Instead, I asked privacy insiders and advocates to help identify the types of companies that had given themselves access to my swipe for purposes unrelated to payment and fraud prevention. "Where does it end? Nobody really knows," says Ted Rossman, an analyst at the CreditCards.com comparison site.
I pored over the privacy policies of these companies. Then I asked more than two dozen of them to be specific about what they actually do with our transactions. What data do they share and with whom?
Some did not answer. Others sent me to a Bermuda triangle of legalese where few straight answers escaped. In 201
What I learned: The card data business is booming, serving advertisers, investors, and retailers and banks that want to encourage more spending. And there are many ways a card swipe can be exploited that don't always require a transaction to be "sold" or "shared" in a way that fully identifies you. Data can be aggregated, anonymized, hashed or pseudonymized (renamed), or used to target you without ever technically changing hands.
What is the damage? We are legally protected from fraudulent charges and unfair lending. But usage patterns can reveal a lot, possibly enough to blackmail you. Each time data goes to new hands, there is a new chance that it may be stolen. (Witness: Equifax.)
And card data certainly helps businesses, but can put consumers at a relative disadvantage.
"The more they know about you, the more opportunities there are for manipulation," said Chris Hoofnagle, a law and information professor at the University of California, Berkeley.
Data can be used to model behavior, such as finding out exactly how many price rises or horrific experiences customers will put up with before they leave.
People may have different views on whether it is worth trading their data for airline or cash-back rewards. But how do we make informed decisions when we don't know where our data is going?
So who all can track, mine or share your transactions? Where does the Apple Card help? Let's uncover the six companies that sold me out. It's bananas.
1. The bank
When I swiped my cards, the banks of course received my data. What is surprising is who they can share it with. My data helped identify me to Chase's marketing partners, who sent me spam. Some was even fed to retail giant Amazon because its brand was on my card.
Banks have long been required to report suspicious transactions to the government. But the 1999 Gramm-Leach-Bliley Act also allows banks to share personally identifiable data with companies. They just need to send a privacy notice and give you the right to opt out. (More on opting out below.)
For the Visa card I used, Chase's privacy statement reserves the right to share my data for seven different reasons. The most appalling category is: "For unaffiliated companies to promote you." Who are "unaffiliated companies"? Whoever the bank darn well pleases. The term only means a company not owned by Chase.
Chase would not tell me the specific data it shared from my card or the companies it shared it with. Instead, spokeswoman Patricia Wexler listed the types of data Chase does not share, including "personalized transaction level data." But that leaves room for many uses. For example, Chase chooses who receives offers from affiliate companies based on our consumer habits.
This is where the Apple Card is different. In the Goldman Sachs privacy statement, the answers to most types of sharing are "no." Goldman continues to share information with credit bureaus on whether you pay your bills. But it says it does not provide transactions to marketers or to a sister company that mines card data.
Co-branded card partners also get part of the action. Of course, Amazon receives data when you buy things on Amazon with the card.
What about other purchases? Chase says it shares information with co-brand partners "only at a high level – not specific details about which merchant and non-specific goods purchased", but Wexler declined to be specific. Amazon would also not say exactly what it receives. (Amazon CEO Jeff Bezos owns The Washington Post.)
As a co-branded partner, Apple says it cannot access data about your transactions outside of Apple. Details of your purchases, visible in the Wallet app, are encrypted so Apple can't see them.
2. Card Network
This is where Apple's advantage begins to fade. When my banana purchase passed on to the card networks run by Visa and Mastercard, both may have shared it – in anonymous form – with companies ranging from travel agencies to Google.
in collecting purchases and selling them as "data insights". Visa said it allows customers to see data on populations as small as 50 people, often tied to groups with zip codes. Mastercard would not reveal its smallest group size.
One Mastercard program is of particular interest to privacy advocates. Bloomberg has reported that data from millions of Mastercards – now probably including Apple Cards – ends up helping Google track retail sales.
Data goes into a double-blind system that allows the online giant to link ads people have seen back to purchases they have made in the real world. A person familiar with the matter, who was not authorized to speak about it, confirmed the agreement to me.
The companies would not acknowledge the specific program, but emphasized that Mastercard scrubs identifiable information. Mastercard spokesman Jim Issokson says: "Mastercard does not share data or insights for measuring ads to any of the tech giants."
Google spokeswoman Anaik von der Weid says: "We have developed advanced, privacy-protecting technology in this area, just to avoid sharing personal information."
3. The Store
To Target, my credit card worked as a kind of ID – each swipe helped build a "guest profile" about me. It is useful for learning my habits, targeting me with Facebook ads and sharing information about me with others. It didn't matter if I paid with the Chase Visa or the Apple Card.
Who are these companies: Marketers? Data Brokers? Other dealers? Target spokeswoman Jenna Reck wouldn't say.
What specifically does Target share? It "varies," Reck says, but adds "we provide unified, unidentified information whenever possible."
4. Outlets and Retail Banks
The technology that helps stores track us often comes from card swipers and the commercial banks that process transactions for them. These companies have access to your name, card number and other details, and often reserve the right to share data in one form or another. What do they do with it?
This is where the data trail becomes particularly cloudy. Target would not say who its so-called acquiring bank is or what restrictions it places on that bank.
Target would also not say what data restrictions it places on the company that makes its swipe terminals, VeriFone. This company did not respond to my emails.
An experience you may have had at a coffee shop shows what's possible. Swipe your card and the terminal already knows the phone number or email to send a receipt to?
This is because the system has linked your card to a profile, and you have voluntarily provided those details before.
Square, a manufacturer of these systems, says it does not "sell" this data. But it passes the emails or phone numbers we provide for receipts back to sellers. And it shares aggregate data on purchases with organizations including trade groups.
5. Mobile Wallets
I paid for my bananas with physical cards, but smartphone payment systems introduce even more transactions. Apps can access and store not only what you buy, but also where you go.
Google Pay for Android saves transactions to your Google Account. Google says it doesn't allow advertisers to target you based on this data. But Google Pay's default privacy settings, which you can adjust, give it the right to use your personal information to allow Google companies to market to you.
The Samsung Pay app has details of the last 20 transactions, although the company says the information is not stored on the servers. The app also delivers location-based campaigns.
Apple states that it does not retain transaction information "that can be linked to you" when using Apple Pay.
6. Financial Apps
Many free financial services actually track your data. Intuit's Mint, which lets you track all your accounts in one place, uses your data to market to you in its app. Financial software maker Yodlee sells customer-identified data to market research firms, traders and investors.
Your email address can also be a mole. Each time you receive a receipt in Gmail, Google adds it to a purchase database. Google says it doesn't use the content of Gmail to target ads, but that leaves other uses open.
If you care about privacy, there are steps you can take to better protect your life as a consumer – but it's a patchwork.
Maybe that goes without saying, but you can pay with cash. It doesn't help if you swipe a loyalty card … or once businesses start using face recognition.
I plan to continue using the Apple Card, though the rewards are not as good as other cards. Goldman's contracts protect you from a certain amount of bank surveillance capitalism. The Apple Card also doesn't work with curious apps like Mint – you have to access your account information through the app on your iPhone.
But I'm disappointed that Apple didn't build new types of privacy technologies to counter all the other categories of companies that use every swipe. For example, the card offered by a startup called Privacy uses a different number for each (online only) transaction, so you can't be as easily tracked.
By law, credit card companies give us ways to opt out of some of their data sharing, although sharing with other financial institutions and joint marketing partners is usually excluded. Chase and American Express have online forms you can fill out.
Through online forms you can also opt out of data sharing programs with Visa and Mastercard. (Everyone who has an Apple Card will need to do this to enhance privacy.)
Even some stores offer opt-outs. In the US, Target says customers can call 800-440-0680 and ask to be removed from having their personal information shared for marketing.
Many of these companies say giving us these "choices" is sufficient. It's nonsense. With data, the devil is in the defaults – companies know that a vanishingly small number of people will ever adjust the settings. And how can we make a choice if we don't even know what happens to our data?
The recent headlines on Facebook and Equifax opened many more eyes to how privacy affects our lives in unforeseen ways. Other businesses should take it as a warning: Data is the new corporate social responsibility.
If a company wants our trust, it is no longer good enough to say "we care about your privacy" and point to some legalese. It's time to come clean.