End User Privacy Policy
- Background
- Data We Collect and Categories of Sources
- How We Use Your Data
- Our Lawful Bases for Processing (EEA and UK End Users)
- How We Share Your Data
- Some Final Details…
End User Privacy Policy
Effective Date: February 28, 2023
Privacy and security are very important to us at Plaid. This End User Privacy Policy (“Policy”) is meant to help you (the “end user”) understand how we at Plaid collect, use, and share your data when you use Plaid products or services - for example, when you use Plaid Portal, or when you use Plaid to connect and share your data to power the applications (“apps”) you use. These apps, which offer many consumer services and products such as helping you save for retirement, manage your spending, streamline credit applications, or transfer money, are built and provided by our business customers (we’ll call them “developers” here), and powered by Plaid.
This Policy applies to Plaid Inc. and its affiliates and subsidiaries, including Plaid Financial Ltd. and Plaid, B.V. (collectively, “Plaid,” “we,” “our,” and “us”). (Please see the “Contacting Plaid” section below for which of these entities is responsible for processing your data.) You should read this Policy carefully, it contains important information about your privacy rights and choices.
First, Some Background
A quick note about Plaid
Our mission at Plaid is to unlock financial freedom for everyone. By delivering access to high-quality, usable financial account data that we’ve translated and standardized, we enable developers to focus on building experiences that benefit you.
About this Policy
Our goal with this Policy is to provide a simple and straightforward explanation of what data Plaid collects from and about you and how we use and share that information. We value transparency and want to provide you with a clear and concise description of how we treat your data.
This Policy does not cover what developers of the apps you use do with your data. You should review the privacy policies or terms of service for those apps for information about their practices. This Policy also does not cover data we collect through our websites or when you interact with Plaid outside of using our product or services, such as emailing Plaid directly. Please see our All Audience Privacy Statement and Cookie Policy for more information.
Plaid’s services are not directed to individuals under 18 and we do not knowingly collect data relating to children.
Our Data Practices
Plaid is committed to providing end users with meaningful control over their data. This section describes Plaid’s data practices relating to our processing of information about you. We also provide summaries of our practices organized by category of information collected and by product at the end of this Policy in the Summaries of Processing Activities section.
Data We Collect and Categories of Sources
As explained in greater detail below, the data we collect, use, and share depends on the Plaid products and services that you, and or the app you have connected to, use. Depending on which of Plaid’s products or services you or the developer you are connecting to use, Plaid may collect the following:
Data you provide to us;
Data from financial partners when you connect your financial account;
Data from the electronic device you use to connect;
Data from the developer of the app you have connected to; and
Data from other sources, including service providers and identity verification services.
Data you provide to us. When you use Plaid’s products or services, like when you connect your financial accounts (like your bank accounts) to a developer’s app through Plaid, we may collect the following data from you:
identifiers like name, email address, and phone number;
login data when required by the provider of your account, like your username and password, account and routing number, or a security token.
when needed, data to help verify your identity and connect your accounts, including your Social Security number, date of birth, security questions and answers, and one-time password (OTP).
When you provide this data, you also give Plaid permission and authority to act on your behalf to access and transmit your data to and from the relevant bank or financial service provider that holds your financial account (we’ll call them “financial partners” in this Policy).
Data we collect from financial partners when you connect your financial account. Depending on which Plaid products you or the developer of your app use, as well as what and how information is made available by your financial product and service providers, we may collect the following data from financial partners when you connect your financial accounts with or through Plaid:
Account data, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, account number, routing number, and sort code;
Data about an account balance, including current and available balance;
Data about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
Data about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
Data about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
Identifiers and data about the account owner(s), including name, email address, phone number, date of birth, and address information; interest rate;
Data about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and/or
Professional data, including data about your employer, in cases where you’ve connected your payroll accounts or provided us with your pay stub or tax form information.
Depending on the Plaid service you or the developer of your app use, and the manner in which the data is made available, the data collected from your financial accounts may include data from all accounts (e.g., checking, savings, credit card, and joint accounts) accessible through a single set of account credentials. For more specifics about data collected in connection with different products and services, see Summary of Processing Activities by Product.
Data we receive from your devices. When you use a device, like your smartphone, tablet, or computer, to connect to our services through a developer’s application, we receive data about that device, including:
internet protocol (IP) address;
timezone setting and location, device location;
hardware model and operating system;
which features within our services you access, browser data, and other technical data about the device.
Data we receive about you from the developers of apps powered by Plaid. When needed for Plaid to provide a service, the developers of the apps you use may provide us with identifiers and commercial information about you, like your name, Social Security number, email address, phone number, or information about your financial accounts and account transactions. One example of this kind of service are Plaid Identity Verification and Monitor services, which are used so the developer you are connecting to can verify your identity, detect fraud, and screen their users against watchlists.
Data we receive about you from other sources. When needed to provide a service or to help prevent fraud, abuse, or security threats, we may also receive data about you directly from third parties, including our service providers or identity verification services.
Information we derive from the data we collect. We may derive additional information about you from the data we collect. For example, we may infer your geolocation, your annual income, or the type of account or subaccount you’ve chosen to connect―such as when you connect your loan accounts, so we can let the developer know whether the account is for a mortgage, student loan, or credit card.
How We Use Your Data
We use your data for the following business and commercial purposes:
Provide Services: To operate, provide, and maintain our services.
Develop Existing Services: To improve, enhance, modify, add to, and further develop our services.
Help Prevent Fraud or Protect Privacy: To help protect you, developers, our partners, Plaid, and others from fraud, malicious activity, and other privacy and security-related concerns.
Develop New Services: To develop new products and services.
Develop Insights: To develop insights based on the data we’ve collected about you. This includes your transaction data and data from other sources, to help developers of your connected apps provide services and/or a better user experience to you, like providing you with faster access to your funds or to help detect and prevent potentially fraudulent activity.
Provide Support: To provide support to you or to developers, including to help respond to your inquiries related to our services or developers’ apps.
Investigate Misuse and Misconduct: To investigate any misuse of our service or developers’ apps, including violations of our Developer Policy, criminal activity, or other unauthorized access to our services.
For Legal Purposes: To comply with contractual and legal obligations under applicable law and for other legal purposes such as to establish and defend against claims.
With Your Consent: For other notified purposes with your consent or at your direction.
Our Lawful Bases for Processing (EEA and UK End Users)
For individuals in the European Economic Area (“EEA”) or the United Kingdom (“UK”), Plaid only processes your personal data when we have a valid legal basis to do so. Our legal basis for processing the data we collect will depend on what information we collected and the context for processing it. Generally, we will only collect and process your data where:
we need to fulfill our responsibilities and obligations in any contract or agreement with you (for example, to comply with our end user services agreements);
to comply with our legal obligations under applicable law;
the processing is necessary for our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (for example, to safeguard our services; to communicate with you; or to update our services); or
you have given your consent to do so.
To the extent we rely on consent to collect and process your data, you have the right to withdraw your consent at any time per the instructions provided in this Policy.
How We Share Your Data
We share your data for the following reasons:
With the developer of the app you are using and as directed by that developer;
To enforce any contract with you;
With our data processors and other service providers, partners, or contractors in connection with the services they perform for us or developers;
With financial partners to help establish, maintain, or manage a connection you’ve chosen to make between your financial institution accounts and an app;
If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (like a court order or subpoena);
In connection with a change in ownership or control of all or a part of our business (like a merger, acquisition, reorganization, or bankruptcy);
Between and among Plaid and our current and future parents, affiliates, subsidiaries and other companies under common control or ownership ;
As we believe reasonably appropriate to prevent malicious or fraudulent activities, or otherwise protect the rights, privacy, safety, or property of you, developers, our partners, Plaid, and others; or
For any other notified purpose with your consent or at your direction.
(For US users) We do not share your data with non-affiliated third parties except as permitted by law (as authorized by 12 C.F.R. s 1016.14 and 1016.15).
We may collect, use, and share data that has been aggregated or anonymized in a manner that does not identify you personally for any purpose permitted under applicable law. This includes creating or using aggregated or anonymized data to develop new services or to facilitate research, to the extent permitted under applicable law.
When you link your financial accounts through Plaid, we typically use Google’s reCaptcha service to help detect fraud and abuse. When reCaptcha is used, Google’s Privacy Policy and Terms of Use apply to reCaptcha and information Google collects through reCaptcha.
We do not sell or rent personal data that we collect under this policy.
We may collect and share cookie data with third parties when you visit our website, or we may allow third parties to collect this cookie data from our sites. Please see our Cookie Policy and All Audience Privacy Policy for more details.
Our Retention and Deletion Practices
We retain your data only as long as it is needed. To determine whether the data is needed, we consider the reason your data was collected and used and any legal requirements to hold onto your data. We review your data periodically to ensure it is still needed to fulfill the purpose for which it was collected or any other legal requirements. If a developer removes your connection from their app to your data, Plaid’s systems are designed to automatically delete your personal data, subject to certain exceptions where we may still retain your information which we talk about below.
The exceptions to this may be if: (a) you’ve established a connection with another developer’s app through Plaid that is still active; (b) Plaid needs your data to continue providing you with a Plaid service you requested; (c) Plaid is required by law to keep your data; (d) Plaid needs your data to help prevent fraud or protect privacy, provide support, or investigate misuse and misconduct; or (e) we request - and you specifically agree - to allow us to retain your data longer.
Your data will only be processed as required by law or in accordance with this Policy.
Please refer to the “Your Data Protection Rights” section of this Policy for options that may be available to you, including how to request deletion of your data. The “Your Privacy Controls” section of this Policy also provides details about tools available to you to help you view and manage the connections you’ve made using Plaid. You can also contact us about our data retention practices using the contact information in the “Contacting Plaid” section below.
Protection of Data
Plaid’s security policies and practices are designed to protect the confidentiality and integrity of your data (such as Social Security number and other identifying data), as well as any other data we collect about you. Plaid implements controls designed to limit access to this data to personnel who have a business reason to know it and prohibits its personnel from unlawfully disclosing this data.
Some Final Details…
International Data Transfers
We operate internationally, and so we may transfer the data we collect about you across international borders for processing and storage (for example, we may transfer data from the EEA or UK to the United States). When we transfer data to a different country or territory, we follow applicable data protection laws in doing so. In particular, when we transfer data from the EEA or UK across other international borders, we rely on adequacy decisions, data transfer agreements, or other EU Commission- or UK Secretary of State-approved (as applicable) mechanisms for such transfers, including standard contractual clauses. You can ask for a copy of these standard contractual clauses by contacting us as set out below. Prior to transferring data from the EEA or UK, we carry out transfer impact assessments and implement any supplementary measures to ensure any data transferred will be maintained in accordance with EEA and UK requirements.
Your Data Protection Rights
Regardless of where you live, we will honor the following rights related to your personal data, subject to some limitations and exceptions provided by law, and you will not be discriminated against for exercising them:
Access data collected about you;
Request access to more details about the categories and specific pieces of personal information we may have collected about you in the last 12 months (including personal information disclosed for business purposes);
Request, under certain circumstances, that we rectify or update your data that is inaccurate or incomplete;
Request, under certain circumstances, that we erase or restrict the processing of your data;
Object to our processing of your data under certain conditions provided by law;
Where processing of your data is based on consent, withdraw that consent;
Request that we provide data collected about you in a structured, commonly used and machine-readable format so that you can transfer it to another company, where technically feasible.
For both Plaid Financial Ltd. and Plaid, B.V. we have appointed a data protection officer (DPO) who is also responsible for overseeing questions in relation to this Policy and can be contacted via email at privacy@plaid.com.
We welcome and appreciate the chance to address any concerns you may have and encourage you to contact us. In addition, and depending on your jurisdiction, you may have the right to make a complaint at any time to your (data protection) supervisory authority. For end users in the EEA, you can find contact information for the European Data Protection Board (EDPB) on the EDPB’s website here. For end users in the UK, you can find contact information for the Information Commissioner’s Office (ICO) on the ICO’s website here.
To exercise any rights you have, you can submit a request using our online form. You can also contact us as described in the “Contacting Plaid” section below to exercise any of your data protection rights. You may be required to provide additional information necessary to confirm your identity before we can respond to your request.
If we receive your request from an authorized agent, we may ask for evidence that the agent has valid written authority, like a power of attorney, to submit requests on your behalf.
We will consider requests and provide our response within a reasonable period of time (and within any time period required by applicable law). Please note, however, that certain data may be exempt from such requests, for example if we need to keep the data to comply with our own legal obligations or to establish, exercise, or defend legal claims.
Your Additional Privacy Controls
Plaid developed the Plaid Portal to provide you with a convenient, centralized way to view and manage the connections you’ve made using Plaid.
If you’re located in the U.S., you can create a Plaid Portal account by visiting my.plaid.com, verifying your phone number and email address, and creating a password. Once you’ve created a Plaid Portal account, you’ll be directed to a dashboard that can show you financial accounts you’ve connected to your chosen apps using Plaid, and the types of data shared with those apps. Additionally, the Plaid Portal provides you with controls to terminate the connection between apps and your financial accounts and delete associated data stored in Plaid’s systems.
Changes To This Policy
We may update or change this Policy from time to time. If we make any updates or changes, we will post the new policy on Plaid’s website at https://plaid.com/legal and update the effective date at the top of this Policy. We will also notify developers of any material changes in accordance with our developer agreements, as they may be better positioned to notify you about changes to this Policy. If you have an active Plaid Portal account, we will also send you an email notifying you of the update.
Contacting Plaid
If you have any questions or complaints about this Policy, or about our privacy practices generally, you can contact us at privacy@plaid.com or by mail at:
If you reside outside the EEA or UK:
Attn: Legal
PO Box 7775 #35278
San Francisco, California 94120-7775
U.S.A.
For both Plaid Financial Ltd. and Plaid, B.V. we have appointed a data protection officer (DPO) who is also responsible for overseeing questions in relation to this Policy and can be contacted via email at privacy@plaid.com.
If you reside in the UK:
Attn: Legal
New Penderel House, 4th Floor
283-288 High Holborn
London, United Kingdom, WC1V 7HP
If you reside in the EEA:
Attn: Legal
Muiderstraat 1
1011PZ Amsterdam
The Netherlands
Summaries of Processing Activities
Summary of Processing Activities by Category of Information
To help provide even greater transparency around our practices, we consolidated the information provided in our Policy above into a table that matches the categories of data Plaid collects about you with the sources of the data, uses of the data, and the categories of recipients with whom Plaid shares the data. For more detailed descriptions of our data collection, use, and sharing practices, please refer back to the sections of the Policy above.
Category of Personal Information & Examples | Source of Personal Information | Uses of Personal Information | Categories of Parties with Whom Personal Information May Be Shared |
Identifiers for example: name, email address, phone number, and username |
|
|
|
Financial Data for example: financial account name and number, balance, and transaction history |
|
|
|
Commercial Data for example: data relating to which of our services you use through developer apps and the dates and times of your use |
|
|
|
Location Data for example: timezone setting and device location |
|
|
|
Professional Data for example: information about your employer and payroll information |
|
|
|
Electronic Network Activity Data for example: your device hardware model and operating system, and browser data |
|
|
|
Information We Derive for example: we may derive location from IP address or your annual income from your pay stubs |
|
|
|
Summary of Processing Activities by Product
As noted above, the data we collect and use depends on the Plaid products and services that you and the developer use. To make it easier to understand what data is collected and used for which product and service, we put together the below summaries of our data collection and use by product. Some of these products are only available to US based users, and others are only available to EEA and UK based users. If you are not sure which Plaid products or services your connected applications use, please contact the developer of the application. (Note that this list reflects Plaid’s product suite as of the effective date of this Policy and may not include products or services in development as of that date.)
Assets
Assets enables you to provide access to a point-in-time consolidated summary of your financial account data—like account balances, transaction histories, and account holder identity information—to Plaid and the apps and services you choose. We collect identifiers, financial information, commercial data, location data, electronic network activity data, and we derive inferences from this data. We use this data as described in the How We Use Your Data section of this Policy.
Auth
Auth helps to enable you to authenticate your financial account data and provide access to your account and routing numbers to Plaid and the apps and services you choose. We collect identifiers, financial data, commercial data, location data, and electronic network activity data. We use this information as described in the How We Use Your Data section of this Policy.
Balance
Balance enables you to provide access to your real-time financial account balances to Plaid and the apps and services you choose so they can help you do things like avoid overdrawing your account before you make a money transfer. We collect identifiers, financial data, commercial data, location data, and electronic network activity data. We use this data as described in the How We Use Your Data section of this Policy.
Identity
Identity enables you to provide access to the account holder data held by your financial institution—such as your name, email address, phone number, and mailing address—to Plaid and the apps and services you choose to help them do things like verify your identity or prefill your account data within the app. We collect identifiers, financial data, commercial data, location data, and electronic network activity data. We use this data as described above in the How We Use Your Data section of this Policy.
Identity Verification and Monitor
Identity Verification and Monitor facilitate identity verification, fraud detection, and watchlist screening services globally for developers. When we provide Identity Verification and Monitor services to developers, we only collect and process your data as a service provider to that developer, and so the developers determine the purpose and means by which your data is processed. For more details on how we process end user data for developers and on the developer’s instruction to provide Identity Verification and Monitor services, see our affiliate’s End User Privacy Statement.
Income
Income enables you to provide access to data pertaining to your income and employment to Plaid and the apps and services you choose. We collect identifiers, financial data, commercial data, location data, professional data, electronic network activity data, and we derive inferences from this data. We use this data as described in the How We Use Your Data section of this Policy.
Investments
Investments enables you to provide access to data from your retirement, brokerage, education savings, and health savings accounts to Plaid and the apps or services you choose so they can do things like provide you with personal financial and wealth management tools. We collect identifiers, financial data, commercial data, location data, professional data, electronic network activity data, and we derive inferences from this data. We use this data as described in the How We Use Your Data section of this Policy.
Liabilities
Liabilities enables you to provide access to financial data from your credit card, mortgage, and student loan accounts to Plaid and the apps and services you choose. We collect identifiers, financial data, commercial data, location data, electronic network activity data, and we derive inferences from this data. We use this data as described in the How We Use Your Data section of this Policy.
Payment Initiation and Variable Recurring Payments
Payment Initiation enables you to make one time, recurring, or variable recurring payments into accounts. This is for services like bank transfers, standing orders, and variable recurring payments and one-off or recurring payments out of accounts, like withdrawals and refunds. Variable Recurring Payments enables our EU and UK users to authenticate a bank account one time, and then make future payments without the need for additional authentication. We collect identifiers, financial data, commercial data, location data, electronic network activity data, and we derive inferences from this data. We use this data as described in the How We Use Your Data section of this Policy.
Payouts
Payouts enables you to seamlessly and instantly make withdrawals and refunds from an app or service that you are using, by opening and pre-funding an e-money account from which funds can be sent to users that are requesting a payout. We collect identifiers, financial data, commercial data, location data, electronic network activity data, and we derive inferences from this data. We use this data as described in the How We Use Your Data section of this Policy.
Plaid Portal
Plaid Portal is a privacy tool that US end users can use as a way to control the connections to apps that they’ve made through Plaid. End users can use Plaid Portal to view connections to apps in a single dashboard, disconnect financial accounts from apps, or delete data from Plaid’s systems. We collect identifiers, financial data, commercial data, location data, and electronic network activity data. We use this data as described in the How We Use Your Data section of this Policy.
Signal
Signal helps the apps and services you use provide a better user experience to you, like providing you with faster access to your funds and reducing the risk of fraud or a payment not being completed. We collect identifiers, financial data, commercial data, location data, electronic network activity data, and we derive inferences from this data. We use this data as described in the How We Use Your Data section of this Policy.
Transactions
Transactions enable you to provide access to transaction histories from your financial accounts to Plaid and apps and services you choose so they can provide you with things like personal finance management tools, expense reporting, cash flow modeling, and more. We collect identifiers, financial data, commercial data, location data, electronic network activity data, and we derive inferences from this data. We use this data as specified above in the How We Use Your Data section of this Policy.
Transfer
Transfer enables you to authorize a developer to send payments to you, or collect payments from you, through bank transfers, on either a one time or recurring basis. This includes verifying you own the account to or from which the payment will be sent, assessing the risk that the payment may not be completed or is fraudulent, electronically moving the money, and confirmation that the money was moved. We may collect identifiers, financial data, location data, and electronic network activity data. We use this data as described in the How We Use Your Data section of this Policy.
Wallet Onboard
Wallet Onboard lets you connect your crypto wallet with the apps and services you choose. We only collect IP address and data associated with the device you use to connect. When you make this connection, you might choose to pass your wallet address on to the third party app or service you are connecting to - in that instance, Plaid does not collect or store that wallet address. We use this data as described in the How We Use Your Data section of this Policy.
Consumer Privacy Notice
Last Updated: February 28, 2023
WHAT DOES PLAID DO WITH YOUR PERSONAL INFORMATION? | |
Why? | Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do. |
What? | The types of personal information we collect and share depend on the product or service you, or the app developer you are connecting to, use. This information can include:
For more information on the types of personal information we collect, please see the Data We Collect or Derive section of our End User Privacy Policy. When you are no longer our consumer, we continue to use and share your information as described in this notice. |
How? | All financial companies need to share consumers’ personal information to provide their products and services. In the section below, we list the reasons financial companies can share their consumers’ personal information; the reasons Plaid chooses to share; and whether you can limit this sharing. |
Reasons we can share your personal information | Does Plaid share? | Can you limit this sharing? |
For our everyday business purposes – | Yes | No |
For our marketing purposes | No | We don’t share |
For joint marketing with other financial companies | No | We don’t share |
For our affiliates' everyday business purposes - information about transactions and experiences | No | We don’t share |
For our affiliates' everyday business purposes - information about creditworthiness | No | We don’t share |
For nonaffiliates to market to you | No | We don’t share |
Questions | Contact us privacy@plaid.com |
Who we are | |
Who is providing this notice? | Plaid Inc. |
What we do | |
How does Plaid protect my personal information? | To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings. |
How does Plaid collect my personal information? | As explained in more detail in the Data We Collect or Derive section of our End User Privacy Policy, we collect personal information you provide to us and collect your personal information from other companies when you use our products or services. This includes, for example, when you use Plaid Portal or when you use Plaid to connect and share your data to power the applications (“apps”) you use. |
Why can’t I limit all sharing? | Federal law gives you the right to limit only:
State laws and individual companies may give you additional rights to limit sharing. See below for more on your rights under state law. |
Definitions | |
Affiliates | Companies related by common ownership or control. They can be financial and nonfinancial companies.
|
Nonaffiliates | Companies not related by common ownership or control. They can be financial and nonfinancial companies.
|
Joint marketing | A formal agreement between nonaffiliated financial companies that together market financial products or services to you.
|
Other Important Information | |
California: If you are a resident of California, we will not share personal information we collect about you except to the extent permitted under California law. Vermont: If you are a resident of Vermont, we will not share personal information we collect about you with non-affiliates unless the law allows or you provide authorization. |