Address, phone number, credit card and all.
Oh wow. As someone who used to work in Fintech and who built a PCI-DSS compliant system got it successfully certified, it would be a shame if somebody reported that company for violations that could get them to lose their PCI-DSS certification. I mean, do they just bribe their PCI-DSS auditor to overlook this, or have they just managed to hide this blatant issue so far?
Sounds like you escaped a violent theocratic cult.
You didn’t sell the recovery tool, you sold the warm and fuzzy feeling that somebody was looking out for them.