Likely, in Lithuania, where they are subject to data retention laws, which means they are obliged to keep data for 6 month. I can suggest to search for "NordVPN Tesonet", the scandal that happened a year ago or so. The data mining possibility is horrible on its own, but Reddit and Hacker News users have discovered much more on the way. Everything is already said and exposed, hard to believe how much influence in general media they have that they could bury the whole story.