When ChatGPT feels risky: use a VPN to protect your chats

Using ChatGPT with a VPN can be straightforward — but if you care about privacy, there are traps to avoid. This guide explains what goes wrong, how browser extensions and some “free VPNs” can leak or sell your prompts, and concrete steps South African users should take to keep AI conversations private and secure.

Why you might need a VPN when using ChatGPT AI chat tools are powerful, but they gather data: prompts, replies, session IDs and metadata that services may log. A VPN primarily protects your network traffic by encrypting the path between your device and the VPN server and by masking your IP. That hides your public IP address from the AI provider and your ISP, helps avoid ISP throttling, and can reduce location-based restrictions.

But: a VPN is not a cure-all. It protects network-layer data, not everything inside your browser. Recent reports and investigations show that some browser extensions inject scripts (for example chatgpt.js) that intercept fetch() and XMLHttpRequest() calls and capture prompts, responses, conversation IDs and session metadata before traffic is even presented by the browser. Those captured records can be compressed and sent to analytics domains — meaning a VPN alone won’t stop an extension from exfiltrating your chat contents.

What the biggest risks look like (real examples)

• Malicious or sloppy browser extensions: An extension with millions of installs can inject JavaScript into the page, capture AI inputs/responses and transmit them to third-party analytics. That happens even when a VPN is active because the extension runs inside your browser, not on the network level. (See the Urban VPN extension investigation and aggregated reporting.)
• “Free” VPNs and proxies that log: Some free VPNs monetize by collecting and selling telemetry. They might appear to protect you while quietly keeping records that can be tied back to your sessions.
• Fake VPNs or browser “secure network” features that are really proxies: Not all built-in browser features are full VPNs; some are limited proxies that give a false sense of security. Independent researchers have flagged such limitations.
• DNS leaks and local telemetry: Poorly configured clients can leak DNS queries to your ISP even with a VPN running. Advanced attackers or misconfigurations can still correlate activity.

A practical checklist before you open ChatGPT

1. Audit extensions: Disable browser extensions that you don’t trust. Remove any free VPN/proxy extension you haven’t verified. If an extension must stay, inspect its permissions and recent security reporting. Extensions can capture chats locally and send them out even with a VPN active.
2. Choose a reputable VPN provider: Pick a provider with a clear no-logs policy, strong encryption (WireGuard/OpenVPN/IKEv2), and audited claims. Paid providers are generally safer than “free” ones that need to monetize.
3. Use a secure browser profile or a separate browser: Create a dedicated browser profile (or a separate browser) for AI chat sessions with only the minimal extensions installed. This reduces the chance of cross-site interception by unrelated extensions.
4. Check DNS handling: Enable the VPN’s DNS or set DNS over HTTPS/TLS in your browser. Confirm the VPN prevents DNS leaks with a test site.
5. Keep software up to date: Browser, OS, VPN client — updates often patch security issues that attackers exploit.
6. Avoid installing “featured” extensions blindly: Large marketplaces sometimes highlight extensions that still carry risks. Vet them before installing.

Step-by-step: using ChatGPT with a VPN safely (desktop)

1. Install a trusted VPN app from the official provider website or app store. Log in and enable the VPN. Choose a nearby server for speed (South African or nearest region).
2. Open a fresh browser profile (no extensions). If you prefer to keep a default profile, create a new one labelled “AI-chat”.
3. Confirm the VPN is active and test for IP/DNS leaks using a privacy check tool. Ensure the visible IP corresponds to the VPN location.
4. Navigate to ChatGPT. Do not install or enable any browser extension that declares it integrates with ChatGPT unless you’ve verified its source and code review.
5. Use account-level privacy settings where available: check chat export options, conversation retention settings, or data-sharing toggles in the AI provider UI.
6. When finished, clear local site data or use the browser’s “clear cookies and site data” for chat.openai.com to remove cached tokens or session data.

Step-by-step: using ChatGPT with a VPN safely (mobile)

1. Use the VPN app from a trusted provider installed via the official store. Ensure the VPN uses modern protocols and has a kill switch option — enable it.
2. Use the official ChatGPT mobile app or a browser in private/incognito mode with no extra extensions.
3. Confirm the VPN is connected before opening the app. If the VPN disconnects unexpectedly, the kill switch should block traffic to prevent leaks.
4. Avoid using “VPN” browser extensions on mobile; they are often proxies or limited and may not protect app traffic.

Advanced tips and settings

• Kill switch: Always enable the VPN kill switch so that if the VPN drops, your device won’t fall back to an unprotected connection and leak your IP or in-progress chat traffic.
• Split tunneling: Use split-tunneling carefully. If you exclude your browser from the tunnel, the browser traffic will bypass the VPN — only enable split tunneling if you intentionally want traffic outside the VPN.
• Account hygiene: Use strong, unique passwords and enable 2FA on your AI service accounts. If a provider offers workspace or team settings, verify who can access conversation logs.
• Threat detection: For corporate or sensitive use, consider endpoint protection that monitors for unusual extension behaviors and blocks scripts that attempt to intercept fetch() or XMLHttpRequest() calls.
• Local encryption: For extremely sensitive prompts (e.g., proprietary IP or patient data), avoid sending them to public AI services at all, or use on-premises/private LLM deployments.

What to do if you suspect an extension leaked your chats

• Uninstall the suspicious extension immediately from every browser.
• Revoke tokens and change passwords for AI accounts that were active during the suspected leak.
• Clear cookies and local storage for the AI site(s).
• If personal data was exposed, follow local data breach guidance and, when relevant, notify affected parties.

Choosing the right VPN for private AI chat (criteria)

• No-logs policy, preferably audited by an independent firm.
• Strong encryption and modern protocols.
• Built-in DNS leak protection and a verified kill switch.
• Good speed for real-time chat responsiveness.
• Clear privacy policy that describes telemetry and metadata retention.
• Transparent ownership and jurisdiction — consider how local laws may affect data requests.

Common myths, debunked

• “If I use a VPN, nothing can see my prompts.” False — browser-level code (extensions, injected scripts) can capture input before the network layer.
• “Free VPNs are safe if they show an IP change.” Not necessarily — many free services log and sell metadata.
• “Built-in browser VPN = same as full VPN.” Some browser features are lightweight proxies and do not encrypt DNS or protect all apps.

Local considerations for South African users

• Server choice: Use South African or nearby African servers for the best latency if available. If your VPN lacks local servers, choose the closest region to balance speed and privacy.
• Payment and anonymity: If you prefer extra privacy when subscribing, choose providers that accept privacy-respecting payments (crypto or gift card options).
• ISP behaviour: ISPs may throttle or monitor certain traffic types. A VPN can prevent ISP profiling, but remember it won’t stop data capture inside your browser by hostile extensions.

Quick checklist to follow now

• Remove unknown Chrome extensions and audit permissions.
• Install a reputable paid VPN and enable kill switch + DNS protection.
• Use a separate browser profile or incognito window for AI chats.
• Test for DNS/IP leaks.
• Revoke compromised tokens and change passwords if you suspect leakage.

Conclusion A VPN is a vital privacy tool for South African users who want to protect their ChatGPT sessions from network-level observers and ISP profiling. However, the real weak link can be inside your browser: extensions and injected scripts that capture prompts and session data. Combine a good VPN with disciplined extension management, secure browser profiles, and endpoint hygiene to keep your AI conversations private and under your control.

📚 Further reading

Here are three useful sources to learn more about VPN risks, best practices, and recent investigations.

🔸 “Urban VPN extension data-collection report”
🗞️ Source: top3vpn.us – 📅 2026-02-24
🔗 Read the report

🔸 “VPN tricks and tips you didn’t know you needed (but definitely do)”
🗞️ Source: ZDNet – 📅 2026-02-23
🔗 Read the article

🔸 “Le "VPN gratuit" de Edge ne protège presque rien, selon un expert de Brave”
🗞️ Source: Clubic – 📅 2026-02-23
🔗 Read the article

📌 Disclaimer

This post blends publicly available information with a touch of AI assistance.
It’s for sharing and discussion only — not all details are officially verified.
If anything looks off, ping me and I’ll fix it.