Lydia leaks your email address

Shall I send you a Lydia? The payment app leaks your personal data to several third parties

Published by Pixel de Tracking on May 8, 2020

Lydia loves trackers

Lydia is a very practical app, used in particular to reimburse friends easily and create money pools. It is a French “fintech” that raised 40 million euros this year, notably from the Chinese giant Tencent. Since Lydia handles financial transactions, I did not expect to be tracked.

To identify the tracking tools Lydia may have implemented, I followed this procedure on my iPhone:

  • Close the other apps running in the background
  • Launch Charles Proxy and start recording traffic
  • Launch Lydia and browse through the app
  • Export the Charles Proxy session logs to my computer

[Screenshot: Lydia_iPhone]

As you can see in the screenshot, the Lydia app is talkative and sends your personal data to several companies:

  • Google: via the Firebase developer toolbox, Lydia measures your use of the app and its crashes (Crashlytics), thereby sending your personal data to the Mountain View giant.
  • Braze: this company lets Lydia send you tailored messages (in-app messages, notifications, emails) at the “right time”. Braze tracks all your actions on Lydia, in particular the details of your payments.
  • Vero: another company that lets Lydia send you tailored messages at the right time. Lydia also sends Vero your navigation data and payment details so it can adapt future communications. More seriously, Lydia does not merely leak a pseudonym attached to your various actions: it also leaks your email address.
  • Appsflyer: a mobile marketing company offering, among other things, an attribution product that lets Lydia know which advertising campaigns triggered installation of the app.
  • Amplitude: an analytics tool that lets Lydia analyze your behavior in detail on its app. Here too, everything is tracked: each screen viewed, the details of your transactions, your smartphone model, your mobile operator, even your smartphone identifier.
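As an added example (not part of the original post), here is a small Python audit of the exported session: assuming the Charles Proxy session was exported in HAR format, it flags every request sent to one of the vendors listed above and reports any email address found in the request's query string, body or headers. The vendor keyword list and the sample HAR entries are constructed assumptions, not verified endpoints.

```python
import re
from urllib.parse import urlparse

# Vendor keywords matched against request hostnames (assumed for this example,
# not a verified inventory of each vendor's endpoints).
TRACKER_KEYWORDS = {
    "Google/Firebase": ("firebase", "crashlytics"),
    "Braze": ("braze",),
    "Vero": ("getvero",),
    "AppsFlyer": ("appsflyer",),
    "Amplitude": ("amplitude",),
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def vendor_for_host(host):
    """Return the vendor whose keyword appears in the hostname, else None."""
    host = host.lower()
    for vendor, keywords in TRACKER_KEYWORDS.items():
        if any(k in host for k in keywords):
            return vendor
    return None

def audit_har(har):
    """Return (vendor, host, emails) for every request sent to a known tracker.
    Emails are searched in the query string, request body and header values."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlparse(req["url"])
        vendor = vendor_for_host(url.hostname or "")
        if vendor is None:
            continue  # first-party or unknown host: out of scope for this audit
        haystack = [url.query, (req.get("postData") or {}).get("text", "")]
        haystack += [h.get("value", "") for h in req.get("headers", [])]
        emails = sorted({m for text in haystack for m in EMAIL_RE.findall(text)})
        findings.append((vendor, url.hostname, emails))
    return findings

# Constructed sample session in HAR shape; hostnames and payloads are made up.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.firstparty.test/v1/payments", "headers": [],
                 "postData": {"text": '{"amount": 1200}'}}},
    {"request": {"url": "https://track.getvero.test/api/v2/events", "headers": [],
                 "postData": {"text": '{"event": "payment_sent", "email": "alice@example.com"}'}}},
    {"request": {"url": "https://api.amplitude.test/2/httpapi?device_id=abc123",
                 "headers": [], "postData": {"text": '{"event_type": "screen_view"}'}}},
]}}
```

To run it on a real capture, `json.load` the HAR file exported from Charles Proxy and pass the result to `audit_har`; a non-empty email list next to a vendor is the leak this post describes.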

A poor privacy policy, offering users no control

Lydia's "Personal data protection policy" is not directly accessible in the app. You have to search for it from your profile, open the T&Cs at the bottom of the page, and finally find the right link. Section 4 covers the transfer of personal data: "to Lydia's banking partners and suppliers and to their operational service providers".

Contrary to the GDPR, Lydia does not inform users of the marketing partners to which it leaks their personal data. We can only assume they are included among the "operational service providers". Lydia also violates its own policy by leaking your email address, because it claims to anonymize your personal data beforehand:

Lydia may also be required to communicate the personal data of its individual Customers to one of its suppliers or other partners, provided that the data has first been anonymized. This anonymization consists of removing the following elements: first and last name, e-mail address, telephone number, postal address and any other element allowing the Customer, as a natural person, to be identified or contacted directly.

Lydia's privacy policy is also difficult to find: you have to go directly through the Lydia website (note also the typo in the page URL, "confidentilaite" instead of "confidentialité"). On this page, Lydia states:

Your personal data will not be sold, exchanged, transferred, or given to another company for any reason, without your consent, other than what is necessary to respond to an operational request, such as completing a transaction. This does not include trusted third parties who enable us to carry out our activity (legislator, banking partner, host), provided these parties agree to keep this information confidential.

Once again, Lydia does not honor its commitment: your personal data is transferred to other companies (marketing companies, not a legislator, banking partner or host), without your consent. Lydia also says:

The security of your personal data is protected by an encryption system and access codes. Only employees who need to perform specific work such as sales or customer support have access to some of your personally identifiable information. The servers used to store personally identifiable information are kept in a secure environment.

Here too, this is false: Lydia leaks your personal data to several third parties, including your email address to Vero. Some Vero employees can therefore retrace your behavior on Lydia and your transaction history. Finally, Lydia has a very particular definition of consent, in flagrant violation of the GDPR:

By using our services, you agree to our privacy policy.

Obviously, Lydia offers no control over these personal data leaks. Your only option is to use apps such as DNSCloak, Adguard or NextDNS on iOS.