What your pay apps share with third parties
During his US Senate testimony Wednesday in the wake of the Cambridge Analytica data leak, Republican Senator Lindsey Graham asked Facebook Chief Executive Officer Mark Zuckerberg whether he thought the average consumer understood what they were signing up for on Facebook when it came to the company’s terms of service. Zuckerberg replied: “I don’t think that the average person likely reads that whole document”.
It is not only on Facebook that users usually ignore the terms of service. In agreeing to the terms of service for payment apps in India across digital platforms, users allow access to information that includes personal data such as transaction passwords, bank account and credit card details, mobile phone numbers and addresses.
It also means permission to share with third parties data like bank account and transaction records, Aadhaar related information, the UPI PIN, virtual payment address, payment details, credit and debit card information, demographic and profile data about users’ activity on apps, information about transaction behaviour and even details of the recipient of the transaction.
The Indian Express analysed privacy policies and terms of service of five companies in the digital payments space in India — Paytm Payments Bank, WhatsApp, Google Tez, PhonePe and Amazon Pay — and found all companies are entitled to collect from users, some of which is shared with third parties.
While all of these five firms, in their terms of use, tell users that they collect primary personal information that is necessary to provide services on their platforms and that the information will be shared with the authorities when the need arises, none of them explicitly lists the third party players with whom the data can be shared.
Collection and sharing of data notwithstanding, some of these entities have indemnity clauses in their terms absolving them of liabilities that an average consumer would otherwise hold the company responsible for.
For instance, Paytm Payments Bank (PPBL), which operates the Paytm wallet, states in its terms and conditions that the payments bank is entitled “at its discretion” and “at the risk and cost of the customer” to engage services from any person, third-party provider, agent or agency for “anything” required to be done for the services that it offers. This includes getting or verifying any information about customers.
The terms and conditions about using the Unified Payments Interface (UPI) facility on Paytm, state that the customer shall “fully indemnify and hold harmless” PPBL and National Payments Corporation of India (NPCI) against any loss, costs, expenses, demands or liabilities arising from a claim by a “third party”. In both the cases, PPBL has not “explicitly” defined a third party.
When you sign up for Paytm Payments Bank, you give it consent to disclose your Aadhaar number or “other details” to a regulatory or statutory body. PPBL also states that it collects details including “name, address, mailing address, telephone number, email ID and any details that may have been voluntarily provided” by the user.
It also shares user information for legal or marketing purposes with “specific consent” by users and for external processing on explicit consent or authorisation of the user.
PPBL also says that subject to the user’s explicit consent, it communicates or discloses data or information to third parties. In this case, its group companies, agents or any system participant or member of the banking, clearing, settlement, payment system and also for offering or marketing other services.
E-mails and text messages to a Paytm spokesperson with specific queries did not elicit a response. Paytm founder Vijay Shekhar Sharma did not respond to a text message.
The Flipkart-owned payments firm PhonePe also collects personally identifiable information and uses contact information to send offers based on transaction history and interests. In its policy, PhonePe says it may also disclose “anonymised data” from personal information to third parties.
It does not clearly define who the third parties are. PhonePe, which claimed 28 million UPI transactions from 6 million unique users in February, did not respond to queries sent by The Indian Express.
Three of the latest entrants in this sector — all foreign players — Google Tez, Amazon Pay and Facebook-owned WhatsApp also collect similar personal data from consumers. In its privacy policy, WhatsApp, which is permitted to offer UPI-based payment services to 1 per cent of its 200 million user base in India, says it does not retain the UPI PIN information.
It states: “To send payment instructions to PSPs (payment service provider), maintain your transaction history, provide customer support, and keep our services safe and secure… we share information we collect under this Payments Privacy Policy with third-party service providers including Facebook. To provide Payments to you, we share information with third-party services including PSPs, such as your mobile phone number, registration information, device identifiers, virtual payment addresses, the sender’s UPI PIN, and payment amount.”
“We are currently beta testing a payments feature using India’s UPI system. To provide this service, we need to rely on Facebook infrastructure and have placed limits on how this works. WhatsApp shares basic information with Facebook to deliver and receive payments, provide customer support, and protect everyone who is testing this service. There are no plans for Facebook to use this information for other commercial purposes at this time,” a WhatsApp executive told The Indian Express, on requesting anonymity.
A company spokesperson said in an email response that since the payments feature was still in a beta mode, WhatsApp would not comment on the issue.
According to a Google official, Tez only shares information deemed necessary with third parties to complete the payment process on its platform. A Google spokesperson responded to a detailed questionnaire by The Indian Express with a link to Tez’s terms of service.
“By electing to use Tez, you authorise Google to communicate with the Payment Participants or any third party provider to provide or obtain… your personal information, for the purpose of processing transaction or providing Tez Services or for risk management and fraud assessment purposes,” the terms of service states.
The company defines a payment participant as “all the parties involved in the payment system including but not limited to payment/bill aggregators, payments system providers, acquiring banks, partner banks, the issuer of the sender’s funding account, the issuer bank of the recipient bank account, the issuer of the payment instruments, card associations, NPCI, Reserve Bank of India, etc.”
Amazon, which operates a semi-closed wallet Amazon Pay derives its privacy policies in line with the e-commerce marketplace Amazon.in. Responding to a query, the company’s spokesperson said: “At Amazon, we take customer trust seriously. All information shared with us is kept safe and secure as per Amazon’s stringent security standards and the laws of the land”.
In its privacy policy, Amazon Pay claims that it shares certain user information with third parties that it employs to perform functions on its behalf. These include payment processing and settlement of transactions using Amazon Pay balance, sending postal mail or e-mail, analysing data, processing credit card payments and providing customer service. “They have access to personal information needed to perform their functions, but may not use it for other purposes,” the policy reads.
Source — Indian Express
