[dexterous]

> Plaid claims to not store this info, and I assume that they don't

Think of it as Plaid storing OAuth2 access tokens, sort of; and the tokens do expire (over pretty long periods), though, some bank integrations do allow them to generate their equivalent of refresh tokens.

Plaid didn't go into this blind; they know the tightrope they're walking. As someone who's worked with Plaid to build an integration into our product, I'd say they're definitely in a very gray area, but that's pretty much all of the Fintech space right now.

Although, I'd also say they're not malicious; even if it is just motivated by the fear of the bad press resulting in a customer exodus.