Skip to main content
Privacy Detection Database Download

Privacy Detection That Works at Decision Time, Locally.

Fraud reviews and security investigations lose critical context when anonymized traffic goes undetected at decision time. A VPN flag arrives after a payment is approved. A SOC analyst triages an alert without knowing the source IP was a Tor exit node.

98.124.34.221San Francisco, CA · AS7922 · Comcast Cable
ALLOW
vpn
residential proxy
tor
hosting
73.156.214.88Brooklyn, NY · AS701 · Verizon Fios
FLAG
vpn
residential proxy
tor
hosting
service: "NordVPN · commercial VPN exit"
47.221.180.55Austin, TX · AS33363 · Charter Spectrum
BLOCK
vpn
residential proxy
tor
hosting
service: "Bright Data · residential proxy"
17 of 20
VPN providers advertised exit-node locations that didn’t match their real infrastructure.
These providers advertised exit node countries did not consistently match observed infrastructure locations, indicating how critical accurate detection is.
The constraint

Three Environments Where an API-Based Lookup Doesn’t Fit.

An API is the right tool for plenty of privacy detection work. But some environments carry constraints an outbound lookup can’t satisfy.

Latency

An API call adds round-trip time at the exact moment a fraud or security decision is being made. A delayed VPN or proxy flag during login or payment review can turn a detectable event into an approved transaction or successful account takeover.

External dependency

An outage during a fraud campaign or active security incident means anonymized traffic goes unflagged entirely. Fraud teams approve transactions without VPN or proxy context, while SOC teams investigate alerts without visibility into masked infrastructure.

Data residency and compliance

Many regulated environments require all enrichment and decisioning to happen internally. Financial services, healthcare platforms, and government security operations often cannot route transaction or authentication data through external APIs during live workflows.

The stakes

When Anonymized Traffic Loses Context at Decision Time

Privacy signals shape fraud reviews, escalation workflows, and security investigations long before an incident reaches a human analyst. When VPN, proxy, Tor, or relay context arrives late, teams make decisions with incomplete visibility.

1Blind approval

One blind decision

A payment clears, or a login is allowed, before the VPN, proxy, or Tor signal reaches the review. The decision ships on time, just without the one piece of context that would have changed it.

2Missed escalation

And nothing catches it

Because nothing flagged the anonymized source, the event is never escalated or re-reviewed. The bad call now sits inside your system looking exactly like a good one.

3Silent spread

And it spreads

The same actor reuses the same anonymizing infrastructure across more sessions and accounts. With no signal tying them together, each one is treated as unrelated and clean.

4Cold investigation trail

And the trail goes cold

When the pattern finally surfaces, the proxy context is identified only in hindsight. Investigations drag, escalation quality drops, and the audit trail can't reconstruct what was actually connected.

RecoverableHardest to undo
Why now

Why Many Privacy Detection Tools Create Operational Gaps

Most privacy detection tools were built around convenience rather than operational control. That becomes a problem when fraud systems, security workflows, and compliance reviews depend on accurate anonymization signals at decision time.

Free / open-source

Free and open-source lists often provide limited coverage, infrequent updates, and little visibility into hosting or broader anonymization infrastructure.

Inference-based

Many privacy datasets rely on indirect indicators such as hosting classifications, ASN ownership, or historical reputation. Those signals can be useful, but they don't always reflect how an IP is being used today.

Black-box scoring

Black-box scoring models collapse VPN, proxy, Tor, and relay signals into a single score. IPinfo exposes the underlying signals directly so teams can apply their own fraud, security, and compliance logic.

Want to see the data in action? We’ll show you exactly what the gap looks like on your traffic.

Run a benchmark
The resolution

The Privacy Detection Database: Anonymizer Detection Without External Dependencies

The database lives inside your infrastructure. VPN, proxy, Tor, and relay detection happens through local lookups, with no outbound API calls, rate limits, or external dependencies at decision time.

That means privacy signals remain available inside fraud prevention systems, security workflows, and regulated environments where decisions need to happen immediately. Every detection type is exposed as a discrete field, giving your team direct access to the underlying signals and full control over how they are used.

What you get
  • Local lookups
  • No HTTP
  • Air-gapped friendly
  • Same verdict everywhere

Pull a Sample. Run It Against Your Own Traffic.

Download a sample of the privacy detection database and compare it against recent login, transaction, or security event data. See how our signal change the outcome.

What's in the file

What's in the file.

Every anonymization signal ships as a discrete field you can act on, across the full IPv4 and IPv6 space.

Features
Details
is_vpn
VPN detection
is_proxy
Open proxy detection
is_tor
Tor exit node detection
is_relay
Relay detection
is_hosting
Hosting / datacenter detection
service
Named VPN service, where known
Coverage
Full coverage of the IPv4 and IPv6 space
Update Cadence
Daily, weekly, or monthly updates
Deployment
Local database lookups inside your infrastructure
How we know it's accurate

Transparent Signals You Can Trust

IPinfo takes a different approach to privacy detection. VPN, proxy, Tor, and hosting detections are exposed as discrete fields, giving your team direct access to the underlying signals. Fraud teams, security analysts, and compliance teams can build logic around the factors that matter in their environment instead of adapting their workflows to a vendor-defined score.

MetricIPinfoIndustryEdge
Commercial VPN recall98.6%91.2%+7.4pt
Residential proxy recall96.0%74.5%+21.5pt
Tor exit identification100%99.1%+0.9pt
Service name attribution78%32%+46pt
Industry baseline = avg. of leading databases in the same category · sampled Q1 2026

Direct Provider Verification

Active subscriptions to the VPN services we track provide firsthand visibility into provider infrastructure. That direct verification helps identify anonymization infrastructure that legacy detection methods often miss.

210+
VPN providers tracked

Active Infrastructure Detection

Internet-wide scanning, VPN handshake testing, traceroute analysis, and infrastructure measurement help uncover anonymization services operating across the internet. This approach provides visibility into infrastructure that is otherwise difficult to identify.

Internet-wide
Infrastructure scanning

Daily Refreshes for Changing Infrastructure

Privacy datasets are most accurate when they reflect how anonymization infrastructure operates today. Daily refreshes help account for newly deployed exit nodes, infrastructure changes, and provider updates.

24 hours
Updates every 24 hours
The philosophy

The Signals Matter More Than the Score

Most privacy detection tools give you a score. Those abstract away the signal.

What constitutes a high-risk IP depends on your environment, your users, and your risk tolerance. IPinfo exposes VPN, proxy, Tor, and relay detections as discrete fields, giving your team the inputs to build scoring, decisioning, and investigation workflows that fit your use case.

What competitors ship
risk_score: 87 — opaque, vendor-defined, hard to defend in an audit.
What we ship
vpn: true, proxy: false, tor: false, hosting: true, service: "NordVPN" — your rule, your call.
Delivery

Switching Privacy Detection Databases Without Rebuilding Your Stack

One catalog. Four formats. Daily refresh. Pick the one your stack already speaks.

If you're already running a local privacy detection database, switching to IPinfo is a file swap: same place in your stack, richer signals underneath. The database ships as MMDB for fast binary lookups and CSV for database imports, with Parquet and JSON for data lake and warehouse pipelines like Snowflake, Databricks, and BigQuery. Daily updates drop straight into the tools you already run, from Splunk and Microsoft Security Copilot to your own fraud, SIEM or SOAR, and enrichment workflows.

MMDB

~140 MB

Memory-mapped binary. Sub-millisecond reads for authentication, fraud prevention, and security workflows.

CSV

~420 MB

Range-per-row. Easy imports into warehouses, enrichment pipelines, and internal tools.

JSON

~580 MB

One record per IP block. Built for APIs, automation, and systems that already speak JSON.

Parquet

~110 MB

Columnar and compressed. Optimized for Snowflake, Databricks, BigQuery, and large-scale analytics.

How it gets to you

Cloud storage push

AWS S3, Google Cloud Storage, or Azure Blob Storage. Pulled into your account via presigned URL. IAM-scoped, versioned, region-pinned.

Direct download

Signed HTTPS URL with a rotating token. Drop into a cron, ship to your CDN, mirror to your registry.

Webhook

POST to your endpoint the moment a new snapshot is signed and ready. Useful for time-sensitive fraud rules.

Cloud marketplace

Subscribe through Snowflake Marketplace or Google Cloud Marketplace. Procure on existing cloud commit, data flows into your account.

Plugs into your stack

The file lands in your environment. From there, it's a connector or a one-line load into whatever your team already runs.

Lookup CSV / KV store ingest
Microsoft Sentinel
Watchlist / custom log enrichment
Palo Alto Cortex XSOAR
Privacy-aware playbook lookups
External stage + Parquet copy
Federated Parquet or load job
Databricks
Auto Loader on the Parquet drop
Kafka Connect
Re-emit deltas as a topic
Elastic / OpenSearch
Enrich pipeline processor
Need a custom landing target? OEM, on-prem mirror, or air-gapped artifact registry — talk to sales.
Try before you talk to us

See What Anonymized Traffic Looks Like in Your Environment

Run IPinfo's privacy detection data against your own traffic. Evaluate VPN, proxy, Tor, hosting, and relay signals against real activity and see how additional context improves your day-to-day work.

Trusted for fraud and security decisioning
CiscoMicrosoftCloudflareDockerGoogleDataDogSnowflakeOpenAIAnthropic
Froyoo

IPinfo’s high-quality data and complete contextualized IP insights have significantly improved advertising revenue for our customers, and the seamless integration with IPinfo’s databases via API led to a smooth onboarding process for our development team.

Ilan Zweig
Ilan ZweigHead of Product at Froyoo
Fingerprint

We ended up evaluating two different vendors where IPInfo proved to be better both in terms of overall performance (number of correctly identified VPNs) and data labeling.

Petr Palata
Petr PalataSr Technical Product Manager at Fingerprint

We track something we call 'meantime to verdict'—from the moment an alert hits our API to the time we decide on an action. A human-led SOC might need minutes or hours, but we operate in milliseconds. IPinfo is part of that pipeline, and we've never once seen an outage or slowdown. Meanwhile, some big-name vendors go down every Sunday for maintenance, which is maddening. Thanks to IPinfo, we can stay under one second, because it provides the critical context we need.

Jake ReynoldsCo-Founder / CTO at Wirespeed
Froyoo

IPinfo’s high-quality data and complete contextualized IP insights have significantly improved advertising revenue for our customers, and the seamless integration with IPinfo’s databases via API led to a smooth onboarding process for our development team.

Ilan Zweig
Ilan ZweigHead of Product at Froyoo
Fingerprint

We ended up evaluating two different vendors where IPInfo proved to be better both in terms of overall performance (number of correctly identified VPNs) and data labeling.

Petr Palata
Petr PalataSr Technical Product Manager at Fingerprint

Not Sure You Need the Database?

If your volumes are modest or your lookups are occasional, the API or a standard subscription may serve you better: the same IP privacy data, delivered differently. We’d rather route you to the right fit than sell you more than you need.

Put the lookup next to your code.

Pull a sample dataset and run it against your traffic. Talk to sales when you're ready to size a license to the volume you're actually pushing.

Frequently Asked Questions

  • For the majority of teams, the transition is straightforward. IPinfo's privacy detection database is available in familiar formats and can be integrated into the same fraud, security, and enrichment workflows.

  • IPinfo combines direct observation, infrastructure verification, and continuous validation to classify VPN, proxy, Tor, relay, and hosting infrastructure. The dataset is refreshed daily and regularly verified against active anonymization services and observed network behavior.

  • Daily. VPN providers add exit nodes, hosting providers change ownership, and proxy infrastructure shifts constantly. Daily updates help keep classifications aligned with active infrastructure.

  • Yes. The database is designed for local deployment and can be used in environments where outbound API calls are restricted or unavailable.

  • MMDB, CSV, JSON, and Parquet. Teams use MMDB for high-performance local lookups, while CSV, JSON, and Parquet support enrichment pipelines, analytics environments, and data warehouse workflows.

  • Deploy the database locally and perform lookups directly inside your application, fraud platform, SIEM, SOAR, or enrichment workflow. All classifications are available without contacting an external service at decision time.

  • MMDB is a compact binary database format optimized for extremely fast IP lookups. It is widely used in production environments because it supports local lookups with minimal latency and resource overhead.

  • Yes. IPinfo supports OEM and redistribution use cases for organizations building commercial products and customer-facing platforms.

  • Synthetic identity operations often rely on VPNs and other anonymization services to create and manage accounts at scale. Privacy detection adds infrastructure context that helps fraud teams evaluate whether activity originates from environments commonly associated with account abuse.

  • Fraud velocity refers to the speed and frequency of suspicious activity. Privacy detection signals can provide additional context when identifying coordinated activity originating from anonymized infrastructure.

  • Yes. Privacy detection coverage includes both IPv4 and IPv6 address space, helping teams maintain visibility as IPv6 adoption continues to grow.