When you sign up for a digital service that asks you to sign a long terms-of-service agreement, chances are that company is going to be sharing your data with third parties. But what data is being shared with whom, and why, is often shrouded in secrecy–or at least confusing design, legalese, and hard-to-find disclosures.

A new tree diagram created by the designer and researcher Rebecca Ricks charts out all the different third parties with whom the online payment company PayPal “may” share the data of users who live in Europe. Based on a spreadsheet the company posted online at the beginning of January 2018 in order to comply with the EU’s strict data privacy laws, the visualization breaks the many companies that receive customer data from PayPal into broad categories and details what data is being shared and why. In essence, it’s a list of PayPal’s European service vendors, all of whom are supposed to be using the data to perform services for PayPal.

Ricks’s visualization is a useful tool that should exist for every company that shares the personal data of its customers with third parties. “As consumers we don’t have transparency into how this system works,” Ricks says. “I think people don’t realize their data is shared with third parties. For me, a data viz is a really easy way for people to see what information is shared about them.”

The categories in Ricks’s visualization include “payment processors,” which mostly consists of global banks–logical entities to share data with, given the fact that you can transfer money from PayPal to many banks. Then there’s a category for “credit reference and fraud agencies,” which includes Russia’s National Credit Bureau. A third category consists of companies in “marketing and public relations,” including many email marketers, customer service surveyors, and companies that do targeted advertising, like Google and Linked In. PayPal shares data like name, date of birth, social security number, and even users’ pictures with a wide variety of services, including those that collect debt or validate a user’s identity–and even ones that run survey sweepstakes for the company.

In a statement to Co.Design, a spokesperson for PayPal says: “PayPal collects and uses personal information in order to process payments, manage risk, protect against fraud, and to market and advertise our services in accordance with PayPal’s privacy practices and user preferences. This is all set forth in our Privacy Policy. We go to great lengths to protect our customers’ personal information, and we do not share, sell, or rent personal data with unaffiliated third parties for their own marketing purposes.”

Some entries are ambiguous. Take Microsoft, under the “operational services” category. PayPal apparently supplies the tech company with an image of a customer–a photo or video–or their image from an identity document for the purposes of “facial image comparison for fraud protection” and “research and testing as to appropriateness of new products.” The former sounds like some kind of facial recognition system that PayPal uses to look for fraud. But the latter is uneasily broad. What kind of research is Microsoft doing using pictures of PayPal users’ faces? PayPal did not comment on this specific question.

By putting these revelations in the form of a data visualization, Ricks is trying to make it far easier for consumers to easily see how PayPal is spreading its data around to dozens of third parties. Even if a user might trust PayPal, it’s hard to know if all of these third parties are trustworthy or have any kind of data security. This practice of sharing personal data with third parties is common, and PayPal is just one example.