Mullvad VPN

Mullvad VPN AB is registered with Bolagsverket as organisation number 559238-4001 at Box 53049, 400 14 Gothenburg, Sweden, with a visible office at Engelbrektsgatan 28. Its sole shareholder is Amagicom AB (organisation number 5567839807, same Gothenburg address), and Amagicom AB is in turn 100% owned by founders Fredrik Strömberg and Daniel Berntsson, who remain actively involved in the company. The about page states this verbatim: 'Both Mullvad VPN AB and our parent company Amagicom AB are 100% owned by us, the founders Fredrik Strömberg and Daniel Berntsson, who are actively involved in the company.' No venture capital, private-equity money, IPO or foreign holding entity sits above the group -- a distinguishing feature among consumer VPNs, where competitors typically sit under PE-style holding structures.

The Mullvad group has no US-incorporated entity. Mullvad VPN AB and Amagicom AB are both Swedish aktiebolag in Gothenburg, both founder-owned, and no US, UK or other foreign subsidiary is disclosed in any public source. There is therefore no corporate Mullvad entity the US CLOUD Act could compel directly. Mullvad does use two US subprocessors -- Stripe Inc. for credit-card payment processing (card data only; users who pay in cash, Monero or via Swish/SEPA do not touch Stripe) and Google LLC for the inbound MX terminator on non-customer-facing corporate mail (customer-facing support email was self-hosted in 2024) -- both of which are themselves CLOUD-Act-reachable, but neither sees VPN traffic, DNS queries or connection metadata. Mullvad does operate VPN servers physically located in the United States across roughly 19 cities; those are subject to in-country law-enforcement compulsion at the colocation level, but Mullvad's RAM-only / no-logs architecture means there is no historical customer data to hand over, and customers can choose to avoid US (or any other Five-Eyes) exit servers entirely.

Per the no-logs policy at mullvad.net/en/help/no-logging-data-policy: 'no logging of traffic, no logging of DNS requests, no logging of connections (including when one is made and when it disconnects), no logging of IP addresses, no logging of user bandwidth.' The data Mullvad does retain is limited to the random 16-digit account number, account expiry, the WireGuard public key and tunnel address when WireGuard is in use, short-retention payment metadata (20 days for transaction IDs) and statutory accounting records retained up to 7 years per the Swedish Bokföringslagen. The Swedish Police National Operations Department executed a search warrant on the Gothenburg office on 2023-04-18 -- the first in 14 years of operation -- and left empty-handed because there was no customer data to seize.

Mullvad generates a random 16-digit account number on demand at mullvad.net/account/create; no email, no username and no password are required. Pay anonymously by mailing physical cash in any of nine currencies (the envelope is destroyed after the cash is counted) or by sending Monero to Mullvad's own XMR wallet. Cash payments are non-refundable per AML rules; Mullvad records only the amount, the currency and the timestamp. Card, PayPal, bank wire and Swish are accepted but link the account to a name; in those cases the transaction ID is deleted after 20 days while statutory accounting records are retained 7 years per the Swedish Bokföringslagen.

Mullvad's verbatim stated policy at mullvad.net/en/help/how-we-handle-government-requests-user-data: 'We must -- and do -- make it impossible for us to fulfill any data request. There is simply no data to request, nor confiscate in the case of physical seizure.' On the question of being compelled to spy, the company adds: 'we will cease operation of our service in the affected jurisdiction and only resume it if the legal situation has been remedied.' Swedish law currently does not allow forced surveillance assistance. The 2023-04-18 Gothenburg search warrant is the only real-world stress test on record; Mullvad demonstrated the no-logs architecture, the prosecutor was consulted and no data was seized.