Shein
Grade: F (Fail)
Roadget Business Pte · 🇸🇬 Singapore
Technical details
Manufacturer: Roadget Business Pte Ltd

⚠️ The bottom line

Microsoft researchers caught Shein's Android app red-handed: version 7.9.2 was silently reading your clipboard — every URL, every price, every password you'd copied — testing if it contained "://" and "$", then packaging whatever it found and shipping it to a remote server. Sophos published the findings, calling the app "rogue." You might have copied a bank password, a private message, or a medical result. Shein's app was reading all of it, all the time, and sending it to their servers. A shopping app had no business touching your clipboard, let alone exfiltrating its contents. In 2018, hackers stole data from 39 million Shein customers. The company told the public only 6.4 million were affected — a lie by a factor of six. Worse, Zoetop (Shein's parent) already knew credit card data had been stolen when it published a press release claiming "no credit card information was taken." It waited 45 days to tell even the fraction it acknowledged. New York's Attorney General fined them $1.9 million. That means 32.6 million people whose data was stolen were never told. They may still not know.

Legal jurisdiction
🇸🇬 Singapore (headquarters)
PDPA: data protection law with a broad national security exemption; government agencies are entirely excluded.
🇺🇸 United States (data storage)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos and messages without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Spying: 3/4 HIGH (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)

Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.

10 contradictions: 3 critical, 7 high, 0 medium. 10 sources.
Findings by concern
Spying: 3/4 HIGH (2 findings)
⚠️ Critical: policy claims vs app permissions

What they claim: Shein's privacy policy states it collects data necessary to provide its shopping service.

What we found: Microsoft researchers found Shein's Android app version 7.9.2 silently reading clipboard contents, testing for URLs with prices, packaging clipboard data into POST requests sent to a remote server. Passwords, bank details, private messages — all read and potentially exfiltrated. Sophos called it rogue behavior.

⚡ High: policy claims vs regulatory findings
Shein agreed to pay $75 million in December 2025 to settle a class action covering six years of privacy violations. Individual customers get $45-$450 — less than a Shein haul. Add the $1.9M New York fine for lying about the breach, the EUR150M French fine for fake cookie consent, and the ongoing Texas lawsuit: Shein's privacy bill exceeds $250 million. The company that claims to take privacy "seriously" has been caught lying about breaches, faking consent buttons, spying on clipboards, and routing data through shell companies.

What they claim: Shein claims to provide a safe, secure shopping experience and takes privacy seriously.

What we found: Class action settlement of $75 million received final approval December 2025 for privacy violations spanning 2018-2024. Combined with $1.9M NY fine, EUR150M CNIL fine, and ongoing Texas lawsuit, privacy bill exceeds $250 million.

Data Sharing: 3/4 HIGH (3 findings)
⚡ High: policy claims vs regulatory findings
France's CNIL fined Shein EUR150 million in September 2025 for one of the most brazen cookie frauds ever documented. Tracking cookies were placed the instant you loaded shein.com — before you had a chance to consent. But the real insult: clicking "Refuse all" didn't actually refuse anything. New cookies kept being placed, old ones kept running. The button was theater — a prop designed to make 12 million monthly French visitors believe they had a choice when they had none. That's not a bug. That's fraud.

What they claim: Shein provides users with meaningful cookie consent choices.

What we found: France's CNIL fined Shein EUR150 million in September 2025. Advertising cookies were placed the instant users visited shein.com — before consent. Clicking Refuse all did nothing: new cookies kept being placed, existing ones continued. Affected 12 million monthly French visitors.

⚡ High: policy claims vs regulatory findings
Shein says it's a Singapore company (Roadget Business Pte Ltd) storing data in the US and Singapore. But Shein was founded in Nanjing, China, with significant Chinese operations. Texas AG Ken Paxton's February 2026 lawsuit accused Shein of hiding that your data is accessible to the Chinese government. Governor Abbott added Shein to Texas's Prohibited Technologies List. In March 2026, the FBI formally warned Americans about Chinese-owned apps. The Singapore address is a shell — a corporate magic trick to make "Made in China" look like "Based in Singapore."

What they claim: Shein claims to store user data in the US and Singapore with appropriate protections.

What we found: Shein operates through Roadget Business Pte Ltd (Singapore shell) while founded in Nanjing, China. Texas AG alleged Shein fails to disclose data may be accessible to the Chinese government. Texas Governor Abbott added Shein to the Prohibited Technologies List in January 2026. The FBI warned about Chinese-owned apps in March 2026.

⚡ High: policy claims vs regulatory findings
Ireland's data watchdog opened a formal investigation into Shein in May 2026, asking why European customers' data is being shipped to China. A month earlier, Texas sued Shein for hiding the fact that Chinese law can force the company to hand your data to Beijing. Shein's privacy policy says nothing about any of this.

What they claim: Shein's privacy policy does not disclose that consumer data may be accessible to the Chinese government.

What we found: In May 2026, the Irish Data Protection Commission opened a formal investigation into Shein's transfer of customer data to China under GDPR. In February 2026, Texas AG sued Shein for failing to disclose that Chinese national intelligence laws can compel data access, calling the omission "material and deceptive."

Security: 3/4 HIGH (2 findings)
⚠️ Critical: policy claims vs regulatory findings

What they claim: Shein (Zoetop) claimed the 2018 data breach affected 6.4 million customers and no credit card data was taken.

What we found: New York found the breach actually affected 39 million customers, six times more than disclosed. Zoetop already knew credit cards were stolen when it published a press release claiming otherwise, and waited 45 days to notify even the reduced number. The NY AG fined Zoetop $1.9 million. 32.6 million people were never informed their data was stolen.

⚡ High: policy claims vs regulatory findings
Texas AG Paxton's lawsuit didn't just target Shein's data practices — it alleged the company sells clothes laced with toxic chemicals, including lead at levels exceeding legal limits. Independent labs found Shein products with lead at 20 times the safe limit and PFAS "forever chemicals" that accumulate in your body. A shopping app that steals your data and sells you poisoned clothing. The $7 jacket is cheap because it's made by exploited workers, sold through a shell company, tracked by fake consent buttons, and seasoned with lead.

What they claim: Shein claims products meet safety standards and are safe for consumers.

What we found: Texas AG's February 2026 lawsuit alleged Shein sells clothing with toxic chemicals including lead at levels exceeding legal limits. Independent labs found lead at 20 times the safe limit and PFAS forever chemicals. California Proposition 65 violations documented.

Honesty: 4/4 EXTREME (3 findings)
⚠️ Critical: privacy policy vs regulatory findings
Shein put a "Reject All" button on its website. It didn't work. Click "Reject All" and the tracking cookies stayed. 12 million French visitors every month, explicitly refusing to be tracked, tracked anyway. The button was decoration. €150 million fine.

What they claim: Shein provides cookie consent mechanisms for EU users.

What we found: CNIL fined Shein €150 million after finding the "Reject All" button on shein.com did not actually reject tracking cookies. Clicking "Reject All" left cookies in place. 12 million monthly French visitors were tracked even after explicitly refusing. Shein is appealing.

⚡ High: policy claims vs regulatory findings
A UK parliamentary inquiry investigated forced labor in Shein's supply chain. Channel 4's undercover investigation found workers earning 3 pence per garment — roughly $0.04 per dress — working 18-hour days. Shein's response? Fly fashion influencers to a staged factory tour. The influencers posted glowing TikToks about "happy workers," then faced massive backlash when viewers pointed out they were filming a showroom, not a supply chain. The $4 dress costs that little for a reason, and the reason isn't efficient logistics.

What they claim: Shein claims to uphold ethical labor standards and supply chain transparency.

What we found: A UK parliamentary inquiry investigated forced labor. Channel 4 found workers earning 3 pence per garment in 18-hour days. Shein flew influencers to a staged factory tour in June 2023, which backfired when it was seen as propaganda. Independent audits found consistent labor violations.

⚡ High: policy claim vs regulatory finding
Shein put up a cookie consent banner. You clicked "Refuse all." Cookies were placed anyway. CNIL fined them €150 million. The banner was decoration. Tracking started before the banner loaded. Clicking refuse didn't stop the cookies. 12 million French visitors every month, tracked regardless of what button they pressed. A consent mechanism that doesn't respond to your choice isn't consent. It's a prop. €150 million is the price for putting a "refuse" button on a website that ignores the word refuse.

What they claim: Shein's website presents a cookie consent banner to European users.

What we found: France's CNIL fined Shein €150 million for placing tracking cookies before users interacted with the consent banner, and for continuing to place new cookies after users clicked "Refuse all." 12 million monthly French visitors were affected. The banner existed, but it did not work: cookies were placed regardless of which button was pressed, and CNIL found cookies loading before the banner even appeared, so tracking began before users had a chance to object.

Sources