You should resolve the discrepancy between this comment and your Privacy Policy. A message board comment is not legally binding, and what I linked to has substantial wiggle room in interpretation.
Yup - a HN comment is definitely not legally binding. Given some of the flame wars on some of the threads over the years, that would definitely be a scary world.
Based on a number of lawyers (we've gone deep on this over the past several years), I'm confident this is resolved through the combination of our terms and privacy policy - the EU/Swiss privacy shield stipulations, which drove the privacy policy encompasses the specific data there that's shared (check out the section entitled "Collection", which is then what's referenced in the shared section). These are common information to engage in internet commerce like email, billing info, etc. This is actually specifically why we had language in our Terms to encompass the actual financial data. The ironic part of all this is we repeatedly told our legal folks we needed to simplify, simplify, simplify.
All that being said - you clearly came to the page and thought the worst based on the language, so I guess it doesn't really matter if we're legally doing the right thing, we need to make sure you (and other folks who reach us) are interpreting and seeing what we're doing as intended.
Give me/us a little bit of time to figure out how to make this instantly obvious. As I mentioned, we're in the midst of clearing up our house based on GDPR requirements, so it's a good time to revisit. Really appreciate the feedback - only way we get better. :)
For greater context, the reason why I’m saying your Privacy Policy needs to be revised for precision is because:
1. I have experience acquiring data for the financial industry, and your privacy policy looks like the kind used to discreetly allow data brokering for free apps that have a lot of user data, and
2. I’ve seen executives who do sell data deny that they sell data by being overly literal and obtuse about what users mean when they ask if their data is sold. When users ask if their data is sold they’re usually including “data sharing with affiliates”, even if they aren’t savvy enough to use that terminology. The concern there is that user data collected by third parties is allowed to be reshared by their affiliates and under opaque terms that do not preclude monetization.
In EU, you need to write something like "...share data with third-party service providers..." already if you use AWS, because customer data will not only be held at your premises, but also held by another company (Amazon).
It seems to be difficult to phrase the Privacy Policy in a way that will satisfy this condition, and at the same time remove the 'wiggle room' you see.
That has the big disadvantage that if you switch from AWS to Google Cloud, you need to notify all of your customers about the changed policy and ask them for consent again. I have not seen any Privacy Policy yet which lists the service providers.
You don't need to ask for consent, because it's typical that a clause will simply state, "Continued use of this service indicates acceptance of these terms", etc. That seems like a non-problem as far as these things go.
The reason you don't see privacy policies which list that information is not because it has an exorbitant inconvenience cost, it's because they benefit directly from that information asymmetry.
You actually do, because now you want to send data to Google Inc., for which you don't have the consent of your customers yet. They only agreed to sending it to Amazon. You can't make them agree to any future changes of your Privacy Policy.
edit: yes, you can send out a notification on every change and tell your customers that it is an implicit consent if they don't object. But I still wouldn't want to do that for every change of service provider, and there can be quite a few such providers in an SaaS.
Based on a number of lawyers (we've gone deep on this over the past several years), I'm confident this is resolved through the combination of our terms and privacy policy - the EU/Swiss privacy shield stipulations, which drove the privacy policy encompasses the specific data there that's shared (check out the section entitled "Collection", which is then what's referenced in the shared section). These are common information to engage in internet commerce like email, billing info, etc. This is actually specifically why we had language in our Terms to encompass the actual financial data. The ironic part of all this is we repeatedly told our legal folks we needed to simplify, simplify, simplify.
All that being said - you clearly came to the page and thought the worst based on the language, so I guess it doesn't really matter if we're legally doing the right thing, we need to make sure you (and other folks who reach us) are interpreting and seeing what we're doing as intended.
Give me/us a little bit of time to figure out how to make this instantly obvious. As I mentioned, we're in the midst of clearing up our house based on GDPR requirements, so it's a good time to revisit. Really appreciate the feedback - only way we get better. :)