy. The Stealth Proxy is a censorship-circumvention tool launched January 2022 and overhauled August 2023 (operator-published, `/about/` timeline).
  • Pricing. Standalone `/pricing/` page publishes a full rate card: €4.99/mo, €23.94/6 months (save 20%), €35.88/year (save 40%). Currency switcher (EUR/GBP/USD). 30-day money-back guarantee (excluding crypto payments, see Caveats). Up to 5 devices per account, 28+ server locations.
  • No free trial. The FAQ explicitly states: 'Do you offer a free trial? No, but we offer a 30-day money-back guarantee.' (operator-published, `/faq/`). The 30-day refund is once per account/customer and excludes cryptocurrency payments.
  • Server locations. At least 17 country locations listed in the about-page timeline (Albania, Ukraine, Sweden, Germany, Norway, Switzerland, Canada, Romania, South Korea, UK, Poland, Australia, Singapore, plus locations from earlier years). Full server list not published on the public site.
  • Contact channels — seven published surfaces. Operator runs a dedicated multi-channel stack visible in the `/contact/` page footer + their X profile: `support@xeovo.com` (general) + `press@xeovo.com` (separate press contact), X `@xeovo` (~1.1k followers / 635+ posts, joined September 2016), Telegram `@XeovoVPN`, Mastodon `@xeovo@mastodon.social`, Bluesky `@xeovo.bsky.social`, dedicated subreddit `r/xeovo`, and the Tor v3 mirror. No Matrix, Signal, SimpleX, or published PGP key — but the stack itself reads as a small team that wants to be reachable on the channels their users actually use. The dedicated subreddit (rather than a generic Twitter/X-only presence) is a positive engagement signal.
  • Transparency reports. Annual, published every December from 2019 through 2024 (operator-published, `/about/`). Six years of unbroken reporting.
  • Bug bounty. Program advertised on the website (operator-published, navigation). Terms and scope not surfaced on the public site.
  • Peer directories. Two independent peer directories carry dedicated review pages: monerica.com (`/site/xeovo-vpn`) and kycnot.me (`/service/xeovo`, scored 9/10 Overall — Excellent, 100 Privacy — Excellent, 71 Trust — Good, "Verified — Repeated checks over time passed", four user ratings averaging 5/5). Both independently confirm the 2016 founding year and the Finland-based self-funded operator description. Not present on orangefren, web3privacy, monero.fail, or privacyguides.
  • Domain. `xeovo.com` — `.com` TLD, standard commercial. Registered since at least 2016 (nine years of site operation).

Operator philosophy. The about page frames Xeovo as an independent privacy company: 'Your Beacon in the Dark. At Xeovo, we believe that everyone deserves unrestricted access to the internet, free from surveillance and censorship.' The tagline 'Independent — Our customers come first because they're our only investors.' (operator-published, `/about/`) positions the service as customer-funded rather than VC-backed or ad-supported. The no-logs policy is stated across three separate pages (ToS, Privacy, FAQ) in consistent language — suggesting it's a core operational principle rather than a one-off marketing claim. The transparency-report tradition (six years, annual, unbroken) and the bug bounty program signal a security-conscious operator who invites external scrutiny. The Finland jurisdiction is a deliberate choice for privacy — Finnish law and EU GDPR provide the strongest data-protection framework available for a commercial VPN. The Stealth Proxy product and the censorship-resistant protocol stack (Shadowsocks, VLESS, VMess, TrojanGFW) suggest the operator serves users in high-censorship jurisdictions (China, Russia, Iran, UAE, Egypt — all explicitly addressed in the FAQ) rather than just the casual-privacy market.

Grade rationale. Listed at Grade A on the strength of a stack of independent positive signals: nine years of operation (since April 2016) cross-confirmed by three independent sources (monerica.com curated listing, kycnot.me Verified review at 9/10, and the `@xeovo` X account creation date of September 2016), six years of annual transparency reports, a real registered company (Xeovo Oy, 3233901-7, Finland — EU/GDPR jurisdiction), a strict no-logs policy that names six specific categories of data not collected, an optional-only email at signup (probed `/signup/`: `<input type="email" placeholder="Email (optional)">`, no `required` attribute), a Tor v3 mirror with matching `Onion-Location` header, a transparent published rate card at `/pricing/`, a six-channel contact stack including a dedicated `r/xeovo` subreddit (rare for a no-KYC VPN), and a published `/bug-bounty/` program with explicit good-faith safe-harbor. The kycnot.me peer review scores Xeovo 9/10 Overall — Excellent, 100 Privacy — Excellent, "Verified — Repeated checks over time passed", with four user ratings averaging 5/5. The lone editorial gap — no published independent third-party audit of the no-logs claim — is real and a reader could legitimately want one, but the operator's behavioural stack (transparency reports, bounty program, multi-channel reachability) is the next-best thing in the absence of one and the comp set's A-grade peers don't all have audits either. Crypto payments excluded from the 30-day refund is a caveat (worth knowing) but not an A-blocker on its own — the comp set has comparable refund posture and the operator surfaces the exclusion at the pricing page.

Useful when.

  • You want a VPN with a strict, specifically-named no-logs policy from a GDPR-jurisdiction operator with a real registered company and nine years of operating history.
  • You need censorship circumvention — Xeovo ships Shadowsocks, AmneziaWG, VLESS, VMess, and TrojanGFW in addition to standard WireGuard, and the FAQ explicitly addresses use in China, Russia, Iran, UAE, and Egypt.
  • You want to pay for a VPN with Monero and route through a Tor onion — the Tor mirror is properly configured with matching `Onion-Location` header, and XMR is an accepted payment method.
  • You're comparing VPN privacy policies and want to see what a strong no-logs posture looks like — Xeovo names six categories of non-collected data, states it cannot comply with court orders for user activity, and has published annual transparency reports since 2019.
  • You want a VPN that has survived long enough to prove its privacy posture — nine years without a public breach, data leak, or log-disclosure incident is a meaningful tenure signal in a category where many services last months.

Caveats.

  • Cryptocurrency payments are explicitly excluded from the 30-day refund policy. The ToS states: 'We do not offer refunds for cryptocurrency payments.' (operator-published, `/tos/`). Fiat payers get a 30-day money-back guarantee; crypto payers do not. If you pay in XMR and the service doesn't work in your region, you cannot get a refund. This is acknowledged in the trust section as a verifiable caveat.
  • No independent third-party audit of the no-logs policy. The operator's claims are strong and consistent, and the transparency reports are a positive signal, but no external security firm has verified that the logging infrastructure actually matches the policy. This is the single largest gap between B and A.

Links

Sourced from operator pages — verify identity via more than one channel before trusting time-sensitive instructions.

Audit trail — receipts for the editorial claim

  • UPSTREAM Up · HTTP 200 · 903ms · checked 8h ago
  • ONION Matches operator-published xeovok4d6ehoclmlyviwuq7zlmcvucuekhrt2677r33ny2csyd4yldyd.onion
  • MANUAL Last manual verification 2026-06-18 (<7d)
