Plaid shares your financial account data with the app you used to initiate the connection, and that app's own privacy policy then governs what happens to your data on the app's side.
This analysis describes what Plaid's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Once your financial data is shared with a developer application, Plaid's privacy policy no longer governs it, meaning the protections you receive depend on the privacy practices of each individual app you connect to.
Interpretive note: The verbatim policy text was not available due to document truncation; this provision reflects Plaid's publicly documented third-party sharing framework.
End consumers may see their financial data accessed by a broader range of people under developer accounts, but Plaid now requires developers to formally designate and manage these 'Authorized Users' and take responsibility for their conduct. The introduction of session replay and activity monitoring means developer interactions with your financial data may be recorded for audit or security purposes. The policy does not specify what data is covered by monitoring or how long recordings are retained, which creates operational uncertainty for developers handling sensitive consumer financial information.
View change record →Plaid's updated terms establish a new direct relationship with you through the Plaid Account and introduce a monitoring service that operates through a web app. The terms now authorize Plaid to share financial information needed for third-party apps to initiate payments to or from you, which is a broader statement of data-sharing scope than the previous language. This means Plaid's role shifts from primarily facilitating connections to third-party apps toward directly providing account services, including monitoring. The effective date is April 14, 2026, though the change was detected on April 19, 2026. Review your Plaid Account settings to understand what data Plaid holds and how the monitoring service works.
View change record →The updated terms clarify that Plaid may request and collect phone numbers, email addresses, and other contact information when you connect financial accounts or verify your identity through a Plaid-connected application. The terms no longer describe a separate Plaid Monitoring Service or Plaid Web-App. The Plaid Account is now framed primarily as a tool to accelerate onboarding and use of third-party applications rather than as a standalone service for monitoring and alerts. The updated language authorizes Plaid to store identity verification data within your Plaid Account if you choose to do so.
View change record →Your bank transaction data and account information is passed to each third-party app you connect through Plaid, and Plaid's privacy protections do not follow your data into those apps, each of which has its own data practices.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We may share your information with third-party vendors and service providers that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance. We may also share your information with third-party advertising p...
We may also share your personal information with third parties that assist us in providing our services, or where we are under an obligation to report to. But rest assured: we will only ever share your personal information in the limited circumstances described in this Policy.
Monitoring
Plaid has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We share your information with the developer applications and services that you connect to through Plaid. When you use a developer application that uses Plaid, that application receives the financial data you authorize Plaid to share, subject to the developer's own privacy policy and terms of service.— Excerpt from Plaid's Plaid End User Privacy Policy
REGULATORY LANDSCAPE: Data sharing with third-party developers implicates GLBA's affiliate and non-affiliate sharing provisions, CCPA/CPRA's disclosure requirements for sharing personal information, and GDPR Article 28 requirements for data processing agreements where the developer may act as a separate controller. The FTC Act's standards for adequate disclosure apply to the chain of data sharing that users may not be aware of at the point of consent. GOVERNANCE EXPOSURE: Medium. The downstream privacy risk from developer data sharing is structurally significant but is partially mitigated by the consent architecture in Plaid Link, where users explicitly select which accounts to connect and authorize the transfer. However, the adequacy of that consent for each downstream developer's data practices is not guaranteed, and regulators have examined whether bundled consent flows satisfy granularity requirements. JURISDICTION FLAGS: GDPR requires that users be informed of each data controller's identity and purposes at the point of consent. Where Plaid Link consent flows do not name each developer's data practices, this may create GDPR compliance gaps in EU and UK deployments. California users have a right to know the categories of third parties with whom their personal information is shared under CPRA. CONTRACT AND VENDOR IMPLICATIONS: Developer partners receive personal financial data as data controllers in their own right and should maintain their own privacy programs adequate to the sensitivity of the data received. B2B contracts between Plaid and developers should address data use limitations, deletion obligations, and breach notification requirements. Procurement teams at enterprises using Plaid-enabled apps should conduct due diligence on both Plaid's and the developer's privacy programs. COMPLIANCE CONSIDERATIONS: Legal teams should map the full data sharing chain for any application using Plaid, identify each downstream recipient's privacy policy and data retention practices, and ensure end-user disclosures accurately describe the multi-party data sharing structure. For GDPR-covered deployments, a Data Protection Impact Assessment may be warranted given the sensitivity of financial data being shared with multiple controllers.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Once your financial data is shared with a developer application, Plaid's privacy policy no longer governs it, meaning the protections you receive depend on the privacy practices of each individual app you connect to.
Your bank transaction data and account information is passed to each third-party app you connect through Plaid, and Plaid's privacy protections do not follow your data into those apps, each of which has its own data practices.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Plaid.