Hi,
I think this topic should have its own thread under GDPR, as an Android user I’d never have found it if I hadn’t messaged the Admins via the app.
I’m still extremely concerned by what happens here.
Your customers ( e.g. me) are caught by the effects of GDPR upon them, (I.e. your customers’ employers) IF they have any business contact data on their phones. Put another way, my contacts are somebody elses’s personal data. They own it, not me, and they now determine what can happen to it and must be told if it is used without their consent.
From reading this explanation, their data is used in some way, to create whatever a hash is and then matched with a larger has from someone else’s personal data.
I run a head hunting business with some extremely sensitive contact data on my phone, yet my business makes no provision for this in its GDPR declaration, how can it? I shudder to think what my contacts would think if they knew their data is being used by a fledgling bank (that must be considered at financial risk as it is not making profits and still making cash calls on its shareholders).
Honestly, I am alarmed by phrases such as (can’t remember exactly) “we will not contact your contacts without your consent” implies you have the ability to contact them and “if Monzo shares / benefits from their data with third parties…” reinforces the belief you have access to their data.
It looks to me as though you are putting your customers and their employers at risk of breach of GDPR without their knowledge. The minimum I think you should do is seek legal clarification and clearance from reputable and suitably knowledgeable solicitors (or barrister) to reassure us that us, your customers, and our employers are not at risk.
I believe this to be urgent and I hope you will give it the highest priority.
Thanks