The United States Securities and Exchange Commission has fined mobile analytics firm App Annie for $10 million alleging that the company engaged in deceptive practices about how its data was derived.

This fine comes with additional punishments for co-founder and former CEO Bertrand Schmitt. Schmitt has been fined an additional penalty of $300,000 and is prohibited from serving as an officer or director of a public company for three years.

Schmitt and App Annie agreed to pay these fines after the SEC accused the company of deceiving both app developers and customers about how app data was gathered, collected, and used.

App Annie provides "alternative data" (data not contained within companie’s financial statements or other disclosures) to customers, and has claimed for years that its data is generated by internal statistical models used to measure app performance.

From 2014 to 2018, that data had a little extra (and apparently untoward) spice added to it—non-aggregated and non-anonymized data provided to App Annie by different mobile developers. This was a two-way deception. The company told developers who provided user data to App Annie that said data would be anonymized and aggregated before analytics were presented to customers.

Customers in turn were told that the data they were analyzing was derived from App Annie’s statistical models and analysis. It was buoyed by that non-anonymized, non-aggregated data.

The SEC says this became a noxious brew of half-truths once trading firms began using this data to make investment decisions. "App Annie and Schmitt were aware that trading firm customers were making investment decisions based on App Annie’s estimates," the agency explained. "App Annie also shared ideas for how trading firms could use the estimates to trade ahead of upcoming earnings and announcements."

All of this malfeasance apparently violated the anti-fraud provisions of Section 10(b), Rule 10b-5, the Exchange Act.

App Annie and Schmitt not admitted to or denied the SEC’s accusation but are consenting to pay the $10 million penalty and abide by the agency’s cease-and-desist order. It will be interesting to see if other regulatory agencies take a closer look at the company, given that these allegations also cover the misuse of customer data.