Privacy Policy

Last updated: May 20, 2026

What we collect

When you sign up, we collect your email address and (optionally) a display name. When you connect a bank, we receive account balances, transactions, and credit-card metadata (APR, statement balance, minimum payment, due date) from Plaid on your behalf.

How we use it

We use this data exclusively to power features you see in-app: categorising transactions, building payoff plans, and showing balance trends. We do not sell your data, do not share it with advertisers, and do not use it to train AI models.

Third-party processors

• Plaid Inc. — bank connectivity. Plaid's privacy notice: plaid.com/legal.
• Supabase / AWS — encrypted Postgres storage and authentication.
• Stripe — payment processing for Pro subscriptions (we never see your card number).

Data retention

• Transactions and balances are kept for up to 7 years for tax / record-keeping purposes.
• Archived accounts inactive for 24 months are purged from active storage.
• Deleted accounts are hard-purged within 30 days, including backups.

Your rights

You can export your data, disconnect any bank, or delete your account entirely at any time from Settings → Danger Zone. Deletion immediately revokes Plaid access tokens and erases your rows from our database. Email privacy@cashflow.app for any other request under GDPR / CCPA.

Security

All traffic is TLS 1.2+. Plaid access tokens are stored encrypted at rest and only readable by server-side code. Row-level security ensures one user can never read another's data. We support optional two-factor authentication (TOTP) — turn it on at Settings → Security.

Contact

Questions? privacy@cashflow.app