2026-05-09 · 12 min read

PayPal EU Alternative 2026: Why the Luxembourg Entity Doesn't Solve Your CLOUD Act Problem

Post #929 in the sota.io EU Cyber Compliance Series | EU-PAYMENT-SERIE Post #2

PayPal is the most-recognised payment button on the internet. For B2C SaaS products and digital goods sellers in the EU, adding PayPal checkout is often the path of least resistance — conversion rates improve, the integration is documented, and customers trust the brand. The GDPR compliance analysis, however, is less comfortable than the integration experience.

PayPal Holdings Inc. is incorporated in Delaware and headquartered in San Jose, California. The US entity controls PayPal's global technology infrastructure, fraud detection systems, and data governance. PayPal's European customers transact through PayPal (Europe) S.à r.l. et Cie, S.C.A. — a Luxembourg limited partnership regulated by the Commission de Surveillance du Secteur Financier (CSSF) under PSD2. This structure satisfies EU licensing requirements. It does not resolve the CLOUD Act question.

This guide examines the specific legal exposure that EU businesses accept when using PayPal or Braintree, what the Luxembourg entity actually covers and what it cannot, and which EU-incorporated alternatives provide structural separation from US government data access authority.


The PayPal Corporate Structure: Luxembourg Entity vs. US Parent

Understanding the GDPR risk begins with understanding what PayPal (Europe) S.à r.l. et Cie actually is and what it controls.

PayPal (Europe) S.à r.l. et Cie, S.C.A. is the licensed payment institution for EU transactions. It holds PSD2 authorisation under Luxembourg law, allowing it to provide payment services across the EU under passporting rules. From a regulatory licensing perspective, EU customers are contracting with a Luxembourg entity.

What the Luxembourg entity controls:

What PayPal Holdings Inc. (Delaware) controls:

The distinction matters because the CLOUD Act, codified at 18 U.S.C. § 2713, requires US entities to produce data they "store, are in possession of, or control" — regardless of where that data physically resides. PayPal Holdings Inc. has operational control over the technology that processes EU transaction data, even when the contractual relationship is with the Luxembourg subsidiary.

The "control" test under the CLOUD Act does not require that US parent servers physically hold the data. Courts applying the CLOUD Act have found that control is established when a US entity has practical access to data held by a subsidiary or affiliated infrastructure. PayPal's integrated global platform — where fraud detection, account management, and transaction processing flow through shared US-controlled systems — satisfies that control test.


Braintree: The Developer Integration That Inherits PayPal's Exposure

Many EU developers who consciously choose not to add a PayPal button still end up with PayPal exposure through Braintree.

Braintree is a payment gateway acquired by PayPal in 2013 for $800 million. It operates as a wholly-owned subsidiary of PayPal Holdings Inc. — a US-incorporated entity subject to CLOUD Act jurisdiction as a direct subsidiary of a US parent.

Braintree is frequently chosen as a "neutral" Stripe alternative. Its API is well-designed, it supports PayPal as a payment method alongside cards, and its developer experience is comparable to Stripe. EU developers evaluating alternatives to Stripe sometimes select Braintree without recognising that they are moving from one US-parent entity (Stripe Inc.) to another (PayPal Holdings Inc. via Braintree).

The CLOUD Act analysis for Braintree is structurally identical to that for Stripe: a US government agency can serve PayPal Holdings Inc. with a CLOUD Act warrant compelling production of Braintree transaction data, including card details, IBAN records, billing information, and purchase history for EU customers.

For GDPR compliance purposes, if your Transfer Impact Assessment (TIA) concludes that Stripe's CLOUD Act exposure is unacceptable, a migration to Braintree does not resolve that TIA conclusion.


PayPal's Data Practices: GDPR Complications Beyond CLOUD Act

The CLOUD Act is the structural legal exposure, but PayPal's data practices create additional GDPR friction that EU businesses need to assess.

People-Based Advertising Matching

PayPal operates a people-based advertising network that uses transaction data — what PayPal users buy, where they shop, what amount they spend — to enable advertisers to target audiences based on purchase behaviour. This program was disclosed in PayPal's 2023 privacy policy update and generated significant regulatory attention in the EU.

Under GDPR Article 6, processing for advertising purposes requires either consent (Art.6(1)(a)) or legitimate interests (Art.6(1)(f)) with a balancing test that favours the data subject when sensitive behavioural data is involved. Transaction data processed for third-party advertising targeting creates an Art.22 automated profiling question and potentially a secondary purpose incompatibility issue under Art.5(1)(b).

EU businesses that are data controllers sharing customer payment data with PayPal need to assess whether PayPal's advertising use of transaction data is disclosed in their own Privacy Policy and Art.13/14 information notices — and whether it is compatible with the purpose for which the data was originally collected (completing a payment, not enabling third-party advertising targeting).

Data Retention Periods

PayPal retains transaction records for a minimum of ten years under financial services regulatory requirements. For GDPR purposes, retention under a legal obligation (Art.17(3)(b)) is a valid exception to the right to erasure — but the retention period and its basis must be disclosed and proportionate. EU businesses whose customers request erasure of payment data must communicate accurately that PayPal's retention of transaction records falls under regulatory obligation, not business preference.

Cross-Border Data Flows Within PayPal

PayPal's global risk and fraud systems require sharing transaction signals across its international infrastructure. EU transaction data flows into PayPal's fraud detection system, which operates on US infrastructure and is trained on global data. This cross-border transfer for fraud prevention purposes is covered under GDPR Article 6(1)(c) (legal obligation) and Art.6(1)(f) (legitimate interest in fraud prevention), but the data flow itself should be documented in your GDPR data mapping and disclosed in your RoPA under Art.30.


The Transfer Impact Assessment Challenge

Post-Schrems II (C-311/18), EU data controllers are required to conduct a Transfer Impact Assessment before transferring personal data to a third country relying on Standard Contractual Clauses (SCCs). For payment processors, the TIA must assess whether US surveillance law undermines the effectiveness of the SCCs.

PayPal's transfer mechanism: PayPal relies on the EU-US Data Privacy Framework (DPF) and SCCs for data transfers from EU subsidiaries to US parent infrastructure. DPF certification does not remove CLOUD Act obligations — it creates a commitment to "necessary and proportionate" collection standards, which the CLOUD Act's broad warrant authority does not satisfy for all scenarios.

The TIA problem for PayPal: A TIA that concludes PayPal's SCCs are effective despite CLOUD Act exposure faces the same structural challenge identified in Schrems II: US surveillance law — including the CLOUD Act, FISA Section 702, and Executive Order 12333 — gives US authorities access authority that EU SCCs cannot contractually override. The EDPB's Recommendations 01/2020 are explicit that when the TIA concludes SCCs are insufficient, transfers must either cease or implement supplementary technical measures.

For payment processing — where PayPal necessarily processes unencrypted payment data to complete transactions — end-to-end encryption that would meaningfully limit US government access is operationally impossible, identical to the Stripe analysis.

Enterprise customer consequences: EU businesses contracting with enterprise clients increasingly receive vendor assessment questionnaires that include explicit questions about CLOUD Act exposure for sub-processors. A PayPal dependency in your payment stack — disclosed in your DPA sub-processor list — can become a procurement blocker with German, French, or Scandinavian enterprise customers who have legal teams evaluating CLOUD Act exposure.


EU-Native PayPal Alternatives: Checkout and Processing

The EU payment landscape has matured to the point where EU-incorporated alternatives exist for both PayPal's consumer checkout experience and its underlying payment processing infrastructure.

Mollie — Amsterdam, Netherlands (Primary Recommendation)

Mollie B.V. is incorporated in Amsterdam and regulated by De Nederlandsche Bank (DNB). Mollie's primary legal entity is Dutch — no US parent, no CLOUD Act exposure from corporate structure.

As a PayPal checkout replacement: Mollie supports card payments, SEPA Direct Debit, iDEAL, Bancontact, Klarna, Sofort, and — importantly — PayPal itself as a payment method option. Merchants who need to offer PayPal as a checkout option can do so through Mollie's integration, where Mollie handles the primary payment processing relationship. The PayPal component becomes a specific payment method choice rather than the primary processor.

Developer integration: REST API, webhook-based, SDKs for Node, PHP, Python, Go, Java, Ruby. Checkout components available. Good documentation.

Pricing: 1.8% + €0.25 per EU card transaction. PayPal payments via Mollie follow PayPal's own fee structure.

Sub-processor verification: Mollie publishes its sub-processor list. As of 2026, infrastructure is EU-based. Verify current list before finalising TIA documentation.

Adyen — Amsterdam, Netherlands (Enterprise)

Adyen N.V. is incorporated in Amsterdam and listed on Euronext Amsterdam (ADYEN). Adyen offers direct card acquiring without US intermediary routing for EU transactions.

As a PayPal checkout replacement: Adyen supports all major EU payment methods including SEPA, iDEAL, Bancontact, Giropay/Wero, and PayPal as a payment method option — structurally similar to Mollie. For enterprise merchants, Adyen's direct card scheme connections offer superior interchange rates.

Developer integration: Full API, hosted fields, Drop-in Web Component for checkout. Enterprise onboarding — volume requirements apply.

Pricing: Interchange++ model. More cost-effective at high volume (typically above €1M GMV/year).

Klarna — Stockholm, Sweden (BNPL / Consumer Checkout)

Klarna Bank AB is incorporated in Stockholm, Sweden. Klarna is an EU-incorporated entity regulated as a bank by Finansinspektionen (Sweden's financial regulator).

As a PayPal checkout replacement: Klarna addresses the "pay later" and "pay in instalments" consumer checkout experience that PayPal Credit and Pay Later offer. Klarna is particularly strong for e-commerce conversion on higher-value purchases.

Important caveat: Klarna has US operations and processes data for US customers. Verify whether your use case routes EU customer data exclusively through EU Klarna entities. For B2C EU-to-EU payment flows, Klarna's EU structure is GDPR-appropriate. Validate sub-processor list and data processing terms specifically for your use case.

Mangopay — Luxembourg (Marketplace / Platform Payments)

Mangopay S.A. is incorporated in Luxembourg and regulated by the CSSF — the same regulator that licenses PayPal's European entity, but Mangopay is an independent entity without US parent control.

As a PayPal alternative for marketplace models: Mangopay specialises in multi-party payment flows — platforms that collect payment from buyers, split funds to sellers, and manage escrow and payout workflows. PayPal has historically been used in marketplace contexts (eBay's heritage); Mangopay is built specifically for platform payment architectures.

Developer integration: REST API, webhooks, EU banking licence enabling IBAN issuance and SEPA transfers.

Worldline — Paris, France (EU-Listed)

Worldline S.A. is incorporated in France and listed on Euronext Paris (WLN). Worldline is one of the largest EU-native payment processors, resulting from the merger of various European payment infrastructure companies.

As a PayPal processor alternative: Worldline provides acquiring, gateway, and checkout services across the EU. It acquired Ingenico in 2020, giving it significant merchant coverage. Less developer-focused than Stripe/Mollie but strong for mid-market and enterprise merchants requiring EU-native full-stack payment infrastructure.


Migration Path: Replacing PayPal Checkout

For SaaS developers replacing PayPal as their primary checkout or payment processing layer:

Step 1: Identify your PayPal use case

Step 2: Update stored payment methods

PayPal wallet tokens and stored card tokens in Braintree's vault cannot be migrated between processors — card network rules prohibit inter-processor vault transfers. Existing customers with stored payment methods must re-enter payment details or be migrated via network tokenisation where supported.

Step 3: Update GDPR documentation

Remove PayPal and Braintree from your Art.30 RoPA sub-processor list. Update DPAs with customers. Update Privacy Policy. Verify Art.13/14 disclosures accurately reflect the new processor's data practices, retention periods, and transfer mechanisms.


Developer Reality Check: PayPal vs. Structural GDPR Compliance

PayPal's developer experience is adequate but not exceptional — particularly compared to Stripe. PayPal's API documentation has historically been fragmented across legacy versions. The brand recognition benefit is real for consumer checkout: many EU consumers have PayPal accounts and prefer the one-click checkout experience.

For EU businesses at the early stage — pre-revenue or low-volume — the PayPal CLOUD Act risk is theoretical. For businesses actively seeking enterprise EU customers, or operating in regulated sectors (healthcare software, legal technology, financial services), the risk becomes operational: procurement questionnaires, vendor assessments, and DPA negotiations will surface PayPal's US parent exposure.

The EU alternatives have closed the developer experience gap significantly. Mollie offers a checkout flow that consumer-facing products can adopt without material conversion impact, while eliminating the structural CLOUD Act exposure that PayPal's Delaware parent creates.


sota.io and Full-Stack EU Payment Compliance

Payment processing is one layer of the EU compliance stack. Compute infrastructure carries the same GDPR transfer analysis.

sota.io is EU-native managed PaaS on Hetzner infrastructure in Germany. No US parent. No CLOUD Act exposure at the compute layer. Deploy any language or runtime, with structural GDPR separation at the hosting level.

For EU SaaS developers building payment-integrated products: pairing Mollie or Adyen with sota.io compute creates a consistent GDPR posture — payment processing, application compute, and data storage all within EU-incorporated entities without US parent corporations.


Summary: PayPal EU Alternative Decision Matrix

| Criterion | PayPal / Braintree | Mollie | Adyen | Klarna | Mangopay |
|---|---|---|---|---|---|
| EU incorporation | ❌ US/Delaware parent | ✅ Netherlands | ✅ Netherlands | ✅ Sweden | ✅ Luxembourg |
| CLOUD Act exposure | ❌ US parent controls infra | ✅ No US parent | ✅ No US parent | ⚠️ Evaluate EU entity | ✅ No US parent |
| PSD2 regulated | ✅ CSSF Luxembourg | ✅ DNB | ✅ DNB, AFM | ✅ Finansinspektionen | ✅ CSSF |
| Consumer checkout UX | ✅ Recognised brand | ✅ Good | ✅ Good (enterprise) | ✅ BNPL strength | ⚠️ B2B/marketplace |
| Marketplace / platform | ✅ Available | ⚠️ Basic | ✅ Advanced | ❌ Consumer focus | ✅ Core use case |
| BNPL / Pay Later | ✅ Pay Later | ⚠️ Via Klarna | ⚠️ Via partners | ✅ Core product | |
| Developer experience | ⚠️ Fragmented docs | ✅ Good | ✅ Enterprise-grade | ✅ Good | ✅ Good |
| SME pricing | ✅ 2.9% + fixed fee | ✅ 1.8% + €0.25 | ⚠️ Volume minimums | ✅ Variable | ✅ Volume-based |

Recommendation: Mollie for EU consumer checkout replacement (direct drop-in for PayPal button); Adyen for enterprise and high-volume; Klarna if BNPL is the primary PayPal use case; Mangopay for marketplace payment flows.


This post is part of the sota.io EU Payment Series. Previous: Stripe EU Alternative 2026. Next: Mollie vs Adyen — a technical comparison for EU SaaS developers.

Part of the ongoing sota.io EU Cyber Compliance Series — practical GDPR guidance for SaaS developers building on EU infrastructure.