
User data and privacy

Vipps MobilePay is designed with privacy as a default. Users can complete payments without sharing personal data with merchants, and any data sharing requires explicit user consent. Understanding these boundaries is important for integration design and GDPR compliance.

For information about who is eligible to use Vipps MobilePay, see Who can use Vipps MobilePay.

Anonymity by default

Users can pay without sharing personal data with the merchant. Phone numbers entered on the payment landing page are used only for push notifications — they are not passed to the merchant.

If your point-of-sale integration allows cashiers to enter customer phone numbers, you may store them, but must do so in compliance with GDPR.

Requesting user data

Merchants can request user information — such as phone number, name, email address, and postal address — but only as part of a payment or login flow, and only with explicit user consent.

| Method | When | API |
|---|---|---|
| Profile sharing | During payment | ePayment API |
| User info | During authentication | Login API |
| Userinfo (legacy) | After payment | eCom API |

Note: There is no API to look up a user's address or retrieve purchase history without their consent. Users must always actively grant permission before data is shared with a merchant.

See also: Customer protection.

The business portal shows customer names for Vippsnummer and MobilePay-nummer payments, but shows payment IDs for online payments.

User lookup and privacy protection

Vipps MobilePay does not offer a phone number lookup service — checking whether a number belongs to a registered user would expose private information. Payment attempts with an invalid or unregistered phone number will fail with an error, but the error response deliberately does not indicate which of the following applies:

  • Not a Vipps MobilePay user
  • The user is too young to pay businesses
  • Account has been deleted
  • Account is blocked (temporarily or permanently)

This is by design. Users with unlisted or secret numbers can still use Vipps MobilePay, and users can always pay without sharing their phone number with the merchant.

Customer presence requirements

Whether the customer is physically present at the time of payment affects both compliance obligations and how the payment must be initiated.

Customer present (POS, restaurants, in-person): Specify "customerInteraction": "CUSTOMER_PRESENT" in the ePayment API request. This is required for compliance and reporting. See Specify customer present.

Customer not present (online, e-commerce): Use Payment Integration online payment methods. Order details must be provided via the receipt property (ePayment API) or the Order Management API (eCom API legacy). An online sales log must be available as an alternative to digital receipts.
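A pre-flight check that a merchant backend could run on outgoing ePayment request bodies to enforce the two rules above. This is an added example, not Vipps MobilePay code: only `customerInteraction` and `receipt` are field names from this page, while the channel labels, the function name, and the sample bodies are assumptions constructed for illustration.

```python
# Added example (not Vipps MobilePay code): lint an ePayment request body
# against the customer-presence rules before it is sent.
# Assumptions: the channel labels, function name, and sample bodies below.

IN_PERSON = "in_person"  # hypothetical label for POS, restaurants, in-person
ONLINE = "online"        # hypothetical label for online, e-commerce


def check_payment_request(body: dict, channel: str) -> list:
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    interaction = body.get("customerInteraction")

    if channel == IN_PERSON:
        # Required for compliance and reporting when the customer is present.
        if interaction != "CUSTOMER_PRESENT":
            problems.append(
                'in-person payment must set "customerInteraction": "CUSTOMER_PRESENT"'
            )
    elif channel == ONLINE:
        # Inference from the page: the flag feeds reporting, so an online
        # sale should not claim the customer was physically present.
        if interaction == "CUSTOMER_PRESENT":
            problems.append("online payment must not be flagged as customer present")
        # Order details must travel in the receipt property.
        if not body.get("receipt"):
            problems.append('online payment must carry order details in "receipt"')
    else:
        # Fail closed: an unclassified sales channel is a problem in itself.
        problems.append(f"unknown channel: {channel!r}")
    return problems


# Constructed sample bodies; the receipt content is a placeholder, not the real schema.
POS_OK = {"customerInteraction": "CUSTOMER_PRESENT"}
POS_MISSING = {}
WEB_OK = {"receipt": {"note": "constructed placeholder for order details"}}
WEB_BAD = {"customerInteraction": "CUSTOMER_PRESENT"}

if __name__ == "__main__":
    for name, body, channel in [
        ("POS_OK", POS_OK, IN_PERSON), ("POS_MISSING", POS_MISSING, IN_PERSON),
        ("WEB_OK", WEB_OK, ONLINE), ("WEB_BAD", WEB_BAD, ONLINE),
    ]:
        print(name, check_payment_request(body, channel) or "ok")
```

Running the check in the code path that builds the request, rather than in the POS or web front end, keeps the channel classification on the server side where the cashier or browser cannot alter it.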