Affirm is a US-based buy now, pay later (BNPL) and point-of-sale financing provider operated by Affirm Holdings, Inc. Merchants embed the affirm.js script to display monthly payment estimates on product pages and to open a hosted credit application at checkout. The widget transmits visitor and transaction data to Affirm servers in the United States, which triggers full GDPR and ePrivacy obligations for EU merchants.
Affirm is a buy now, pay later and point-of-sale lending platform operated by Affirm Holdings, Inc., a publicly listed company headquartered in San Francisco. Unlike short-term instalment products, Affirm offers loans ranging from a few weeks to several years, with disclosed interest and a hard or soft credit check depending on the offer. Merchants integrate Affirm through affirm.js, which renders the "As low as" monthly payment widget on product pages and opens a hosted credit application flow at checkout.
On product pages, the widget script sends Affirm the visitor's IP address, user agent, page URL, basket value and merchant ID, and sets analytics and fraud cookies. During the credit application, Affirm collects name, date of birth, address, phone, email, the last four digits of a social security number or a national identifier, employment data and bank verification. Affirm queries credit bureaus and fraud databases to issue the lending decision and shares the outcome with the merchant.
Affirm cookies set on category and product pages are not strictly necessary and require consent under Article 5(3) of the ePrivacy Directive. The credit application performed at checkout falls under Article 6(1)(b) GDPR, as it is necessary to enter into a contract requested by the data subject. Automated credit scoring is subject to the Article 22 GDPR safeguards: the user must be informed, can ask for human intervention and can contest the decision. Cross-border transfers to the US trigger the Chapter V obligations.
For the marketing widget and any analytics cookies dropped before checkout, yes: gate the affirm.js script behind the consent manager. Inside the checkout, when the user has actively chosen Affirm as the financing option, the application processing can run under contract. The privacy notice must still clearly describe what data goes to Affirm and that an automated decision will be taken.
Affirm Holdings, Inc. is a US controller and processes data on US infrastructure. Affirm is self-certified under the EU-US Data Privacy Framework, so the DPF adequacy decision covers transfers to Affirm. Affirm also publishes Standard Contractual Clauses for international customers and explains how it handles access requests from US authorities under FISA Section 702. Merchants must reference these mechanisms in their privacy policy and inform users of the international nature of the processing.
Gate the Affirm widget behind your consent manager, document the integration in your record of processing, conduct a DPIA covering the automated decisions and the US transfers, and sign the appropriate agreement with Affirm (controller-to-controller terms for the lending decision, processor terms for any analytics passed through the merchant). Update the privacy policy with the categories of data, the legal bases, the SCC or DPF mechanism and the user rights under Article 22.
Websites using Affirm must obtain user consent for the widget and its cookies under the GDPR and ePrivacy rules; only the credit application the user actively requests at checkout can rely on contract instead.
DPIA considerations
A DPIA is recommended whenever Affirm is integrated. Automated credit decisions, financial data and fraud profiling map to at least three of the nine WP29 criteria for high-risk processing (evaluation or scoring, automated decision-making with legal effect, and data of a highly personal nature), and the systematic transfers of personal data to the United States add Chapter V risk that the same assessment should cover. Document the necessity and proportionality of the integration and the safeguards implemented (consent gate, transfer mechanism, retention).
Sample consent text
We use Affirm to display payment plans and process credit applications. This sets cookies and shares your IP address and transaction data with Affirm Holdings, Inc. in the United States. Do you accept?
Third-party domains contacted
affirm.com
cdn-assets.affirm.com
api.affirm.com
tracker.affirm.com
www.affirm.com
cdn1.affirm.com
sift.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _affirm_session | third party | Session | Maintains the user session between the merchant site and the Affirm hosted application flow. |
| affirm_sift_session_id | third party | 1 year | Sift fraud detection session identifier used by Affirm to score risk on incoming credit applications. |
| mp_<token>_mixpanel | third party | 1 year | Mixpanel analytics cookie set on affirm.com to measure the funnel of the credit application. |
| _ga | third party | 2 years | Google Analytics cookie set on affirm.com (first party to Affirm, third party to the merchant) to track usage of Affirm marketing and merchant-facing pages. |
| csrftoken | third party | 1 year | Cross-site request forgery protection token used during the hosted credit application flow. |
The widget sets cookies such as _affirm_session, affirm_sift_session_id (a fraud session identifier provided by Sift) and various analytics cookies (Mixpanel, Google Analytics) on Affirm domains. The session and CSRF cookies are needed once the user enters the hosted application flow, but nothing Affirm sets on a category or product page is strictly necessary for a service the visitor asked for, so those cookies require consent under the ePrivacy rules.
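The practical check behind the two lists above is whether anything reaches Affirm or Sift, or drops one of the listed cookies, before the visitor has interacted with the consent banner. The script below is an added example written for this page, not Affirm's or FlowConsent's code; it takes the hosts contacted and the cookies present in the pre-consent phase (as a headless-browser run or a HAR export would report them) and flags the ones that belong to the domains and cookie names listed on this page. The request and cookie records at the bottom are constructed sample data.

```javascript
// Added example: pre-consent leak check for an Affirm integration.
// Not Affirm's or FlowConsent's code. The sample records at the bottom
// are constructed for this example.

// Registrable domains behind the hosts listed on the page; subdomains match.
const GATED_DOMAINS = ["affirm.com", "sift.com"];

// Names that identify Affirm regardless of the domain they were seen on.
const AFFIRM_COOKIE_NAMES = ["_affirm_session", "affirm_sift_session_id"];

// Generic names from the table (_ga, csrftoken, mp_<token>_mixpanel) are only
// flagged when their domain is an Affirm/Sift domain, because the merchant's
// own site may legitimately set cookies with the same names.
const GENERIC_COOKIE_PATTERNS = [/^_ga$/, /^csrftoken$/, /^mp_.+_mixpanel$/];

// Exact match or subdomain of a gated domain; a leading dot (cookie domain
// syntax) is ignored, and "notaffirm.com" must not match.
function isGatedHost(host) {
  const h = String(host || "").toLowerCase().replace(/^\./, "");
  return GATED_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

function isGatedCookie(cookie) {
  if (AFFIRM_COOKIE_NAMES.includes(cookie.name)) return true;
  return (
    isGatedHost(cookie.domain) &&
    GENERIC_COOKIE_PATTERNS.some((re) => re.test(cookie.name))
  );
}

// requests: [{ host, phase }], cookies: [{ name, domain, phase }]
// phase is "pre-consent" or "post-consent". Returns the distinct offending
// hosts and cookie names seen before consent; ok is true when both are empty.
function auditPreConsent(requests, cookies) {
  const hosts = [
    ...new Set(
      requests
        .filter((r) => r.phase === "pre-consent" && isGatedHost(r.host))
        .map((r) => r.host)
    ),
  ];
  const leaked = [
    ...new Set(
      cookies
        .filter((c) => c.phase === "pre-consent" && isGatedCookie(c))
        .map((c) => c.name)
    ),
  ];
  return { ok: hosts.length === 0 && leaked.length === 0, hosts, cookies: leaked };
}

// Constructed sample: one Affirm CDN hit and one Sift cookie before consent.
const SAMPLE_REQUESTS = [
  { host: "shop.example", phase: "pre-consent" },
  { host: "cdn1.affirm.com", phase: "pre-consent" },
  { host: "notaffirm.com", phase: "pre-consent" }, // suffix check must not match
  { host: "api.affirm.com", phase: "post-consent" },
  { host: "sift.com", phase: "post-consent" },
];
const SAMPLE_COOKIES = [
  { name: "_ga", domain: "shop.example", phase: "pre-consent" }, // merchant's own GA
  { name: "affirm_sift_session_id", domain: ".affirm.com", phase: "pre-consent" },
  { name: "mp_abc123_mixpanel", domain: "affirm.com", phase: "post-consent" },
];

function runSample() {
  return auditPreConsent(SAMPLE_REQUESTS, SAMPLE_COOKIES);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

Run it against real captures by replacing the two sample arrays with the hosts and cookies exported from a browser session that was stopped before the banner was touched; a non-empty result means the consent gate is not in front of affirm.js on that page.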
Yes, for the "As low as" widget rendered on category and product pages, and for any analytics cookies the script triggers. Inside the checkout, once the user has chosen Affirm, processing can run under contract, but the consent layer should already have classified those cookies as marketing or functional.
Contract (Art. 6(1)(b) GDPR) for the credit application, legitimate interest (Art. 6(1)(f)) for fraud prevention via Sift and risk modelling, and consent (Art. 6(1)(a)) for non-essential cookies and marketing widgets. Automated decision making requires the Article 22 safeguards.
Yes. Affirm is a US controller and processes everything in the United States. Affirm is self-certified under the EU-US Data Privacy Framework and offers Standard Contractual Clauses. Both should be referenced in the merchant's privacy policy together with the list of recipients.
Yes in most cases. Automated credit scoring of every customer who applies, combined with a widget that profiles every visitor who lands on a product page, meets several DPIA criteria. A DPIA should cover the data flows, the credit decisioning logic, the user rights under Article 22, and the safeguards for cross-border transfers.
Block affirm.js until consent is granted, route the financing flow through a dedicated path that the user actively chooses, sign the relevant contractual instruments with Affirm, and update the privacy policy. Provide a clear notice when the user is about to be subject to an automated credit decision and explain how to request human review.
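The gating this answer and the earlier checklist describe (block affirm.js until consent on product pages, let the financing flow the user actively chose run under contract, show the Article 22 notice first) can be expressed as one small loader. The code below is an added example written for this page, not Affirm's or FlowConsent's integration code. It assumes a consent manager that exposes a consent state object with boolean categories and fires a "cmp:consent" DOM event carrying it, blocked scripts written into the page as <script type="text/plain" data-src="..." data-consent="marketing"> placeholders, body data attributes naming the page type, and the affirm.js URL shown; all of those are placeholders to be replaced with whatever the CMP and Affirm's documentation prescribe.

```javascript
// Added example: gating affirm.js behind a consent manager.
// Assumptions (not Affirm's or FlowConsent's API): the CMP exposes a consent
// state such as { necessary: true, functional: false, marketing: false } and
// fires a "cmp:consent" event carrying it in evt.detail; blocked scripts sit
// in the page as <script type="text/plain" data-src="..." data-consent="...">;
// the page type comes from <body data-page="product|checkout"
// data-affirm-chosen="true|false">; the affirm.js URL is a placeholder.

const AFFIRM_SCRIPT_URL = "https://cdn1.affirm.com/js/v2/affirm.js"; // assumed path

// Pure rule: may every category named in a data-consent attribute be used?
// Fails closed on an empty attribute so a mis-tagged script never loads.
function shouldActivate(dataConsent, consent) {
  const needed = String(dataConsent || "").trim().split(/\s+/).filter(Boolean);
  return needed.length > 0 && needed.every((cat) => consent[cat] === true);
}

// Decide whether affirm.js may load on a given page and on what legal basis.
// Product and category pages only render the marketing widget, so they need
// marketing consent. The hosted application the user actively selected at
// checkout runs under contract, but the Art. 22 notice must be shown before
// the automated credit decision is taken.
function affirmLoadDecision(ctx, consent) {
  if (ctx.page === "checkout" && ctx.affirmChosen === true) {
    return { load: true, basis: "contract", showArt22Notice: true };
  }
  if (shouldActivate("marketing", consent)) {
    return { load: true, basis: "consent", showArt22Notice: false };
  }
  return { load: false, basis: null, showArt22Notice: false };
}

// DOM side: replace each eligible placeholder with a real script tag. A
// type="text/plain" script is never executed by the browser, so the swap is
// what actually starts the download. Returns the URLs activated for logging.
function activateBlockedScripts(doc, consent) {
  const activated = [];
  const placeholders = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent]')
  );
  for (const el of placeholders) {
    if (!shouldActivate(el.getAttribute("data-consent"), consent)) continue;
    const real = doc.createElement("script");
    real.src = el.getAttribute("data-src") || AFFIRM_SCRIPT_URL;
    real.async = true;
    el.replaceWith(real);
    activated.push(real.src);
  }
  return activated;
}

// Browser wire-up only; the functions above stay testable outside a DOM.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const ctx = {
    page: document.body.dataset.page, // assumed body markup
    affirmChosen: document.body.dataset.affirmChosen === "true",
  };
  window.addEventListener("cmp:consent", (evt) => {
    const consent = (evt && evt.detail) || {};
    const decision = affirmLoadDecision(ctx, consent);
    if (decision.basis === "consent") activateBlockedScripts(document, consent);
    // basis "contract": the checkout template loads affirm.js itself after the
    // Art. 22 notice has been shown; nothing on the product page is activated.
  });
}
```

The placeholder approach keeps the gate in the markup rather than in a race with the CMP: until the swap happens the browser has nothing to fetch, so no Affirm or Sift host is contacted and no cookie from the table above can be set.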
For European merchants, Klarna, Alma, Scalapay, Riverty and Cofidis offer regulated BNPL services with stronger EU presence. They still come with their own privacy obligations but often process data within the EU. Traditional financing solutions through partner banks remain available for high value purchases.
Add an entry under Marketing or Functional. List the relevant cookies (_affirm_session, affirm_sift_session_id, analytics cookies), the provider (Affirm Holdings, Inc., San Francisco, USA), the purpose (rendering the widget, fraud prevention, analytics), and the transfer mechanism (EU US Data Privacy Framework or SCC).