You’ve heard the phrase dozens of times. In news headlines, in tech commentary, from friends who’ve switched to privacy-focused apps. “They’re selling your data.” It’s delivered with a kind of knowing gravity, as if the implications are obvious.
But when you actually stop and ask — who is selling what to whom, and what are they doing with it — the answers are less obvious than the phrase suggests. And understanding them properly changes what you think is worth worrying about, and what you can actually do.
What “Your Data” Actually Refers To
“Data” in this context isn’t one thing. It’s several different categories of information, collected by different parties, in different ways, for different purposes.
What apps collect. When you install an app and accept its permissions, you’re often granting access to things like your location, your contacts, your camera, your microphone, and your browsing history within the app. Many apps collect this information continuously — not just when you’re actively using them. A free game might request location access not because the game needs it, but because location data is valuable to the advertising networks the developer works with.
What websites track. Every website you visit knows your IP address, which browser you’re using, your screen resolution, roughly where you are, and which pages you look at. Many sites also use cookies — small files stored on your device — to track you across sessions and, in some cases, across different websites entirely. This is how an ad for something you looked at on one site follows you to a completely different site an hour later.
What gets sold. The companies that aggregate this information — data brokers — compile profiles: your interests, your likely income bracket, your shopping behaviour, your political leanings based on the sites you visit. These profiles are sold to advertisers, to political campaigns, to insurers, to anyone willing to pay for targeted access to people like you. You are not the customer in this transaction. You’re the product.
Why “Selling Your Data” Is Slightly Misleading
The phrase implies that someone takes your personal file and hands it to a stranger. The reality is usually more abstracted than that.
Most data isn’t sold as individual records with your name attached. It’s aggregated and anonymised — or supposedly anonymised — into audience segments. “People aged 25–40 in urban areas who have recently searched for car insurance and show interest in outdoor activities.” Your name isn’t in that description, but your behaviour contributed to it, and the targeting that results from it reaches you specifically.
The line between “anonymised data” and “identifiable data” is thinner than data brokers tend to acknowledge. Researchers have repeatedly demonstrated that combining a small number of data points — location history, age, browsing patterns — is enough to re-identify individuals even in datasets that were supposed to be anonymous. So the reassurance that “we don’t sell personal data, only anonymised insights” deserves some scepticism.
What a VPN Does and Doesn’t Address
A VPN protects what happens between your device and the internet — the traffic that travels over the network you’re connected to. It encrypts that traffic and replaces your IP address with the server’s. This is sometimes called the “network layer,” and it’s a real and specific category of exposure: what’s visible to others on the same network, and what your IP address reveals about your location wherever you go online.
What it doesn’t address is everything that happens at the app and website layer. If you’ve granted an app permission to access your location, a VPN doesn’t revoke that permission. If a website tracks you through cookies, a VPN doesn’t block those cookies. If you’re logged into a service, that service knows who you are regardless of your IP address.
This is an important distinction, and it’s worth being honest about. A VPN is not a privacy magic wand. It closes one window that was open; there are other windows.
That said, the window it closes is a real one. Your IP address is a persistent identifier that follows you across the web, linking your activity across different sites and services without you doing anything to enable it. Replacing it with a VPN server’s address disrupts that linkage. Combined with other habits — reviewing app permissions, using a browser that limits tracking, being thoughtful about what you log into — it’s a meaningful part of a sensible approach.
Starting Without Handing Over More Data
There’s a reasonable irony in addressing data privacy concerns by signing up for another service. The good news is that you don’t have to.
For most people, the phone is where this matters most — and for most people, that phone runs Android. A VPN for Android is available directly through the Google Play Store, installed the same way as any other app. What matters is choosing a provider whose business model doesn’t involve the same data practices you’re trying to reduce exposure to.
That means looking for a provider with a genuine no-logs policy, a transparent privacy policy, and a free tier that doesn’t fund itself through data collection. X-VPN offers a free VPN with no sign-up — no email address, no payment details required to get started. For someone who’s just read an article about data collection and is feeling appropriately cautious about handing over more information, starting without an account is a meaningful design choice, not just a convenience.
The Realistic Picture
“They’re selling your data” is true, in the way that most simplified versions of complicated things are true. The practice is real, it’s widespread, and most people would opt out of it if opting out were easy.
The full picture is more layered: different parties collect different things, the line between “anonymised” and “identifiable” is blurry, and the tools available to you address some parts of the problem and not others.
Knowing which parts a VPN covers — and which parts require different approaches — puts you in a more useful position than either dismissing the concern entirely or assuming one tool solves everything. Both of those miss something. Doing one thing well, knowing its limits, and building from there is a more honest starting point than either extreme.
