PrivadoVPN has formalized its departure from Switzerland, updating its Terms of Service to establish Privado Networks ehf. as a legal entity headquartered in Garðabær, near Reykjavík. The move, long signaled and now legally binding, is a direct response to Switzerland's proposed surveillance law amendments - changes that threatened to undermine the privacy protections VPN providers like PrivadoVPN built their reputations on. For users, this is not a branding exercise. It is a shift in legal jurisdiction with meaningful, concrete consequences for how their data is - or is not - handled.
Why Switzerland Lost Its Privacy Crown
For much of the past decade, Switzerland occupied a privileged position in the privacy conversation. Sitting outside the European Union, it was not bound by EU data retention directives, and its strong domestic privacy traditions made it the jurisdiction of choice for companies serious about protecting user data. That perception began eroding in early 2025, when the Swiss government proposed amendments to its surveillance legislation that would extend mandatory monitoring and data collection obligations to what the proposals termed "derived service providers" - a category broad enough to capture VPNs, messaging applications, and social media platforms alike.
The implications were significant. A VPN operating under such rules would be legally compelled to collect and retain user data, fundamentally contradicting its core function. For PrivadoVPN, remaining in Switzerland under those conditions would have meant either complying with obligations that hollow out the product's privacy promise, or fighting a legal battle with an uncertain outcome. The provider chose a third path: exit the jurisdiction entirely.
What Iceland Offers That Switzerland No Longer Can
Iceland's appeal is not incidental. The country has developed a legal framework that categorizes VPNs as application-layer service providers rather than telecommunications companies. That distinction is decisive. Telecommunications providers in most jurisdictions face mandatory data retention obligations - requirements to log connection metadata, timestamps, and sometimes more. Application-layer providers, by contrast, fall outside those mandates entirely. In Iceland, PrivadoVPN is not required by law to retain logs of user activity. It is a structural protection, not a policy choice that can be quietly reversed under pressure.
Iceland also sits within the European Economic Area, meaning it participates in the broader European digital single market while retaining distinct national legislation on data and communications. The country has historically maintained strong press freedom and civil liberties protections, and its small, stable regulatory environment offers fewer political pressure points than larger jurisdictions. For a privacy-focused company, this combination - legal exemption from data retention, EEA participation, and political stability - is difficult to replicate elsewhere.
The Legal Transition and What the New Terms of Service Establish
The updated Terms of Service replace both the previous Swiss legal framework and the former corporate entity, Privado Networks AG, registered in Zug. The new document is substantially more detailed than the August 2023 version it supersedes. Where the earlier Terms were relatively brief, the Icelandic version introduces explicit sections covering the bounds of the service, user obligations, and provider commitments - language designed to reduce legal ambiguity and anchor the product's privacy claims to enforceable, jurisdiction-specific standards.
One notable addition is a clarification regarding the provider's 30-day money-back guarantee, which the new Terms specify may be used only once per user. Beyond that commercial detail, the revised document signals that PrivadoVPN is building a legal infrastructure intended to withstand scrutiny - both from regulators and from users who want to understand precisely what protections they are purchasing.
Broader Significance for the VPN Industry
PrivadoVPN's departure from Switzerland is part of a wider pattern. As European governments - and now Switzerland, acting in alignment with EU-adjacent surveillance priorities - tighten their legal grip on digital services, the definition of a "privacy-friendly jurisdiction" is becoming a moving target. Companies that built their positioning around Swiss or European incorporation are being forced to reassess whether that positioning still holds.
PrivadoVPN has responded by backing its privacy claims with a concrete legal action rather than a public statement. The free tier, which offers 10GB of monthly data with no speed restrictions and includes a kill switch, has already made the provider notable in a crowded market. The premium service adds unlimited data, up to ten simultaneous connections, and server access across more than 60 countries. Those features now operate under a legal framework specifically constructed to prevent mandatory data collection. For security-conscious users, that alignment between product promise and legal reality is exactly the kind of accountability that distinguishes a credible privacy tool from one that simply markets itself as one.
