This seems like a pretty good reason to phone home with this data, but ... sending back urls WITH query params? It’s pretty common for sensitive data to be in query params, sometimes even things like bearer tokens. I can’t see how query params would be very useful for fraud detection, and sensitive data like this is something you really want to avoid collecting, IMO that’s low hanging fruit to remove.