Skip links

Users Can Take Back Their Data in A PDS Without Sacrificing Their Privacy

The market for Personal Data Stores is growing. Personal Data Stores are technologies which share the ambition of letting users remain in control of their own data. But not all of them are likely to succeed in the privacy-preserving quest. Some are challenged by their underlying business model, others by their organisational setup. However, a sweet spot exists, where Personal Data Stores – the ones we are rooting for – are likely to be able to scale up without sacrificing their ideals. That’s our take on how to make sense of this vital part of our digital future.

Fuelled by big tech’s exploitation of user’s personal data, a new and hugely exiting breed of privacy-preserving technologies has emerged: Personal Data Stores. They comes with the promise of empowering the users to reclaim control of their digital lives.

Naturally, not all Personal Data Stores (hereafter just “PDS’”) are the same. Some focus on storage of data, like extended cloud services. Others on cryptography and on how to make secure computation possible. Others again on utilising data for valuable services to users.

Full Disclosure: This analysis is written from our vantage points as professionals embedded in the space ourselves. You might disagree with how we portray individual PDS’ and you most certainly should question how we treat the PDS’ (polypoly and Data for Good) with which we are personally involved. Jon is an affiliated pro bono specialist with Data for Good Foundation, and during the research Jon was employed by polypoly Denmark. Pernille is pro bono in the advisory board of both polypoly and Data for Good Foundation. But nevertheless we hope the basic analysis of the forces at play have helped illuminate the PDS’ playing field, and draw attention to principles, which at least we find to be decisive for the future development of our digital world.

But there’s an important aspect on which the PDS’ differ: Their ability to ensure users the privacy offered by the PDS will be respected not only now, but also in the future. Making great solutions today isn’t necessarily a guarantee the solution is also great tomorrow. Read on to learn how and why this is.

First Overview of PDS Market
We’re building this analysis on the Personal Data Store Survey we conducted during the summer of 2021 (for full survey results, click here). To the best of our knowledge, the survey represented the first publicly available overview of PDS solutions (see table 1).

The survey is, however, fra from perfect: Only 13 out of 28 identified PDS’ participated, and many more might exist. Also the results from the survey are nearly all based on pure self-descriptions from the participating PDS’, which leaves a lot of leeway for misunderstandings or straight out false answers.

Virgin Market
When going through the results, what first stroke us, was how relatively small and immature most of the PDS’ seemed. The PDS’ which stood out to us as least mature was Onecub and Schluss, who don’t yet have a functioning app and, OwnYourData and Ethi, whose apps seemed only very basic. Also all of these PDS’ have raised modest levels of investments — they disclose themselves, that the combined investments and grants are all below 2 mil. USD.

In the other end of the maturity spectrum comes with investments of more than 30 mil. USD raised and Dataswift with 15 mil. USD raised. Both of them have functioning apps.

In between the mature and relatively immature PDS’ comes a middle category with Mydex, Polypoly, CitizenMe and Meeco. These PDS’ all reports having raised between 4 and 10 mil. USD each. They also all have functioning apps, however with varying degree of functionality (except Data for Good and Mydex, who seems to work through partners’ setups).

Most of the PDS’ choose not to disclose the number of users. Mydex says it serves more than 1.000.000 users through partners, CitizenMe 327.000 users, and had 100.000 users according to a January 2019 article by BBC.

You’re the Product
“If you’re not paying for a service, you’re not the customer – you’re the product being sold”. If this well-known saying is be taken as the standard by which to partly evaluate the privacy-friendliness of the PDS’, the outlook is bleak. In the Personal Data Store Survey only five of the 13 PDS identify direct payments from users among their revenue streams – and only two PDS’ – Ethi and Schluss – claims user payments to be the only revenue stream on which they rely. See figure 1.

Not that business models building on payment directly from the user is all good. If user payments is your only revenue stream, you might find it very hard to scale your service: To reach mass markets, price is often a determining factor. And “free” tends to outperform “paid” by large margins. As a result, PDS’ relying only on user payments risk that not a lot of people will ever benefit from it.

He who Pays the Piper, Calls the Tunes
A business model build on sales of data-products to third-parties, on the other hand, is, we would argue, the most potentially privacy-challenging position for a PDS to rely on. As figure 1 shows, seven PDS’ declare themselves to do exactly this – one of these,, marks sales of data-products as their only revenue stream.

This is not to say that a data-product sales powered PDS cannot be perfectly privacy-safe. Indeed, all the surveyed PDS’ adhere to various privacy-ethic principles, all claim they empower the user to manage consents to data usage, and all indicate users’ data is stored on servers legally within the realm of the EU, as the GDPR prescribes.

But as another saying goes, “he who pays the piper, calls the tunes” and we cannot escape the notion, that PDS’ relying on sales of data-products risk being drawn towards satisfying the needs of the paying customers, not users. At least if not other safeguards – as the organisational aspects touched upon below – are put in place.

BtB: Licensing and Consulting Marks Middle Road
Two more revenue streams were identified in the survey, both generating revenue from third-parties: licensing fees from usage of the PDS technology and payment for consulting services helping third parties to utilise PDS technology. These two revenue streams go hand in hand: Figure 1 shows how eight PDS’ claim to rely on both of these revenue streams; one PDS generates revenue from only one of the two.

Even though third-parties – not users – are the ones from whom revenue flows, technology and consulting business models don’t evolve around user data. Therefore they are not potentially as malign as the data sales business model. In terms of incentives to compromise user privacy, the licensing- and consulting revenue-streams therefore falls in between the sales of data products and user-payments business models.

Ranking PDS from a Privacy-business Model Perspective
Combining the above considerations into a prioritisation of which PDS’ have the most privacy friendly underlying business model produces figure 2.

To us, the PDS’ with the most privacy friendly business models are thus Schluss and Ethi, which relies solely on users paying for the service, and we thus take for granted that data is not used to capitalize on in any way. They are followed by with its combined user payments and sales of technology licensing and consulting business model.

Mydex, OneCub and Meeco, who are based solely on sales of technology licensing and consulting are in a middle category together with and Livescope Labs, who subscribes to all available business modesl, balancing them all nicely out. Also the middel category consists of Dataswift, CitizenMe and Polypoly. On top of technology licensing and
consultancy, these three PDS’ also subscribe to sales of data products, which puts them structurally a bit lower than the rest of the group.

Data for Good generates revenue from technology licensing and data products; a combination that sets them at a somewhat greater privacy risk. As we shall see in a minute, Data for Good employs a privacy-friendly technology and has erected solid governance structures, both of which serves to alleviate these dangers. marks the bottom of the prioritisation scheme with sales of data products as their only revenue source.

To Aggregate or not to Aggregate
Another way to assess the privacy-safeness of the data-product selling PDS’ is by looking at which kind of data, the PDS’ allow customers to buy access to. Here the main question is, if data is aggregated and anonymised before they are handed on, or are sold “as is”.

Aggregated and anonymised data sales are preferable from a privacy perspective, all other things being equal and if the anonymisations methods are of high quality.

Two PDS’ – CitizenMe and Data for Good Foundation – say they allow users to sell access only to aggregated and anonymised data. LifeScope Labs, Polypoly and OwnYourData states they let users sell access to both aggregated and anonymised data as well as data themselves, presumably in different data-products. Depending on how and on which terms the sales of non-anonymised data are done, this would indicate a somewhat lower level of privacy. The same goes for Mydex and DigiMe, which let the users sell access only to non-anonymised data. Also Schluss lets the users sell access to non-anonymised data.

From a privacy perspective, if data is to be shared, it thus should be done sharing aggregated and anonymised rather than raw data. However, it’s hard to conclude on the privacy offered by the PDS’ on this variable alone. This is because a main point of PDS’ is to enable the users to be in charge of their own data – including granting access to them to third-parties, if the users wishes to do so. To conclude whether privacy is endangered or not by letting the user sell access to raw data, the actual controls being offered to the user by the PDS needs to be assessed as well, a point not addressed in the Personal Data Store survey..

Who Controls how Data is Controlled?
One thing is how the PDS’ describe how they protect users personal data today. Another is how users personal data will actually be protected tomorrow. Or put in another way: What stops a PDS from turning what might today be a perfectly privacy-safe solution into a solution crudely selling on users data, without offering users the proper controls for this? Even the best intentioned PDS might encounter a change of strategy or leadership, which puts the PDS at odds with the privacy-terms the PDS originally offered the users. Without clarity on who’s controllling how data are controlled, any privacy-assessment is inherently fragile.

“One Person, one Vote” Safeguards Privacy
To shed light on this question, the Personal Data Store Survey asked the PDS’ to state how they’re organised. Three PDS’ declare themselves as Cooperatives – LifeScope, Polypoly and Schluss. Cooperatives are companies owned by the members, where profits are distributed to members only, and where members form the deciding body of the PDS – based not on number of shares, but on the one person-one vote principle. This is meant to ensure that cooperatively organised PDS’ will not make decisions which runs counter to the interest of the members. The cooperative organisation also theoretically minimises the risk of “hostile” takeovers, as a single entity trying to buy itself into the cooperative will only obtain one vote, no matter how much money it invests in the cooperative. A cooperative structure is therefore highly efficient as a privacy safeguarding organisational form.

Non-profits and Foundation-based are Runner-ups
Two PDS’ states themselves as non-profits – Data for Good Foundation and Like cooperatives, non-profits are shielded from hostile takeovers, but non-profits doesn’t secure the interest of users the way cooperatives do, as the users have no say in a potential sale of the PDS. Still, non-profits are also highly effective as privacy safeguarding organisational form.

A third category of PDS’ states that they’re for-profit foundation-based. Like cooperatives and non-profits, they therefore provide various safeguards against hostile take-over. This applies to DataSwift, Mydex and Onecub. While both DataSwift and Mydex are entirely bound by their foundations, Ondcub is a hybrid, one half being a cooperative, the other half a for-profit company. (A more precise characterisation of the foundations of these cooperatives are not carried out in the Personal Data Store Survey, so we cannot for now really differentiate between the three on this parameter.)

Five PDS’ Potentially for Sale
Finally five PDS’ are regular private, for-profit companies, which in their organisational form provide no safeguards against potential privacy-hostile takeovers and which, from a privacy perspective, is therefore the least assuring group of PDS’. These five are Ethi, Meeco,, Citizen.Me and

Ranking PDS from an Organisational Perspective
In figure 3 we ranked the PDS’ based on their business models. Now we can rank them also in terms of which of them has the most privacy friendly organisational. See figure 4.

Once again, Schluss places itself in the potentially most privacy-preserving group, the cooperative group – joined by LifeScope Labs and Polypoly.

The cooperatives are followed by the non-profits – DATA for GOOD foundation and – which again is followed by the foundation-based PDS’. In this group the dually organised ONECUB scores slightly lower than DataSwift and Mydex and the regular for-profits PDS’ Ethi, Meeco,, CitizenMe and last.

Organisation vs Business Model vs Investments
By considering both the business models and organisation/governance of the PDS’ it’s not possible for us to paint a more complete picture of which PDS’ have the most privacy-friendly long-term setup. This is what we do in figure 5.

In figure 5 we’ve added one more dimension: the investments and grants raised by the PDS’, a measure which we here take to serve as proxy of the maturity of the PDS’: The more investments and grants, the more mature – so the logic goes. Graphically this is indicated by the size of the bubbles of each PDS: PDS with more than 10 mil. USD in investments are depicted as large bubbles, those with 4-10 mil. USD in investments and grants as medium bubbles and those with less than 4 mil. USD in investments and grants as small bubbles.
The PDS’ situated in bottom left-hand corner of the diagram are the ones who poses the greatest potential privacy-risks, as these both rely on a business model of selling data-products, which are potentially in danger of being drawn towards privacy-stripping, and at the same time are regular for-profit companies, ripe for hostile take-overs. The risk is, that the PDS’ will eventually be bought by other parties for the purpose of profitting of the users data in non-privacy respecting ways.

Gravitational Force in Play
To make things worse, the bottom left-hand corner of figure 5 also is endowed with its own gravitational forces. CitizenMe, iGrant, Meeco and Ethi – and to a lesser degree Onecub are all potentially subjected to a pull towards the privacy-unstable lower left-hand corner, as illustrated in figure 6.

This goes for CitizenMe and iGrant: they don’t sell data products today, but their customers are business customers, and they might make the PDS’ an offer which could be hard to refuse.

By the same token MeeCo and Ethi might be tempted to start offering licensing and consulting services to business customers, and if this happens luring them into selling data products could be a next logical step. The distance from a user-paid service to sales of data-products is greater, and the pull of data-product profits therefore weaker, but the pull still exist. Also these PDS’ are in danger of being pressured into the lower left-hand corner.

The gravitational forces of the left-hand corner also applies to organisational forms: Every weakness in the bylaws of a foundation-based, non-profits and cooperative PDS’ will potentially lead to for-profit motives gaining strongholds vis-a-vis preserving the PDS’ privacy friendliness. Actually the strength of the limits imposed by the foundations bylaws and laid down in their legal structure is the one key factor which effectively can lessen the pull of the forces instituted in the lefthand corner of the diagram. This is why also ONECUB potentially experiences the pull.

In this way “gravitational forces” will over time attempt to drag PDS’ in the surrounding areas closer and closer to the “for profit”/“sales of data-products” position.

Unstable Zone
Another kind of dynamics affects Ethi and Schluss in the top section of the diagram. This dynamic doesn’t pull the PDS to any corner. On the contrary it pushes them downward.

The top of the diagram is thus an inherently unstable zone, and the PDS’ there, which relies on users paying for the service, are constantly tempted to find other ways to grow and make money. When users are given the choice between free and paid services, free services usually draws by far the largest number of customers. Unless the users face direct and instant gratification for actually paying for using a service, most users tend to go for a free alternative, if one exists.

The “paid for by users-only” PDS’ will be pushed downwards towards other kinds of revenue-streams in order to maintain themselves. If possible, they’ll be gently pressured towards adopting eg. licensing and consulting businesses as well.

(If they should resist the push, the “paid for by users”-PDS’ will most likely find themselves with no user growth and no traction, and thus with a limited ability to acquire the position as a market leading solutions, addressing and effectively solving the privacy-issues of our time.)

Privacy Sweet Spot
As an effect of the two dynamics pushing and pulling the PDS’, the space in the lower right-hand part of the figure is the place, in which the privacy—intentions of the PDS is left untouched: The business model is suited to draw a significant revenue, if well executed, and the organisational safeguards are in place to protect the PDS’ from corrupting their privacy pledges. This is the “Privacy Sweet Spot” of the model – occupied in order of maturity by Dataswift, Data for Good Foundation, Polypoly, Mydex – and the nascent OwnYourData and Lifescope Labs.

In this article we’ve laid out our analysis of the Personal Data Store space. It’s a space still in it’s infancy, but already key traits have emerged. Some PDS’ will likely grow and while some of these are poised for privacy-sell out in the process others will succeed in safeguarding the privacy positions of their users.

Go to the landing page of the Personal Data Store Survey 2021