The built-in VPN: our relays, zero logs by design.
A VPN is supposed to hide where you are and who you are. Most of them quietly do the opposite — logging your activity and selling it, or handing it over the moment someone asks. Helix bakes a real VPN into the app, running on our own network: choose your exit country, rotate your exit IP, fail closed if the tunnel drops, and keep nothing to hand over. Here's how it works, and why "free VPN" is usually the trap.
1. What a VPN actually does
A VPN — virtual private network — does one core thing: it routes your internet traffic through an encrypted tunnel to a server somewhere else, and the wider internet sees that server's address instead of yours. Two consequences follow. First, whoever is between you and the VPN server — your internet provider, the café Wi-Fi, a state-run telecom — sees only an encrypted tunnel, not the sites and services you reach through it. Second, the websites and services you connect to see the VPN server's location and address, not your real one. You appear to be somewhere you are not, and your real address stays hidden from the destination.
That is genuinely useful. It stops the local network from profiling your browsing, frustrates address-based tracking and geo-fencing, and puts a layer between your real location and everything you touch. But it comes with a catch that almost nobody thinks hard enough about: the VPN provider now sits in the middle of all your traffic. Whatever your provider sees, logs or chooses to keep is the new single point of failure. You have not removed the watcher — you have moved it, and you had better trust where you moved it to.
2. The problem with most VPNs
The commercial VPN market is enormous, loud, and largely built on a promise it cannot prove: "we don't log." Here is why that promise is so often hollow:
- "Free" VPNs sell you. Running a global VPN costs real money. If you are not paying, the business model is your data — many free VPNs have been caught logging activity, injecting ads and trackers, or outright selling browsing records. You are not the customer; you are the product being shipped.
- "No-logs" is mostly unverifiable marketing. A provider can write "zero logs" on its homepage while quietly retaining connection records on the back end. The claim is only as good as the architecture behind it, and most users have no way to check. Court cases have repeatedly surfaced logs from providers who swore they kept none.
- Someone else owns the servers. Most VPN companies rent their servers from third-party hosting providers. Even an honest VPN operator does not fully control that hardware — the hosting company, and whoever can lean on it, may.
- It is still one company in the middle. Whatever they keep, they can be compelled to produce, breached to leak, or tempted to monetize. The VPN consolidates your entire traffic stream into one place — which is exactly what an adversary wants.
The honest summary: a VPN only improves your privacy if the provider's incentives and architecture are aligned with not betraying you. For most of the market, they are not.
3. Our own relays, baked in
Helix takes a different approach on both counts. First, the VPN is built into the app — not a separate subscription you bolt on, not a "partner" service, but part of the same suite as your encrypted messaging, calls and files, riding the same private infrastructure. Second, and more importantly, it runs on Helix's own relays and Helix's own protocol — not rented capacity from a third-party host, and not an off-the-shelf VPN stack with a known shape for an attacker to target.
Owning the network changes the security story fundamentally. There is no separate VPN company in the middle to log you, no hosting provider sitting under the servers, no external operator to subpoena or breach. The VPN, the onion network and the encrypted transport are one private network, controlled end to end, rather than a chain of third parties each with their own logs and their own legal exposure. When the same people who built the encryption also build and run the relays, the "trust the provider" problem shrinks to a single, accountable party with a design built specifically to have nothing worth keeping.
4. Choose your exit country
The "exit" is the point where your traffic leaves the private network and rejoins the ordinary internet — and therefore the location and address the outside world sees. Helix lets you choose your exit country from a set of privacy-friendly regions. Surface in another country with a single selection: to every website and service you reach, you appear to be there, while your real location stays yours.
This matters for more than convenience. Where you appear to be can affect what an adversary can infer about you, which jurisdiction's services you appear to be using, and whether your real movements can be correlated with your online activity. Picking your exit country puts that decision in your hands rather than leaving it as an accident of which server you happened to connect to. If you are traveling through a region with aggressive network surveillance, surfacing your traffic somewhere else means the local watcher sees only an encrypted tunnel leaving the country, not the destinations you actually reach — and the destinations see a location that has nothing to do with where you physically are.
It is also worth noting what a VPN exit does not do, so you choose it for the right reasons. Appearing to be in another country changes the address and location the destination sees; it does not, by itself, make you anonymous, because anonymity is about breaking the link between you and your activity over time, which is the onion network's job. Think of the exit country as controlling your apparent location, while the onion routing controls your apparent relationships. Helix gives you both, on the same infrastructure, so you don't have to pick one and lose the other.
5. Rotating exit IP
A fixed exit address is a fixed identity. If all your traffic always leaves from the same IP, that address becomes a stable handle an observer can pin to you — a single dot they can watch, build a profile around, and follow across services and over time. Even without your name, "the person who always exits from this address" is trackable.
Helix offers a rotating exit IP (on Operator and up): your outbound address changes over time rather than staying fixed. Instead of one stable dot on the map, you are a moving target. Correlating your activity across sessions and services becomes meaningfully harder, because the address that ties it all together keeps changing underneath the watcher. It is the difference between always wearing the same coat and changing it as you move through a crowd.
6. Fail-closed: the leak that isn't
Here is the failure mode that quietly undoes most VPNs. The tunnel drops — a flaky connection, a server hiccup, a network change as you walk between Wi-Fi and cellular. For a fraction of a second, or longer, your device falls back to its ordinary connection and sends traffic in the clear, from your real address. You never see it happen. But in that gap, your real IP leaked to whatever you were connected to, and any local watcher saw your raw traffic. Everything the VPN was protecting was undone by a momentary stumble you didn't even notice.
Helix is fail-closed, sometimes called a kill switch but stricter: nothing connects unless the secure tunnel is up first, and traffic never silently falls back to your real connection. If the tunnel is not established, the app simply does not send — it does not quietly route around the protection to keep things working. The fail-safe is privacy, not connectivity. A VPN that "helpfully" drops to your raw connection when it struggles is worse than no VPN, because it lulls you into trusting a shield that turns itself off without telling you. Fail-closed means the shield is either up or you're not connected — never the dangerous in-between.
The distinction between a kill switch and being fail-closed by design is real. A typical kill switch is reactive: it watches for the tunnel to drop and then scrambles to block traffic — leaving a small window where packets can escape before the switch trips. Fail-closed is the opposite posture: the default state is blocked, and traffic is only ever permitted once the secure tunnel is confirmed up. There is no race condition, because nothing was ever allowed out by default. Network changes that quietly bite ordinary VPNs — switching from Wi-Fi to cellular, a sleeping phone waking up, a captive-portal hijack at a hotel — don't open a leak window, because the starting assumption is always "send nothing until the tunnel is proven." For someone whose real address leaking even briefly is a genuine risk, that difference is the whole value of the feature.
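The race window described above, as an added Python model (not Helix's code): it replays one constructed timeline under a reactive kill switch and under a default-blocked gate, and reports which packets leave on the raw connection. The event times, the 50 ms detection delay and the assumption that the reactive switch starts in the allow state are illustrative.

```python
# Constructed timeline in milliseconds (illustrative, not measured data).
# "up"/"down" are tunnel state changes; "pkt" is the app trying to send.
TIMELINE = [
    (0, "pkt"),      # device wakes and sends before any tunnel exists
    (10, "up"),
    (20, "pkt"),
    (100, "down"),   # Wi-Fi to cellular handover drops the tunnel
    (105, "pkt"),
    (130, "pkt"),
    (180, "pkt"),
    (300, "up"),
    (310, "pkt"),
]
DETECT_MS = 50  # assumed time a reactive kill switch needs to notice a drop


def simulate(timeline, policy, detect_ms=DETECT_MS):
    """Return [(time, fate)] per packet; fate is 'tunnel', 'dropped' or 'LEAKED'."""
    if policy not in ("reactive", "fail_closed"):
        raise ValueError(f"unknown policy: {policy}")
    tunnel_up = False
    down_since = None  # when the watcher's clock started on the current drop
    fates = []
    for t, event in timeline:
        if event == "up":
            tunnel_up, down_since = True, None
        elif event == "down":
            tunnel_up, down_since = False, t
        elif tunnel_up:
            fates.append((t, "tunnel"))
        elif policy == "fail_closed":
            # Default state is blocked: no confirmed tunnel, nothing leaves.
            fates.append((t, "dropped"))
        else:
            # Reactive: default is allow; blocking starts only after detection.
            blocked = down_since is not None and t - down_since >= detect_ms
            fates.append((t, "dropped" if blocked else "LEAKED"))
    return fates


def leaked(fates):
    """Times at which a packet left on the raw connection."""
    return [t for t, fate in fates if fate == "LEAKED"]


if __name__ == "__main__":
    for policy in ("reactive", "fail_closed"):
        print(policy, "leaks at ms:", leaked(simulate(TIMELINE, policy)))
```

Shrinking `DETECT_MS` narrows the reactive window but never closes it; only the default-blocked policy yields an empty leak list regardless of timing.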
7. Zero logs by design
"We don't keep logs" is a promise. "There are no logs to keep" is an architecture. The distinction is everything.
Helix is built for zero logs by design: the network and systems are constructed so that there is nothing meaningful to retain in the first place. This is not a policy that could be quietly reversed in a settings file, and it is not a marketing line on a homepage — it is a structural choice about what the infrastructure even records. The reasoning is simple and a little ruthless: data you never collect cannot be subpoenaed, cannot be breached, cannot leak, and cannot be sold or mined later. The only logs that are truly safe from compulsion and accident are the ones that were never created. By designing the system to have nothing worth keeping, Helix removes the single richest target an adversary or a court could go after.
The safest record is the one that doesn't exist. Helix doesn't promise to guard your logs — it's built so there's nothing worth keeping in the first place.
There is a second reason the design-level claim is stronger than a policy. A logging policy lives in a document and a configuration that a company can change — under pressure, after an acquisition, or quietly to chase a new revenue line — without you ever knowing. An architecture that doesn't generate the records in the first place can't be flipped with a setting, because the data was never on the table. The honest version of "no logs" is not a vow of restraint by people who could see everything; it is a system deliberately built so that the sensitive records never come into existence. That is the standard worth holding a VPN to, and the one most of the market quietly fails.
8. Why it matters to you
A VPN you actually control matters most to the people for whom a leaked address or a retained log is not an inconvenience but a real exposure:
- Executives. Travel, deal activity and the locations you connect from can themselves be intelligence. A fail-closed tunnel on your own relays means a hotel network or a borrowed connection never sees your real traffic, and there is no provider log of where you were and what you reached.
- Lawyers. The same connection that protects privileged content has to not leak it during a momentary drop. Fail-closed behavior and zero-logs-by-design mean a flaky courthouse Wi-Fi can't expose you and there's no record to be compelled later.
- Journalists and the targeted. A real exit IP leaking for even a second can be the difference between safe and identified. Rotating exits and a fail-closed tunnel are not features here — they are the whole point. And no logs means nothing for a hostile party to seize.
- Crypto whales and family offices. An address that consistently connects to particular services maps your holdings and habits. Choosing and rotating your exit breaks that fixed handle, and owning the relays means no third party is quietly recording the pattern.
For everyone in that group, the difference between a free VPN that sells your data and a fail-closed VPN on your own relays with nothing to log is not a feature comparison — it is the difference between protection and a false sense of it.
9. How Helix does it
The VPN is part of the Helix suite, not a separate product. It runs on the same private relays and protocol that carry your encrypted messages and calls, so there is one private network underneath everything rather than a stack of third-party services. You pick your exit country from privacy-friendly regions; on Operator and up, your exit IP rotates. The tunnel is fail-closed — up first or not at all — and the systems are built for zero logs by design. Because Helix builds and runs the relays itself, there is no external VPN company, no rented hosting under the servers, and no off-the-shelf stack to fingerprint.
Pairing the VPN with the rest of the suite is deliberate. A VPN hides your address and your local traffic; it does not encrypt your conversations end to end, hide the who-talks-to-whom metadata, or defend a device that is already infected. Helix layers the VPN with post-quantum encryption, an onion network and a device-level shield so that each protection covers a different gap — which is the honest way to build security, because no single layer does everything.
10. The honest limits
A VPN is one layer, and it's worth being clear about what it is not:
- A VPN is not anonymity by itself. It hides your address from the destination and your traffic from the local network, but on its own it does not break the who-talks-to-whom metadata pattern the way the onion network does. For metadata resistance, the VPN works with the onion routing, not instead of it.
- A VPN does not encrypt your conversations end to end. It protects the transport. The privacy of your actual messages and calls comes from Helix's post-quantum encryption layered on top — the VPN tunnel is not a substitute for it.
- A VPN cannot protect a compromised device. If spyware is on your phone, it reads your screen before any tunnel is involved. That is why the device shield exists alongside the VPN, and why Helix is honest that detection is a strong signal, not a guarantee.
- "Zero logs by design" describes the architecture, not a magic shield. It means the systems are built not to retain meaningful records — the strongest honest posture available. It is not a claim that any party could see something and chooses to forget it; it is a claim that there is nothing worth keeping to begin with.
Within those limits, the goal is a VPN that does the job the VPN market mostly fakes: your own relays, your chosen and rotating exit, a tunnel that fails closed, and nothing worth keeping behind it.