The Overlooked Risks of Buy Now, Pay Later Apps: A Data-Privacy Perspective

Buy now, pay later (BNPL) apps have been steadily gaining in popularity these past several years, with anywhere from a quarter to a third of all Americans having tried at least one. These apps represent what is perhaps the lowest barrier to entry in obtaining credit yet and, in doing so, bring with them a host of risks, some more likely to capture the popular imagination than others.

Like with any form of credit, there’s a risk that people will overspend and get into or worsen preexisting financial trouble. It’s these hidden costs that most people focus on: late fees, interest, and the dangers of fraud and financial exploitation. But there’s a more insidious side to the true costs of these apps and the services with which they interface.

BNPL apps require a lot of personal and sensitive information from their users to function properly and meet regulatory requirements. Users provide some of this information during sign-up and onboarding, but some is harvested from their devices and interactions as they use the app. Like with any proprietary code, there’s no way to know what’s collected, how it’s stored, and who it’s shared with, if anyone.

Yet even relying on the good-faith assumption that developers’ voluntary disclosures are accurate, Incogni’s researchers have found ample cause for concern.

Key insights

  • Afterpay collects the most data about its users, interacting with 20 different data types. It’s followed by Klarna and Uplift, each interacting with 19 data types.
  • Sezzle and Zip collect web-browsing histories, while Klarna collects in-app messages.
  • Most apps, except for Four | Buy Now, Pay Later, collect and/or share location information.
  • Afterpay reported sharing a whopping 17 data types with third parties, including credit scores.
  • A total of 9 data types were found to be both collected and shared for the purposes of advertising, mostly by Afterpay.

Overview of BNPL app data practices

On average, the apps collected 14 data types concerning their users and shared 5 with third parties.

When it comes to the data collected and shared by BNPL apps, Afterpay comes out on top in terms of how many data types it interacts with, handling 20 different types of user data. Klarna and Uplift share second place, each interacting with 19 data types. Notably, Uplift is the only app that handles such varied data without indicating that most of the data is shared with third parties. Affirm and Sezzle each interact with 16 types of user data.

As can be expected, all the investigated apps collected (and sometimes shared) at least some financial and personal information. However, perhaps less expectedly, Incogni’s researchers found that both Sezzle and Zip collect web-browsing histories, while Klarna collects in-app messages.

Most apps also collected and/or shared location information, with only Four | Buy Now, Pay Later claiming not to use such data.

Afterpay reported sharing a whopping 17 data types with third parties, followed by Sezzle with 9 shared types, and Klarna, Four, and Affirm with 4 each. To understand the impact of this, Incogni’s researchers also considered the apps’ download numbers in the US.

Some notable shared data points:

  • Precise location, shared by Affirm, Afterpay, and Zip. The locations of as many as approximately 53 million devices and their users were shared by these three apps.
  • Name, shared by Afterpay and Sezzle. Almost 30 million users are estimated to have been affected.
  • Address, shared by Afterpay and Four. With a combined 21 million downloads, as many addresses could have been shared by just these two apps.
  • Phone number, shared by Afterpay and Four. A combined 21 million downloads, representing potentially as many phone numbers shared with third parties.
  • Credit score, shared by Afterpay. This sensitive data point may have been shared for as many as 20 million users (the app having been downloaded that many times).

Some notable collected data points:

  • Photos, collected by Klarna and Afterpay. These apps have a combined 52 million downloads.
  • Web-browsing history, collected by Zip and Sezzle. 15.4 million downloads in total.
  • Purchase history, collected by Klarna, Afterpay, and Uplift. Over 52 million downloads in total.
  • Credit score, collected by Klarna, Afterpay, and Uplift.

Purposes declared for data handling

Knowing what data was collected or shared doesn’t capture the whole story. The researchers also looked at what purposes were provided for handling user data. While not exhaustive, these are indicative of how liberal companies can be with gathering and utilizing user data.

On average, the apps’ developers disclosed 42 purposes behind collecting user data, claiming just over 2.5 purposes for every data type collected. When it comes to shared data, the apps’ developers provided a more modest average of over 2.2 purposes for each shared data point. 

When it comes to the purposes given for collecting data:

  • App functionality is the most prominent purpose (28% of all purposes given), followed by analytics (20%), with fraud prevention and security (18%) coming in third. 
  • Afterpay, Klarna, and Four claimed the most purposes for collecting user data (3.1, 2.9, and 2.8 respectively). Airfordable and Affirm had the fewest, at 1.5 and 2, respectively.

As for the purposes claimed to be behind the sharing of user data:

  • Analytics is the most common purpose given for sharing user data (24% of all purposes given for sharing data). App functionality and fraud prevention and security are tied for the second-most common reason for sharing user data (each accounting for 20% of observed purposes), with advertising or marketing being the third-most common purpose (16%).

Afterpay had the greatest number of stated purposes for sharing user data, providing 3.2 purposes for each data point shared. In second place, we find both Zip and Four, which give an average of 2 purposes for each shared data point.

Data collection and sharing for the purpose of advertising

While knowing just how extensively your data is used is interesting, something that Incogni’s researchers highlighted was the collection and even sharing of user data for the purpose of advertising or marketing by the investigated apps.

A total of 9 data points were found to be both collected and shared for the purpose of advertising, mostly by Afterpay. This means that as many as approximately 20 million users had their data used for advertising by the app. Afterpay handles 8 data points for this purpose, including users’ names, email (and physical) addresses, and purchase histories. Afterpay and Klarna also disclose collecting and sharing users’ app interactions for advertising purposes, potentially including how many times users visited certain pages. This means that, through these two apps, as many as an estimated 52 million users had their in-app activity used for advertising, both by app developers and third parties.

When it comes to sharing (but not collecting) data ostensibly to aid in advertising efforts, Four discloses doing so most frequently. Four’s app data safety section indicates that it shares users’ names, emails, addresses, and phone numbers with third parties for the purpose of advertising, impacting as many as an estimated 750,000 devices and their users.

Interestingly, some app developers claim to collect data for the purpose of advertising without sharing it. Data that was collected (but not shared) for advertising includes:

  • Email addresses, collected by Zip and Uplift with an estimated 10 million devices and their owners affected.
  • Purchase history, collected by Klarna with an estimated 30 million devices and their owners affected.
  • In-app search history, collected by Affirm and Airfordable with an estimated 23.7 million devices and their owners affected.
  • Web browsing history, collected by Sezzle with an estimated 6 million devices and their users affected.

Other noteworthy observations

Even though the scope of this research is limited to user data that’s collected through the apps under investigation and potentially shared with third parties as reflected in app data safety disclosures, there are some interesting observations to be made by examining other indicators of these apps’ data-handling practices. Although not suitable for making comparisons between the apps, the following considerations may prove illustrative.

Data breaches

Data breaches fall outside the disclosures made in app data safety notices but they nonetheless speak to the safety of personal data collected through the apps and held by their developers. 

Klarna, for example, experienced a major security breach in mid-2021. The incident resulted in Klarna’s users being able to see each other’s accounts. Finansinspektionen, Sweden’s financial watchdog, was already investigating Klarna’s data-handling and security practices when the breach occurred.

Block, shortly before acquiring Afterpay, also suffered a serious data breach. The breach occurred in late 2021 but wasn’t reported until April of 2023. The user data of 8.2 million customers was stolen during the breach. The breach resulted in Block’s share prices dropping 15% in a single day as well as a class-action lawsuit being filed against Block and its co-founders by former Afterpay shareholders.

Finally, an example of how personal data can be compromised even if the primary company to which that data was given isn’t breached. Affirm’s partner, Evolve Bank, suffered a security breach that resulted in some Affirm customers’ personal data being stolen. It’s incidents like this that underscore the importance of maintaining an awareness of what personal data is shared, and with whom.

Data storage and transfer

On its Play Store data safety pages, Uplift indicates that users can’t request that their data be deleted. While this could have been indicated in error, it seems unlikely given that the rest of the data safety sections look to be completed and in line with similar apps. 

If accurate, this has grave implications for users, not to mention potential legal implications for the developers if they operate in jurisdictions with data-privacy legislation in place, like California, Virginia, Colorado, New York, and others.

Conclusion

Although some of the BNPL apps Incogni’s research team examined do indeed perform “better” (or less poorly) than others overall, this isn’t a study that lends itself to generating a ranking or recommendations as far as individual apps are concerned. Rather, this study serves to highlight and elucidate some of the data-privacy risks associated with using BNPL apps in general.

And the risks are many. BNPL apps gather personal data (including some sensitive data) and use it for often ill-defined and purely self-reported purposes. They also often share this data with third parties that may use it for their own purposes or share it with others. This creates a pipeline that terminates in a fire hose, effectively spraying personal information far and wide.

But then there’s the fact that such data, whether at rest or in transit, is vulnerable to unauthorized access, interception, capture, and exfiltration—in short: breach. The BNPL developer’s systems can be breached, their partners’ systems can be breached, and their partners’ partners’ systems, and so on.

Especially in these trying economic times, access to relatively safe and inexpensive credit is something that can allow people to smooth out cash flows and even ultimately aid them in making ends meet. Credit is never free, though, and when apps and a tech culture distorted by data monetization enter the picture, consumers have to keep the data-privacy, as well as financial, costs in mind when making their decisions.

Methodology

Incogni’s researchers looked at applications categorized by AppTweak as being payments and pay by installments apps, specifically looking at the most popular applications by downloads for the past 6 months in the U.S. To narrow the sample to strictly buy now, pay later apps, they examined the 50 most downloaded applications and removed those that did not directly mention “buy now, pay later” or an alternative phrase that could reasonably be interpreted to describe the same functionality. They then excluded apps with fewer than 10,000 total downloads and those that were unusable in the US.

On June 27th, 2025, the research team collected information about their selected apps from the Google Play store, noting what user information the selected apps’ developers claimed to collect and share as well as the purposes given. 

For detailed information used in this study, see our public dataset.

Notes on data:

Zip seems to have two different apps on the Google Play store, with differing data safety practices (i.e. data collected and/or shared and the purposes given). Focusing on the US, Incogni’s researchers investigated the app to which the URL embedded in the QR code on zip.co/us/app points. This Zip app also has a US-based developer. The other version of the app is likely targeted at the Australian market. 

Download numbers referenced in the research above are estimated by AppTweak for users in the US over the period January 2019 to June 2025. The numbers of downloads likely exceed the number of users.

Application name                     Downloads in the US since 2019
Klarna | Shop now. Pay later.        32.1M
Affirm: Buy now, pay over time       23.7M
Afterpay: Pay over time              19.8M
Zip – Buy Now, Pay Later             9.5M
Sezzle – Buy Now, Pay Later          6M
Four | Buy Now, Pay Later            770K
Uplift – Buy Now, Pay Later          480K
Airfordable                          Under 10K