- Information We Collect and Categories of Sources
- How We Use Your Information
- Our Lawful Bases for Processing (EEA and UK End Users Only)
- How We Share Your Information
- Some Final Details…
Effective Date: February 22, 2022
Please note: this Policy applies to Plaid Inc. and its affiliates and subsidiaries, including Plaid Financial Ltd. and Plaid, B.V. (collectively, “Plaid”, “we”, “our”, and “us”). To determine the relevant Plaid entity that is responsible for processing your information, please see the “Contacting Plaid” section below.
First, Some Background
A quick note about Plaid
Our mission at Plaid is to unlock financial freedom for everyone. Our technology provides an easy way for you to connect your bank account, investment account, payroll account, or other types of financial accounts to software applications that can help you do things like save for retirement, manage your spending, streamline credit applications, or transfer money. These software applications are built and provided by our business customers (we’ll call them “developers” here), and powered by Plaid. By delivering access to high-quality, usable financial account data that we’ve translated and standardized, we enable developers to focus on building experiences that benefit you.
About this Policy
Our goal with this Policy is to provide a simple and straightforward explanation of what information Plaid collects from and about end users of developer applications (“End User Information”), and how we use and share that information. We value transparency and want to provide you with a clear and concise description of how we treat your End User Information.
Please note that this Policy only covers End User Information that Plaid collects, uses, and shares. It does not explain what developers do with any End User Information we provide to them (or any other information they may collect about you separately from Plaid). This Policy also does not cover any websites, products, or services provided by others. We encourage you to review the privacy policies or notices of developers or those third parties for information about their practices.
Our Data Practices
This section describes Plaid’s data practices relating to our processing of information about you. We also provide summaries of our practices organized by category of information collected and by product at the end of this Policy in the Summaries of Processing Activities section.
Information We Collect and Categories of Sources
As explained in greater detail below, Plaid may collect the following:
Identifiers (for example, name, email address, phone number, and username);
Location information (for example, timezone setting and device location);
Financial information (for example, financial account name and number, balance, and transaction history);
Commercial information (for example, data relating to which of our services you use through developer apps and the dates and times of your use);
Electronic network activity information (for example, your device hardware model and operating system, and browser data);
Professional information (for example, information about your employer and payroll information); and
Inferences that we have derived from the information we’ve collected (for example, we may derive location from IP address or your annual income from your pay stubs).
Information you provide. When you connect your financial accounts with a developer application or otherwise connect your financial accounts through Plaid, where applicable, we collect identifiers and login information required by the provider of your account, such as your username and password, or a security token. In some cases, we also collect your Social Security number, date of birth, phone number, email address, security questions and answers, and one-time password (OTP) to help verify your identity and connect your financial accounts. When providing this information, you give the developer and Plaid the authority to act on your behalf to access and transmit your End User Information from the relevant bank or other entity that provides your financial accounts (we’ll call them “financial product and service providers” in this Policy). You may also provide us with identifiers and other information, including your name, email address, and phone number, when you contact us or enter any such information on our websites.
Information we collect from your financial accounts. The information we receive from the financial product and service providers that maintain your financial accounts varies depending on a number of factors, including the specific Plaid services developers use, as well as the information made available by those providers. But, in general, we collect identifiers, commercial information, financial information, and professional information from your financial product and service providers, which include the following types of information:
Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, account number, routing number, and sort code;
Information about an account balance, including current and available balance;
Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
Information about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
Identifiers and information about the account owner(s), including name, email address, phone number, date of birth, and address information;
Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and
Professional information, including information about your employer, in limited cases where you’ve connected your payroll accounts or provided us with your pay stub information.
The data collected from your financial accounts may include information from all accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.
Information we receive about you from other sources. We also receive identifiers and commercial information about you directly from the relevant developer or other third parties, including our service providers, bank partners, and identity verification services. For example, developers may provide information such as your full name, Social Security number, email address, phone number, or information about your financial accounts and account transactions, and our bank partners or service providers may provide information such as the status of a transaction you have initiated.
Inferences we derive from the data we collect. We may use the information we collect about you to derive inferences. Here are a few examples of the types of inferences we may derive from data we have collected about you from you or other sources:
We may infer your geolocation or your annual income;
We may infer the type of account or subaccount you’ve chosen to connect―for example, when you connect your loan accounts, we can let the developer know whether the account is for a mortgage, student loan, or credit card;
We may derive inferences from your financial information, including your transaction data, and from other sources to help enable the developers of your connected applications to provide a better user experience to you, like providing you with faster access to your funds.
How We Use Your Information
We use End User Information for a number of business and commercial purposes, including to operate, improve, and help protect the services we provide, and to develop new services. More specifically, we use your End User Information as follows:
Provide Services: To operate, provide, and maintain our services.
Develop Existing Services: To improve, enhance, modify, add to, and further develop our services.
Help Prevent Fraud or Protect Privacy: To help protect you, developers, our partners, Plaid, and others from fraud, malicious activity, and other privacy and security-related concerns.
Develop New Services: To develop new products and services, and in some cases insights based on the data we’ve collected about you.
Provide Support: To provide customer support to you or to developers, including to help respond to your inquiries related to our service or developers’ applications.
Investigate Misuse and Misconduct: To investigate any misuse of our service or developers’ applications, including violations of our Developer Policy, criminal activity, or other unauthorized access to our services;
For Legal Purposes: To comply with contractual and legal obligations under applicable law and for other legal purposes such as to establish and defend against claims.
With Your Consent: For other notified purposes with your consent or at your direction.
Our Lawful Bases for Processing (EEA and UK End Users Only)
For individuals in the European Economic Area (“EEA”) or the United Kingdom (“UK”), our legal basis for processing your End User Information will depend on the information concerned and the context in which we collected or processed it. Generally, however, we will normally only collect and process End User Information where:
we need to fulfill our responsibilities and obligations in any contract or agreement with you (for example, to comply with our end user services agreements);
to comply with our legal obligations under applicable law;
the processing is necessary for our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (for example, to safeguard our services; to communicate with you; or to update our services); or
you have given your consent to do so.
To the extent we rely on consent to collect and process End User Information, you have the right to withdraw your consent at any time per the instructions provided in this Policy.
How We Share Your Information
We share End User Information for a number of business purposes:
With the developer of the application you are using and as directed by that developer (such as with another third party if directed by you);
To enforce any contract with you;
With our data processors and other service providers, partners, or contractors in connection with the services they perform for us or developers;
With your connected financial institution(s) to help establish or maintain a connection you’ve chosen to make;
If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (such as a court order or subpoena);
In connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy);
Between and among Plaid and our current and future parents, affiliates, subsidiaries and other companies under common control or ownership;
As we believe reasonably appropriate to protect the rights, privacy, safety, or property of you, developers, our partners, Plaid, and others; or
For any other notified purpose with your consent or at your direction.
We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research to the extent permitted under applicable law.
We do not sell or rent personal information that we collect.
Our Retention and Deletion Practices
We retain End User Information for no longer than necessary to fulfill the purposes for which it was collected and used, as described in this Policy, unless a longer retention period is required under applicable law. As permitted under applicable law, even after you stop using an application or terminate your account with one or more developer, we may still retain your information (for example, if you still have an account with another developer). However, your information will only be processed as required by law or in accordance with this Policy.
Plaid’s systems are designed to automatically delete your personal information when a developer removes your connection from their application to your End User Information, which they might do, for example, if you close your account with them. The exceptions to this may be if: (a) you’ve established a connection with another application through Plaid that is still active; (b) Plaid needs your End User Information to continue providing you with a Plaid service you requested, or to carry out another notified purpose with your consent; (c) Plaid is required by law to keep your End User Information; or (d) Plaid needs your information to help prevent fraud or protect privacy, provide support, or investigate misuse and misconduct.
Please refer to the “Your Data Protection Rights” section of this Policy for options that may be available to you, including the right to request deletion of End User Information. The “Your Privacy Controls” section of this Policy also provides information about tools available to you to help you view and manage the connections you’ve made using Plaid. You can also contact us about our data retention practices using the contact information in the “Contacting Plaid” section below.
Protection of Information
Plaid implements security policies and practices designed to protect the confidentiality and integrity of information about you, including the information you provide to us (such as Social Security number and other identifying information), as well as any other information we collect about you. Plaid implements control measures designed to limit access to this information to personnel who have a business reason to know it and prohibits its personnel from unlawfully disclosing this information.
Some Final Details…
International Data Transfers
We operate internationally, and as a result, will transfer the information we collect about you across international borders, including from the EEA or UK to the United States, for processing and storage. To the extent that the information we collect about you is transferred from the EEA or UK to territories/countries for which the EU Commission or UK Secretary of State (as applicable) has not made a finding that the legal framework in that territory/country provides adequate protection for individuals' rights and freedoms for their personal data, we may transfer such data consistent with applicable data protection laws based on prior assessment of the level of data protection afforded in the context of the transfer, including through the use of the EU Commission-approved or UK Secretary of State-approved (as applicable) standard contractual clauses, if necessary in combination with additional safeguards. You can ask for a copy of these standard contractual clauses by contacting us as set out below.
Your Data Protection Rights
Under applicable law, and subject to limitations and exceptions provided by law, if you are located in the EEA or UK, and in certain other jurisdictions, you may have certain rights in relation to the End User Information collected about you and how it is used, including the right to:
Access End User Information collected about you;
Request that we rectify or update your End User Information that is inaccurate or incomplete;
Request, under certain circumstances, that we restrict the processing of or erase your End User Information;
Object to our processing of your End User Information under certain conditions provided by law;
Where processing of your End User Information is based on consent, withdraw that consent;
Request that we provide End User Information collected about you in a structured, commonly used and machine-readable format so that you can transfer it to another company, where technically feasible; and
File a complaint regarding our data protection practices with a supervisory authority. If you are in the EEA please refer to the European Data Protection Board website for contact details. If you are in the UK please refer to the Information Commissioner’s Office website for contact details.
Under the California Consumer Privacy Act (“CCPA”), and subject to certain limitations and exceptions, if you are a California resident, you may have the following rights with respect to End User Information we have collected about you that constitutes personal information under the CCPA:
To request access to more details about the categories and specific pieces of personal information we may have collected about you in the last 12 months (including personal information disclosed for business purposes);
To request deletion of your personal information;
To opt-out of any “sales” of your personal information, if a business is selling your information; and
To not be discriminated against for exercising these rights.
To exercise your access or deletion rights, where applicable, you can submit a request using our online form. You can also contact us as described in the “Contacting Plaid” section below to exercise any of your data protection rights, where applicable. You may be required to provide additional information necessary to confirm your identity before we can respond to your request.
If we receive your request from an authorized agent, we may ask for evidence that you have provided such agent with a power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please contact us as described in the “Contacting Plaid” section below.
We will consider all such requests and provide our response within a reasonable period of time (and within any time period required by applicable law). Please note, however, that certain information may be exempt from such requests, for example if we need to keep the information to comply with our own legal obligations or to establish, exercise, or defend legal claims.
Your Privacy Controls
Plaid developed the Plaid Portal to provide End Users with a convenient, centralized way to view and manage the connections they’ve made using Plaid.
If you’re located in the U.S., you can create a Plaid Portal account by visiting my.plaid.com, verifying your phone number and email address, and creating a password. Once you’ve created a Plaid Portal account, you’ll be directed to a dashboard that can show you the financial accounts you’ve connected with Plaid and each of your chosen applications, and the types of data shared with each application. Additionally, the Plaid Portal provides you with controls to terminate the connection between applications and your financial accounts and delete data stored in Plaid’s systems if you so choose.
Depending on where you’re located, you may have certain rights in relation to the End User Information collected about you and how it is used. Please refer to the Your Data Protection Rights section for more detail to determine whether those rights apply to you and how you can exercise those rights, as applicable.
Changes To This Policy
We may update or change this Policy from time to time. If we make any updates or changes, we will post the new policy on Plaid’s website at https://plaid.com/legal and update the effective date at the top of this Policy. We will also notify developers of any material changes in accordance with our developer agreements, as they are generally best positioned to notify their end users about such changes to this Policy, as appropriate.
If you have any questions or complaints about this Policy, or about our privacy practices generally, you can contact us at firstname.lastname@example.org or by mail at:
If you reside outside the EEA or UK:
PO Box 7775 #35278
San Francisco, California 94120-7775
If you reside in the UK:
New Penderel House, 4th Floor
283-288 High Holborn
London, United Kingdom, WC1V 7HP
If you reside in the EEA:
Summaries of Processing Activities
Summary of Processing Activities by Category of Information
To help provide even greater transparency around our practices, we consolidated the information provided in our Policy above into a table that matches the categories of information Plaid collects about you with the sources of the information, Plaid’s uses of the information, and the categories of recipients with whom Plaid shares the information. You can find more detailed descriptions of our data collection, use, and sharing practices in the respective sections of the Policy above.
Summary of Processing Activities by Product
For our current U.S. product suite, we have also identified by product the categories of information Plaid collects about you and Plaid’s uses of the information collected. If you would like to know which Plaid product(s) your connected applications use, please contact the developer of the application. Note that this list reflects Plaid’s product suite as of the effective date of this Policy and may not include products or services in development as of that date.
Assets enables you to provide access to a point-in-time consolidated summary of your financial account information—such as account balances, transaction histories, and account holder identity information—with the apps and services you choose. We collect identifiers, financial information, commercial information, location information, electronic network activity information, and we derive inferences from this information. We use this information as specified above in the How We Use Your Information section of this Policy.
Auth helps to enable you to authenticate your financial account information and provide access to your account and routing numbers with the apps and services you choose. We collect identifiers, financial information, commercial information, location information, and electronic network activity information. We use this information as specified above in the How We Use Your Information section of this Policy.
Balance enables you to provide access to your real-time financial account balances with the apps and services you choose so they can help you do things like avoid overdrawing your account before you make a money transfer. We collect identifiers, financial information, commercial information, location information, and electronic network activity information. We use this information as specified above in the How We Use Your Information section of this Policy.
Identity enables you to provide access to the account holder information held by your financial institution—such as your name, email address, phone number, and mailing address—with the apps and services you choose to help them do things like verify your identity or prefill your account information within the app. We collect identifiers, financial information, commercial information, location information, and electronic network activity information. We use this information as specified above in the How We Use Your Information section of this Policy.
Income enables you to provide access to information pertaining to your income and employment with the apps and services you choose. We collect identifiers, financial information, commercial information, location information, professional information, electronic network activity information, and we derive inferences from this information. We use this information as specified above in the How We Use Your Information section of this Policy.
Investments enables you to provide access to data from your retirement, brokerage, education savings, and health savings accounts with the apps or services you choose so they can do things like provide you with personal financial and wealth management tools. We collect identifiers, financial information, commercial information, location information, professional information, electronic network activity information, and we derive inferences from this information. We use this information as specified above in the How We Use Your Information section of this Policy.
Liabilities enables you to provide access to financial information from your credit card, mortgage, and student loan accounts with the apps and services you choose. We collect identifiers, financial information, commercial information, location information, electronic network activity information, and we derive inferences from this information. We use this information as specified above in the How We Use Your Information section of this Policy.
Plaid Portal enables you to create a Plaid Portal account at my.plaid.com to view and manage the financial connections you’ve established using Plaid. We collect identifiers, financial information, commercial information, location information, and electronic network activity information. We use this information as specified above in the How We Use Your Information section of this Policy.
Signal helps the apps and services you use provide a better user experience to you, like providing you with faster access to your funds. We collect identifiers, financial information, commercial information, location information, electronic network activity information, and we derive inferences from this information. We use this information as specified above in the How We Use Your Information section of this Policy.
Transactions enable you to provide access to transaction histories from your financial accounts with apps and services you choose so they can provide you with things like personal finance management tools, expense reporting, cash flow modeling, and more. We collect identifiers, financial information, commercial information, location information, electronic network activity information, and we derive inferences from this information. We use this information as specified above in the How We Use Your Information section of this Policy.