This isn’t an unexpected move by Mullvad. They were already reducing payment data stored back in November when they canceled remaining Paypal subscriptions, with more explanation in a similar 2022 post.
But I do agree that the information is lacking. After reading the privacy policy I get the impression most data is stored for 7 years anyway and can’t find any data retention duration mentioned that changed (the other mentioned duration is still 40 days).
As seen by this discussion and others it’s causing doubts and confusion, so I wouldn’t be surprised if they talk more about it. But if not, or if this is especially important to you, you could contact their support team.
Per Brave Search AI (which is very reliable in my experience):
The Swedish Accounting Act, known as bokföringslagen , does not specifically detail customer payment requirements. However, it does mandate that all business transactions, including customer payments, must be accurately recorded and documented to ensure transparency and compliance with tax laws. Here are the key points relevant to customer payments:
Documentation : Every transaction, including customer payments, must be supported by proper documentation such as invoices, receipts, and payment confirmations. These documents must be kept for at least seven years from the date of issue.
The way I interpret it is that Mullvad will keep time and date of those payments, but not necessarily the account numbers. (speculation) They might just keep last 4 digits or something I imagine they might keep date-time-payment-method-account last 4 digits.
One doesn’t have to interpret. Mullvad is pretty upfront that the payment data is all there and retrievable on demand.
As a customer of [payment] services, these entities would allow us to request this information if we chose to do so. In short, your payment actions with these two methods are not anonymous and the GDPR and other relevant data protection regulations may apply if you are making a payment by credit card, PayPal, Swish or by bank wire.
The data must be kept for the statutory retention period described in applicable local laws such as the Swedish Accounting Act (some information must be stored for seven years from the end of the fiscal year).