Privacy Policy

1. Information We Collect

Personal Information

• Account Information: Name, email address, password (encrypted)
• Financial Assessment Data: Income, expenses, assets, debts, financial goals
• Subscription Information: Payment details, subscription status, billing history
• Communication Data: Support requests, feedback submissions, correspondence

Technical Information

• Usage Data: Pages visited, features used, time spent on platform
• Device Information: IP address, browser type, operating system, device identifiers
• Cookies and Analytics: Session data, performance metrics, user preferences

2. How We Use Your Information

• Service Delivery: Calculate financial scores, generate assessments, track goals
• AI-Powered Features: Generate personalized financial advice (premium users only)
• Account Management: Authentication, subscription management, customer support
• Communication: Service updates, security notifications, marketing (with consent)
• Improvement: Platform optimization, feature development, fraud prevention
• Legal Compliance: Regulatory requirements, law enforcement requests

3. Legal Basis for Processing (GDPR)

• Contract Performance: Providing financial assessment and premium services
• Consent: Marketing communications, optional features, document processing
• Legitimate Interests: Fraud prevention, service improvement, security
• Legal Obligations: Financial regulations, anti-money laundering, tax reporting

4. Information Sharing and Disclosure

Service Providers

• OpenAI: AI-powered advice generation for premium users (anonymized data)
• Stripe: Payment processing and subscription management
• Email Services: Transactional and marketing communications
• Analytics: Usage analytics and performance monitoring

Legal Requirements

• Court orders and legal process
• Law enforcement investigations
• Financial regulatory compliance
• Fraud prevention and security

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity with appropriate notice.

5. Data Retention

• Active Accounts: Personal data retained while account is active and for legitimate business purposes
• Deleted Accounts: Most data deleted immediately, some data retained up to 12 months for legal/fraud prevention
• Payment Data: Retained as required by payment processors and financial regulations
• Legal Hold: Data may be retained longer if subject to legal proceedings

6. Your Rights and Choices

Access and Control

• Access: Request copies of your personal information
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal information
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Limit how we process your information
• Objection: Object to processing based on legitimate interests

Marketing and Communications

• Opt-out of marketing emails via unsubscribe links
• Manage communication preferences in account settings
• Essential service communications cannot be disabled

Account Deletion

You may delete your account at any time through your profile settings. Account deletion is permanent and cannot be undone.

7. International Data Transfers

We primarily operate from the United States. For users in the UK and European Union:

• Adequacy Decisions: We rely on adequacy decisions where available
• Standard Contractual Clauses: We use SCCs for transfers lacking adequacy decisions
• Safeguards: All transfers include appropriate technical and organizational safeguards
• Rights: EU/UK residents retain all data protection rights regardless of transfer location

8. Security Measures

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest using AES-256-GCM authenticated encryption
  • Personal information (names, dates of birth), financial data (income, assets, debts, expenses), payment identifiers, and goal details are all encrypted at the application level before being written to the database
  • Each encrypted value uses a unique random nonce, so identical data produces different ciphertext
  • Encryption keys are managed separately from encrypted data and are never stored in the database
• Access Controls: Role-based access, multi-factor authentication for staff
• Monitoring: Continuous security monitoring and threat detection
• Audits: Regular security assessments and penetration testing
• Incident Response: Documented breach notification procedures

9. Children's Privacy

Our services are not intended for individuals under 13 years of age (16 in the EU). We do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information immediately.

10. California Consumer Privacy Act (CCPA)

California Residents' Rights

• Know: Categories and specific pieces of personal information collected
• Delete: Request deletion of personal information
• Opt-Out: Opt-out of sale of personal information (we do not sell personal information)
• Non-Discrimination: Equal service regardless of privacy choices

Categories of Information Collected

• Identifiers (name, email, IP address)
• Financial information (income, expenses, assets)
• Internet activity (usage patterns, preferences)
• Professional information (employment details)

11. Updates to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

• Email notification to registered users
• Prominent notice on our website
• In-app notifications for significant changes

Continued use of our services after policy updates constitutes acceptance of the revised terms.

12. Contact Information