Start selling with AliDrop today

Try AliDrop for free and explore all the tools and services you need to start, run, and grow your AliExpress dropshipping business with AliDrop.

GET STARTED
Table of Contents
Text LinkText Link
Home
/
Blog
/
Does Temu Steal Your Information?

Does Temu Steal Your Information?

Mansi B
Published on
May 19, 2026
Last updated on
May 19, 2026

You’ve been shopping from Temu for quite a while now or maybe you’re new there.

This question shows up in search bars and social threads every day. People want the same thing: a straight answer about whether the app on their phone is doing something it should not. Temu delivers millions of packages at prices that feel too good to be true, and that gap between the deal and the doubt is where the worry lives.

This post walks through what regulators, court filings, and Temu's own disclosures actually say. You will see the documented data practices, the fines, the lawsuits, and the security measures the company has put in place. By the end, you will have enough context to decide whether the platform belongs on your device.

What Data Does Temu Actually Collect?

Every shopping app collects some amount of information to function. The question is how much and whether users know about it.

According to Temu's privacy policy, the platform collects several categories of data. Account details include your name, email address, phone number, and shipping address. Order information covers transaction IDs, payment card numbers, billing addresses, and product size preferences. Device data spans your device model, operating system version, language settings, and unique advertising identifiers. Location data is gathered through your IP address to provide approximate positioning. The platform also tracks browsing behavior such as pages viewed, duration on each page, and how you arrived at the site.

Beyond standard e‑commerce data, Temu's disclosures mention biometric information in specific contexts. The company states it may collect facial images for identity verification and fraud prevention, subject to user consent. The privacy policy notes this data is processed for legal compliance and account security purposes. In separate documentation aimed at California residents, Temu explicitly states it does not use sensitive personal information to infer characteristics about users, a distinction required under the California Consumer Privacy Act.

The debate is not really about whether Temu collects data. It does, and so does every major marketplace. The harder question is where that data ends up and whether users were properly told.

The South Korea Fine: What Regulators Uncovered

Last year, South Korea's Personal Information Protection Commission fined Temu KRW 1.386 billion, roughly USD 978,000, after an investigation found the company transferred user data to entities in China, Singapore, Japan, and other countries without telling anyone.

The regulator discovered that Temu outsourced and stored personal information with multiple companies across several countries for order fulfillment purposes, but never disclosed those transfers in its privacy policy or notified users individually. Under South Korean law, companies that transfer or store personal data overseas must either publish that information in their privacy policy or inform users directly through email.

The PIPC also found that Temu failed to appoint a local domestic representative as required by the country's Personal Information Protection Act, despite drawing roughly 2.9 million Korean users per day. The account deletion process required seven separate steps, which the regulator said made it unreasonably difficult for users to exercise their rights. In addition, the investigation revealed that Temu had collected resident registration numbers and facial video recordings from Korean sellers without proper legal grounds. The company deleted that data during the investigation and took voluntary corrective measures, including revising its privacy policy, appointing a local agent, and streamlining the withdrawal process.

The Spyware Allegations and Legal Actions

Multiple lawsuits across several jurisdictions accuse Temu of collecting more data than a shopping app needs and doing so without meaningful consent.

In the United States, Kentucky's Attorney General filed a lawsuit last July alleging Temu violates state consumer protection law and common law privacy protections. The AG's press release claimed the app can infect devices with malware, steal personal data, and send it directly to the Chinese government. Arizona, Oklahoma, and other states have launched similar actions. One Arizona complaint alleges the Temu app is designed to evade detection, with the ability to reconfigure itself on a user's phone without their knowledge.

A proposed class action filed in Quebec alleges Temu has been collecting, compiling, storing, and disseminating user data beyond what is necessary for an online shopping application, using malware and spyware without user knowledge or consent. Another proposed class action in the United States names PDD Holdings and WhaleCo under federal wiretap statutes, specifically 18 U.S.C. § 2510 covering wire interception claims.

In California, a class action filed in April 2026 accuses Temu of "modern spam abuse," including falsified subject lines, misleading headers, and spoofed domains to trick recipients into opening marketing emails. The complaint also alleges Temu installed tracking pixels on users' devices after they visited the website, enabling the platform to follow behavior across the internet.

Temu has consistently denied these allegations. The company's written statements describe the claims as lacking merit, and it has filed motions to dismiss in several cases. Temu maintains that its data practices align closely with those of other e‑commerce platforms.

The 87 Million Record Breach Claim That Was Not

A threat actor using the alias "smokinthashit" posted on a hacking forum claiming to have stolen a database containing 87 million customer records from Temu. The sample data listed included usernames, full names, shipping addresses, birth dates, phone numbers, IP addresses, and hashed passwords.

Temu's security team cross‑checked the sample against its database and found zero matches. The company stated plainly that not a single line of data matched its transaction records and that the claims were categorically false. The threat actor was subsequently banned from the forum for misrepresenting publicly available data as a breach. BleepingComputer and Cyber Daily both reported that no evidence supported the breach claim.

No confirmed security breach of Temu's systems exists in the public record. The claim that gained attention turned out to be fabricated, but it contributed to the broader unease around the platform.

About Temu's Security Infrastructure

Temu has invested in several security measures that are verifiable through independent third parties.

The company holds a Mobile Application Security Assessment (MASA) certification from DEKRA, an independent validation that tests mobile app security against international standards. Temu participates in a vulnerability disclosure program through HackerOne, a bug bounty platform that pays independent researchers to find and report security flaws before malicious actors do. Payment information is handled under PCI DSS compliance, the industry standard that governs how card data is stored, transmitted, and processed.

The platform supports multi‑factor authentication to protect accounts from unauthorized access. Users can enable it in their account settings to add a second verification layer beyond a password. Temu also maintains membership in the Anti‑Phishing Working Group, a global coalition that fights phishing and email spoofing.

On the infrastructure side, Temu stores user data in the United States through cloud providers like Microsoft Azure and similar services. The company has also disclosed a partnership with Oracle to keep US consumer data on American servers, a move described as part of localizing its US operations.

What Governments Are Doing About It?

The regulatory scrutiny around Temu is not limited to South Korea. In October 2024, the European Commission opened formal proceedings against Temu to determine whether the platform violated the Digital Services Act. The investigation focused on how Temu restricts the sale of non‑compliant products in the EU, how it recommends content and products to users, and its data access practices. The Commission also found that Temu submitted a risk assessment it described as "inaccurate."

Nigeria's Data Protection Commission launched a probe in February 2026 examining how Temu collects, processes, and transfers personal data for approximately 12.7 million Nigerian users. The regulator cited concerns around online surveillance, accountability, data minimization, transparency, duty of care, and cross‑border data transfers. Temu responded by stating it is committed to complying with applicable laws and engaging in open dialogue with the commission.

In the United States, the FTC and DOJ secured a USD 2 million civil penalty against Temu in September 2025 for violations of the INFORM Consumers Act, which requires online marketplaces to disclose identifying information about high‑volume third‑party sellers and provide clear reporting mechanisms for suspicious listings. The case did not directly involve data privacy but showed that US regulators are actively examining Temu's business practices.

Is Temu Safe to Use?

The answer splits into two parts. On the technical security side, Temu runs industry standard protections: MASA certification, PCI DSS compliance, a bug bounty program, multi‑factor authentication, and cloud storage on recognized infrastructure. There is no confirmed data breach in the platform's history.

On the data collection side, the story is more complicated. Temu's privacy policy discloses extensive data gathering, and at least one national regulator has formally found that the company failed to tell users where their data was going. Multiple state‑level lawsuits in the US allege the app exceeds reasonable data collection boundaries, though those cases remain ongoing and unproven. If you are sourcing products from Temu suppliers, whether for personal shopping or dropshipping, understanding these data practices matters. Platforms that aggregate supplier catalogs, such as the Alidrop marketplace which connects users to vetted best US and EU suppliers alongside Alibaba and Temu options, can offer a layer of separation when you want sourcing variety without installing every supplier's app.

Practical Steps to Protect Your Temu Data

If you use Temu or are considering it, a few concrete actions shrink your exposure.

  • Read the privacy policy before signing up. Temu's policy lists the exact data categories it collects and the third parties it shares with. Reading it takes ten minutes and removes ambiguity.
  • Limit app permissions. On iOS, go to Settings, Privacy, Tracking, and disable "Allow Apps to Request to Track." On Android, open Google Settings, Ads, and enable "Opt out of interest‑based advertising." These steps reduce ad‑tracking reach.
  • Use a separate email address for shopping accounts. If a breach or spam campaign hits, your primary inbox stays clean.
  • Avoid storing payment details inside the app. Enter card information at checkout and decline the "save for future use" prompt when possible.
  • Enable multi‑factor authentication. A stolen password alone will not grant access to your account.
  • Delete unused accounts. If you stop using the platform, request account deletion rather than letting dormant data sit on servers.

Conclusion

Regulators on three continents have found that Temu has not always been transparent about where user data goes, particularly across borders. Multiple government lawsuits allege the app collects more than users reasonably expect, though those claims are being contested in court and remain unproven. The South Korea fine is an established fact. The cross‑border transfer disclosure failure is an established fact. The state lawsuits are ongoing and unresolved.

The choice to use Temu comes down to whether you are comfortable with a platform whose data practices have drawn formal regulatory action in multiple countries. The facts do not support the claim of outright theft. They do support the case for caution, reading the fine print, and locking down app permissions.Want to start Temu dropshipping? Use Alidrop today.

Does Temu Steal Your Information? FAQs

Does Temu actually steal personal information? 

No confirmed evidence shows Temu stealing data in the criminal sense. The company publishes a privacy policy that details what it collects and why. However, South Korean regulators fined Temu nearly USD 978,000 for transferring user data overseas without proper disclosure, and multiple state attorneys general in the US have filed lawsuits alleging excessive data collection without adequate consent.

What kind of data does the Temu app collect? 

Temu collects account information like name, email, and shipping address. It also gathers device details including model, operating system, and unique advertising identifiers. Browsing activity, approximate location via IP address, and purchase history are tracked. In some cases, biometric data such as facial images may be collected for identity verification with user consent.

Is Temu safe for credit card payments? 

Temu is PCI DSS compliant, which means its payment infrastructure meets the security standards required for processing card transactions. The platform also supports multi‑factor authentication for account access and holds MASA certification for its mobile app security. From a transactional standpoint, the payment environment operates under industry‑standard protections.

Where does Temu store user data? 

Temu stores user data on cloud infrastructure provided by Microsoft Azure and similar services, with servers located in the United States. The company has also disclosed a partnership with Oracle to keep US consumer data on American servers. South Korean regulators found that Temu had previously outsourced data to entities in China, Singapore, and Japan for delivery purposes without informing users.

Has Temu ever had a data breach? 

No confirmed data breach of Temu's systems exists. In September 2024, a threat actor claimed to have stolen 87 million records, but Temu investigated the sample data and found zero matches with its own database. The threat actor was banned from the hacking forum for misrepresenting publicly available information as stolen data.

Can I get my data deleted from Temu? 

Yes. You can request account deletion through the app settings. After South Korea's regulator found the deletion process unnecessarily complex at seven steps, Temu streamlined the procedure. You can also email privacy@temu.com with a data access or deletion request. The privacy policy outlines user rights under GDPR, CCPA, and other applicable regulations.

Launch your dropshipping business now!

Start free trial

Start your dropshipping business today.

Start for FREE
check icon
No upfront charge

Related blogs

Dropshipping
Alibaba Dropshipping Guide: How to Start and Scale Your Store
Khushi Saluja
May 22, 2026
10 min read
Dropshipping
Built a Shopify or Dropshipping Tool? Here's What Happens After You Hit $5k MRR"
Ashutosh Ranjan
May 22, 2026
10 min read
Dropshipping
The Complete Checklist to Scale Your AliExpress Dropshipping Business Beyond 100 Orders a Day
The AliDrop Team
May 19, 2026
10 min read
AliDrop Logo

Start and grow your AliExpress dropshipping business with AliDrop

General
HomePricingBlogsStatisticsReviewsAffiliates
Services
US & EU suppliersAliDrop marketplaceAI Shopify StoreAI Description Generator
Why AliDrop?
AliExpress DropshippingTemu DropshippingAlibaba DropshippingDsers Dropshipping
Support
Help centerLive chat support

© 2026 - AliDrop. All rights reserved

Privacy Policy
|
Terms of Service
|
Refund Policy