8 Total
0 High severity
6 Medium severity
2 Low severity
Summary

This policy establishes Affirm's data collection, use, and disclosure practices for users of its buy-now-pay-later lending platform. Affirm collects and processes personal, financial, and behavioral data including loan information, device identifiers, geolocation, browsing activity, and data from external sources such as credit bureaus and data brokers. The policy authorizes use of this data for Affirm's operational and marketing purposes, and permits disclosure to merchant partners, advertising partners, and other third parties specified in the policy.

Technical / Legal Breakdown

This document is Affirm's consumer privacy policy governing the collection, use, and sharing of personal information in connection with its buy-now-pay-later lending products and related financial services, operating under applicable U.S. consumer financial privacy law including the Gramm-Leach-Bliley Act (GLBA) and state privacy statutes such as the California Consumer Privacy Act (CCPA). The policy states that Affirm collects a broad range of data categories including identifiers, financial account information, transaction history, credit-related information, device and usage data, geolocation, and inferences drawn from these data points to build consumer profiles; the terms authorize sharing this information with affiliated companies, merchant partners, service providers, and third-party marketing partners, with opt-out rights available only for certain non-essential sharing categories. A notable operational feature is Affirm's stated collection of data from third-party sources including credit bureaus, data brokers, and merchant partners, combined with device-level tracking and behavioral inference, which creates a layered data profile that extends beyond transactional lending data; the policy also reserves the right to use consumer data for marketing and targeted advertising, though CCPA and related state laws may constrain some of these uses for California residents and similar frameworks may apply in other jurisdictions. The policy engages GLBA financial privacy requirements, CCPA and its amendments under CPRA, the Fair Credit Reporting Act (FCRA) with respect to credit-related data use, and FTC Act unfair or deceptive practices standards; CFPB oversight is directly relevant given Affirm's status as a nonbank financial services provider subject to supervisory authority. Material compliance considerations include the breadth of third-party data sharing for marketing purposes, the adequacy of opt-out mechanisms relative to CCPA requirements, and whether data retention and deletion practices align with GLBA and CCPA obligations.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

2 important changes detected

4 versions captured · Last updated: June 2026

June 3, 2026

medium
What changed Affirm substantially expanded its Privacy Policy on June 3, 2026, adding over 200 sentences of new disclosure and structural content. The updated policy explicitly identifies Affirm as a financial institution under the Gramm-Leach-Bliley Act, clarifies that certain personal information is governed by federal banking law rather than state privacy laws, and adds detailed sections explaining how Affirm collects, uses, and discloses information, including new disclosures about sharing with fraud prevention and identity verification providers. The previous version lacked this regulatory framing and level of operational detail.
Why this matters The updated Privacy Policy establishes that Affirm qualifies as a financial institution under the Gramm-Leach-Bliley Act, meaning personal information collected in connection with Affirm services is governed by federal banking law rather than applicable state privacy laws. The policy now explicitly discloses collection of identity and profile information including full name, date of birth, Social Security number, email, mailing address, phone number, and password. The updated terms also disclose new data sharing arrangements with fraud prevention, identity verification, and risk intelligence providers, which were not previously detailed. You can contact Affirm's privacy team using the phone number provided in the updated policy to exercise data privacy rights.
View full change record →
What changed Affirm updated the marketing language describing its products and features on the privacy policy's app download section. The previous text highlighted account management and payments; the updated language emphasizes purchasing power discovery and multi-channel shopping. Additionally, references to specific features like the Affirm Card, browser extension, and Apple Pay integration were reworded for clarity, and a standalone 'Terms apply' disclaimer was removed from the Apple Pay section.
Why this matters The updated privacy policy revises the marketing text describing Affirm's mobile app and available shopping features, but makes no changes to data collection, processing, or sharing practices. The removal of the 'Terms apply' disclaimer from the Apple Pay section is a formatting change to the policy document itself, not a substantive change to how Affirm's terms operate or what data Affirm collects. Users' actual rights and obligations under Affirm's privacy and service terms remain unchanged.
View full change record →

Recent Provision Changes Jun 3, 2026

8 provisions unchanged.

View full change record →
Medium — 6 provisions
Low — 2 provisions

Monitoring

Affirm has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Collection of Sensitive Financial and Identity Data and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FCRA
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
GLBA
United States Federal
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured June 3, 2026 00:25 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000168
Version ID CA-V-003369
SHA-256 ba97baa9cad2df678720179d4de4830b6a96ed4be484953a4aceb87a701fffe7
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans