Truecaller — True Software Scandinavia

⚠️ The bottom line

You have never installed Truecaller. You have never agreed to their terms. But your phone number, your name, and your workplace are in their database — because your colleague installed the app and it uploaded their entire contact list. 4 billion phone numbers harvested from other people's phones. Your privacy, decided by someone else's app store impulse. 47.5 million Indian users' data appeared on the dark web — names, phone numbers, carrier details. Truecaller denied a breach. Researchers confirmed the data was real. Nigeria fined them for processing data without consent. A company that builds its database from other people's contacts was shocked — shocked — when that data leaked.

Legal jurisdiction

🇸🇪 Sweden (headquarters)

●GDPR (IMY) read more →

First to rule Google Analytics illegal in EU. FRA Law allows signals intelligence on all cross-border cables

Spying

3/4 HIGH

Is someone spying on me?

Data Sharing

2/4 MODERATE

Who gets my data?

Security

3/4 HIGH

Is it actually secure?

Honesty

3/4 HIGH

Can I trust what they say?

3Contradictions

2Critical

1High

0Medium

3Sources

Findings by concern

Spying 3/4 HIGH 2 findings

⚠️ criticalmarketing vs third party research

What they claim: Truecaller promotes itself as a caller ID and spam blocking service

What we found: Truecaller builds its database by uploading the entire contact list of every user who installs the app. If your friend installs Truecaller, your name, phone number, and any other contact details they stored are uploaded to Truecaller's servers — without your knowledge or consent. An estimated 4 billion phone numbers are in Truecaller's database. You do not need to be a user to be in it.

⚡ highprivacy policy vs third party research

You can ask Truecaller to remove your number. They will. Then your aunt installs the app and your number goes right back in. The opt-out lasts until the next person uploads their contacts. To stay removed, you would need every human who has your phone number to also opt out. That is not an opt-out. That is a fiction.

What they claim: Truecaller states users can request removal of their phone number from the database

What we found: The opt-out process requires visiting Truecaller's website, entering your phone number, and submitting a delisting request. Privacy researchers found the delisting is often temporary — numbers reappear when another Truecaller user uploads a contact list containing that number. Effectively, opting out is futile unless every person who has your number also delists you.

Security 3/4 HIGH 1 finding

⚠️ criticalprivacy policy vs regulatory

47.5 million Indian users' data appeared on the dark web — names, phone numbers, carrier details. Truecaller denied a breach. Researchers confirmed the data was real. Nigeria fined them for processing data without consent. A company that builds its database from other people's contacts was shocked — shocked — when that data leaked.

What they claim: Truecaller describes data collection as necessary for caller identification services

What we found: In 2022, the Nigerian government fined Truecaller for processing personal data without consent, violating Nigeria's data protection law. The Indian government investigated Truecaller after reports that data on 47.5 million Indian users was available for sale on the dark web. Truecaller denied a breach, but security researchers confirmed the data was legitimate and included names, phone numbers, and carrier information.

Sources

Truecaller: The privacy problem of uploading contacts(link unavailable) (2021-05-15)
Truecaller denies breach after millions of records found for sale(link unavailable) (2019-05-25)
EFF: Truecaller and the problem of crowdsourced caller ID(link unavailable) (2020-06-15)