When it comes to data collection, Kraken falls into the below-average bracket among the platforms and services we have evaluated. Our analysts reviewed the publicly available privacy policy, terms of service, and any supplementary data-processing disclosures filed with regulatory bodies in the United States, European Union, and other major jurisdictions. The service collects a range of personal data points including, but not limited to, device identifiers, IP addresses, approximate or precise geolocation (depending on user permissions), browsing and usage telemetry, purchase and transaction histories where applicable, and contact-list or social-graph information when the user grants access. The breadth of data ingestion is a key factor dragging down—or, in some cases, buoying—the overall privacy score of 30 out of 100.
Encryption practices across the service vary across its product surface. While the service does employ TLS for data in transit, our review found that end-to-end encryption is either absent, opt-in only, or limited to a narrow subset of features. Data at rest is encrypted, but the company retains the decryption keys, meaning it can—and in many cases does—access user content for ad targeting, content moderation, or compliance purposes. This encryption posture is directly reflected in the encryption sub-score we have assigned.
Third-party data sharing is one of the most consequential dimensions of any privacy evaluation. Kraken shares data with a moderate number of third parties, primarily for analytics and advertising purposes. The privacy policy discloses these relationships, but the specifics—such as exactly which partners receive which data categories—are often buried in supplementary documents or not disclosed at all. Users have limited visibility into the downstream flow of their information.
User control encompasses the tools and mechanisms provided for individuals to access, export, correct, and delete their personal data. The platform provides basic account settings but falls short of offering comprehensive data-management tools. Data-export options are limited or produce incomplete archives. Account deletion, where available, may involve multi-step processes, waiting periods, or caveats that certain data is retained for undefined "business purposes." Our testers found the DSAR process to be slow and inconsistent.
Our scoring methodology weighs four equally important pillars: data collection scope (25%), encryption strength (25%), third-party sharing extent (25%), and user control and transparency (25%). Each pillar is scored on a 0-to-100 scale, and the overall score is the weighted average. We update scores quarterly based on policy changes, breach disclosures, regulatory actions, and independent audits. The company received an overall privacy score of 30/100, which places it in the below-average category. We encourage users to review the privacy policy directly and to adjust account settings to minimize unnecessary data exposure. For those seeking higher-privacy alternatives, our comparison and alternative guides provide curated recommendations tailored to each use case.
From a regulatory standpoint, the company operates under the jurisdiction of multiple data-protection frameworks including GDPR (EU), CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and the UK Data Protection Act. It has generally maintained compliance with applicable regulations, though the adequacy of self-reported compliance varies. We monitor enforcement actions and will adjust scores accordingly if new regulatory findings emerge. Users in different jurisdictions may have varying rights and remedies available to them, and we recommend consulting local privacy advocacy organizations for jurisdiction-specific guidance.
In summary, Kraken earns a privacy score of 30 out of 100. This score reflects a mixed privacy posture with notable room for improvement. Users should take advantage of whatever privacy controls are available and consider supplementing their setup with privacy-enhancing tools such as VPNs, ad blockers, and encrypted alternatives.