How a popular privacy app plans to turn a buck

Privacy app Jumbo presents a startling contrast to the maze of privacy controls presented by companies like Facebook, Twitter and Google. After connecting one of these accounts to Jumbo, it's all reduced to a series of simple choices. Founder Pierre Valade said it took him about an hour to understand and modify his privacy settings in Facebook, a process that Jumbo boils down to a few seconds.

"It's impossible for people to manage their own privacy. It's too complex and too time-consuming," said Valade, whose previous startup was a calendar app called Sunrise, which sold to Microsoft in 2015 for about $100 million.

Since launching last April, Jumbo has accrued more than 50,000 users. Now the privacy-fixated company needs to figure out how to make money.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

In early March, Jumbo is planning to launch a premium version of the app that will help users navigate other hairy facets of staying private online. Valade said the service likely will be pay-what-you-want, with a $3 per month minimum.

But the challenges of running the privacy-friendly tool go deeper than convincing users to pay for premium services. Tech giants have little incentive to make it easier for users to opt out of data collection policies, and none has provided Jumbo with an API that would make integration simple. Additionally, Jumbo has made a point of collecting as little user information as possible, which means that all actions take place on the device and no data is sent back to Jumbo servers.

"It's hard from a technical standpoint … it's kind of like complexity squared," Valade said.

What's coming soon

Since launching the free suite last year, Jumbo has added tools designed to keep people engaged with the app, instead of treating it like a one-time service. For example, the app will check security databases to alert users if any of their accounts have been compromised in a data breach. It will also notify users if they haven't set up two-factor authentication on accounts where it's an option.

For the premium version launching soon, Valade said the app likely will add support for Instagram, Reddit and a few other popular apps, block hundreds of ad trackers that follow users as they browse the web, and let users add an additional Google account to the service. Jumbo is also developing features that would let users delete their profiles on dating apps like Hinge, Tinder and Bumble.

Jumbo is also planning to add a service in 2020 targeted to small businesses, with a price of around $9 per month. That version will include privacy and security features primarily for enterprise tools, such as Slack, Salesforce, Mailchimp, Office 365, Github and Dropbox.

The most ambitious offering under development is the ability for users to send requests to companies to delete their data or stop selling it to third parties — rights granted to EU and California consumers under the General Data Protection Regulation and the California Consumer Privacy Act. Jumbo has been testing a feature that can send out those requests on behalf of users to a long list of services, including genetic testing companies and hotel chains.

So far, of the dozens of companies Jumbo has contacted in testing this feature, none has been cooperative. As of the end of January, no company had complied with the several hundred data requests sent as part of Jumbo's tests. Many responded with emails saying that Jumbo can't make the requests on behalf of its users.

"They're pushing back and saying that users should have to do it themselves, which is not the spirit of the law," he said. "We're doing something really innovative and companies are not ready for it — in general, they're not ready for CCPA or GDPR."

Depending on how companies react, the feature might be introduced after the premium version is made available in a few weeks. Jumbo is considering making a public dashboard highlighting how certain companies reply to the data requests in an effort to put pressure on them to comply, Valade said.

A more private company

It's not the first time Jumbo has run into problems with tech companies, Valade said: A couple of weeks after Jumbo's launch, Facebook complained about the app using people's Facebook credentials to log into their accounts.

Twitter and Google didn't respond to requests for comment; Facebook declined to comment on the record.

"We spent a lot of time explaining to them that we never have access to users' Facebook information — it's never sent back to our servers or anything," he said. "Maybe they didn't know or didn't look, but from our perspective the security is amazing."

Jumbo doesn't collect, store or process user data — anything done in the app takes place on the user's phone rather than on company servers, Valade said. Instead of asking for an email address, Jumbo communicates with its users through push notifications using a serial number token generated by Apple or Android that is unique to your phone and doesn't require the company to collect any personally identifiable information.

Not collecting user data has benefits beyond creating trust with its customers. For example, Jumbo doesn't need to own or operate servers to process data. It also limits the risk of cyberattacks and other data breaches, said Brian Kint, a privacy attorney with the law firm Cozen O'Connor. "If there's ever a breach of their systems, you can't lose what you don't have," he said.

But there are drawbacks. Because Jumbo doesn't collect location data or other personal details, it has only a vague sense of where its users are, which makes it more difficult to do marketing and tailor the service to user needs. Valade guesses that about half of its users are in the U.S. and half are elsewhere because about 50% of people who download the app have their phones set to English.

"They could be living in Mexico or Brazil and have their phone in English," he said. "We just don't know."

And for the business Valade wants to build, he's OK not knowing.

"We want to prove that people are willing to pay for privacy, so there's more incentive for companies like us to be built," he said. "For us, a subscription model is the only way we can align our incentives with our users."