Privacy Analysis · Klarna Bank AB · 2025

KLARNA & YOUR DATA

111 million users. $180 million in advertising revenue. Purchase history, bank accounts, AI-generated behavioural profiles — and confirmed data sales to advertising partners. What Klarna really collects, how long it's stored, and why the Swedish data protection authority had to intervene twice.

Active Users: 111 M
Ad Revenue 2024: $180 M
Merchant Partners: 790 K
Markets Worldwide: 45
GDPR Fine: €671 K

The Scale of the Data Appetite

Figures that show how Klarna has transformed from a payment service into a data-driven advertising platform — and what that means for 111 million users.

📈
$180 M
Advertising revenue 2024 — 13× more than 2020. User data has long since become the actual product alongside credit services.
Klarna F-1 SEC Filing, Sept. 2025
10 Years
Maximum retention period for contract data. Even after account closure, most data remains legally required to be kept.
Klarna Privacy Policy v11.1.0, Mar. 2025
⚖️
€671,000
GDPR fine from the Swedish IMY — for simultaneous violation of 7 GDPR articles. Upheld by the Stockholm Court of Appeal in March 2024.
IMY Decision SE-2022-06 / Ruling 2829-23
🤖
2.3 M
AI customer conversations in the first month of the OpenAI assistant (Feb. 2024) — 66% of all support contacts in one month.
Klarna Press Release, February 2024
🔓
288,000
Internal estimate of potentially affected login accounts in the app data breach of November 2025 — estimated legal risk: $41.8 M.
Leaked internal Klarna documents, Nov. 2025
🏦
4,300+
European banks in the open banking network. 150 million transactions/year — Klarna sees all account movements of connected users.
Klarna Open Banking Platform, 24 markets
⚠️
The business model behind it: Klarna earns in three ways: (1) merchant fees per transaction, (2) interest on instalment payments, (3) advertising revenue through data profiling. This explains why Klarna has a fundamental economic interest in the most comprehensive user data possible — independent of the actual payment processing.

What Klarna Knows About You

Klarna's Privacy Policy v11.1.0 lists 12 categories of personal data. Entries highlighted in red are particularly sensitive or disproportionate for a payment service.

🪪 Identity & Contact (13 types)
Name & title, Date of birth, Place of birth, National ID number, Social security number, Nationality, Email address, Mobile number, Billing address, Delivery address, ID document photo, Video recordings, Audio recordings (phone)
💳 Payment & Financial (10 types)
Credit card number + CVV, Bank account number, Transaction history, Income level, Existing credit agreements, Payment defaults, Bank statements (open banking), Credit score (external), Credit history, Repayment behaviour
🛍️ Purchase Behaviour & Profiling (10 types)
Items & categories, Purchase prices & quantities, Merchant interactions, Shipment tracking, Return behaviour, AI-derived interests, AI-derived hobbies, Behavioural tendencies, Attitudes & preferences, Wish lists
📱 Device, App & Tracking (12 types)
IP address, OS & version, Browser & version, Screen resolution, Time zone & language setting, Device fingerprint, In-app browser history, GPS location data, Clickstream data, Scroll depth, Time on page, Session patterns
🏦 Open Banking Data (7 types · particularly critical)
All accounts & balances, All transactions (30–90 days), Rent & standing payments, Subscription spending, Leisure spending, Salary deposits, Debt level
⚠️ Sensitive Special Categories (Art. 9 GDPR)
Health data (with consent), Religious beliefs, Political opinions, Trade union membership, Biometric characteristics, Politically exposed person (PEP), Sanctions list entries
🔍
Open Banking: The invisible access. The German consumer organisation Verbraucherzentrale Baden-Württemberg explicitly warns: anyone who grants Klarna access to their account via PSD2 reveals a complete financial portrait — rent payments, streaming subscriptions, medical appointments, bar tabs. "This data enables a detailed profile of the actual standard of living that goes far beyond a simple credit check."

7 Ways Klarna Collects Data

Klarna uses a multi-layered data collection system that extends far beyond the individual payment transaction — even without an active purchase at a merchant.

01 🛒 Checkout Tracking
At every payment at one of 790,000 merchants — the Klarna web SDK captures user data at checkout before the purchase is completed
02 📲 Klarna App
Integrated in-app browser tracks every move on merchant sites; GPS location; push notification click behaviour; app usage patterns
03 🍪 Web SDK & Cookies
Klarna widget on merchant websites tracks non-buyers too. Performance cookies up to 3 years, targeting cookies up to 180 days
04 🏦 Open Banking (PSD2)
Direct access to bank accounts — 150 M transactions/year via 4,300+ banks in 24 European countries (formerly Sofort GmbH)
05 📊 Credit Reference Agencies
Schufa, Creditreform Boniversum, infoscore, Deutsche Post Direkt — automatically queried with every BNPL request
06 📧 Email Connect
Optional access to the user's email account to automatically capture purchase confirmations, subscriptions and delivery information
07 🤝 Data Brokers & Partners
External "data vendors", marketing/advertising partners, banks, public databases, debt collection agencies as a back-channel
🧠 AI Real-Time Scoring
100+ data points are analysed in real time per transaction by ML models → credit decision in under 1 second

What Klarna Uses Your Data For

Officially for payment processing and fraud protection — but Klarna's growing advertising business shows that user data is increasingly being commercialised.

01 Payment Processing & Credit Services (Core Business)
Core function: creditworthiness checks, transaction processing, invoicing to merchants and customers
02 Real-Time ML Credit Scoring (Risk Assessment)
100+ data points per transaction; ML models have reduced credit defaults by 56%; global default rate below 1%
03 Behaviour-Based Ad Profiling (Ad Revenue)
Interests, hobbies, attitudes from clickstream & purchase behaviour; own Klarna Ads Manager since Nov. 2023
04 Cross-Context Behavioural Advertising (Data Sale)
Confirmed data sale/sharing to Rakuten, Criteo, PubMatic, Google DoubleClick (CCPA disclosure)
05 AI Training & Product Optimisation (AI Training)
Anonymised usage data for ML models; legal basis: legitimate interest (Art. 6(1)(f) GDPR) — without explicit consent
06 Personalised Product Recommendations (Engagement)
Shopping feed in the app based on purchase history + browsing behaviour; 5.6 million products indexed
07 Reporting to Credit Reference Agencies (Financial Market)
In case of late payment: Schufa entry. Since Feb. 2023 (following consumer pressure): no impact on Schufa score for standard enquiries
Advertising Revenue Growth (USD)
2020: $13 M
2021: $22 M
2022: $40 M
2023: $91 M
2024: $180 M
Growth 2020 → 2024: +1,285% · Klarna F-1 Filing
Ads Manager (since Nov. 2023): Merchants buy advertising space directly within the Klarna ecosystem — based on purchase history, browsing behaviour and search terms of the 111 M users. Ad formats: Product Cards, Sponsored Search, Native Banners, Post-Purchase Offers.

Who Gets Your Data?

🚨
Confirmed by CCPA disclosure: Klarna's US privacy policy (forced into full disclosure by California's privacy law) confirms that, in the past 12 months, Klarna has sold and shared email addresses, device IDs, IP addresses and app usage data with marketing and media companies, explicitly for "cross-context behavioural advertising". The European privacy policy is silent on this.

Up to 10 Years — Even After Account Closure

Klarna's privacy policy sets out staggered retention periods. Complete deletion of all data is practically impossible — statutory retention obligations ensure that relevant data remains for years.

📜 Contract data (limitation period): up to 10 years
🚨 Anti-money laundering data (AML): up to 10 years
💼 Accounting data: 7 years
🕵️ Data held by fraud agencies: up to 6 years
⚖️ Debt-related data: 3 years
📞 Phone recordings (fraud): up to 3 years
🍪 Performance cookies: up to 3 years
📞 Phone recordings (quality): 90 days
🔍 Creditworthiness check enquiries: 90 days
🎯 Targeting cookies: 180 days
⏱️
Record: 3 years and 7 months. In one documented case, Klarna needed more than three years to comply with a subject access request under Art. 15 GDPR — instead of the required 30 days. The IMY also formally reprimanded Klarna in 2024 because a user could not change their email address on their Klarna account: Klarna stated this was "technically not possible" — a clear violation of the right to rectification under Art. 16 GDPR.

A Chronicle of Lost Control

From data breaches to GDPR fines to anti-money laundering penalties — Klarna has accumulated a remarkable collection of regulatory conflicts in just a few years.

2021 Data Breach
App Security Flaw: Other Users' Accounts Visible
For 31 minutes, logged-in Klarna users could access the accounts of other customers: name, address, purchase history and partially masked card data were readable. Klarna officially admitted ~9,500 affected users — but internal documents that surfaced during a further incident in 2025 estimate 288,000 potentially exposed login accounts with an internal legal risk of $41.8 million USD. Klarna refused to disclose the true extent.
2022 GDPR Fine
Swedish IMY Penalises Klarna — 7 GDPR Articles Violated
Following 372 user complaints since 2018 and a coordinated investigation by data protection authorities from 8 EU countries (Austria, Denmark, Germany, Finland, Italy, Netherlands, Norway, Sweden), the IMY imposed the fine. Simultaneously violated: missing purposes and legal bases, contradictory third-country transfer information, inadequate retention periods, insufficient information on data subject rights, missing profiling disclosure. In March 2024, the Stockholm Court of Appeal (case 2829-23) upheld the penalty in full.
€671,000
2022 Big Brother Award
Digitalcourage: Klarna Is a "Grand Smoke Machine"
Digitalcourage awarded Klarna the BigBrotherAward 2022 in the consumer protection category. The reasoning: "Klarna bundles data and power in an opaque way as a shopping service, payment processor, price comparison portal, personal finance manager, creditworthiness controller and bank." Dr. Thilo Weichert (German Data Protection Association) added that Klarna's privacy policy was a "grand smoke machine from which the specific data processing operations can neither be understood nor checked for plausibility."
2024 IMY Reprimand
Right to Rectification Violated — Email Change "Technically Impossible"
A user wanted to correct the email address stored in their Klarna account. Klarna declined, stating this was "technically not possible" — a direct violation of Art. 16 GDPR (right to rectification). The IMY formally reprimanded Klarna. In parallel, a further IMY investigation is underway into excessive identification requirements that make submitting data protection requests practically difficult, thereby undermining data subject rights.
2024 AML Penalty
Finansinspektionen: Serious Deficiencies in Anti-Money Laundering Compliance
The Swedish financial regulator imposed a penalty of 500 million SEK for "serious deficiencies" in money laundering risk analysis. This penalty also has privacy implications: Klarna partly justifies its extensive data collection (proof of income, bank statements, occupation details) with AML obligations — an argument that consumer advocates consider disproportionate.
~$46 M
2025 Data Breach
Post-IPO Leak: Recycled Phone Numbers Open Other Users' Accounts
Just weeks after the NYSE listing (10 September 2025, valuation ~$15 B), a critical security issue came to light: new owners of recycled mobile numbers were automatically logged into the Klarna accounts of the previous holders — with full access to purchase history, saved payment methods and personal data. Internal documents (leaked to media) estimate 288,000 potentially affected logins and a legal risk of $41.8 million USD. The share price subsequently fell more than 20% below the IPO issue price.
$41.8 M risk

Your Financial Data — Processed via OpenAI

Klarna was the most prominent example of AI use in financial customer service in 2024. The data protection implications largely went undiscussed.

Conversations in the first month: 2.3 M (= 66% of all Klarna customer service contacts in February 2024)
OpenAI assistant replaces the work of 700 full-time positions
Jobs replaced by Q3 2025: 853
Savings through AI in 2024: $60 M
Avg. response time: ~2 min. (vs. 11 min.)
Fewer repeat enquiries: 25%
🔓
Unclear: Which data flows to OpenAI?
Klarna does not explicitly document anywhere which customer data (account numbers, order details, financial situation) is actually transferred to OpenAI servers. The Pragmatic Engineer warned: "Trusting it with sensitive financial data is a bad idea."
🇺🇸
US Server Processing Until 2025
Before the introduction of OpenAI's EU data residency (2025), all conversations were processed on US servers — legally problematic under Schrems II and without adequate safeguards for financial data.
⚖️
AlgorithmWatch: Wrongly Flagged as Fraudster
Klarna's automated scoring incorrectly classified a user as a fraudster and forwarded her directly to a debt collection agency without any human oversight — a potential violation of GDPR Art. 22 (prohibition of fully automated decisions).
🛒
Agentic Protocol: 100 M Products for External AI
Since December 2025, Klarna has made structured data on over 100 million products and 400 million prices available to external AI agents, a new level of data linkage with third-party services without a clear GDPR legal basis.
🤖
EU AI Act: Credit Scoring = High-Risk AI
Klarna's ML credit scoring falls under the EU AI Act as a high-risk AI system — from 2026, strict requirements apply regarding transparency, bias detection and human oversight for automated credit decisions.

Klarna vs. Apple Pay vs. Google Pay vs. PayPal

The comparison reveals: Klarna occupies a unique position among the major payment services — as the only service with full creditworthiness profiling, open banking access and confirmed data sales.

Criterion: 🍎 Apple Pay · 🤖 Google Pay · 🅿️ PayPal · 🛍️ Klarna

💳 Card Storage
Apple Pay: Local (Secure Element), no server copy
Google Pay: Encrypted on Google servers
PayPal: On PayPal servers
Klarna: On Klarna servers incl. CVV storage

🔍 Transaction Tracking
Apple Pay: No tracking by Apple
Google Pay: Partial (Google Wallet)
PayPal: Purchase history stored
Klarna: Comprehensive profiling of all transactions

🏦 Bank Account Access
Apple Pay: No access
Google Pay: No access
PayPal: No access
Klarna: Yes — open banking (PSD2), all account movements

📉 Creditworthiness Check
Apple Pay: None
Google Pay: None
PayPal: Only for credit features
Klarna: Yes — with every BNPL transaction

📢 Behavioural Profiling
Apple Pay: Not present
Google Pay: Limited / Google ecosystem
PayPal: Limited
Klarna: Comprehensive — own Ads Manager since 2023

💰 Confirmed Data Sales
Apple Pay: No — policy prohibits it
Google Pay: Limited
PayPal: Limited, for advertising
Klarna: Yes — confirmed by CCPA disclosure

🤖 AI Customer Interaction
Apple Pay: Not present
Google Pay: Google Assistant (optional)
PayPal: Limited, isolated
Klarna: OpenAI assistant processes financial data

⏳ Retention After Cancellation
Apple Pay: Immediate deletion possible
Google Pay: Standard deletion within 18 months
PayPal: Several years (receipts)
Klarna: Up to 10 years, no real deletion

💼 Business Model
Apple Pay: Hardware & Services (no ad model)
Google Pay: Advertising (Alphabet group)
PayPal: Transaction fees
Klarna: Transactions + interest + advertising data

The Regulatory Storm Is Gathering

Three new regulatory frameworks will put Klarna's data business under pressure — with fundamental implications for the BNPL model.

CCD2 — from Nov. 2026
EU Consumer Credit Directive
The previous exemption for small loans under €200 is abolished. Klarna must now conduct a full creditworthiness check to EBA standards for every BNPL transaction, provide standardised information sheets and grant a 14-day right of withdrawal. Terms like "interest-free" may be regulated. EU BNPL volume: ~$191 B (2025), forecast $294 B (2030).
EU AI Act — from 2026
Credit Scoring as High-Risk AI
Klarna's ML credit scoring system falls under the high-risk AI category of the EU AI Act (Annex III). From 2026: transparency obligations on scoring logic, bias detection and mitigation, human oversight for all automated credit decisions, full technical documentation. AlgorithmWatch has already documented cases where Klarna does not meet these standards.
Ongoing IMY Proceedings
Swedish Data Protection Authority
Two parallel proceedings: (1) Investigation into excessive identification requirements when submitting GDPR requests. (2) Ongoing complaints (372 since 2018). At the same time: the GDPR fine of €671,000 represents only 0.024% of annual revenue with a turnover of $2.81 B — far below the GDPR maximum of 4%.
💡
The IPO as a turning point: Klarna's stock market listing on 10 September 2025 (NYSE: KLAR) requires increased transparency through SEC reporting obligations. The F-1 filing revealed the actual advertising revenues for the first time — and showed how far Klarna has moved from being a pure payment service. At the same time, being publicly listed increases the pressure to report data protection incidents publicly.

What You Can Do — And What Actually Works

GDPR rights exist for Klarna on paper, but are often difficult to enforce in practice. These measures are genuinely effective.

🔍
Request a Data Copy
privacy@klarna.com

Art. 15 GDPR gives you the right to a complete copy of all stored data. Submit a written, dated request by email. Klarna must respond within 30 days. Klarna provides an encrypted PDF — in one documented extreme case, however, it took 3 years and 7 months.

⏱ Medium — 1 to 4 weeks
🏦
Do NOT Grant Bank Access
App → Personal Finance → Deactivate

Consumer organisations explicitly recommend: do not grant open banking access to your account as a matter of principle. Once activated, Klarna reads all account movements from the past 30–90 days — rent, medical costs, supermarket spending.

✓ Easy — immediately effective
🚫
Opt Out of Advertising
App → Settings → Notifications

You have an absolute right to object to direct marketing without needing to give reasons (Art. 21(2) GDPR). Disable push notifications in app settings. Unsubscribe from newsletters via the link in Klarna emails.

✓ Easy — immediately effective
✏️
Object to Profiling
privacy@klarna.com (in writing)

Cite personal circumstances when objecting to profiling based on "legitimate interests" (Art. 21(1) GDPR). Klarna must then assess whether its interest outweighs yours. Without a written justification, the objection has little prospect of success.

⏱ Medium — outcome uncertain
🗑️
Close Your Account
Customer service · Live chat in app

There is no delete button. Contact customer service, provide all email addresses used, settle all outstanding balances. Processing time up to 2 weeks. Important: statutory retention obligations keep data for up to 10 years regardless — the account is suspended, not truly deleted.

⚠ Difficult — incomplete
🔒
Use an Alternative
Apple Pay · Bank transfer · Cash

Strongest protection. Apple Pay: no server capture, no profiling, no data sales. Direct bank transfer: no external credit check. Those who want to use BNPL can request instalment payment through their own bank — without cross-platform profiling.

✓ Best option
📮
File a complaint: With the Federal Commissioner for Data Protection and Freedom of Information (BfDI) at bfdi.bund.de — or with the data protection authority of your federal state. Alternatively, directly with the Swedish IMY (imy.se) — responsible for Klarna Bank AB as the primary data controller. Since 2018, 372 complaints have been submitted there against Klarna. The EDPB coordinates cross-border proceedings.