Privacy Policy
Last updated: December 2024
1. Introduction
SpendStory ("we," "our," or "us") is an AI-powered spending analysis service that generates personalized, humorous stories about your financial habits. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service.
2. Information We Collect
Account Information
When you create an account, we collect your email address. We use passwordless authentication, so we do not store passwords.
Banking Data via Plaid
When you connect your bank account through Plaid, we receive read-only access to:
- Transaction history (amounts, dates, merchant names, categories)
- Account information (account name, type, last 4 digits)
- Institution name and identifier
We cannot move money, make transactions, or access your account credentials. Plaid access tokens are encrypted using AES encryption before storage.
Payment Information
Payment processing is handled by Stripe. We do not store your credit card details. We retain Stripe session identifiers and purchase amounts for record-keeping.
Usage Data
We use Google Analytics to collect anonymized usage data, including pages visited, features used, and general interaction patterns.
3. How We Use Your Information
- Generate spending stories: We analyze your transaction data to create AI-powered, personalized narratives about your spending habits.
- Process payments: We use your email and Stripe integration to process purchases and issue credits.
- Send transactional emails: We send PIN verification codes for login and notifications when your story is ready.
- Improve our service: We use anonymized usage data to understand how people use SpendStory and improve the experience.
4. Third-Party Services
We share your information with the following third-party services:
Plaid
Securely connects to your bank accounts and provides read-only access to transaction data. View Plaid's Privacy Policy.
Anthropic (Claude AI)
Processes transaction summaries to generate your spending narrative. We send normalized transaction data (merchant names, categories, amounts) but not account identifiers or credentials. View Anthropic's Privacy Policy.
Stripe
Processes payment transactions securely. View Stripe's Privacy Policy.
Google Analytics
Collects anonymized usage analytics. View Google's Privacy Policy.
Email Provider
Delivers transactional emails (login PINs, story completion notifications) via Mailgun or SMTP.
5. Data Security
We implement industry-standard security measures to protect your data:
- Plaid access tokens are encrypted using AES encryption before storage
- Authentication PINs are hashed using Argon2id (OWASP-recommended)
- Sessions use HttpOnly, Secure, and SameSite cookies to prevent attacks
- All data is transmitted over HTTPS
- Database access is restricted and monitored
6. Data Retention and Deletion
We retain your data for as long as your account is active. Your generated stories and transaction data used to create them are stored to allow you to access your stories at any time.
If you delete your account, all associated data is permanently deleted, including:
- Account information and email
- Bank connections and Plaid tokens
- Generated stories and transaction data
- Purchase history and credits
- Session data
7. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and all associated data
- Disconnect: Remove bank account connections at any time through your portal
To exercise these rights, contact us at info@spendstory.app.
8. Children's Privacy
SpendStory is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of SpendStory after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at info@spendstory.app.