Truecaller’s True Colors

A Swedish adware & spyware app which fee ds a public phonebook aimed at preventing spam…

PLEASE READ IMPORTANT DISCLAIMER – PAGE 5

September 28, 2022 – Truecaller (TRUEB:SS) is a Swedish adware & spyware app which feeds an inferior caller-
identification service aimed at detecting spam. The EU’s General Data Protection Regulation (GDPR), and similar
legislation across the globe, threatens Truecaller’s business, which we believe is on the brink of redundancy.
It now resorts to skirting regulations and/or avoiding taxes through uncreative loopholes which we believe will
be inevitably cut-off.

Our report encompasses excellent reporting from various journalists across the world, interviews with former
employees, and many cybersecurity experts who have shared breaches freely. Kudos.

Viceroy Research is short Truecaller.

How the app works

Fundamentally, Truecaller builds a “phonebook” and refines its spam database by:

▪ Gathering identities of users and their address books (where they are allowed to). This is by far the most
valuable and invasive data users are providing to Truecaller.
▪ Processing user-submitted “spam” numbers.
▪ Identifying numbers which have exhibited spam-like behavior such as calling multiple unrelated Truecaller
users.

The app then functions as a “phone book”:

▪ Users can search phone numbers in the app, which will return names and other personal contact details
attached to the number (including non-users). This feature is, unsurprisingly, popular with scammer and
frauds.
▪ Flagged “spam” callers will be sometimes be identified and sometimes blocked.
▪ All calls are accompanied by pervasive ads. Ironically it is not in Truecaller’s interest to block spam calls.

“An Indian Company” – What we tell compliance.

GDPR threatened Truecaller’s spyware features which feed the spam detection service. In response Truecaller
moved all its data servers and substantially all of its operations to India where management appear to believe it
is safe from legislation designed protect the privacy of its customers. This is not the case.

▪ In 2017 Truecaller received a letter from the Article 29 Working Party (since replaced by the European Data
Protection Board). This letter highlighted concerns of Truecaller’s processing of personal data immediately
prior to the implementation date of GDPR:
- Truecaller scrapes personal information from its users, including personal information about non-users.
“[data protection law] applicability cannot be excluded by a unilateral declaration or signed away by a
user accepting contractual terms of True Software.”
- The personal data of non-users (collected without consent) is freely searchable by the public on
Truecaller’s website (with some geographical restrictions). Truecaller makes no attempt to inform these
non-users that their personal data has been accessed, or by whom.
- Truecaller associates phone numbers with contacts from users’ phones and makes no attempt to verify
the information is “not excessive, is accurate, and, where necessary, kept up to date”.

Viceroy Research Group 1 viceroyresearch.org

▪ In 2018, Truecaller moved its entire operations and data servers to India, believing this move will be
sufficient at keeping EU regulators at bay. Viceroy consulted GDPR specialists on Territorial Scope (Article
3) of GDPR, and note the following:
- Art 3(1): “GDPR applies to the processing of personal data in the context of activities of an
establishment of a controller or a processor in the Union, regardless of whether the processing takes
place in the Union or not.”
The bar for being regarded an establishment is low. Truecaller’s head office is in Sweden, and most of
Truecaller’s revenue is billed from Sweden1.
- Art 3(2): “This Regulation applies to the processing of personal data of data subjects who are in the
Union by a controller or processor not established in the Union”
Truecaller indiscriminately scrapes contacts from non-EU users, which undoubtedly will EU contact
data. Despite some protections offered to EU subjects, the same app is made available to EU customers
as a service.
▪ India’s own data protection bill is in draft and is expected to be published for consultation in the short term 2.
We expect that regulations, if passed, would pose similar problems for Truecaller as GDPR.
▪ Truecaller has been subject to two Public Interest Litigation cases in India. One is ongoing in the High Court
of Bombay3.
- Lexters reports that the petitioner “contended that [Truecaller] collects the user’s information and
without their consent or permission shares it with its partners, and then the liability is dumped on the
users. The app does this by asking to access of various features to use the application. Further, the
petitioner alleged that it is a manipulated set up as the users have no choice…”

Viceroy believe Truecaller will be made to comply with EU data privacy regulation, and be caught by incoming
Indian regulation nonetheless in the near term.

“A Swedish Company” – What we tell the accountants.

When the taxman comes knocking, Truecaller is a loud and proud Swedish company. Truecaller bills almost
exclusively from Sweden from advertising customers/agents despite substantially all operations being in India.
We believe Truecaller has failed to adhere to transfer pricing principles and is avoiding larger tax rates in India.

▪ Truecaller’s Indian auditors include an EOM in their audit opinion of Truecaller International LLC (Indian
Subsidiary).
- “The management is in the process of seeking necessary approvals and taking appropriate steps thereof
for the [transfer pricing transactions] under the Reserve Bank of India guidelines and GST tax laws”.
▪ Truecaller reported a loss in India for the local financial year ended March 2021, despite posting large
consolidated profits for the same period. Truecaller paid no income tax in India in the most recent financial
year.
▪ The Indian market comprises almost 80% of Truecaller revenues and over 70% of daily active users. 63% of
Truecaller’s workforce is based in India. Truecaller’s user terms of service outside the EEA is specifically with
“Truecaller International LLP”: which is Truecaller’s Indian subsidiary. Truecaller’s advertisement terms of
service outside of the EU is similarly with “True Software Services India LLP”.
▪ Truecaller’s blog frequently brag that India is their “home market”, and that “Truecaller and India are made
for each-other”.
▪ India’s effective corporate tax rates (~29%) are substantially higher than Sweden’s (20.6%). India also enacts
a dividend withholding tax of 20% for foreign investors4.

1 CJEU – C-131/12 Google Spain: Google argued that data processing activities were not conducted in the EU. CJEU held
that activities of its EU establishment Google Spain, which sold advertising space, and Google’s non-EU search engine were
“inextricably linked”, it must follow GDPR directives.
https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91131/12_-_Google_Spain
2 https://www.thehindu.com/opinion/interview/ashwini-vaishnaw-interview-new-draft-data-protection-bill-to-be-out-

soon-for-consultation/article65822798.ece
3 Shashank S/o Dinesh Posture & Ors V. The Union of India & Ors. PILL 9776 2021
4 There is a double-taxation treaty between India & Sweden.

Viceroy Research Group 2 viceroyresearch.org

The Catch-22
Truecaller is an Indian company when subject to GDPR and conducts almost all its operations in India. It’s transfer
pricing method is reserved almost exclusively for undifferentiated services which don’t bear risk.

Truecaller is a Swedish company when it’s time to lodge its tax filings. It pays taxes almost exclusively in Sweden.
This is despite all processing risk and operations being carried out in India.

Financials
Truecaller operates a largely India-centric ad-based revenue model. It has evolved from various largely
unsuccessful, outdated, or (now) illegal models and finally landed on something that appears to consistently
generate cash and increase margins. Management no doubt want to cash-in while they can.

▪ Truecaller’s huge top-line growth since IPO was a one-time boost resulting from, ironically, spamming their
users with more ads.
- The Truecaller app advertisements historically were only pushed when unknown numbers called their
users. Now ads are pushed to users on every call, including their known contacts, this boosted ad
impressions by 4x, completely void of fundamentals.
- This created a huge one-time revenue bump spread across approximately 2 years. Impressions per-user
per-day are now flat or decreasing on a quarterly basis.Truecaller has pushed so many ads that it’s
impressions now vastly exceed its own market opportunity estimates from its 2021 prospectus,
barely a year old.
▪ Truecaller’s premium user base, previously stagnant, now appears to be falling.
▪ Management and key stakeholders have taken every opportunity to sell their stock and move on.
▪ Truecaller’s Indian auditor was also Wirecard’s local auditor for a time. They have more recently been
banned from auditing financial institutions.

Privacy concerns & third-party policy breaches

Viceroy believes that Truecaller is in violation of Google’s Privacy Policy, which states: “We don't allow
unauthorized publishing or disclosure of people's non-public contacts.” This appears to be a blanket statement.

▪ Truecaller’s app does not allow for an “enhanced search” if downloaded from the Play Store.
- Truecaller thinks that by enticing users into signing-in on its website (via Google accounts), it can then
“Enhance Search” contacts by circumventing the app store.
- Many phones in India are sold with Truecaller pre-installed, and the app is available for download
directly from the company website. These are not subject to Google Play rules, according to Truecaller.
- The “enhanced search” feature scrapes all contact data from users phones into the Truecaller database.
▪ Accordingly: Truecaller’s database absolutely allows for search of non-user numbers and names without
their consent.
▪ Freely available bootleg copies of Truecaller’s app are available with “premium enabled”. These likely
contain malware, do not push ads to free users, and can still directly communicate with Truecaller’s data.

Fundamental Short – Redundancy

▪ Most developed countries/regions have network spam filters operated by telecommunications agencies.
These network filters now threaten underdeveloped markets where Truecaller thrive and will rapidly limit
Truecaller’s TAM.
- The Telecom Regulatory Authority of India (TRAI) announced intention to create an ID-based network
filter which will make Truecaller’s spam filter redundant. The consultation paper is due next month.
- The Draft Indian Telecommunication Bill section on caller identification reads like a Truecaller design
brief, except using the national ID system and without ads. It also lists spam as an arrestable offence.
- Truecaller has claimed in various press pieces that Government regulation has not impacted their
business in other geographies. This is because Truecaller has minute business in geographies with spam
filters.
Viceroy Research Group 3 viceroyresearch.org
▪ Original equipment manufacturers such as Apple, Google, Xiami & Samsung all have in-house spam filtering
software, and capacity to wipe out Truecaller.
▪ Over-the-top services such as WhatsApp, are posing a greater threat to Truecaller through offering an
alternative spam-free communication channel.
- Call blocking is set on by default unless a user has the caller registered as a contact.
- Former employees expressed a view that it would be impossible for Truecaller to supplant Whatsapp
in India, or for the government to restrict Whatsapp.
- WhatsApp has integrated many business functions with tech players and is due to arrive in India in the
short term. This will deteriorate Truecaller’s aspirations to become a serious B2B player, spending only
USD ~2m on R&D in 2021.

The Sideshow
Truecaller’s constant breaches & data security failures are met with constant denial from management, and are
a spectacle to behold. Regulators in Truecaller target growth regions have cracked down on Truecaller out for
privacy breaches. In fact, Truecaller’s system has been so effective for fraudsters to identify individuals that even
international spy agencies have Truecaller slides in the training decks5.

▪ Indian Investigative Journal “The Caravan” published an in-depth report on Truecaller’s invasive app and
interviewed several concerned employees on exactly how much data the company was able to access .
- Former employees claimed that Truecaller had access to user SMS messages and was able to build out
a financial profile of each individual. In India most banking and transaction confirmations are done
through SMS which Truecaller’s algorithm can read
▪ Nigeria’s National Information Technology Development Agency investigated Truecaller for “collect[ing] far
more information than it needs to provide its primary service” among other things, and publicly urged
Nigerians to delist themselves from the service. Truecaller stated that it planned to remedy the situation
and fall in line with Nigeria’s Data Protection Regulation (NDPR)6.
- Truecaller’s new Nigerian Privacy Policy prohibits accessing a user’s address book if the app is
downloaded from the Google or Apple app stores.
▪ Anonymous developer Angry Wizard detailed in 2019 how Truecaller’s user-data is transferred to a third-
party mobile marketing company based out California on sign-up. User data is uploaded to Truecaller
servers over GET. Angry Wizard claims that at the time he could access the entire Truecaller database.
- Techpoint Africa verified this claim by sending user and non-user numbers, which Angry Wizard
identified.
- Screenshots show that EU resident data is still being processed by Truecaller until at least 2019, despite
implementation of GDPR.
▪ Privacy International broke a story of an investigative journalist who was identified by a cab driver using
true caller on her way to meet a secret whistleblower in West Africa. Ironically (and with sprinkle of victim
bashing) Truecaller responded that the Journalist should have set her phone settings to “Do Not Show Caller
ID”.
- Truecaller then claimed to be “especially appreciated by women” in India, claiming they have no other
way to protect themselves from abusive calls unless they subscribe to an app “like Truecaller”.
- Truecaller then claims responsibility for solving for two horrific child kidnapping cases because
kidnapper numbers were able to be reverse searched and their names identified.
▪ Millions of Truecaller users’ personal data were leaked and sold on the dark web in 20197.
- An investigation by the Economic Times suggested that European user data was sold for €25k, Indian
user data for €2k8.

5 https://privacyinternational.org/long-read/4289/revealed-eu-training-regime-teaching-neighbours-how-spy
6 NDPR is nascent secondary law, and awaits passing of the bill in the National Assembly.
7 https://www.indiatoday.in/technology/news/story/personal-data-of-millions-of-Truecaller-users-available-on-dark-web-

1531969-2anger019-05-22
8 https://www.darknetstats.com/Truecaller-data-breach-personal-data-leaked-company-denies-breach/

Viceroy Research Group 4 viceroyresearch.org

Attention: Whistleblowers

Viceroy encourage any parties with information pertaining to misconduct within Truecaller, its affiliates, or any other entity
to file a report with the appropriate regulatory body.

We also understand first-hand the retaliation whistleblowers sometimes face for championing these issues. Where possible,
Viceroy is happy act as intermediaries in providing information to regulators and reporting information in the public interest
in order to protect the identities of whistleblowers.

You can contact the Viceroy team via email on viceroy@viceroyresearch.com.

About Viceroy

Viceroy Research are an investigative financial research group. As global markets become increasingly opaque and complex
– and traditional gatekeepers and safeguards often compromised – investors and shareholders are at greater risk than ever
of being misled or uninformed by public companies and their promoters and sponsors. Our mission is to sift fact from fiction
and encourage greater management accountability through transparency in reporting and disclosure by public companies
and overall improve the quality of global capital markets.

Important Disclaimer – Please read before continuing

This report has been prepared for educational purposes only and expresses our opinions. This report and any statements
made in connection with it are the authors’ opinions, which have been based upon publicly available facts, field research,
information, and analysis through our due diligence process, and are not statements of fact. All expressions of opinion are
subject to change without notice, and we do not undertake to update or supplement any reports or any of the information,
analysis and opinion contained in them. We believe that the publication of our opinions about public companies that we
research is in the public interest. We are entitled to our opinions and to the right to express such opinions in a public forum.
You can access any information or evidence cited in this report or that we relied on to write this report from information in
the public domain.

To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from
public sources we believe to be accurate and reliable, and who are not insiders or connected persons of the stock covered
herein or who may otherwise owe any fiduciary duty or duty of confidentiality to the issuer. We have a good-faith belief in
everything we write; however, all such information is presented "as is," without warranty of any kind – whether express or
implied.

In no event will we be liable for any direct or indirect trading losses caused by any information available on this report. Think
critically about our opinions and do your own research and analysis before making any investment decisions. We are not
registered as an investment advisor in any jurisdiction. By downloading, reading or otherwise using this report, you agree to
do your own research and due diligence before making any investment decision with respect to securities discussed herein,
and by doing so, you represent to us that you have sufficient investment sophistication to critically assess the information,
analysis and opinions in this report. You should seek the advice of a security professional regarding your stock transactions.

This document or any information herein should not be interpreted as an offer, a solicitation of an offer, invitation, marketing
of services or products, advertisement, inducement, or representation of any kind, nor as investment advice or a
recommendation to buy or sell any investment products or to make any type of investment, or as an opinion on the merits
or otherwise of any particular investment or investment strategy.

Any examples or interpretations of investments and investment strategies or trade ideas are intended for illustrative and
educational purposes only and are not indicative of the historical or future performance or the chances of success of any
particular investment and/or strategy. As of the publication date of this report, you should assume that the authors have a
direct or indirect interest/position in all stocks (and/or options, swaps, and other derivative securities related to the stock)
and bonds covered herein, and therefore stand to realize monetary gains in the event that the price of either declines.

The authors may continue transacting directly and/or indirectly in the securities of issuers covered on this report for an
indefinite period and may be long, short, or neutral at any time hereafter regardless of their initial recommendation.

Viceroy Research Group 5 viceroyresearch.org

 1. How the App Works & Broad Privacy Concerns
To understand the risks Truecaller poses to users – and thus the risk privacy laws pose to Truecaller – we have
to understand how the app works.

Building the Data

Fundamentally, Truecaller builds a “phonebook” and refines its spam database by:

▪ Gathering identities of users and their address books (where they are allowed to). This is by far the most
valuable and invasive data users are providing to Truecaller.
▪ Processing user-submitted “spam” numbers.
▪ Identifying numbers which have exhibited spam-like behavior such as calling multiple unrelated Truecaller
users.

Using the App

Viceroy has created various Truecaller IDs on various dummy phones to play around with privacy settings, trace
data packets, check permissions and third-party trackers, and verify Truecaller’s privacy claims.

Meet Mike Rotch:

Figure 1 – Mike Rotch dummy Truecaller profile

Mike is a hypothetical French Truecaller user with full permissions granted. Mike allowed Truecaller access to
his contacts (John, Paul, George & Ringo) but because he is French, Truecaller cannot use this data in their
database (GDPR – Section 2).

Mike can search any number on the app, including random numbers in India, and find the person’s name if they
or someone who has them as a contact uses Truecaller. Creepy. Truecaller states that the reverse search by
name is not possible. This is untrue:

▪ Mike can search anyone’s name, for instance, an ex-girlfriend he wants to abuse. If she on the Truecaller
app, she only has to click accept and all details will be shared. Mike also doesn’t have to use his real
name: he can use any name he wants (maybe the name of a relative of this woman)9.
▪ This woman could retaliate and ask all her friends on the Truecaller app to flag Mike as “spam”,
inaccurately attributing incorrect personal information to Mike’s number.

We also note that, in some instances, Viceroy name searches across Europe immediately showed the users’
phone numbers.

9 For the sake of clarity, no member of Viceroy is named Mike Rotch and no ID was required to create this profile.
Viceroy Research Group 6 viceroyresearch.org
 2. “We are an Indian Company” - GDPR Analysis
GDPR violation
Viceroy Research have consulted with various GDPR experts on the intricacies of a business model resembling
Truecaller. We believe Truecaller is subject to GDPR, and in violation of:

▪ Article 7 – Conditions for consent.

- Truecaller does not ask for consent from third party non-users when it processes their data. It instead
asks users whether they have informed and obtained the consent of every contact they upload to
Truecaller.
▪ Article 14 – Information to be provided where personal data have not been obtained from the data subject
- Truecaller does not provide any of the information required to the data subject where their data was
not obtained from them directly. Exemptions to this rule (archival purposes, scientific or historical
research, statistical research) are not applicable to Truecaller.
▪ Article 34 – Communication of a data breach to a subject.
- We are unable to find any time that Truecaller has discharged their obligations to notify data subject of
a data breach. In fact, we are unable to find a single instance where Truecaller has been honest about
data breaches even when they were confirmed by third parties through Truecaller’s search function.
- We are unable to find any instances where Truecaller has notified non-user data subjects that their
personal information has been incorrectly publicly displayed without their consent.

Further, by failing to discharge their obligations under Articles 7 and 14, Truecaller is effectively depriving data
subjects of their following rights:

▪ Article 15 – Right of Access

▪ Article 16 – Right to Rectification
▪ Article 17 – Right to be Forgotten
▪ Article 18 – Right to Restriction of Processing

We tested this by adding several identities to Truecaller through a dummy account. None of these identities
were informed or even contacted by Truecaller. You, our reader, may be part of the Truecaller database without
knowing about it. You may even be marked as spam or under a different name.

These issues came to a head in 2017 when the Article 29 Data Protection Working Party sent a letter to Truecaller
about the information of third-party non-users10.

These are not violations that can be fixed with a patch or privacy policy update. These violations were exactly
the fundamental way Truecaller built its database.

Truecaller then moved their servers to India in 201811, we believe in part to take advantage of lax privacy and
data protection laws. Despite moving data centers to India, Viceroy believe Truecaller is still subject to GDPR
regulations, and that these regulations apply to all Truecaller users.

10https://ec.europa.eu/newsroom/article29/items/610173
11https://www.newindianexpress.com/business/2022/mar/29/bullish-about-indian-business-prospects-viewing-data-
protection-law-positively-Truecaller-ceo-2435516.html
Viceroy Research Group 7 viceroyresearch.org
Does GDPR apply?
Viceroy believe Truecaller is a data controller established in the EU under Article 3 of GDPR and bears the
relevant responsibilities regardless of their data subjects’ location or nationality.

The European Data Protection Board recommends a 3-step approach to determining applicability of GDPR12:

3(1) – Establishment within the union.

Truecaller’s head office is in Sweden, where it employs staff and therefore qualifies as an establishment. Experts
told us that a small office or a branch would suffice, and that in some cases a single employee or agent with
enough stability would satisfy the test. The billing of clients in Sweden is inextricably linked to the operational
activities of Truecaller (whether in India, or abroad).

3(2) – Processing of personal data carried out “in the context of the activities” of an establishment.

Truecaller collects EU citizens phone numbers and information associated with it and uses this information to
provide a service to EU citizen users which constitutes both monitoring EU citizen behavior and offering a service
to them.

True Software Scandinavia AB is the billing entity for all Truecaller revenues worldwide and the contracting entity
and processor for users in the EEA.

3(3) – Application of the GDPR to the establishment of a controller or a processor in the Union,
regardless of whether the processing takes place in the Union or not.

It should be noted that these criteria are not applied in aggregate but individually. By all measurements,
Truecaller falls within the criteria for a company subject to GDPR.

Further a guidance document by the EDPB clarifies that Article 3(1) considers “any personal data processing in
the context of the activities of an establishment in the Union would fall under the scope of GDPR, regardless of
the location and nationality of the data subject whose personal data are being processed.

Figure 2 – Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

We are seeking clarification but it appears that through being a Swedish company Truecaller are responsible for
GDPR-compliant treatment of all their customers, not just those in the EEA.

As a Swedish company Truecaller is under the remit of the Swedish Authority for Privacy Protection
(Integritetsskyddsmyndigheten). We have sent a copy of this report to the Integritetsskyddsmyndigheten.

12 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
Viceroy Research Group 8 viceroyresearch.org
 3. “We are a Swedish Company” – A Hot Take on Taxes
Immediately after it received a list of concerns from the Article 29 Working Group (Section 2), Truecaller moved
“100%” of its data centers and substantially all its operations to India to be GDPR “compliant”.

We fully expect Truecaller to respond to our report of GDPR breaches with something like this:

“European Data Protection Board guidelines 3/2018 on the territorial scope of the GDPR Article 3 state
that the mere presence of having employees in India is not sufficient to trigger the application of GDPR.
For processing in question to fall under GDPR, it must also be carried out in the context of the activities
of the EU-based employees.”

The argument Truecaller will no doubt make is that it is first and foremost an Indian company with all respect to
operations and R&D. It only maintains billing and other head office activities in Sweden 13. This has clearly caught
the attention of the Royal Bank of India and Truecaller’s auditors.

In 2021: 56% of “average number of employees” and 63% of “new hires” were in India.

Figures 3 & 4 – Truecaller Annual Report 2021

Even substantially all Truecaller’s global R&D appears to be done in India (an embarrassing SEK ~20m in 2021).

Figure 5 – Truecaller International LLP Annual Report 2021

India is also Truecaller’s biggest market, representing over 70% of users and 78% of revenues as of Q2 2022.

Figure 6 – Truecaller Annual Report 2021

How much tax does Truecaller pay in India? Zero.

This is incompatible with Truecaller’s GDPR stance.

13
ICEJ Google Spain case found that activities related to Google Spain’s billing (in Spain) and data processing (outside EU)
were inextricably linked, thus subject to GDPR.
Viceroy Research Group 9 viceroyresearch.org
A dive into a loss-making Indian subsidiary
Truecaller’s Indian Subsidiary, “Truecaller International LLP”, has an emphasis of matter in its audit report for
2021, stating that management is “seeking approvals” and “taking steps thereof” under the Reserve Bank of
India’s guidelines for transfer pricing and GST (VAT). Reading between the lines, Viceroy believe Truecaller are
under investigation for tax fraud in India.

Figure 7 – Truecaller International LLP Annual Report 2021

Truecaller bills almost all services and ads from Sweden. It does not appear to charge or pay GST, as it classifies
ad sales to Indian consumers as an export service. This includes ad sales to Indian users by Indian companies. In
these respects Truecaller now considers itself a “Swedish Company”14.

A dive into local Indian accounts show that Truecaller India bills substantially all its revenue from Sweden.
However, these bills are not even sufficient to break-even.

Figures 8 & 9 – Truecaller International LLP Annual Report 2021

Truecaller International’s reported loss was SEK 15m, despite itself recording SEK ~15m in
profits in the same period.

14
We note that local advertisement agencies may indeed collect GST on behalf of end users. There is an argument to be
made here on competitive nature of this from a basic pricing perspective.
Viceroy Research Group 10 viceroyresearch.org
Transfer Pricing Methodology
Currently, Truecaller prescribes a “cost-plus” method for transfer pricing out of India. This is a prescribed
transfer pricing method but is more commonly used for undifferentiated manufacturing goods with various
comparable market prices.

Figure 10 – Truecaller International LLP

Viceroy do not believe this method will be accepted by the RBI for the development and operational running
costs of Swedish software being sold primarily to the Indian market15. We highly suspect that this is the
underlying reason for the auditor’s EOM in Truecaller International LLP’s financial accounts.

Case studies already exist where Transfer Pricing Officers have disputed cost-plus models from industries trying
to abuse Indian cost-plus transfer pricing, and were forced to recognize profits on an appropriate ratio based on
the “functional profiles” of international customers and local taxpayer “suppliers”16.

The effective tax rate in India is ~29%, and income is subject to a further dividend withholding tax of 20% 17 18.

Thus, the Catch-22:

▪ Truecaller is an Indian company when subject to GDPR and conducts almost all its operations in India. It’s
transfer pricing method is reserved almost exclusively for undifferentiated services which don’t bear risk.
▪ Truecaller is a Swedish company when it’s time to lodge its tax filings. It pays taxes almost exclusively in
Sweden. This is despite all processing risk and operations being carried out in India.

Viceroy will not place value on possible tax implications given the complexity of transfer pricing guidelines and
the tax treaty between Sweden & India. We have high conviction that Truecaller will be subject to far higher tax
obligations when properly accounted for.

15 Readers should research intricacies and various limitations to cost-plus transfer pricing, including how tax agencies view
risk-taking activity, and how parties are inextricably linked.
16 https://www.pwc.com/gx/en/international-transfer-pricing/assets/india.pdf
17 https://taxsummaries.pwc.com/india/corporate/taxes-on-corporate-

income#:~:text=A%20beneficial%20CIT%20rate%20of,from%20tax%20year%202019%2F20.
18 https://taxsummaries.pwc.com/india/corporate/withholding-taxes

Viceroy Research Group 11 viceroyresearch.org

 4. Financial Analysis
Revenue Growth One-Off
Truecaller’s ad revenues have increased massive since its IPO, completely uncorrelated from user growth. This
is because Truecaller ironically spammed customers with more ads.

A transcript of a Tegus19 interview with a former Truecaller employee, sighted by Viceroy, stated the following
stated the following:

“One thing that Truecaller said recently, how they increase their ads per user, right? If you look at the
history, in the last couple of years, it seems to have increased, right, the number of use of ads per
user…maybe the one thing that's very important to understand…let us say I get a phone call… from a
user who is not in my address book or my phone book, Truecaller will show a pop-up with some name
or whatever…then there would be an advertisement attached to it

So, if my mom or dad or somebody else called, then Truecaller would not have a pop-up because there
is no value to be added because I know who is calling… my phone itself will tell me that my dad is calling.

Just before their IPO, they decided to just open it up to everybody, just show [ads] for every call that
comes… that means if I get 10 calls per day, earlier, I might have seen the ad once. But suddenly, I see
[ads] 10 times, right, because it's from known people, which means that growth is a onetime thing. It's
not sustainable.”

- Tegus Interview (emphasis added)

The Truecaller app advertisements historically were only pushed when unknown numbers called their users.
Now ads are pushed to users on every call, including their known contacts. If you block some spam calls, you
can’t monetize ads on those calls. It’s all very ironic.

This created a huge one-time revenue bump driven by a 3-4x increase in user impressions spread across
approximately 1 year, with no visible or consistent improvement to impressions monetized. Impressions per-
user per-day are now flat/decreasing q/q.

Advertising Analysis - Truecaller 2020 2021 2022

Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2
Average Daily Active Users 174 178 190 201 211 218 229 239 248 255
qoq change 2% 7% 6% 5% 3% 5% 4% 4% 3%
Advertising revenue SEKm 111 103 149 146 199 266 339 339 414
qoq change 44% -2% 37% 34% 28% 0% 22%
Impressions/user/day n 3 5 7 9 10 11 12 12 12
qoq change 61% 41% 30% 12% 13% 8% 4% -1%
CPM SEK 1.18 1.28 1.24 0.89 1.05 1.18 1.34 1.24 1.49
Figure 11 – Advertising Analysis – Viceroy Research

19 https://www.tegus.com/
Viceroy Research Group 12 viceroyresearch.org
Somehow exceeding “market opportunity”
To get a sense of how absurd Truecaller’s ad placement has become, it already exceeded its total “market
opportunity” as identified in its prospectus issued in Q3 2021, by Q2 2021. As of Q2 2022, Truecaller’s annualized
impressions have flatlined around 1,100 billion:

Advertising Analysis - Truecaller 2020 2021 2022

Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2
Advertising revenue SEKm 103 149 146 199 266 339 339 414
CPM SEK 1.28 1.24 0.89 1.05 1.18 1.34 1.24 1.49
Impressions annualized billions 323 480 654 757 901 1,012 1,093 1,112

Figures 12 & 1314 – Viceroy Analysis and Truecaller Prospectusm respectively

Readers can also observe that increases in CPM are negatively correlated with impression growth. Viceroy
believe growth has or will plateau over the coming 12 months, data protection issues aside.

Premium userbase falling

Truecaller’s premium subscriber counts appear to be falling as raw user counts are increasing. We can determine
premium user numbers through the following equation.
𝑄𝑢𝑎𝑟𝑡𝑒𝑟𝑙𝑦 𝑃𝑟𝑒𝑚𝑖𝑢𝑚 𝑈𝑠𝑒𝑟 𝑅𝑒𝑣𝑒𝑛𝑢𝑒
= 𝑈𝑠𝑒𝑟 𝐶𝑜𝑢𝑛𝑡
𝑀𝑜𝑛𝑡ℎ𝑙𝑦 𝑃𝑟𝑒𝑚𝑖𝑢𝑚 𝑈𝑠𝑒𝑟 𝐴𝑅𝑃𝑈 × 3

Premium User Analysis - Truecaller 2020 2021 2022

Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2
ARPU per premium subscriber SEK/mth 8.1 8.1 7.4 7.6 8.8 8.4 8.1 8.7
India SEK/mth 5.0 4.9 4.1 4.3 6.1 5.4 4.5 5.2
MEA SEK/mth 10.7 10.8 10.0 9.9 10.0 9.9 10.1 10.6
Rest of world SEK/mth 13.9 13.5 12.7 12.1 11.9 11.6 11.8 12.5

Premium user revenue 31.0 33.3 34.0 34.5 35.0 35.6 38.9 41.4
Premium subscribers 1,275,720 1,373,762 1,533,604 1,521,164 1,322,751 1,407,671 1,610,766 1,582,569
Est. premium user penetration 0.67% 0.68% 0.73% 0.70% 0.58% 0.59% 0.65% 0.62%
Figure 15 – Premium User Analysis – Viceroy Research

Truecaller claims premium growth has been stumped due to a Google dispute with the Royal Bank of India which
has temporarily disallowed subscription auto-renewals. The reality remains that Truecaller’s revenue growth
from premium customers can be largely attributed to pricing increases.

Interviews with former employees did not corroborate management’s views on premium subscriber growth. A
Tegus interview with a former Truecaller employee, sighted by Viceroy, stated the following:

“So, the thing is subscriptions, again, approximately, again you can check it from their prospectus, but
there were about 1m to 1.5m subscribers paying about, I don't know, $2 a month or something like that,
right? So probably even lesser because in India, it is about $0.50 a month approximately. But that is a
stagnant business. It is not growing since the last couple of years.”

- Tegus Interview (emphasis added)

Viceroy Research Group 13 viceroyresearch.org

No skin in the game
Don’t be fooled: Truecaller management is laughing all the way to the bank. Management and early investors
have taken every opportunity available to offload as much stock as possible. A non-exhaustive list of enormous
placements follows:

The Truecaller IPO comprised of only 19m newly issued B-shares against 34m B-shares sold by existing
shareholders, including the company’s founders and venture capitalists.

Figure 16 – Truecaller IPO brief20

Major early backers Sequoia, Kleiner Perkins & Atomico sold a further 21 million B-shares on 17 May 2022:

Figure 17 – Press Release Sale of B Shares by major backers21

Atomico sold the remainder of its position earlier this month: 5 September 2022

Figure 18 – Press Release Sale of B Shares by Atomico22

Sequoia remains Truecaller’s largest shareholder and a part of the company’s board, but the existence of
directors’ A-shares dilutes Sequoia’s ~20% financial interest to little over 8% voting rights:

Figure 19 – Truecaller’s top shareholders as of 27 Sep 202223

It largely appears as though major backers are losing interest. Buyer beware.

20 https://www.aktiespararna.se/analysguiden/nyheter/truecaller-ab-offering-price-truecallers-initial-public-offering-has-
been-set-sek-52-class-b
21 https://news.cision.com/carnegie/r/sale-of-b-shares-in-truecaller-ab--publ-,c3569268
22 https://news.cision.com/se/carnegie/r/sale-of-b-shares-in-truecaller-ab--publ-,c3626238
23 https://corporate.truecaller.com/investors/the-share

Viceroy Research Group 14 viceroyresearch.org

Indian Auditors: SR Batliboi
Truecaller’s local Indian auditor has received the largest fine handed to auditors in India’s history for its audits
of Axis Bank and Yes Bank.

Figure 20 – RBI bars EY group Batliboi from auditing bank books for one year- Business Standard24

SR Batliboi was also the local auditor for some of Wirecard’s Indian subsidiaries.

We note that SR Batliboi cited ‘inability to continue’ for the Star Global audit on 12 July 2017. SR Batliboi also
signed for Visa Processing Services (Wirecard India) on 26 September 2016.

The firm was also found prima facie guilty by the Institute of Chartered Accountants of India for its audit of
Infrastructure Leasing and Financial Services25.

Figure 21 – Extract from The Analyst report on Wirecard26

Enough said.

24https://www.business-standard.com/article/companies/rbi-bars-ey-group-s-batliboi-from-auditing-bank-books-for-one-
year-119060301662_1.html
25
https://www.taxscan.in/icai-ilfs-auditors-guilty-professional-misconduct/31368/
26https://d1o32tunh0h64a.cloudfront.net/6465/Wirecard---Audits-and-Revenue-Recognition-Concern-14-02-2019_FINAL-
VERSION.pdf
Viceroy Research Group 15 viceroyresearch.org
 5. Privacy concerns & third-party policy breaches
Google Privacy Policy Violation
Viceroy believes that Truecaller is in violation of Google’s Privacy Policy. Google’s privacy policy states, “We
don't allow unauthorized publishing or disclosure of people's non-public contacts.” and has remained unchanged
since at least 201627.

Figure 22 Google User Data Guidelines

Without re-exploring GDPR and limitations already placed on play-store downloads: Truecaller uploads entire
contact books of Truecaller pre-installed phones & from APK website downloads. These contacts are searchable
without the consent of non-users. We know: Viceroy have conducted several successful searches of non-user
Indian friends who actively appear on Truecaller’s contact book.

Former employees confirmed that the Truecaller app downloaded from the Google Play store does not scrape
contact book data.

However: former employees also advised that Truecaller have ingeniously (sarcasm) bypassed Google Play’s
policy by enticing users to sign into their accounts via web browser through their Google accounts where
“Enhanced Search” feature is auto-clicked “on”. Truecaller allegedly believes this is not a breach of the Play
Store’s privacy policy.

Figure 23 – Sign-In Landing Page snippet – 27 Sep 202228

27 https://support.google.com/googleplay/android-developer/answer/10144311?hl=en
The above site was indexed by google on June 15, 2016
28 https://www.truecaller.com/auth/sign-in

Viceroy Research Group 16 viceroyresearch.org

Viceroy believe Truecaller has also intentionally misconstrued “publishing and disclosure” with “searchability”
in its Google Play Store privacy notice:

Figure 24 – How Truecaller’s Caller ID Works – Your Questions Answered29

To be clear: Truecaller non-users are searchable on the Truecaller App downloaded from the Play Store, thus
disclosing people’s non-public contacts from Truecaller’s historic data and direct-install users. This will only
continue as the company pursues pre-installed versions as a bridgehead into newer markets30.

Truecaller’s publicly searchable numbers have already been used to perpetrate the very scams it claims to stop
with perpetrators using Truecaller’s number search to find targets to contact on WhatsApp and ask for funds.

Figure 25 – The world of WhatsApp impersonation scams - newslaundry31

Truecaller’s prospectus states that it had approximately 5.7b consumer and business identities and that the
company, far exceeding the number of users.

Figure 26 – Truecaller prospectus

29 https://www.Truecaller.com/blog/features/how-Truecallers-caller-id-works-your-questions-answered
30 https://timesofindia.indiatimes.com/gadgets-news/android-phones-may-soon-come-preloaded-with-Truecaller-app-in-
these-countries/articleshow/89423906.cms
31 https://www.newslaundry.com/2022/09/16/the-world-of-whatsapp-impersonation-scams-using-the-identities-of-the-

rich-and-powerful
Viceroy Research Group 17 viceroyresearch.org
Unnecessary levels of access
Truecaller’s website features a page called “permissions required at the time of registering your number on
Truecaller”32. This list is already extremely invasive; however, Viceroy’s own checks show many more
permissions are sought, and many trackers active in order to sell you advertisements.

Trackers

Figures 27 & 28 – Exodus Privacy Truecaller Tracker Report – Sample dated 17 Sep 2022

We make note that several of these third-party trackers do not appear on Truecaller’s disclosed list of third-
party data processors:

▪ Amazon is not a listed third-party data processor in any advertising or marketing category.
▪ Vungle, or its parent company Chartboost, is not a listed third-party data processor in any advertising or
marketing category.

Another persistent concern notably raised in The Caravan investigation into Truecaller is the app’s ability to read
SMS messages to build a full financial profile of the user33. A former employee confirmed that the company’s
algorithm can read SMS messages, which the company denies.

Figures 29 & 30 – Extract from Truecaller “List of third-party data providers” – 21 Sep 202134

32 https://support.Truecaller.com/support/solutions/articles/81000392522-permissions-required-at-the-time-of-
registering-your-number-on-Truecaller
33 https://caravanmagazine.in/technology/Truecaller-data-consent-india-privacy-laws
34 https://www.Truecaller.com/third-party-data-processors

Viceroy Research Group 18 viceroyresearch.org

 Permissions

Figures 31, 32, 33, 34 & 35 – Exodus Privacy Truecaller Tracker Report – Sample dated 17 Sep 2022

▪ Location data is shared to Truecaller, who claim that it is to “share location via SMS/Chat or Flash” and to
“regionalize the top spammer list”. This is laughable. Truecaller does not disclose that location is shared to
third party marketing agencies to sell user advertisements.
▪ Truecaller accessed users’ network locations, wifi, and network states. This is not disclosed in their
“permissions” page.

Truecaller claims it on its “permissions” page that Contact book access is needed to know if callers are in users’
contact books to show caller ID. It fails to mention that in many countries your data is used to fill their database.

Viceroy Research Group 19 viceroyresearch.org

Bootleg copies
For an app that claims to be all about privacy and security the Truecaller app appears to be remarkably unsecure.
Despite the high-tech impression of the Truecaller app, there are literally hundreds of listings for downloading
the premium or gold bootleg or “cracked” versions of the app on most torrent or .apk download sites.

This is concerning as it shows that the Truecaller app has been compromised, and has been for some time, likely
through exploiting its license verification code.

Viceroy confirmed these cracked versions can communicate with Truecaller servers and appear as legitimate
Truecaller Gold service users. We used an account registered on the official Truecaller website (Mike Rotch,
mentioned above) and were able to log in without issue and were able to call other Truecaller numbers.

Figures 36 & 37 – Truecaller Packet capture and Truecaller Premium page on cracked app

Experts contacted by Viceroy stated that it would be fairly easy to modify these cracked versions to extract
Truecaller’s entire database. While the app seemed to restrict searches after a period of intense searching, a
simple reinstallation seemed to reset our connection.

Further the number of versions that have been cracked and the timespan implies these vulnerabilities have
existed since 2016: over 300 versions of the app were found on one site alone.

Viceroy Research Group 20 viceroyresearch.org

Security Breaches
Truecaller has been hacked several times in the past. This is a non-exhaustive list:

The SEA
In 2013 the Syrian Electronic Army, a group of Syrian hackers backing the Assad regime hacked into Truecaller’s
website and claimed to have downloaded more than seven Truecaller databases with data worth 450GB. The
SEA claimed it was able to exploit the website as it was based on an outdated wordpress platform and later
published the database host ID, username and password35.

Cheetah Mobile Security Research Lab

In 2016 Cheetah Mobile Security Research Lab discovered that Truecaller only used a user’s IMEI number to
authenticate users. The IMEI code allowed them to retrieve user details as well as modify account settings, add
other users to block lists and delete block lists. It was also possible to write scripts to query random IMEI codes
to find user details36.

The Economic Times Report

In May 2019 a researcher reported that the mobile numbers and other user information of 300m Indian
Truecaller users was for sale on the dark web. A spokesperson for Truecaller suggested that the data was
obtained from within the app, corroborating our view that cracked versions of the app are a serious danger.

Figure 38 – Data Leaked for 300 Million Truecaller Users37

The data from the leak resurfaced in May 2020 when cyber risk firm Cyble identified a reputable seller selling
the records of 47.5m Indian Truecaller records for only USD1,000 38.

POC Malicious Link

In November 2019 another researcher found a design flaw that allowed users to insert a malicious link in place
of a profile picture to target attacks on other users viewing their profile39.

35 https://timesofindia.indiatimes.com/tech-news/Truecaller-hacked-1-million-indians-data-at-
risk/articleshow/21144470.cms
36 https://news.softpedia.com/news/flaw-in-Truecaller-android-app-leaves-data-of-millions-of-users-exposed-

502263.shtml
37 https://www.bankinfosecurity.asia/researcher-data-leaked-for-300-million-Truecaller-users-a-12519
38 https://blog.cyble.com/2020/05/26/47-5-million-indian-Truecaller-records-on-sale-for-only-1000/
39 https://www.forbes.com/sites/zakdoffman/2019/11/24/critical-flaw-in-android-ios-phone-app-left-150-million-users-at-

risk/?sh=6c54ef381ec0
Viceroy Research Group 21 viceroyresearch.org
The Angry Wizard
A 2019 report by a developer by the name of AngryWizard claimed that Truecaller’s data was transmitted to
external servers without user consent and that this data was easily accessible due to the method with which it
was uploaded.40

The report went on to claim that they were able to pull 30,000 contacts and names of scammers. At the time
public and requiring no authentication, AngryWizard claimed they had access to over 10m identities41. They
were also able to pull information on Truecaller users and non-users with their phone numbers.

Angry Wizard also claimed the data was uploaded via GET, with screenshots to match:

Figure 39 AngryWizard report on Truecaller

Basically, anyone could pull entire data of all user uploads. Techpoint Africa reached out to Angry Wizard to test
this:

Figure 40 – What exactly does Truecaller do with your data? – Techpoint Africa

It is important to note that contact data pulled by Angry Wizard included European numbers. This vulnerability
was exposed in 2019: after the implementation of GDPR. Viceroy are unable to ascertain if this is still an active
breach, but would very much like to hear from the Angry Wizard.

40 https://web.archive.org/web/20210204184354/https://techpoint.africa/wp-content/uploads/2019/12/Angry-Wizards-
Truecaller-Explanation.pdf
41 https://techpoint.africa/2019/12/18/Truecaller-data-developer-dive

Viceroy Research Group 22 viceroyresearch.org

The “Guardians”
In 2021 Truecaller launched Guardians, designed to share a user’s location and other information with contacts
for their safety. The app launched with a vulnerability that allowed malicious actors to log in to any account with
their phone number and take over the account42. The bug allowed malicious actors to view family member
details including live locations.

In response the company said the issue was due to a development configuration being rolled out by mistake.

We don’t doubt that more vulnerabilities will be discovered and that Truecaller’s cavalier approach to security
is one reason the Indian government is looking at building its own alternative.

The Caravan Article

On March 9, 2022, Indian Investigative Journal “The Caravan” published a fantastic in-depth report on
Truecaller’s invasive app and interviewed several concerned employees on exactly how much data the company
was able to access43.

Former employees claimed that Truecaller had access to user SMS messages and was able to build out a financial
profile of each individual. In India most banking and transaction confirmations are done through SMS which
Truecaller’s algorithm can read.

Truecaller denies that any SMS data is processed on its servers and that all SMS filtering is done locally,
nonetheless in 2019 a bug automatically created Unified Payments Interface accounts with ICICI bank for many
Truecaller users.

Public Interest Litigation

A PIL case in the Bombay High Court against Truecaller appears to be going forward. The PIL alleged a breach of
data privacy of the cell phone users related to Truecaller’s Unified Payment Interface failure44.

Spy Agency Must-Haves

On November 10, 2020 Privacy International reported that leaked training slides from the European Union
Agency for Law Enforcement Training showed that government spy agencies were being recommended
Truecaller as a method for identifying phone numbers.

Figure 41 – Revealed: The EU Training Regime Teaching Neighbours How to Spy – Privacy International

42 https://thenextweb.com/news/Truecallers-guardian-app-fixes-bug-that-let-hackers-secretly-track-your-family
43 https://caravanmagazine.in/technology/truecaller-data-consent-india-privacy-laws
44 https://timesofindia.indiatimes.com/business/india-business/bombay-hc-issues-notice-to-govt-npci-in-a-pil-over-

truecaller-app/articleshow/84213800.cms
Viceroy Research Group 23 viceroyresearch.org
 6. Competitive environments
Truecaller faces a deteriorating competitive environment as larger players encroach on its territory.

Government solutions
On September 17th it was reported that the Telecom Regulatory Authority of India’s caller ID feature would
“show KYC-based names on the user’s phone”45, meaning instead of a Truecaller profiles identity, it would be
the callers real identity. TRAI’s consultation paper, a TRAI official said, would be released within a month.

The new Draft Indian Telecommunication Bill 2022 also makes provisions for a government-owned alternative
to Truecaller.

Figures 42 & 43 – Draft Indian Telecommunication Bill 2022 and Explanatory Notes

Further to snippets below, the bill makes now makes spamming an arrestable offence. Viceroy believe this will
be a further significant deterrent to spammers. Less spam calls is bad for Truecaller business.

Despite what Truecaller claims, we believe that the Indian government has every intention of supplanting it in
its key market with a state-owned solution. The draft bill reading like a Truecaller design brief only reinforces
our view.

45https://www.newindianexpress.com/business/2022/sep/17/trai-to-bring-out-consultation-paper-on-Truecaller-like-id-
feature-within-month-2499023.html
Viceroy Research Group 24 viceroyresearch.org
Original Equipment Manufacturers
Original Equipment Manufacturers (OEMs) have started rolling out their own spam and call filters.

Google’s Android operating system now comes with caller ID and spam protection as standard on most
compatible android devices. These are inbuilt to the Google dialer46 which comes as the preset dialer application
for most android devices. Xiaomi, vivo, realme and oppo phones all come with Google dialers pre-installed.
Truecaller has attempted to work around this through preloading the app on phones (referred to as preloads)
but only has a 50% activation rate.

Samsung’s dialer which comes as the preset dialer for its phones also has the Smart Call caller ID and spam
protection with the option to activate Hiya, a Truecaller competitor service, for further protection. Originally
rolled out in North America and Europe, the feature is now available in India47.

The iPhone Issue

Something widely acknowledged in Apple App store reviews of Truecaller is that the app just doesn’t work. This
is due to Apple OS effectively locking Truecaller and other third parties out of the access required. A recent iOS
rebuild was meant to improve performance on iPhones through Apple’s CallKit API but this seems to have failed
with reviews since the update remaining overwhelmingly negative48.

Figure 44 – data.ai Truecaller Apple App store ratings data from September 2, 2022 to September 26, 2022

Former Truecaller employees noted that many who can afford Truecaller premium are moving to iPhones, but
iPhone live access to Truecaller is hampered by Apple’s privacy protections:

“On iPhones, there's no way you are the third party to get [live spam number data]. So that means that
blocking a call as soon as it comes in is really hard unless Truecaller goes and says, okay, here are the
list of spam numbers. So what happens is that has to be stored on the phone and only those can be
blocked real time.

All the others, the new spam numbers are such that will not get blocked automatically because that's
not stored on your phone as a spam number, right? So when you get a call and then you realize that,
okay, and then you search Truecaller, this happens to me all the time, I search Truecaller, then I find
that, oh, this was a spam number.”

- Tegus Interview (emphasis added)

As stated above, we believe Truecaller’s user lookup functionality is in violation of Google’s privacy guidelines,
while Google has historically been slow to adjust, we believe they are already moving in this direction with their
recent ban on call recording and the effect it had on Truecaller’s functionality 49.

46 https://play.google.com/store/apps/details?id=com.google.android.dialer&hl=en&gl=US
47 https://www.samsung.com/in/apps/smart-call/
48 https://www.Truecaller.com/blog/features/Truecaller-for-iphone-revamped
49 https://www.indiatoday.in/technology/news/story/Truecaller-no-longer-offers-call-recording-feature-here-is-how-to-

auto-record-calls-1948224-2022-05-11
Viceroy Research Group 25 viceroyresearch.org
Over-the-top services
Over-the-top services such as WhatsApp, are posing a greater threat to Truecaller through offering an alternative
spam-free communication channel. Call blocking is set on by default unless a user has the caller registered as a
contact. Former employees expressed a view that it would be impossible for Truecaller to supplant Whatsapp
in India, or for the government to restrict Whatsapp.

A transcript of a Tegus50 interview with a former Truecaller employee, sighted by Viceroy, stated the following
stated the following:

“I mean, totally, the typical Indian user, right? They're not sophisticated, not technical, but they know
to use an app or two, right? And they are moving from phone app to WhatsApp. I mean, it's just in the
last two years that this happened, like two, three years when data became cheap to almost free in
India, right? It's extremely cheap right now in India to get the gigabytes of data per day. So,
everybody is going to WhatsApp because of the seamless way you can communicate with
attachments and so on. And in WhatsApp, you cannot get spams, right, because WhatsApp is very strict
about regulating their platform, right?

So, people are moving like crazy to WhatsApp, and I agree with you. It's one of the biggest threats to
Truecaller, just like you have all these legal challenges, but I also think the behavior of users to
moving to WhatsApp. Earlier, there were other messengers like Hike and LINE, but those have gone
away now.

It's only WhatsApp. It's like really ruling the Indian market, and it's getting stronger by the year. Like
everybody who downloads a phone earlier might have downloaded Truecaller as one of the first few
apps, but now it has completely shifted to WhatsApp, right?

- Tegus Interview (emphasis added)

India is the world’s largest WhatsApp market by far, with 487m users.

In Brazil, WhatsApp has integrated many business functions with tech players and is a largely ubiquitous app.
These services are due to arrive in India in the short term and will deteriorate Truecaller’s aspirations to become
a serious B2B player.

Figure 45 – JioMart comes to WhatsApp 51

50https://www.tegus.com/
51https://economictimes.indiatimes.com/tech/newsletters/tech-top-5/jiomart-comes-to-whatsapp-byjus-receives-clean-
fy21-audit/articleshow/93858982.cms?from=mdr
Viceroy Research Group 26 viceroyresearch.org
Truecaller spent USD ~$2m on R&D in 2021.

7. Conclusion
Viceroy believe Truecaller have evolved from many different failed shapes on something that finally makes
money. Unfortunately, this shape appears to be non-compliant.

We do not assign a target price to Truecaller but believe there is significant short & medium term downside as
the app becomes redundant and regulatory breaches are enforced.

Viceroy Research is short Truecaller.

Viceroy Research Group 27 viceroyresearch.org

 8. Appendix
Europe
Effective May 25, 2018, General Data Protection Regulation (GDPR) went into effect in the European Economic
Area (EEA)52. Truecaller’s EU policy unequivocally states that:

“We do not: store or share any personal information of contacts from Your address book…provide
reverse number look up of contacts from Your address book”

Figure 46 – Truecaller Privacy Policy - EU53

Former Truecaller employees told us that GDPR adoption in the EU effectively killed the app’s utility there,
adding that Truecaller deleted all non-business data and moved their data centres to India as a consequence.

“I think a very easy way to see that is what happened in EU, right? If you have subscription to things
like App Annie or one of these sites, which show you the usage of apps in various geos, right? If you
can go back and see there what happened to Truecaller in, let's say, Italy or Sweden or U.K. before
and after GDPR. And you can see it. Like there's a sudden fall in rankings, and nobody downloads
the app anymore. Because after that, it's only for businesses that are calling you, right? It's not for
end users….”
“So, which means about 90%, it's a guesstimate, of their data is unconsented, which means, in India,
of the Indian population, also approximately 90%, maybe 80%, it's something in that range, is
unconsented data. So, they may end up having to delete the data. Just like in Europe, they were
forced to delete all the data, nonbusiness data.”
- Tegus Interview (emphasis added)

We were unable to verify that deletion of data obtained prior to GDPR was required but were able to verify that
GDPR travels with the data: it applies regardless of geography.

Nigeria
In 2019 the National Information Technology Development Agency (NITDA) of Nigeria opened an investigation
into alleged privacy breaches of over 7 million Nigerians by Truecaller. Their findings alleged 3 instances of
Trucaller’s Privacy Policy as incompatible with Nigeria Data Protection Regulations (NDPR).

52 EU countries an Iceland, Liechtenstein and Norway

53 https://www.Truecaller.com/privacy-policy-eu
Viceroy Research Group 28 viceroyresearch.org
A month later at a conference NITDA’s Director General stated that Truecaller would “find ways to harmonise
operations to comply with [NDPR].” 54.

Truecaller’s Nigerian Privacy Policy, effective March 29, 2021, differs from the Rest of World policy in one key
area: app downloads from the Apple App store or Google Play store will not access the user’s address book in
any case. Users who obtain the app another way (preloaded on their phone, for example) will need to enable
the enhanced search feature.

Figure 47 – Truecaller Privacy Policy - Nigeria55

As of April 1, 2021, Nigeria has roughly 170m mobile phone users, though only 10-20% use smartphones56. At
the time of the NITDA’s investigation the agency reported that Truecaller had 7 million active users. We doubt
that Truecaller will be able to grow further in Nigeria without paying heavily for preloaded installations on
phones sold in the country.

California
Truecaller’s California privacy policy is largely the same as the EEA’s due to the California Consumer Privacy Act.

Brazil
Truecaller’s Brazil privacy policy effective October 8, 202157 specifically states that if the Truecaller app is
downloaded from the Apple App or Google Play stores then “[Truecaller] does not receive, store or share any of
the contact information in your address book”.

South Africa
Truecaller’s South Africa privacy policy effective July 1, 202158 specifically states that if the Truecaller app is
downloaded from the Apple App or Google Play stores then “[Truecaller] does not receive, store or share any of
the contact information in your address book”.

54 https://www.premiumtimesng.com/news/more-news/356531-Truecaller-to-harmonise-operations-in-nigeria-nitda.html
55 https://www.Truecaller.com/nigeria-privacy-policy
56 https://guardian.ng/technology/the-growth-of-smartphone-usage-in-nigeria/
57 https://www.Truecaller.com/brazil-privacy-policy
58 https://www.Truecaller.com/south-africa-privacy-policy

Viceroy Research Group 29 viceroyresearch.org