Millions of South Africans have ordered from Temu. Most got their parcels. But every time you open the app, log in, scroll a product page, or enter a shipping address, something else is also being collected — and the question of what Temu actually does with that information is more pressing now than it has ever been.
“Stealing” Data Is the Wrong Frame. Here’s the Right One.
The word “steal” implies something done in secret without permission. Temu’s data collection, for the most part, is not secret — it’s disclosed in a lengthy privacy policy that almost nobody reads. That distinction matters enormously in any honest security analysis, because it separates the question of legality from the question of ethics and risk.
What Temu collects when you use the platform is extensive: your name, email address, phone number, shipping address, payment card details (tokenised), browsing history within the app, search queries, time spent on each product, device type, operating system version, approximate location, and advertising identifiers. According to Apple’s App Store privacy labels, Temu also shares identifiers, purchase data, and product interaction data with third parties — which includes its parent company, PDD Holdings, and affiliated ad-tech firms.
None of this is technically theft. You consented to it — or at least, you clicked “I agree” without reading what you were consenting to. The ethical and risk question is whether the scope of that collection is proportionate to what you need in order to buy a R120 phone case.
What Temu Actually Collects From You
Personal identifiers · Payment card tokens · Device fingerprints · Browsing and search behaviour · Approximate location · Ad tracking IDs · Purchase history · Time-on-page analytics · Cart abandonment patterns
South Africa’s Regulators Are Already Watching
This is not abstract concern. In November 2025, South Africa’s National Consumer Commission (NCC) launched a formal investigation into both Temu and Shein. The probe — announced at a G20 summit by NCC Executive Head Prudence Moilwa — focuses on compliance with the Consumer Protection Act, including misleading marketing, product labelling, undisclosed fees, and the platforms’ use of algorithms and data-mining to shape what consumers see and buy.
Moilwa was explicit about the algorithmic concern: “platforms must be transparent about the data they collect and how their automated systems use the data to target customers.” If violations are confirmed, Temu faces penalties of up to R1 million or 10% of its annual South African turnover — the latter being potentially far more significant given the platform’s estimated local transaction volumes.
Active SA Regulatory Investigation — 2025/2026
South Africa’s NCC has formally investigated Temu since November 2025, with findings originally expected by late February 2026. Both Temu and Shein have cooperated with investigators. The probe is ongoing and its outcome could result in formal enforcement action under the Consumer Protection Act.
Internationally, the pressure is intensifying. In 2025, South Korea fined Temu roughly USD 978,000 for undisclosed cross-border data transfers. The US Federal Trade Commission imposed a USD 2 million civil penalty for transparency failures related to seller information disclosure. The European Commission has also issued preliminary findings that Temu may have breached the Digital Services Act — with potential fines reaching 6% of global annual turnover.
Closer to home, Nigeria’s Data Protection Commission opened its own formal investigation into Temu in February 2026, examining online surveillance, cross-border data transfers, and whether the platform collects more information than is strictly necessary — affecting data on an estimated 12.7 million Nigerian users. South Africa’s Information Regulator, which enforces POPIA, has not yet announced a parallel investigation into Temu specifically, but its 2026/27 annual performance plan explicitly prioritises the retail sector among its targeted compliance assessments.
What POPIA Means for South African Temu Users
South Africa’s Protection of Personal Information Act (POPIA) is the country’s comprehensive data protection law, broadly similar in intent to the EU’s GDPR. Under POPIA, any organisation that processes personal data of South Africans — including foreign platforms like Temu — is legally required to collect only what is necessary, be transparent about how that data is used, obtain meaningful consent, and report any security breach to both the Information Regulator and affected individuals.
Crucially, POPIA grants you rights. You can formally request access to the personal information Temu holds about you. You can request corrections. You can ask for deletion. Whether Temu’s cross-border data transfer practices — with data stored on servers in Singapore and the US, and subject to Chinese law through its parent company PDD Holdings — comply fully with POPIA’s requirements around transborder information flows is an open question that South Africa’s Information Regulator has not yet formally resolved.
| Data Right Under POPIA | What It Means for You | Temu Status |
|---|---|---|
| Right of access | Request a copy of all data held about you | Via Data Request Portal only — process is cumbersome |
| Right to correction | Fix inaccurate personal information | Available via account settings |
| Right to deletion | Request erasure of your data | Possible, but financial/legal records are retained regardless |
| Breach notification | Be told if your data is exposed | Required under POPIA — Temu has had no confirmed large-scale breach to date |
| Transborder transfer rules | Your data must be protected when sent overseas | Under review — Information Regulator finalising guidance on transborder flows |
The PDD Holdings Question: Does Chinese Ownership Matter?
Temu is owned by PDD Holdings, a Nasdaq-listed company whose other major platform — Pinduoduo — was temporarily removed from Google Play in 2023 after security researchers found malicious code in some versions of the app. Temu operates independently of Pinduoduo and is headquartered in Boston, which subjects it to US laws. However, PDD Holdings’ corporate structure means user data stored on its infrastructure is potentially subject to China’s 2021 Personal Information Protection Law (PIPL), which allows government access requests without the judicial oversight that South African or EU law would require.
Temu states it has never complied with such a request. But PIPL compliance does not preclude future obligations — and the inability to independently verify this creates a legitimate uncertainty that data-conscious South African shoppers should weigh. In 2024, 21 US state attorneys general called for a federal investigation into Temu’s ties to the Chinese government; an interim report was produced but no definitive conclusions were reached.
What is documented is that Temu’s app requests extensive device permissions — including access to approximate location and device identifiers — that go beyond what is necessary purely for e-commerce. Whether this represents aggressive personalisation engineering or something more troubling is a question that regulators across three continents are actively trying to answer. For most ordinary South African shoppers, the practical data risk is not government surveillance but algorithmic profiling that affects what prices you’re shown, what ads follow you around the internet, and how much of your behavioural data ends up in hands you never consented to directly. If this concern resonates, it’s worth also reviewing whether your credit card is safe on Temu in South Africa, since payment data and personal data risks are interconnected.
The Phishing Layer: Fraud That Wears Temu’s Face
Separate from Temu’s own data practices, there is a thriving criminal industry built on impersonating the platform. South African shoppers have been targeted by fake SMS messages mimicking Buffalo Logistics — Temu’s primary courier partner — claiming a small fee (typically R15–R25) is needed to release a parcel. Capitec’s Head of Financial Crime, Nick Harris, publicly flagged this scam in early 2026, describing how the links harvest card details for card-not-present fraud.
Lookalike websites — spoof versions of temu.com designed to capture login credentials and payment details — are a related vector. These sites often appear in search results close to, but not on, the official domain. The data risk from these third-party fraud operations is, for most South African shoppers, more immediately dangerous than anything in Temu’s own privacy policy.
Seven Steps to Limit Your Data Exposure on Temu
Use the website, not the app
The Temu app requests significantly more device permissions than the mobile website. Shopping at temu.com from a browser limits the platform’s access to your device sensors, clipboard, and advertising identifiers.
Create a separate email for Temu
Use a dedicated Gmail or ProtonMail address for your Temu account. This limits what Temu and its ad partners can cross-reference about you, and contains the damage if your account details are ever exposed.
Never save your card on the platform
Enter your payment details fresh at each checkout and opt out of the “save card” feature. If a data breach were ever confirmed, saved payment tokens are the highest-value targets for exploitation.
Reset your ad identifier regularly
On Android, go to Settings → Privacy → Ads → Reset Advertising ID. On iPhone, go to Settings → Privacy & Security → Tracking and disable cross-app tracking. This disrupts the behavioural profile platforms like Temu build across apps and websites.
Never click delivery SMS links
No courier requires payment via an SMS link. Always track your parcel directly through the official Temu app or Buffalo Logistics website. If you’re unsure about the status of a parcel, it’s also worth understanding what real Temu delivery problems in South Africa look like — knowing the difference between a legitimate delay and a scam notification could save your card details.
Request your data or delete your account if you’re done
Under POPIA, you have the right to request a copy of all information Temu holds about you, and to request its deletion. Go to the Temu app → Me → Settings → Privacy Settings → Data Request. Note: financial and legal records are retained regardless of deletion requests, as this is a standard regulatory requirement globally.
Consider delivery lockers over your home address
Sharing your home address with a platform whose data-handling practices are under active regulatory scrutiny is a form of risk that many shoppers overlook. Check whether Temu lets you choose alternative delivery options in South Africa — using a pickup point or locker limits the amount of identifying data tied to your account.
The Delivery Angle: Data Exposure Doesn’t End at Checkout
One data exposure point that most shoppers overlook is delivery itself. Every time a parcel is in transit, you receive tracking updates — sometimes from Temu directly, sometimes from Buffalo Logistics, and sometimes from third-party aggregators. Each of these touchpoints knows your name, physical address, and purchase details. The scam ecosystem that has grown around Temu exploits exactly this information flow. Understanding how Temu’s delivery schedule in South Africa works — including weekend delivery — helps you predict when to expect legitimate updates, making fraudulent notifications easier to identify. If you want to reduce the tracking window entirely, knowing the fastest delivery methods for Temu orders in South Africa means your parcel is in your hands sooner and in transit for less time.
Is Temu Safe For Credit Cards In South Africa? 💳
Worried about using your credit card on Temu? This guide breaks down the real safety risks and protections — helping South African shoppers understand when it’s safe, what to watch out for, and how to protect their money online.
- Learn how Temu uses encryption, PCI compliance, and 3D Secure protection :contentReference[oaicite:0]{index=0}
- Understand the real risks like data sharing and phishing scams :contentReference[oaicite:1]{index=1}
- See why credit cards are safer than debit cards for online shopping :contentReference[oaicite:2]{index=2}
- Get smart tips to protect your card and avoid fraud when using Temu 🔐
Quick Security Checklist for SA Temu Shoppers
The Bottom Line
Temu is not stealing your data in any criminal sense. But it is collecting far more of it than most South African shoppers realise — and regulators on three continents, including the NCC right here at home, are asking hard questions about what happens to it.
The practical risks are layered: there is Temu’s own extensive data collection, the uncertainty around PDD Holdings’ Chinese corporate structure, the phishing and impersonation scams that have attached themselves to the platform’s popularity, and the broader profiling that follows you around the internet after every session. None of these are reasons to avoid Temu entirely — but they are reasons to shop on it deliberately, with the right settings, the right payment method, and a clear understanding of what you’re exchanging for those R120 deals.
