[staringispolite]

I was also thinking through which rules would apply here. (What entity owns a Stripe account? What constitutes a transfer of data? How does this case differ from say, an acquisition?)

The medium article only shows info you can get from a Stripe card_id request. Not using https on that page is troublesome, but I don't think there's any evidence to suggest FlyMaids (or even HomeJoy) ever had access to actual CC information.

It seems more likely that this depends on Homejoy's ToS/Privacy Policy. (Although it's certainly possible the transfer was done in a way that violates Stripe's policies, I'm just not familiar with those)

Edit: It might even be the same business entity with different d.b.a names. Good discussion here: https://news.ycombinator.com/item?id=10468161