Lydia loves trackers
Lydia is a very practical application, allowing you to simply reimburse your friends and create prize pools. It’s a French “fintech” which raised 40 million euros this year, notably with the Chinese giant Tencent. Since Lydia manages financial transactions, I didn't expect to be monitored.
To see which tracking tools Lydia has set up, I followed this procedure on my iPhone:
- Close the various background applications
- Launch the Charles Proxy application and activate tracking
- Launch the Lydia application, then navigate within the app
- Export the logs from my Charles Proxy session to my computer
As you can see in the screenshot, the Lydia app is talkative and communicates your personal data to several actors:
- Google: via the Firebase developer toolbox, Lydia measures your use of the application and its crashes (Crashlytics), and therefore sends your personal data to the Mountain View giant.
- Braze: this company allows Lydia to send you tailored messages (in-app, notifications, emails) at the “right time”. Braze tracks all your actions on Lydia, and in particular the details of your payments.
- Vero: another company that allows Lydia to send you tailored messages at the right time. Lydia also sends your navigation and payment details to Vero in order to adapt its future communications. More seriously, what Lydia attaches to your various actions is not simply a pseudonym but also your email address.
- AppsFlyer: a mobile marketing company offering an attribution product, which allows Lydia to know which advertising campaigns triggered the installation of the application.
- Amplitude: an analytics tool that allows Lydia to analyze your behavior on its application in detail. Here too, everything is tracked: each screen viewed, the details of your transactions, the model of your smartphone, your mobile operator and even your smartphone identifier.
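The check behind the findings above can be scripted once the proxy session is on the computer. The following is an added example, not code from the original post: it assumes the session was exported as HAR (HTTP Archive) JSON, groups requests by tracker vendor, and flags requests that carry the account's email address in the URL or body. The domain suffixes in `TRACKERS`, the sample session and the address `alice@example.com` are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, quote

# Assumed vendor domain suffixes (not taken from the page's capture); adjust to your log.
TRACKERS = {
    "app-measurement.com": "Google Firebase",
    "crashlytics.com": "Google Firebase",
    "braze.com": "Braze",
    "getvero.com": "Vero",
    "appsflyer.com": "AppsFlyer",
    "amplitude.com": "Amplitude",
}

def vendor_for(host):
    """Map a hostname to a tracker vendor by exact or dotted-suffix match."""
    host = host.lower().rstrip(".")
    for suffix, vendor in TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def audit_har(har, email):
    """Return {vendor: {"requests": n, "email_leaks": n}} for a parsed HAR dict."""
    needles = {email.lower(), quote(email, safe="").lower()}  # raw and URL-encoded
    report = defaultdict(lambda: {"requests": 0, "email_leaks": 0})
    for entry in har["log"]["entries"]:
        req = entry["request"]
        vendor = vendor_for(urlsplit(req["url"]).hostname or "")
        if vendor is None:
            continue  # first-party or unlisted host
        body = (req.get("postData") or {}).get("text") or ""
        haystack = (req["url"] + " " + body).lower()
        report[vendor]["requests"] += 1
        if any(n in haystack for n in needles):
            report[vendor]["email_leaks"] += 1
    return dict(report)

# Constructed sample session: hosts, paths and bodies are illustrative only.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.getvero.com/constructed/track", "postData": {
        "text": '{"identity":{"email":"alice@example.com"},"event":"payment"}'}}},
    {"request": {"url": "https://api.getvero.com/constructed?u=alice%40example.com"}},
    {"request": {"url": "https://api.amplitude.com/constructed",
                 "postData": {"text": '{"event":"screen_view"}'}}},
    {"request": {"url": "https://sdk.braze.com/constructed"}},
    {"request": {"url": "https://api.lydia.example/constructed/pay"}},
]}}

if __name__ == "__main__":
    print(json.dumps(audit_har(SAMPLE_HAR, "alice@example.com"), indent=2))
```

To audit a real capture, load the exported file with `json.load` and pass it to `audit_har` with your own address; request bodies are only present if the proxy decrypted the TLS traffic.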
A poor privacy policy, offering no control to the user
The "Personal data protection policy Lydia" is not accessible directly in the App: you must search for it from your profile, then open the T&Cs at the bottom of the page, and finally find the right link. Section 4 deals with the transfer of personal data: "to Lydia's banking partners and suppliers and to their operational service providers".
In contradiction with the GDPR, Lydia does not inform the user of the marketing partners to whom it leaks your personal data; we can simply assume that they are included in the "operational providers". Lydia also flouts its own policy by leaking your email address, because it claims to anonymize your personal data beforehand:
Lydia may also be required to communicate the personal data of its Customers who are individuals to one of its suppliers or other partners, provided that they have been previously anonymized. This anonymization consists of removing the following elements: first and last name, e-mail address, telephone number, postal address and any other element allowing the Customer to be identified or directly contacted as a natural person.
Lydia's privacy policy is also difficult to find: you have to go directly through the Lydia website (also note the spelling mistake in the URL of the page, "confidentilaite" instead of "confidentialité"). Lydia indicates on this page:
Your personal data will not be sold, exchanged, transferred, or given to another company for any reason, without your consent, other than what is necessary to respond to an operational request, such as completing a transaction. This does not include trusted third parties who enable us to carry out our activity (legislator, banking partner, host) as long as these parties agree to keep this information confidential.
Once again, Lydia does not respect its commitment: your personal data is transferred to other companies (marketing companies, not a legislator, banking partner or host) without your consent. Lydia also says:
The security of your personal data is protected by an encryption system and access codes. Only employees who need to perform specific work such as sales or customer support have access to some of your personally identifiable information. The servers used to store personally identifiable information are kept in a secure environment.
This too is false: Lydia leaks your personal data to several third parties, including your email to Vero. Certain Vero employees can therefore trace your behavior on Lydia and your transaction history. Finally, Lydia has a very particular definition of consent, in flagrant violation of the GDPR:
By using our services, you agree to our privacy policy.
Obviously, Lydia does not offer any control over these leaks of personal data. Your only option is to go through apps like DNSCloak, AdGuard or NextDNS on iOS.