For many, this is an invisible tradeoff. For others, it's dangerous.
Privacy Protector examines how payment systems collect, retain, and share data—so you can see where exposure happens and take steps to reduce risk.
Payment systems are designed to be seamless and easy to ignore.
They don't just move money. They create records of behavior—persistent, linkable, and monetized.
A payment can be used as evidence. A transaction with a provider links your identity to the care you received.
A transfer can make support networks traceable. Who you send money to, and when, becomes a map of your relationships.
Transaction histories can become tools of control. Over time, they track movement, map behavior, and infer intent.
This is not a failure of the system. This is how it's designed to work.
Privacy is not a niche technical concern. It's a precondition for safety, autonomy, and participation.
Understanding how these systems work is the first step. This work continues with ongoing analysis, platform breakdowns, and practical guidance.
Privacy Protector is a public-interest initiative focused on digital autonomy. We examine how everyday financial and digital infrastructure—payments, billing systems, platforms, and data flows—can expose individuals to surveillance, control, and harm.
While security has improved for institutions, individuals are left to navigate complex, opaque systems on their own. Most harm doesn't come from major breaches, but from everyday defaults—transaction metadata, shared accounts, billing systems, and secondary data markets.
Payment systems generate and use data beyond the transaction itself, making behavior visible and trackable. Exposure comes from ordinary mechanisms—not edge cases or failures.
The same system produces radically different outcomes depending on context, with the greatest impact on those already vulnerable.
Privacy-preserving infrastructure will not emerge from existing platforms because it contradicts their core business model.
Privacy Protector draws on decades of experience across financial systems, payment infrastructure, and healthcare access—contexts where exposure has real consequences.
CEO of Ecostemic LLC and founder of Big Swing Collective, a nonprofit innovation lab in partnership with ReproHub. Her career has spanned political strategy, healthcare transformation, and privacy-preserving technology—from running the campaign that defeated Nazi-Klan leader David Duke in Louisiana to leading strategy and innovation at Planned Parenthood Federation of America, where she oversaw global and domestic strategy and championed innovations in patient navigation, telehealth, and access infrastructure. She has served as an Expert in Residence at global design firm IDEO and was named #5 on Fast Company's Queer 50. She is a CLIO Award-winning strategist who has spoken at TEDx, SXSW, the Aspen Ideas Festival, the Aspen Design Conference, and the Fortune Women's Summit.
Founder of Metta Labs, where she designs and builds systems-level products that address complex social and economic challenges. Her work focuses on financial infrastructure, digital identity, and privacy-preserving systems, particularly in high-risk and resource-constrained environments. She has led the development of ventures and platforms across multiple countries, working with global institutions, corporations, and early-stage teams to deploy products with measurable impact. Previously, she was a Project Leader at Boston Consulting Group and served as Director of Innovation at the International Rescue Committee. She also teaches systems design and innovation at the California College of the Arts.
We publish ongoing analysis of how payment systems work in practice—and what the real-world consequences are in different contexts. Platform breakdowns, scenario-based analysis, and research as this system evolves.
Not all payment apps treat your data the same way. We analyzed the privacy settings, data collection practices, and default protections of major payment platforms—so you can make informed choices about where your financial data goes.
What happens the moment you sign up — before you change a single setting? The defaults tell you what the company wants you to share.
| Platform | Transaction Visibility | Profile Visibility | Friends / Contacts |
|---|---|---|---|
| Venmo | PUBLIC Anyone on the internet can see who you paid, the note, and the timestamp. Dollar amounts hidden, but metadata is highly revealing. Must manually change to Private. | PUBLIC Username, name, profile photo, account creation date all visible. Business profiles indexed by search engines. | VISIBLE Friends list visible to any logged-in Venmo user. Must manually hide and opt out of appearing on others' lists. |
| Cash App | PRIVATE Transactions private between sender and recipient. | PARTIAL $Cashtag (username) is public and searchable. Profile photo visible. | PRIVATE No public friends list or social feed. |
| Apple Cash / Apple Pay | PRIVATE Transactions visible only to sender and recipient. No social feed. Apple doesn't see your card number. | PRIVATE No public profile. Operates within Messages/Wallet. | PRIVATE No friends list or social discovery features. |
| Google Pay / Wallet | PRIVATE Transactions private between parties. But Google retains detailed transaction history including merchant name, category, amount, date, and location. | PARTIAL Name visible to recipients. Profile tied to Google Account. | PRIVATE Alerts if you try to pay someone outside contacts. No public list. |
| Zelle | PRIVATE Transfers between bank accounts. No social layer. | PARTIAL Name and phone/email visible to recipients. No public profile. | PRIVATE No friends list. Contacts accessed locally only. |
| PayPal | PRIVATE Transactions private between parties. No social feed. | PARTIAL Name and email visible to counterparties. Business profiles are public. | PRIVATE No friends list or social features in core PayPal. |
| Stripe | COMPLEX No consumer-facing transaction feed, but Stripe's "Link" product creates a cross-merchant consumer identity that tracks your transactions across every Stripe-powered checkout. Link uses cookies and email matching to recognize you even without an account. | VIA LINK Link stores name, payment methods, contact info, addresses, identity documents, and bank account data. This profile persists across all Stripe merchants. | N/A No social features. But merchant-to-merchant data flows create invisible connections between your purchases. |
Every platform collects transaction data (amounts, dates, recipients). The question is: what else do they collect that they don't need to move your money?
| Data Type | Venmo | Cash App | Apple Cash | Google Pay | Zelle | Stripe |
|---|---|---|---|---|---|---|
| Geolocation | YES | YES | OPT-IN Merchant ID only | YES Used for fraud + receipt details + personalization | YES | YES IP-based location, merchant location, and may "link a location with you to tailor Services" |
| Phone contacts | YES | OPTIONAL | NO Uses iMessage natively | OPTIONAL Addresses and contacts accessed | OPTIONAL | NO |
| Social media contacts | YES | NO | NO | NO | NO | NO |
| Profile photos | YES | YES | NO | GOOGLE ACCT | YES | NO |
| Government ID / biometrics | VERIFICATION | YES May collect passport & license #s | VERIFICATION Via Green Dot Bank | VERIFICATION | VERIFICATION | EXTENSIVE Stripe Identity compares selfies with IDs using biometric technology. Link can store your ID documents for future use across merchants. |
| Bank account data | YES May collect bank login info | VIA PLAID | NO | NO Links via bank's own auth | NO Direct bank integration | EXTENSIVE Financial Connections periodically collects account balances, transactions, and in some cases login credentials. Ongoing access, not one-time. |
| Browsing / device data | EXTENSIVE | EXTENSIVE | LIMITED Device patterns for fraud only | EXTENSIVE Feeds into Google's broader data ecosystem. Collects installed apps, SMS. | EXTENSIVE | EXTENSIVE Collects IP, device info, browser plugins, mouse activity, pages visited, links clicked across Sites AND third-party sites. Also collects data from abandoned checkouts. |
| Purchase details (what you bought) | NOTES ONLY User-written payment notes | NOTES ONLY | MINIMAL Approximate amount, anonymous | YES Merchant name, category, amount, date, location | NO Bank-to-bank only | YES Item-level data including "what was purchased, order fulfilment status, subscription status, tax amounts." Via Link, this data accumulates across all Stripe merchants. |
| Data from incomplete transactions | NO | NO | NO | NO | NO | YES Explicitly collects "information entered into a checkout form even if you opt not to complete the form or transaction." You don't have to buy anything for Stripe to capture your data. |
| AI / model training | LIKELY | LIKELY | NO | LIKELY | UNCLEAR | YES Privacy policy explicitly states data is used for "training artificial intelligence models to power our Services." |
Once collected, where does your data go — and how long do they keep it after you leave?
| Policy | Venmo | Cash App | Apple Cash | Google Pay | Zelle | Stripe |
|---|---|---|---|---|---|---|
| Sells or shares data for advertising? | YES Data used for advertising. | UNCLEAR Vague disclosure language. | NO Clearly states it does not sell data. | NOT DIRECTLY Says no ad use of transaction data — but data feeds Google's profile of you. | UNCLEAR Vague on the subject. | EFFECTIVELY YES Policy says they don't transfer data "in exchange for payment" — then admits that providing data to ad partners "may be considered a data 'sale' or 'sharing'" under CCPA. Shares with advertising partners, analytics providers, and social networks. Non-affiliates can market to you unless you opt out. |
| Third-party data sharing | EXTENSIVE Vague vendor descriptions. Claims right to collect data via methods "not described" in its own policy. | MODERATE Shares with Block, Inc. affiliates. | LIMITED Only Green Dot Bank + Apple Payments Inc. | MODERATE Shared between Google entities. Discloses to merchants whether you have Google Pay. | MODERATE Shares with co-owning banks and unspecified "service providers." | EXTENSIVE Shares with: Stripe affiliates globally, Financial Partners (banks, card networks, payment processors), Business Users and their authorized third parties, service providers (primarily in EU, US, and India), institutional investors/lenders (for Stripe Capital), advertising partners, analytics providers, social networks, credit bureaus, law enforcement, and governments. If a merchant doesn't finish checkout for you, the merchant still gets your data for their own advertising. |
| Data retention after closure | VAGUE No clear deletion timeline. | VAGUE No definitive deletion policy. | UP TO 5 YEARS At least they state a number. | UNCLEAR Disabling Google Pay doesn't close Google Account. Policy "continues to apply." | VAGUE No clear commitment. | OPEN-ENDED Retains data "for as long as we continue to provide Services" and even after you stop transacting, for fraud monitoring, legal compliance, tax reporting, and "contractual agreements with Financial Partners." No stated maximum period. |
| Transparency of disclosures | POOR 5 sets of disclosures scattered across app and website. | FAIR Committed to work with CR on improvements. | GOOD Relatively clear and consolidated. | FAIR Settings exist but are buried. Personalization on by default. | FAIR Vague catch-all language. | MIXED The policy is detailed and thorough (23 pages, CBPR/PRP certified), but its sheer length and complexity obscure aggressive practices. "Learn More" links lead to further nested documents. The most troubling provisions — abandoned checkout collection, AI training, the CCPA "sale" admission — are buried deep. |
How well is your money protected — and what happens when something goes wrong?
| Feature | Venmo | Cash App | Apple Cash | Google Pay | Zelle | Stripe |
|---|---|---|---|---|---|---|
| FDIC insurance by default? | NO Only direct deposit / check capture funds. | NO Must apply for Cash Card. | NO Must register with Green Dot. | VARIES Depends on linked funding source. | YES Direct bank-to-bank transfer. | N/A Merchant processor. |
| Unauthorized transaction liability | $0 IF <60 DAYS Full coverage within 60 days. | $50 IF <2 DAYS Up to $500 after 2 days. | $50 IF <2 DAYS Same tiered structure. | CARD NETWORK Follows linked card's rules. 120-day fraud reporting. | $50 IF <4 DAYS Up to $500 after 4 days. | MERCHANT LEVEL Chargeback via card networks. |
| Scam reimbursement? | NO | NO | NO | NO | NO | N/A |
| Security architecture | STANDARD PayPal parent compliance | STANDARD Block, Inc. compliance | STRONG Hardware Secure Element. Biometrics never leave device. Data isolation via Apple Payments Inc. | GOOD Secure Element on supported devices. Tokenization. But data flows into Google's broader ecosystem. | STANDARD Major bank infrastructure | STRONG (INFRA) PCI Level 1, NIST-aligned, CBPR/PRP certified, E2E encryption. The security of the pipe is excellent — the problem is what flows through it and where it goes. |
| Binding arbitration? | YES 30-day opt-out | YES 30-day opt-out | YES No opt-out | YES 30-day opt-out | YES 30-day opt-out | MERCHANT TERMS |
BNPL services like Affirm, Klarna, and Afterpay aren't just payment apps — they're lenders. That means they collect even more data, including what you bought, not just that you paid. The CFPB has described their practices as "digital surveillance."
Stripe processes payments for millions of businesses — including many healthcare, telehealth, and clinic platforms. Its January 2026 privacy policy reveals a data collection apparatus far more extensive than most consumers or merchants realize.
Stripe explicitly states it collects information from checkout forms even when customers abandon the transaction. If a patient begins to pay a healthcare provider online, enters their name and card number, then closes the browser — Stripe has already captured that data. The intent to transact with a specific provider is recorded without a transaction ever occurring.
Policy language: "We may also collect information entered into a checkout form even if you opt not to complete the form or transaction with the Business User."
Stripe's Link product stores your name, payment methods, contact info, addresses, and even identity documents. It uses cookies and email matching to recognize you across any Stripe-powered checkout — even if you've never created a Link account. Link also integrates with BNPL services and crypto wallets, expanding the data web. If you bought shoes from one Stripe merchant and then visited a reproductive health clinic's Stripe-powered checkout, Link is architecturally designed to connect those identities.
Policy language: "Stripe may use cookies and similar technologies or the data you provide to our Business Users (such as when you input your email address on a Business User's website) to recognise you and help you use Link."
If a merchant uses Stripe's Financial Connections product, Stripe doesn't just verify your bank account once — it "periodically collects and processes" your account balances, transaction history, and in some cases, your login credentials. This is continuous access to your financial life, not a one-time verification.
Policy language: "Stripe will periodically collect and process your account information (such as bank account owner information, account balances, account number and details, account transactions, and, in some cases, log-in credentials)."
Stripe says it doesn't sell data "in exchange for payment." But in the same section, it acknowledges that providing data to advertising partners, analytics providers, and social networks "may be considered a data 'sale' or 'sharing' (for behavioural advertising) as those terms are defined under the CCPA." This is a remarkable admission buried 19 pages into the policy. Under the Gramm-Leach-Bliley framework, non-affiliates can use your Stripe data to market to you — opt-out is on you.
Policy language: "Because these third parties may use the data Stripe provides for their own purposes, Stripe's provision of data to these parties may be considered a data 'sale' or 'sharing' (for behavioural advertising)."
The policy explicitly states Stripe uses personal data for "training artificial intelligence models to power our Services." This means transaction data from healthcare payments — including from sensitive providers — may be fed into Stripe's fraud models and other AI systems that operate across their entire merchant network.
Policy language: "Training artificial intelligence models to power our Services and protect against fraud and other harm."
Stripe collects mouse activity indicators, device and browser fingerprints, and browsing behavior not just on its own sites but across third-party sites where its code runs. It also records and transcribes phone calls. Every Stripe-powered checkout page is a data collection surface — and that surface extends to fraud detection signals shared with Business Users via Stripe Radar.
Policy language: "We also collect activity indicators, such as mouse activity indicators, to help us detect fraud... The devices and browsers you use across our Sites and third-party websites, apps, and other online services."
After you stop using Stripe — after you close your account, complete a transaction, or stop doing business with a Stripe merchant — your data persists. Stripe retains it for fraud monitoring, legal compliance, tax reporting, and "contractual agreements with Financial Partners." Unlike Apple (which states 5 years), Stripe defines no maximum retention period for most data categories.
Policy language: "Even after we stop providing Services directly to you... we may continue to retain your Personal Data."
Venmo is the only major P2P app that defaults to making transactions public. A 2018 researcher reconstructed detailed personal profiles — shopping habits, relationships, pet ownership, utility providers — from 207 million public Venmo transactions.
Stripe's data collection is the most expansive of any platform we reviewed — abandoned checkout capture, cross-merchant identity via Link, ongoing bank account surveillance via Financial Connections, AI training on transaction data, and an effective admission that data sharing with ad partners constitutes a "sale" under CCPA. The security of the infrastructure is excellent; the problem is what happens to the data that flows through it.
Apple created a separate subsidiary (Apple Payments Inc.) specifically to wall off financial data from the rest of the company. It's the only platform that clearly doesn't sell data. The Secure Element means biometrics never leave your device. Google Pay uses similar hardware security but feeds transaction data into Google's broader ecosystem.
The CFPB described BNPL business models as "dependent on digital surveillance." These services know what you bought, not just that you paid — and they monetize it. Stripe's Link product now bridges into BNPL, creating a pipeline from payment infrastructure to surveillance lending.
If you're tricked into sending money voluntarily — even through a sophisticated scam — no platform will reimburse you. Consumer Reports argues providers should create dedicated funds for scam victims, but none have committed to this.
When a patient pays a healthcare provider through any of these platforms, that payment creates a data trail linking the patient to the provider — and by extension, to the type of care they received. None of this data is protected by HIPAA, because payment processors are not covered entities or business associates under health privacy law.
For patients accessing reproductive healthcare, gender-affirming care, substance use treatment, or mental health services, that metadata trail can be surveilled, subpoenaed, or exploited.
Stripe deserves particular scrutiny because it processes payments for a huge number of telehealth and clinic platforms. A patient who begins — but doesn't even complete — a checkout at a reproductive health clinic has already had their data captured. If that clinic uses Stripe, the patient's name, card details, and intent to transact with that specific provider are now in Stripe's system, available for cross-merchant identity linking via Link, potentially feeding AI training models, and retained indefinitely. The transaction note "Dr. Smith — follow-up" on a public Venmo feed is bad. A persistent, cross-merchant identity profile that connects your pharmacy visits, clinic payments, and insurance transactions across every Stripe-powered checkout is worse — because it's invisible.
Privacy-preserving payment infrastructure isn't a nice-to-have for healthcare. It's a patient safety issue. The gap between what these platforms collect and what they actually need to collect is where patient harm happens.
There is strong work being done across digital safety, privacy, and security. What's often missing is translation—how these risks show up in everyday payment and billing systems. This page curates the most useful resources through that lens.
Foundational work on digital privacy and surveillance. Useful for understanding how data is collected, tracked, and used across systems.
Clear explanations of how financial systems work, including payments, billing, and consumer protections.
Practical digital safety guidance for sensitive situations, especially where privacy is directly tied to healthcare access.
Resources on technology-facilitated abuse, including how shared accounts, devices, and financial tools can be used for monitoring or control.
Context on how data from everyday systems can be accessed and used by institutions, including law enforcement.
These resources are part of a broader system. Understanding how they connect—across platforms and real-world use—is what makes them useful.