Apple Pay competitor arrives in Norway | The Verge

Pretty exciting stuff, especially for GrapheneOS users if alternatives to Google and Apple Wallet become more widespread. I’d expect to see this in the rest of the Nordics soon, given that Vipps / MobilePay exists in one form or another in all those countries. Also interesting is the payment processor, which is neither Mastercard nor Visa but rather BankAxept.

1 Like

Not that it is any privacy friendly, it at least comes with quite some things your really do not want or at least should be aware of. it is good that this field is opening up but not sure we should cheer for this player.

Vipps / MobilePay allow merchants to track their customers far more than what Apple Pay does f.x. It allows easy sharing of email, phone number, address and social security number to other companies. One good part in their defense is that you can revoke consent through them. How useful that will be remains to be seen.

The app does not need but will request access to contacts. Even if you don’t give up your details someone else will.

The app requests access to your phone permission on android to collect the IMEI number.

App uses location data.

Vipps/MobilePay conducts credit checks. It is unclear to me how they go about this.

It obtains your gender from your social security number (as is possible in most Scandinavia). The company uses that for marketing purposes, just as with your postal code and age under “basic segmentation”. It seems to me that this could easily pin point you as individual. This is also not opt in, but only opt out should you formally object.

If you consent to it the company will also amongst others use all your transaction data for (further) personalized ads.

Source: https://vipps.no/personvern-og-vilkar/vipps-privacy-protection-policy/

I would encourage you to re-read my post. It is undeniably a positive development that alternatives to Apple’s mobile payments monopoly are starting to emerge. I don’t appreciate you hijacking this post with largely incorrect information. No one is advocating for this specific software, which you also fail to meaningfully compare to the existing options.

You can’t just mention the ability to revoke consent and then dismiss that without evidence.

It doesn’t strictly need it, but the alternative is manually entering the phone numbers of people to whom you wish to send money. It’s a valid use of the permission.

This sounds like conjecture to me. They are just as likely to be using the phone permission to obtain the user’s phone number, which again is part of the app’s functionality.

Which is standard for 99% of all payment apps for fraud prevention purposes, which you fail to mention. Also, the tap-to-pay provider will inherently know where you make your payment from. AFAIK, you can disable location, and the app will continue to function just fine.

While I agree it’s bad to be using that information for marketing, any banking app needs that information for KYC purposes. It seems to be that by opting out of those practices, as is your right, it is a perfectly acceptable service to use, certainly no worse than the alternatives. The basic segmentation is also only first-party marketing and doesn’t involve the sale of any of that information.

1 Like

How do you know? That is not mentioned anywhere.

I find your comments quite offensive not really sure why? I am just pointing out issues with companies like these. Lets agree to disagree on whether this comapny entering the market is a positive thing.

As far as i know this is not even possible using that android permission. But in the privacy policy of Vipps it clearly says it is to obtain the mobile identification number.

I can and i just did. The privacy policy also mentions that revoking consent does not always mean your data will be deleted.

I would really suggest you to dive a bit deeper yourself instead of attacking me for not reading the article (which i did).

2 Likes

Apple Pay afaik does not use your social security number or details of it for marketing purposes. I do think that that is very troublesome. On the KYC note. GDPR actually restricts companies from repurposing data for usages it was not orginally collected for, using it because it is handy and you had it anyway is not quite allowed.

1 Like

It’s clearly mentioned in the privacy policy that you linked, which you apparently also neglected to read.

It allows access to the phone number as well, since that is required for a functioning phone app, which is the intended use of the phone permission. I could not find that specific section, but I will take your word for it. That is indeed concerning.

I do not appreciate being accused of attacking you for simply disagreeing with your arguments.

That is how the law works. As a financial service provider, they have legal obligations to retain certain data. I don’t like it either, but it’s out of their control.

It is important to note that the privacy policy applies to their entire service, which is broader than Apple Pay. Even just factoring in the fact that they provide the “credit/debit card” being used, many banks and payment processors conduct marketing, including selling purchase history from their cards.


Again, I don’t know why you felt the need to respond in such a condescending and aggressive tone when my original post was hardly focused on this specific service. A simple link to their privacy policy with a warning would have sufficed.

I will not be engaging with you further on this topic.

If someone knowa where it says this I would gladly see it linked or quoted. I really cant find it.

I just feel that the service isnt bringing in any good to privacy from what we have already.

Selling purchase history is not done by credit cards in Europe anymore under GDPR other than perhaps aggregated data.

I am aware that apple isnt great either but from what you are sharing without linking and from what I know Apple does not share your security number or your contact info with merchants. Correct me if I am wrong. Sharing the data to issuers and others involved jn the transaction processing is indeed inevitable, but not what I was meaning to say.

All I was saying is that I dont think this part is any better and it isn’t at all being better privacy. I fact from what I see it does look worse. Adding more data to more parties.

1 Like

What? Only privileged apps included in the base system with READ_PRIVILEGED_PHONE_STATE whitelisted can access these hardware identifiers.

As of Android 10, apps cannot obtain permission to access non-resettable hardware identifiers such as the serial number, MAC addresses, IMEIs/MEIDs, SIM card serial numbers and subscriber IDs.

2 Likes

Because a lot of people fall for Apple’s privacy marketing, and I don’t blame them because of the insane amount of marketing that they do.

2 Likes

Please differentiate between Apple Cash, Apple Card and Apple Pay. Apple Cash/Card is only available in the US, so it doesn’t matter if you’re outside of the US.

You don’t need to provide your social security number to use Apple Cash. However, thanks to KYC laws, its functionality will be severely limited. Green Dot Bank - a bank - is the one that handled the transaction between Apple Cash user. You’re basically dealing with a bank if you use Apple Cash. And you’re subject to Green Dot Bank’s privacy policy, too.

You don’t need to provide your ID to use Apple Pay in any capacity. However, with Vipps, for payments exceeding 2000 NOK, the application launches the Norwegian BankID electronic identification for user authentication. Not surprised. It’s owned by a bank, after all.

This is an area where if a company is a bank or not (and the laws) trumps any privacy policies.

2 Likes

Welcome to Privacy Guides… Clitus_Og

1 Like

No. You don’t get my point.

Apple is not a bank. You don’t need to provide your ID to use Apple Pay in any capacity. Period.

Vipps is a product of a bank. It’s a bank. You need to provide your ID for +2000 NOK transfers.

1 Like

Because if you don’t provide your ID, you don’t need to care how Apple handles it anyway.

You can provide fake data when creating Apple Account,… or you can just use other people’s card to… poisoning data, or whatever. AFAIK, Apple doesn’t care.

Because… the original question is whether this move improves privacy by any means?

That’s a good question. It’s because mainly of the laws, like you said, and… your banks, VISA, Mastercard, etc. are defined as third-party providers. Two parties need to know each other to complete an online transaction.

Hmm that is interresting. You are right indeed. I wonder then what they need the permission for as in their privacy policy it says it is used to collect the “phone identification number”.

1 Like

I think the point indeed is not that apple is perfect. I dont think so either, not at all. I do however have no indication that they share as much data with merchants and other advertising partners as Vipps does. I find it purely concerning that the opening of the market is seen as something bringing good for privacy. It surely could, potentionally, but from what i have seen so far now it does only bring more data hoarders in the game.

2 Likes

Indeed. Apple Pay is considered as an intermediary. Some payment methods are theirselves banks/financial institutions, so they have to abide by kyc. Most intermediaries have also integrated their own solutions as seen in Apple Cash, so they are not in the same category as Apple Pay.
A simple Google search will show everybody the difference btw Google Pay and Apple Pay. Those are mostly design choices, just as like in other products.

Apple doesn’t actually store your credit card information, which is great news for privacy, while Google Pay does store your card information, but it encrypts the data.

On top of the payments, Gpay tracks user’s transactions and even used them to serve ads.

1 Like

I looked a bit into this, and here’s what I found.

When being used in physical stores, Apple Pay effectively acts as an NFC-enabled card (a.k.a contactless card). It musts transfer what a contactless card musts transfer. Therefore, if merchants want to track Apple Pay users, they can use the same technique they use to track contactless card users. However, using Apple Pay is still more secured (not more private/anonymous) than contactless card because of MFA (you have to authenticate with Face ID, Touch ID, or passcode) and since you don’t risk leaking the card numbers.

In this case, I don’t think Vipps or any other mobile payment services can improve on privacy. Vipps uses contactless card infrastructure just like Apple Pay.


When you purchase things online, your shipping address will only be shared if the merchants asks for it, presumably for tax or shipping cost calculation. And, if you purchase physical things, of course, merchants will ask for your email or phone numbers. You can change all this information later or during the transaction.

If necessary, enter your billing, shipping, and contact information.

Also, it should be noted that Apple touts this as a convenient feature.

Use Apple Pay to seamlessly make purchases in Safari and other browsers — on iPhone, iPad, Mac, and other computers — without the lengthy checkout forms.

Your email, phone number, and shipping address is end-to-end encrypted with iCloud keychain.

Apple also securely transfers the user’s recently used contact, shipping, and billing addresses over iCloud Keychain.

This chain of trust is broken if you use third-party browsers.

Apple Pay also allows you to make payments in third-party browsers and use devices supporting Apple Pay to authorize the transaction. When using this feature, Apple will create a communication channel between the third-party browser and your authorizing device via Apple servers to allow you to update your shipping and payment details, and provide your authorization. Your shipping and billing information, and information about merchant charges, such as tax or shipping fees associated with your purchase, will briefly be visible to Apple. Apple does not retain any of this information in a form that personally identifies you.

Again, I don’t see how Vipps can improve privacy on this front. Merchants literary asks for your shipping address, phone number or email in order to complete the purchase.


Regarding sharing information with third-party business, under California Privacy Disclosure, Apple states that Apple Pay share your information with:

  • Merchants (as discussed above)
  • Your bank or card issuer when adding your card to Apple Pay
  • Green Dot Bank only if you use Apple Cash
  • Your school if you add student ID card to Apple Pay
  • A payment terminal if you use gift cards

So, the easiest way for advertising companies to get your data is through your bank or card issuer, payment terminal, and merchants.

1 Like

which would not be quite legal as that, as I see it, would not classify as legitimate interrest.