Plaid End User Privacy Policy

This document governs Plaid's collection, use, storage, and sharing of personal and financial data through its data network and API infrastructure, operating under a stated basis of user consent obtained through partner application flows and Plaid's own Link product. The policy states that Plaid collects financial account data (including account numbers, balances, transaction history, and credentials in some flows), identity information, and device/usage data, and the terms authorize sharing this data with financial institution partners, developers building on Plaid's platform, and third-party service providers. Notably, Plaid's data collection model is operationally distinct from many consumer-facing privacy policies in that the end user typically interacts with Plaid through a third-party application rather than directly, creating a layered consent structure where users may not be fully aware of Plaid's role as a data intermediary; the policy asserts broad rights to retain and use transaction data for product improvement and network-level analytics, which the agreement states is done in de-identified or aggregated form, though the scope of re-identification risk under applicable standards warrants evaluation. The policy engages CCPA and CPRA for California residents, GLBA for financial data contexts, and GDPR and UK GDPR for European and UK users respectively, with the FTC and CFPB representing the primary federal enforcement authorities given Plaid's role in financial data intermediation. Compliance teams should note that Plaid entered a 2021 FTC consent order resolving allegations about data collection and use practices, which creates a regulatory baseline against which current policy language should be evaluated, particularly regarding the scope of credential collection and data use for purposes beyond the user's stated transaction.