No https? That's pretty bad. I would decline to hand over any sensitive information at all if I thought someone had lacked the basic sense to turn on encryption. It costs next to nothing, and is technically very simple, so there's no excuse at all. I wouldn't decline because I feared for the lack of security for the transaction in itself - my concern would be about my data once it's been handed over - if they can't be bothered to turn on https, how cavalier will they be with my data into the future? I think you are right to keep away in this case.