Hello. This issue is intended to reply to this post authored by @Enegnei and make any needed changes to our (Zap/Strike) privacy policy, terms, product, and so on.
The Strike homepage describes their service as 'private.'
I agree this can be misleading. The intention is that data we have is never shared and one can spend money to friends and on services through us as a proxy of sorts. However, with Cognito and Plaid, I can understand the concern with displaying "Private" without further clarification. This has been updated to "Fast" on our website.
They also reserve the right to "block access to the Services from certain IP addresses and unique device identifiers."
Of course. This is not unique to our service. If we need to block service for a user for regulatory, compliance, or malicious behavior we need to ensure we have that right.
Transaction terms
Reserving the right to change limits is based on our ongoing dialog with regulators. Currently, a LIGHT user has the following limits:
- $100 per payment
- $2,000 lifetime
I work with regulators to raise these limits and eventually remove them. This was discussed publicly (on your podcast @Enegnei).
However they also use "pixel tags / web beacons," and engage in other automated collection activities:
Technology such as Cookies is required for such features as persisting a user's login. Web beacons or pixel tags are the politically correct, lawyer-speak, way of acknowledging we use analytical tools. The definition is defined in the Privacy Policy. This is standard across all web and mobile applications.
Cognito
Yes, it is true that we use Cognito to do a wider search based on the information provided to us. I clarified publicly (on your podcast @Enegnei) that this "LIGHT KYC" effort was designed to prevent users from sharing information with a third party (Strike) if they don't have to. One of the many dangers KYC authors is a given individual's data being scattered across various services. The concept was if a user gives us their name and phone number, is that enough? If so, we aren't interested in anything else. It in theory should benefit the individual and the UX of our product.
Do you have an issue with the above? Would you like me to document this intention somewhere? How can I better communicate how we use Cognito?
VISA and Plaid
It should be fairly obvious, but our early-stage Bitcoin startup has zero relation to VISA making a multi-billion dollar acquisition. I have clarified publicly on many occasions that our relationship with VISA is through their Fast Track program and our relationship with Plaid is simply signing up, creating an account, and integrating with their API.
A user has a relationship directly with Plaid. This is outlined in their documentation. When a user adds a payment method through Plaid (regardless of the service), they are shown the following screen:
The user, therefore, agrees to Plaid's terms and privacy policy before adding a payment method. Plaid's privacy policies can be found here.
Plaid is the number one service in the US to allow deposits from a consumer's bank account. Services such as CashApp, Venmo, Robinhood, and Coinbase use Plaid. I stated publicly (on your podcast @Enegnei) that our effort with Plaid was based on advice from others and the quickest way to accomplish an MVP. We allow users to deposit funds via a debit card currently and plan on allowing other ways for users to deposit funds.
I understand the concern that Plaid is not mentioned in our privacy policy and have reached out to our counsel with an ask to have that updated.
At this time, contrary to my initial determination, I do not believe that applying this term to Strike would be accurate
How would you define it then? Is it fair to make a distinction between full KYC and what we provide? So far, LIGHT has worked as a way to communicate the feature; however, I am open to suggestions of course.
Summary
In summary, Strike is a regulated, proprietary service. It does not market itself otherwise and does not market itself to be for those that don't want to share any personal information. It requires an individual's personal information and the ability for that given individual to deposit fiat currency. In order to support the service, third party relationships are required. If one is not comfortable with companies like VISA, Plaid, and so on, that is fair and entirely your decision.
After reviewing your piece @Enegnei it's unclear to me what exactly we need to improve on. Yes, we are regulated and require personal information by law. Yes, we require depositing fiat currency which in turn requires some form of linkage to a payment method. I believe all of our efforts have been public, transparent, and honest. I've publicly stated this project is in BETA and we have been iterating based on feedback and concerns and intend to continue doing so.