Privacy Policy
🧾 The short version
- We connect to your bank via Plaid — read-only. We can never move or access your money.
- We store your transaction and budget data to power the app. We never sell your data.
- We use Supabase (US-based) to store your data. It is encrypted in transit and at rest.
- You can delete your account and all associated data at any time, from within the app.
- We use anonymous analytics (PostHog) and crash reporting (Sentry). No personal data leaves the app for ad purposes.
- Spentz does not display ads and does not share data with advertisers.
01 Who we are
Spentz is a personal finance application operated by Spentz LLC, a company incorporated in the State of Wyoming, United States ("Spentz LLC", "we", "us", or "our").
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Spentz mobile application and website at spentz.app (collectively, the "Service").
If you have questions about this policy, please contact us at hello@spentz.app.
02 What we collect
We collect information in three ways: information you give us directly, information we receive via third-party services (primarily Plaid), and information collected automatically.
Information you provide directly
| Data | Why we collect it |
|---|---|
| Email address | Account creation, login, and service communications |
| Password (hashed) | Authentication — we never store plaintext passwords |
| Name (optional) | Personalising the app experience |
| Budget categories and amounts | Core app functionality |
| Savings goals | Goal tracking and pre-purchase check calculations |
| Income and payday settings | Payday-synced budget periods |
| Transaction reclassifications | Improving your category accuracy over time |
Information collected automatically
| Data | Why we collect it |
|---|---|
| Device type and OS version | Compatibility and crash diagnosis |
| App version | Support and debugging |
| Anonymised usage events | Understanding how features are used (PostHog analytics) |
| Crash reports | Diagnosing and fixing bugs (Sentry) |
| IP address (temporary) | Security and fraud prevention; retained for no more than 30 days, then permanently deleted |
03 Plaid & bank data
To connect your bank accounts, Spentz uses Plaid Technologies, Inc. ("Plaid"), a trusted financial data network used by thousands of apps including Venmo, Robinhood, and Coinbase.
When you link a bank account, you authenticate directly with your bank through Plaid's secure interface — Spentz never sees your bank login credentials. Plaid retrieves your account and transaction data and passes it to us. Your credentials are held by Plaid, not Spentz. Plaid's privacy policy is available at plaid.com/legal/privacy-policy.
What Plaid sends us
- Account names, types, and balances
- Transaction history (amount, date, merchant name, category)
- Recurring transaction patterns (for automatic bill detection)
- Account identifiers (masked — no full account numbers)
What we do with bank data
- We store your transaction and balance data in our database (Supabase) to power the app.
- We use transaction history to suggest budget categories and detect recurring bills.
- We use balance data to calculate your spending pace and goal timelines.
- We never share your bank data with third parties for advertising, profiling, or any commercial purpose.
- We never initiate transfers or move money. Our Plaid access is strictly read-only.
Disconnecting your bank
You can disconnect a linked bank account at any time from the Settings screen in the app. When you disconnect, we revoke Plaid's access token and delete the associated transaction data from our systems within 30 days. To remove data immediately, delete your account.
04 Legal basis for processing
We process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service to you — including storing your transactions, calculating budgets, and running pre-purchase checks. This is the basis for the majority of our processing.
- Legitimate interest: Processing necessary for our legitimate business interests, such as improving the Service through aggregate analytics, diagnosing crashes, and preventing fraud — where these interests are not overridden by your rights.
- Consent: Processing that requires your explicit consent, such as sending push notifications or connecting a bank account via Plaid. You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with applicable law, such as responding to lawful data access requests or retaining records as required.
05 How we use your data
We use the information we collect for the following purposes:
To provide the Service
- Displaying your transaction history, account balances, and spending summaries
- Running pre-purchase checks and calculating goal timeline impact
- Generating budget suggestions based on your historical spending
- Detecting and pre-committing recurring bills and subscriptions
- Delivering payday-synced budget periods
- Sending push notifications (with your permission) for budget alerts and weekly summaries
To improve the Service
- Understanding which features are used most (anonymous aggregate analytics)
- Diagnosing crashes and errors via Sentry
- Testing improvements before releasing them to all users
To communicate with you
- Transactional emails: account creation, password reset, subscription receipts
- Service updates and security notices
- We do not send marketing emails unless you explicitly opt in
Legal and security purposes
- Detecting and preventing fraud or abuse
- Complying with applicable law
- Enforcing our Terms of Service
06 Who we share your data with
We share data with a small number of trusted service providers who help us operate the Service. We do not sell your data.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, and edge functions | All app data (encrypted) | United States |
| Plaid Technologies | Bank account connectivity | Bank credentials (held by Plaid only), access tokens | United States |
| RevenueCat | Subscription management | Subscription status, purchase history | United States |
| PostHog | Product analytics | Anonymised usage events (no financial data) | United States / EU |
| Sentry | Crash and error reporting | Device info, app state at crash (no financial data) | United States |
| Apple (APNs) | Push notifications (iOS) | Device push token | United States |
| Anthropic | AI-powered advice layer | Aggregated category spending totals and budget percentages only — no merchant names, transaction descriptions, account numbers, balances, or personally identifiable information | United States |
We maintain data processing agreements (DPAs) or equivalent contractual protections with each of the service providers listed above, ensuring they process your data only as instructed by us, apply appropriate security measures, and do not use your data for their own purposes beyond what is necessary to deliver their service.
We may also disclose your information where required by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of Spentz, our users, or the public.
07 Storage & security
Your data is stored on Supabase-managed infrastructure located in the United States. Supabase is SOC 2 Type II compliant.
- Encryption in transit: All data is transmitted over TLS 1.2 or higher.
- Encryption at rest: Your data is encrypted at rest using AES-256.
- Row-level security: Our database enforces row-level security — your data is only accessible to your authenticated account.
- Secrets management: API keys and sensitive credentials are stored in Supabase Vault, not in application code.
- No plaintext passwords: Passwords are hashed using bcrypt before storage. We never store or transmit passwords in plaintext.
While we take reasonable technical and organisational measures to protect your data, no security system is impenetrable. If you believe your account has been compromised, contact us immediately at hello@spentz.app.
Breach notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal data, we will notify affected users without unreasonable delay and no later than 72 hours after confirming the breach, in accordance with applicable law. Notification will be provided via email to the address associated with your account and, where appropriate, via in-app notification. The notice will describe the nature of the breach, the categories of data affected, and the steps we are taking in response.
08 Data retention
We retain your personal data for as long as your account is active. Specifically:
- Active account: We keep your data for the duration of your account.
- Disconnected bank: Transaction data for that connection is deleted within 30 days of disconnection.
- Deleted account: When you delete your account, we delete all associated personal data within 30 days. Some anonymised, aggregated data (e.g. product usage statistics) may be retained indefinitely as it cannot be linked back to you.
- Legal hold: In some cases, we may be required to retain certain data for longer periods to comply with legal obligations.
09 Your rights
You have the following rights regarding your personal data:
Access and portability
You can request a copy of the personal data we hold about you. Contact us at hello@spentz.app and we will respond within 30 days.
Correction
You can correct inaccurate data directly within the app (transaction categories, goals, budget amounts) or by contacting us.
Deletion ("right to be forgotten")
You can delete your account and all associated data at any time from Settings → Account → Delete Account within the app. This action is permanent and irreversible.
Objection and restriction
You may object to certain processing activities or request that we restrict processing while a dispute is resolved. Contact us at hello@spentz.app.
Push notifications
You can withdraw consent for push notifications at any time from Settings → Notifications in the app, or from your device's system settings.
Bank connection
You can revoke Plaid's access to your bank account at any time from Settings → Accounts → Disconnect in the app.
10 Children's & minors' privacy
Spentz is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us at hello@spentz.app and we will promptly delete it.
11 California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.
- Right to know: You may request information about the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g. legal obligations, security, or completing a transaction you requested).
- Right to correct: You may request correction of inaccurate personal information that we maintain about you.
- Right to opt out of sale or sharing: We do not sell or share (as defined by the CPRA) personal information for cross-context behavioural advertising. If this changes, we will update this policy and provide an opt-out mechanism.
- Right to limit use of sensitive personal information: We collect financial data, which the CPRA classifies as sensitive personal information. We use this data solely to provide the Service (budgeting, spending analysis, and goal tracking) — not for profiling, advertising, or any purpose beyond what is necessary to deliver the Service. You may request that we limit our use of sensitive personal information to these service-essential purposes.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of personal information collected (12-month lookback)
In the preceding 12 months, we have collected the following categories of personal information: identifiers (email address, name), financial information (bank account balances, transaction history via Plaid), internet or electronic network activity (app usage data, crash reports), and inferences drawn from the above (budget suggestions, spending patterns). We have not sold any personal information. We have disclosed personal information for business purposes to the service providers listed in Section 6 of this policy.
To exercise these rights, contact us at hello@spentz.app with the subject line "CCPA Request". We will verify your identity before processing your request and respond within 45 days.
12 Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email (to the address associated with your account) or via an in-app notification at least 14 days before the changes take effect.
The "Last updated" date at the top of this page reflects the date of the most recent revision. Continued use of the Service after any update constitutes your acceptance of the revised policy.
Prior versions of this policy are available on request at hello@spentz.app.
13 Contact us
If you have any questions about this Privacy Policy, or wish to exercise any of your rights, please contact us:
Spentz LLC
Wyoming, United States
Email: hello@spentz.app
We aim to respond to all privacy enquiries within 5 business days.