"I paid for the product, therefore, I have nothing to worry about"

10/3/22: this post is being updated and may contain outdated information.

If the product is free, you are the product

A commonly repeated phrase stated by many when talks of privacy and software come about.  And to be fair, there aren't many instances where the person saying that is wrong. However, this often leads to an unintended, maybe even subconscious, assumption that can be detrimental.

Since I'm paying for the product, I have nothing to worry about

On the surface, I could see how this passes the eyeball test.  After all, we're giving them money which means they don't need to collect all kinds of data to share or sell, right?  

Sadly, not the case.  The truth of the matter is that even if we're paying for the product, we're still potentially in the frying pan.  We still need to properly vet the products and services we use, read their privacy policy, and ask questions.  You'll be amazed at some of the stuff you'll find and it's rather eye opening to see the amount of privacy we hand over on a silver platter.

Everyone already knows that Microsoft, Apple, Google, Facebook, Amazon are all looking to get a piece of our data pie, so let's talk about an example that isn't related to any of them but still fairly popular that an everyday person would know about.  Let's talk about the incredibly popular budgeting software/service, You Need A Budget.

They currently charge just shy of $100 per year, or $14.99/mo, to allow us to use their software and services.   You'd think it would be safe to assume that since we're paying them almost $100 a year that our data stays in their loving hands, right?

So let's run through their privacy policy real quick.

We do not sell users’ data. (And we never have!)

This is good, no, great news! The last thing we want to see is a company selling the data of its users, especially when it comes to finances.  Let's keep reading.

We share data to fulfill the purposes for which you provide it; to enforce or apply our Terms of Service, including billing. We may disclose or transfer personal information that we collect or you provide as described in this privacy policy:
To contractors, service providers, and other third parties we use to support our business, in particular providing infrastructure and analytics services, and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
With respect to aggregating your banking and other financial accounts, we will transmit your account credentials to third-party aggregation partners, who will use them to gather and maintain your account balances, transactions, and holdings used to provide our services.
To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by us about our Website users is among the assets transferred.
To fulfill the purpose for which you provide it.
In aggregated form, and/or information that does not identify any individual.
For any other purpose disclosed by us when you provide the information.
With your consent.

This is where things start getting rough.  Nobody has any idea who these contractors, third parties, and analytical companies are or how they handle and store our data since they aren't beholden to YNABs privacy policy.  Transmitting our account credentials to third party partners is something we don't want either.

They also state they aggregate our information in a way that doesn't identify any individual person yet it's been proven time and time again that there is no such thing as anonymized data.

So, just because they aren't selling our data doesn't mean they aren't sharing it.  We're giving them access to all of our sensitive financial information yet some or all of it ends up in the hands of third parties and analytic companies.  To make matters worse,  YNAB and its employees can access our accounts and view all of the data and information we've provided at any time they want to.  Take a peek.

The YNAB Team does not access or interact with customers’ budget data as part of normal operations. There are cases where a customer requests that YNAB access their budget, or where required by law. All budget data is access-controlled, accompanied by customer approval, and carries with it documentation surrounding the reason for access and the access start and end time. A YNAB Team member’s violation of our customer data access policy will result in immediate dismissal.

They try to reassure us by saying they'll fire anyone on the spot who accesses our data without our consent but those promises hold little value.  The point is they can still access it and who knows for how long or how many times before they're caught, if they ever are.  

This isn't uncharted waters or tin foil hat territory either.  A damning report on SnapChat came out regarding employees accessing user information.

Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses.

They aren't the only ones caught with their pants down either.  Uber was seen doing something similar.

Uber employees regularly abused the company’s “God view” to spy on the movements of “high-profile politicians, celebrities and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses”, according to testimony from the company’s former forensic investigator Samuel Ward Spangenberg. Even Beyoncé’s account was monitored, the investigator said.

Lyft has a similar story

When asked if staffers, ranging from core team members to customer service reps, abused this privilege, the source said “Hell yes. I definitely looked at my friends’ rider history and looked at what drivers said about them. I never got in trouble.” Another supposed employee anonymously reported on workplace app Blind that staffers had access to this private information and that the access was abused.
Our source says that the data insights tool logs all usage, so staffers were warned by their peers to be careful when accessing it surreptitiously. For example, some thought that repeatedly searching for the same person might get noticed. But despite Lyft logging the access, enforcement was weak, so team members still abused it.

You Need A Budget is merely one of many companies who still collect and share information even though they're handed our cold, hard cash.  This is a friendly reminder to always check all the services you use regardless if it costs money or not.

Side note: In case you're curious about YNAB alternatives that are better for your privacy, here's a few recommendation.  I will say, some of these choices won't have fancy graphics or flashy animations and are gear more towards utility.

If you're into self hosting for full control Firefly III is tough to beat.

There's also nothing wrong with a simple spreadsheet or good old fashioned pen and paper.

Want to join the discussion?  Check out this post, and others, over at the CupWire subreddit and leave a comment.