I agree. On all the implementations of Mixpanel that I've been involved in, I've made it a point to not send any PII to Mixpanel. It's not needed for Mixpanel analytics to work, Mixpanel is not a CRM, it does not need customer email and other details.

Companies use sub-processors all the time, OpenAI is no different. Unless you want to have everybody get a major case of NIH tomorrow (I wouldn't mind, then we can get rid of third party cookies and all advertising as well while we're at it).

Every time a google tag is included on a page a ton of sensitive data gets sent to another party than the one whose website you are visiting.

Whether it was wise or not for OpenAI to share this information with Mixpanel is another thing, personally I think they should not have but OpenAI in turn is also used by lots of companies and given their private data and so on.

This layercake of trust only needs on party to mess up for a breach to become reality. What I'm interested in is whether or not it was just OpenAI's data that was lifted or also other Mixpanel customers.

But why do they send email addresses instead of anonymous identifiers? To link data with data from other sources?

Mixpanel has "session replay" support: https://docs.mixpanel.com/docs/tracking-methods/sdks/javascr...

And it's easy to let things like names and emails slip through.