Ask HN: Play Store removed our app, but allows WhatsApp
We are a FinTech startup in India. We give unserved people a credit card. To ensure recovery we collect user's contacts and use them to remind people of their bill if they don't pay. All of this is covered in our TnC, and we warn users of the actions we will take before we do so.
About two weeks ago, Google Play banned updates to our app from the Play Store citing this section of their Policy, here: https://play.google.com/about/privacy-security-deception/use...
We complied. This is how the screen looked before the change: https://imgur.com/a/o4Cvh7F
Here's how it looked after the change: https://imgur.com/a/gHP8BDR
We were approved after the change. However 3 days later, we were removed from the Play Store. So now no one can download our app, or update their app if they have a buggy outdated version.
Despite regular appeals, Google keeps redirecting us to the policy above.
Today I checked how WhatsApp handled user uploads, as it's the same thing we do; sync contacts on each launch(we don't sync when the app is not being used though). Here's how WhatsApp looks: https://vimeo.com/user112475576/review/406480240/9ca7c4e2c1
Can anyone help us with what should we do? With the COVID crisis our users are unable to depend on us for their daily spends. We're are the primary credit card for a lot of them, and not being able to service them now, is making us look bad. > we collect user's contacts and use them to remind people of their bill if they don't pay Are you saying you contact the user's contacts to try to get them to pressure the user to pay their bill? --- I read through your TOS and it looks like this is the relevant line: > In case of default or late payment, GalaxyCard reserves the right to use suitable means to collect dues including electronic and or physical communication to the debtor and the debtor's known contacts I think this is a digusting practice, and I am not surprised Google is blocking your app. This is nothing like what WhatsApp does - in fact I don't know of any service at all that does this. I can understand your dislike to the practice, however, this is something common among a lot of online lending businesses for people who are defaulting on purpose, without a reasonable cause. Here are a few examples: Z2P - Get Instant Loans, Borrow Money, Loan App Instant Personal Loan Online-MoneyWOW I’m sorry but this is still scummy. Good on Google for banning you. In the US, discussing financial issues with anyone other than the people on the account is HIGHLY illegal. There are very strict rules around who you can contact and what you are allowed to say. Legalities aside, so just because other companies have scummy practices makes it okay for you to? Yeah I am sick of this excuse. I have seen it a lot around privacy issues. People always say things like "everyone including google is doing it so its perfectly ethical to copy them". Yes. We first contact the user if they don't pay despite calls/emails/push notification/sms for 45 days. Then we warn them for 15 days that their contacts will be asked to remind them of the bill, as per the terms. Finally we contact the contacts. We do this to prevent having to file legal cases against the users as those can drag on for very long in India and are a pain for both parties Telling your customers' friends and family about their financial problems seems like a pretty terrible thing to do. Edit: And doing so in the hope that they shame or pressure your customers is awful. I agree with ccmcarey upthread: This is disgusting. Stop it. We do understand that some people may have a financial problem. When user's approach us and tell us that they are not paying due to such issues, we are more than happy to accommodate them in every possible way. One such example of that is that we told our users that we won't be charging them any late fee during the lockdown as we understand they have issues. We did this even before our government came up with such an option. Such issues? Accommodate them? What are you even saying, you purposefully cause those issues. People should contact you AFTER it happened to ask "please do not contact my contacts" or what? I suspect that kind of innovation is frowned upon by Google. It's not the same context as WhatsApp at all Here's what Google is telling us: Your app is uploading users' [Contact] information to [URL] without a prominent disclosure. Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use. I think that’s pretty clear. Google are telling you that you must explicitly outline what you’ll do with peoples contacts (i.e. you’ll harass them if the debtor does pay). Your current tick box doesn’t say that at all. They probably want you have a nice big tick box that says: “I agree for [company] to harass my phone contacts if I don’t repay” That might be part of your issue. You are solicitating their friend and familly as well as sharing with them financial information without their consent. Why such a weird practice and not simply consider repeated failed payment as a form of cancelation? Public-shaming people is not a socially acceptable solution to this problem "Can anyone help us with what should we do?" Stop using unethical practices. If you use your clients contacts to spam them, to put pressure on your client, then it seems obvious that you have been removed. And this is not the same as what WhatsApp does. Their method is not quite ethical as well, but your method is way below. > With the COVID crisis our users are unable to depend on us for their daily spends. If this is truly a humanitarian issue, then then disable the contact harvesting feature Did these contacts of the user give consent to be contacted? Your behaviour seems spammy. Also the Google page states the following "We don't allow unauthorized publishing or disclosure of people's non-public contacts. " Arguably contacting these people is disclosing they are in a user's contacts. You do seem to breaching Google's policy. I'm on Google's side here. In that sense, isn't Facebook showing people you may know, also disclosing to people that they are in my contact list? Contact book presence is but one input into that algorithm, which also incorporates friends of friends, friends of people who've logged in from the same IP, people who frequently interact with the same people/content. Its not directly "You might know Alice, we know because she has your number" Actually, I think that there's 2 different problems here: - first is compliance with Google's term. Obviously, you don't say that the USER's contact will be contacted when the USER bill is out of time and the USER doesn't pay... so your USER might not have understood that this will be the case. I think that you should be clearer about the consequences of allowing your app to access the USER contact list. - second, the morality of the app: obviously, some people in occidental (US / europe) countries might find the app principle awful... because we rely more on Justice than peer-to-peer social pressure. But it's more a cultural difference. If the principle is agreed between the people giving and receiving money... why not ? (I guess that the people giving the money is the one requiring the USER to download the app... Am I right ?) BTW: what happens if the people receving the money desinstall the app ? Or empty its contact list ? Or has no contact ? If I would like to trick your system, I would fill my contact list with garbage, get the money, spend it, then let you contact these garbage contact... Or do you require contacts to use your app too (forced "net effect") ? Anyway: nothing common with WhatsApp > If the principle is agreed between the people giving and receiving money... why not ? (I guess that the people giving the money is the one requiring the USER to download the app... Am I right I think your misunderstanding the model. You borrow money from this company using this app that harvests your contacts without explicitly stating why. If you don't repay the loan this company starts spamming and harassing your contacts forcing them to pressure you into repaying your loan. We do give a clear label before asking for user's contacts as to why we need your contacts. See here: https://imgur.com/a/gHP8BDR From the wording it's not at all clear that you plan to message their contacts telling them to remind the customer/victim about their outstanding loan. Furthermore, do you get the consent of the people in their contact list in the first place? I am curious. As a thought experiment, how else can having the contacts of your friend and family be use to remind you of your bills, without contacting them to remind you? Personally I can see no other way to read it. I’m sorry but their warning really is not very clear. They write: “I understand that my contacts will be uploaded and saved on GalaxyCard, and that they will be used to calculate my eligibility and remind me of my bills.” Note the use of ‘remind me of my bills’ at the end of that sentence. If this company truly wanted to be clear, they could have written that: “I understand that my contacts will be uploaded and saved to GalaxyCard, where they will be used for two major reasons. First, they will be used to verify that I am eligible for this service. Second, if I am late to pay my bills, I understand that GalaxyCard will contact my contacts to tell them that I have not paid my bills.” That is significantly more clear as it specifically states they will contact your contacts if you are late. Or they will contact them to look for you... like every debt collection service in the world. That you aren’t paying your bills, might be inferred by your friends but they aren’t forced to come right out and say you are delinquent from the get go. https://news.ycombinator.com/item?id=22840880 They pointed to another app that does this as an example of what they do. The reviews from that app indicate that coming out and saying they are delinquent is exactly what they do. Here’s how OP describes their collection process: “We first contact the user if they don't pay despite calls/emails/push notification/sms for 45 days. Then we warn them for 15 days that their contacts will be asked to remind them of the bill, as per the terms. Finally we contact the contacts.“ This company specifically contacts the contacts to remind the delinquent person of their bill. I don’t think that warning is very good in light of this practice. Do you? Considering that, I would concede that they could have spent a sentence or two more detailing what they intend to do, instead of burying it in a contract. - We added a checkbox which reads out everything about how the contacts will be contacted, after Google first asked us. The user is required to check the checkbox before he can even get the permission dialog to give the permission. - You are right. We are not doing something out the jurisdiction. The contacts notified are the ones who have agreed to be sent "promotional" messages. So we don't spam these people. We are also working on something to make the loans a "group" loan that will make it a requirement for other people to be "fiscally" responsible for your unpaid loan We run an algorithm which tries to ascertain that the contacts list is not fake/empty. Uninstalling the app would only prevent us from getting new contacts, and ability to notify you of your pending bills via push notification. The commonality I was referring to is not having a "Checkbox" before uploading contacts as is required by Play Store. Reading the reviews of the similar apps OP mentioned, I don't even think the users are aware of the implications. > To ensure recovery we collect user's contacts and use them to remind people of their bill if they don't pay. Could you explain this sentence in more detail please. I should add, this is a common practice for low ticket, high risk loans in the FinTech lending space in India Can you find an example of another app doing this? Here's one that gave us the idea to do this: https://play.google.com/store/apps/details?id=com.wbt.royal Look at the reviews: > This app so far was good. Recently I has got worse. I had my dues 2days back .and they keep calling, I know it's their job but they should understand the current situation going on because of lock down. Even worse they are threatening to call all the people from my contacts lists. I don't evenknow how they got the all the contact lists. > Dont install . One of the worst app Kindly dont ever try One of the harassing app My due date was 26mar due to lock down I was unable to pay I had inform then they started texting to my whatsApp contacts.. > One of the worst app Kindly dont ever try One of the harassing app My due date was 14 mar due to some problems I was unable to pay I had inform them On 15 th they started texting to my whatsApp contacts > Worst service i have taken 6times loan everytime i paid on time but this time 2day late, they hacked my contacts and start sending the sms and create problem for me --- Do not do this. We first contact the user if they don't pay despite calls/emails/push notification/sms for 45 days. Then we warn them for 15 days that their contacts will be asked to remind them of the bill, as per the terms. Finally we contact the contacts. We do this to prevent having to file legal cases against the users as those can drag on for very long in India and are a pain for both parties So it's basically blackmail? If you don't pay we will let your family and friends know? Cause the whole reminder thing sounds like a thin veil covering that, seeing as you remind them already. It's not about the reminder. Social pressure is actually a big part of the success of microcredit initiatives. In many ways it mirrors arrangements that were common in the now-developed world at the time of the industrial revolution (i.e. your social circle would likely know about your outstanding debts, because anyone’s entire world was very restricted). I wonder if this is a case of “internet friction”: Indian people would see no problem with such a behaviour, but one “western” person would be horrified (because this part of the world has largely moved on from those practices). In France for example, such a practice is totally illegal and you would have serious issues with justice if you tried to apply this policy.
But most of all, and more broaldly, in Europe your app would be shamed publicly in media and no one would use it. I am not sure this is illegal in France. The fact that you share someone's contact means that you checked with them that this is ok. It is your (the one who shares) duty to do the check. So it may not fall into the unsolicited mail clause. This is of course independent on the fact that this is a despicable practice. When you collect contacts, shouldn't you state the purpose of the communication? If so, I would assume most of the contacts in the address book never consented to being contacted about the non-payment of the bill. So European citizens can't use the app legally. Yes, but you can always get back to them and ask for permission. The point I am trying to make is that the person who is sharing the information takes the responsibility, not the application (which uses it as advertized, at least according to the quotes here as I did not read the tos myself). I am almost sure (I must admit I am a bit too lazy to search more deeply :-) ) that the new European regulation about data privacy makes it impossible.
I have a cousin who his lawyer. I ll ask him tomorrow and get back here to tell you (just for curiosity... this is an interesting question) Thank you, I would be very interested. I will also ask our DPO when back from "vacation". I mildly participated in the preparations for GDPR in my (large) company and the sharing of third party personal data was one of the points. It was a few years back so my memory may be at fault here. T'es Français ? Oué :) Moi aussi j'ai bossé sur la RGPD pour mon ancienne boite (grosse boite industrielle) et j'ai cru mourir :-) Je suis manager dans l'IT. Le gros moment de solitude quand tu réalises qu'au niveau de tes outils, produits, méthodes, voire même de tes objectifs, rien n'est GDPR-compliant, ni de près ni de loin... ^^ Something sure is that when they (OP app) starts sending mail or SMS to user contact to shame him/her, it will definitely be unsolicited mail/sms. Imagine you have a friend in debt and start receiving such notices ? They’re collecting private information on you (your name, your phone number or your email) without your consent. IANAL but I’m pretty confident it falls under GDPR. (Sans parler du fait que les mecs qui font ça sont quand même une belle bande d’enfoirés) Except if the app user went to their contacts to ask them for authorization, as they should do under EU law. If they do not, they are to blame because they willingly shared the contacts. The app used them per their tos. (et oui, je suis d'accord que c'est un vrai dick move, aparamment c'est une pratique courante en Inde pour ce genre d'apps) Whatsapp surely doesn't contact anyones contacts to collect bills or harass people in other ways. The contacts have not agreed to be spammed for these purposes. Therefore it is understandable Google doesn't want you in their store, since these contacts are quite likely to be other google Android users and Google has an interest in protecting their user experience. I would suggest you remove this 'feature' and use a debt collecting agency instead. The reason they give is i think irrelevant. They keep using the same reason which means they don't want to spend anymore time on you. Maybe you could pay for a google consultant to have your app become compliant again. I can understand that the specificity of the Indian market can prompt this kind of policy. We, Westerners, would not like it for cultural reasons but we do not have to deal with the Indian reality... However your issue inspires me 2 thoughts: - On strict business perspective, if your business model and your economic success rely on the ability to apply this policy, your business model has a problem. - Google and Apple cannot cope with national specificities and their own policies are driven by western ethics and business logic. Do not expect it changes soon... Maybe you should instead contract with;
- a bank that accepts to insure your income even if your are not paid.
- and a third party company in charge of recovery > Limit your collection and use of this data to purposes directly related to providing and improving the features of the app (e.g. user anticipated functionality that is documented and promoted in the app's description). This is section seems relevant. It could be argued that whatsapp's use of a user's contacts is related to directly improving the user experience and functionality of the application itself by adding those of your contacts that have whatsapp installed. Your usecase is not directly related to the functionality of the application. When giving loans, we have something called references, who are people the lender can request to get the loans repaid. We are using the user's contacts in the same way. A reference without their prior consent though, apart from the obvious unethical issues with doing something like this I can't see how it can possibly be legally binding if the referee had no say in the matter or signed any contracts? Well, this is obviously a different use case for what Whatsapp uses the contact list for. I really do not like Whatsapp's harvesting, but I can easily see why Google can make different calls on your app and Whatsapp. Especially since what you do could be construed as blackmail. Google isn't citing the use case as issue: This is what they told us as the reason: Your app is uploading users' [Contact] information to [URL] without a prominent disclosure. Prior to the collection and transmission, it must prominently highlight how the user data will be used, describe the type of data being collected and have the user provide affirmative consent for such use. See there's the problem. Harassing other people that are not responsible for your client debt. So you contact people's friends, family, colleagues, and random contacts saying: "This person you know is too poor to pay their credit card bill, can you pressure them into paying it?" Damn. That's a new level of crazy. These people are not poor. They assume that since it's an app they taking money from, they can simply refuse to pay. We can, and do, go for the legal route, but it's much much more painful for the user, and for us, even if we want to settle it once a case is filed. Dude you LOST, you and India's laws are morally bankrupt about it, you are NOT heroic! You claim that your customers are not poor but by definition you stupid lending app is praying in the poor and low IQ people to make you money. STOP Not solutions, but two potential workarounds. Is it possible to open source the app itself and then distribute via F-Droid?[1] Can you provide your customers with a direct apk download? Although, you will then need to educate your customers about the "scarey" warnings about doing so. I do not have Google Play Store installed on my phone and it is an annoyance when app developers do not provide a direct apk download. Initially, from an ease of update point of view, I guess neither option is quite as convenient as the Play Store. However, once you've broken your reliance on Google to distribute your application, you'll never have to deal with such a situation again. We are giving the APK as an option to people who are reaching out on support about bugs. But most people don't have the know how of how to enable installing from unknown sources I hope to god fdroid does not allow this. They will probably newer open source their build app and let fdroid build it anyway. It's a scummy business and even if its fully legal under the text of the law, you should be ashamed of your tactics and business model. You'll get no sympathy if a private business will remove you from their store. Holy false equivalence Batman! First, afaik WhatsApp doesn't store your contacts but checks if they're available on WhatsApp. Second, it most definitely doesn't contact them. I'm from India and your service seems unethical to me. Good job by Google banning you. Period. This has got to be one of the scummiest business models I’ve seen in ages. Do not do this. This is what worries me about building on these platforms they giveth and taketh at will