Using anonymised spending data in public for facts/infographics

Hi everyone!

Yesterday I ran a report on our users’ spending data and found a fun fact that I put on Twitter:

Fun fact… our users have spent twice as much donating £ to good causes through @JustGiving as they have buying donuts at Krispy Kreme :doughnut::doughnut:

A similar kind of thing to when Tristan and Sam published an infographic on user spending back in April:

This blog post has been one of our most popular, and I for one find this kind of data really interesting, but there have been some negative reactions of the back of yesterday’s Tweet, including:

Guy Moorhouse said:
@getmondo I’m totally behind Mondo + what you’re doing but sharing user data like this (even if anonymised) feels a bit weird.

Rob Sterlini said:
@getmondo is there any way that we can remove our selves from this anonymised data?

Cameron Harris Wood said:
@getmondo bit creepy that your publicly talking about user’s spending habits already #MetadataIsntPrivacy

Data privacy is, of course, really important to us and we don’t want to jeopardise the trust between us and our users.

What does everyone think about this? Should we avoid any more of these types of blog posts/infographics/facts?

1 Like

Do it, I don’t care as long as it is anon.

1 Like

There’s no doubt it’s interesting data, but I do believe it belongs to the individual users, even when anonymised and in aggregate. This sort of data is valuable for a reason (companies spend millions on acquiring spending habit trends etc, which is why I asked the question about Mondo’s business plan). It allows companies to target and in some cases manipulate people into making commercial decisions - essentially, it can be used for reasons that I (the owner) might not agree with. If users could opt in (maybe for some benefit) then I don’t actually see a problem with the data being shared or sold. But doing it without permission makes me feel like the product, rather than the customer.

1 Like

Banks definitely do sell that data - it doesn’t make it right. :slight_smile:

I think even the wording of the statement may have changed peoples perspectives.

Having the same piece of information sound like Mondo’s data, rather than an aggregation of your users, I imagine would sit better with people.

For instance instead of

Fun fact… our users have spent twice as much donating £ to good causes through @JustGiving as they have buying donuts at Krispy Kreme :doughnut: :doughnut:

Fun fact… Mondo has transacted twice as much donating £ to good causes through @JustGiving as they have buying donuts at Krispy Kreme :doughnut: :doughnut:

But I know this then makes the post lose a little bit of it’s excitement because it doesn’t include the user, and therefore makes it less engaging. But because the context of the data is Mondo, it sounds like it’s Mondo’s data to share and shouldn’t offend users. You get my meaning! :relaxed:


I don’t see any problem with this - as long as it is anonymous. I’m always hearing on the news that people are spending more on this category then that category, I have no idea where they get that data from - I have always assumed that my bank already collects these details from me and does something similar to what Mondo does - I could be completely wrong. I think it’s the same with most things you use these days, for example on an iPhone, in the App Store you can see what apps are trending and what apps are in the charts - again the data must be coming from normal users such as you and I.

I agree with @danbeddows regarding the phrasing you are using in the communication.

As for the use of the data, as long as you make it clear in your privacy policy exactly how the information will be used and aggregated then that’s fine with me. I would suggest the following:

Make your privacy statement less wordy and more pictorial. No one reads T&Cs and therefore if they look boring you will get people who ignore them and then complain. Make the T&Cs fun (you can always have a boring version as well) so people understand what you will do and what you won’t do.

Put some example infographics into the privacy policy - make it visual.

Also why not describe how you aggregate the data? Give reassurance that you are doing it in a way that will make it impossible to identify a single user. For example I am assuming you have enough users that it would be impossible to identify Krispy Kreme buying charity donators… but if you sliced the data poorly then you may end up identifying individuals… so tell us about the controls you have in place to prevent that. Tell us which groups of employees have access to the “raw” data vs the aggregated data (and which levels of aggregated data). But tell us visually.

On a side note I found it really interesting that I could export my own data in the app and it wasn’t just date, amount, transaction. Really glad to see addresses etc. Perhaps a side use of the data might be ‘achievements’ that are either system wide or user configured:

“You spent more this month on charitable giving than 90% of mondo users”

“You backed local (independent) businesses to the tune of £350 this month - your best month yet!”

Complete tangent: Also have you looked at integrating local currencies? Bristol has the Bristol Pound which aims to keep money within the local community.

Further thought: Could your users have access to the aggregated data in some way through some sort of query tool?


This data (household expenditure) if often provided by the ONS (Office for National Statistics) by sampling then visiting selected addresses nationwide and recruiting households (for a small payment) to keep a diary of ALL their expenditure over a two week period.

Accuracy is only possible by strict representative sampling of the whole UK (as this information produces the RPI, etc. And is used to determine the uplift in the state pension and other benefits).

I worked for them for some 18 years …

I really love the visual privacy policy idea :slight_smile:

Also I agree around the ‘make it impossible to identify a single user’. Even now, without that many users, we have too many transactions in each of these categories/merchants to ever be able to pin it down, but we can quantify that and post it as a policy maybe.

1 Like

Great point, thanks… maybe “spending through Mondo has shown”?


This stuff is fascinating and would love to see more of it. A live page of anonymous data on spending through mondo would be great to see as well.

1 Like

As I said in the other thread:

Would be great it it were live like the Twitter emoji site

I love this kind of stuff, I’m all for it. If it’s anonymous and aggregated like that, I really don’t see how it could be a problem. That said, other people feel differently and that’s fine. Seems like adding an opt-out (or even forced choice upon activating for new users) would be a good option.


I’m fine with my data being used for general, informative purposes (an infographic is definitely ok), as long as it’s anonymous. I’m not okay with my transaction data being used to target me with financial products (credit cards, loans, overdraft etc.), so if this is part of your plans for the future I’d love a toggle to opt out from that.


I’m personally fine with this use of my data, even in a slightly more identifying form (based on demographic, etc.).

However, I would expect the option to remove myself from the statistics entirely, even for stats anonymized across the entire user base. I wouldn’t choose to opt-out, but I’d want to know that I could if I wanted.

1 Like

I can’t see any reason why this is would be an issue. I’ve long assumed that my spending data is aggregated by my bank in various ways to see how customers spend. My current bank knows a hell of a lot about me. I’ve been with them since I was 16. I have my mortgage with them, a credit card etc.

An option to opt-out is probably not unreasonable.

This is all great feedback, thanks to everyone (and keep it coming!)

We’ll review it and think about how to move forward. I would love to have a live data feed showing where people are spending (TransferWise do something similar on their homepage: but maybe we need to work on how this can happen without compromising privacy :slight_smile:

There should be an option to opt out of being included in this for sure.

One of the main arguments is that so called anonymous metadata isn’t really that anonymous.

To play devil’s advocate, when a company like Mondo starts getting access to how often we spend money at our weekly therapist, an odd visit to an abortion clinic, perhaps a coffee shop outside a sexual health clinic known for specialising in HIV, etc, things can get worrying and patterns for an individual emerge. With this kind of log on our spending and with linkability, we really have to consider how much trust we put in new start upstarts, especially with the brute force nature of GCHQ and their ‘collect all’ policy that as far as I’m aware is currently in place.

I trust Mondo now (I don’t know why!) but who knows if I will or can trust Mondo in 5 years time and new investors who may come in, the Privacy Policy clearly states our information may be disclosed to others if assets are sold. While I appreciate the transparency of the company with their Trello road map and periscope stream, I am sceptical since they think mass spending habits should be transparent too.

Yes, all other banks have access to this data, but I’ve never seen a bank so disgustingly and blantently wave spending habits and figures in my face. Very worrying. Since the Privacy Policy indicates user data is stored outside of the EEA, perhaps a nation where it is stored may enforce an order to reveal the information to a government or third party. With no solid encryption method in place, we may see a poor example of what happened with Edward Snowden and Lavabit email server, however where Lavabit was encrypted, user data couldn’t be handed over, but Mondo user data could be handed over quite easily since there is no robust encryption method meaning not even Mondo could access this. Very surprising Mondo are not following trends of other tech companies to ensure decent encryption, especially with such sensitive data.

Any thoughts on enabling some kind of PGP encryption between user and Mondo or differential privacy which is worth discussing?


More than happy to see data being used in this way. I’m a complete data nerd so love all this stuff!! :nerd: