Privacy Policy
Last updated: DRAFT
This Privacy Policy describes how DigitalFinanceIQ ("we") collects, uses, and protects your personal information. It is a DRAFT and must be completed with counsel.
1. Data we collect
Account & identity: name, email, date of birth, phone, postal address. Authentication: salted password hash, and, if you enable them, two-factor authentication secrets and passkey (WebAuthn) public-key credentials. Financial data (via Plaid): linked institutions, account names/masks, balances, transactions, and payment activity you initiate.
📝 TODO (counsel): List every data category and field precisely, and confirm against your actual schema. Financial data is not an Article 9 "special category" under GDPR, but it is high-risk data, and some regimes treat it as sensitive (e.g. CCPA/CPRA "sensitive personal information" covers financial account numbers and log-in credentials); confirm the classification under each applicable law (GDPR, DPDP, LGPD, CPRA) and state the legal basis (consent or contract) relied on for processing it.
2. How we use your data
To provide the service: display your accounts, generate insights, and process payments you authorize. We do not sell your personal data.
📝 TODO (counsel): State each purpose and its legal basis (consent, contract, legitimate interest). Describe AI processing: which financial context (e.g. account summaries, transactions) is sent to our model provider to generate coaching responses, whether any of it is retained by that provider, and whether it is used for model training.
3. Bank connectivity (Plaid)
We use Plaid to connect to your financial institutions. You enter your bank credentials in Plaid's interface, not ours; DigitalFinanceIQ never receives or stores your bank login credentials. Your use of Plaid is governed by Plaid's End User Privacy Policy: https://plaid.com/legal/#end-user-privacy-policy.
4. Sub-processors
We share data with vendors strictly to operate the service: Plaid (bank connectivity), Supabase (database/hosting), Upstash (rate-limiting), Resend (email), Stripe (subscription billing), and the Vercel AI Gateway, which routes AI-coach requests to model providers such as Google, OpenAI, and Anthropic.
📝 TODO (counsel): Maintain a current sub-processor list and a signed Data Processing Agreement (DPA) with each. Confirm cross-border transfer mechanisms (e.g. SCCs or EU-US Data Privacy Framework certification) for non-EU vendors, and confirm in writing that the AI model providers do not retain or train on user data sent through the gateway.
5. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, PIPEDA, DPDP, LGPD, and others) you may have rights to access, correct, delete, restrict, or export your data, and to withdraw consent. You can export your data or delete your account from your account settings, or contact us at sahanabs100@gmail.com.
6. Data retention & security
Sensitive tokens are encrypted at rest using AES-256-GCM; passwords are never stored in plain text and are hashed with bcrypt; all traffic between your device and our service is encrypted in transit (HTTPS/TLS).
📝 TODO (counsel): Define retention periods per data category and what happens to linked-account data when a bank connection is removed or the account is deleted. Define the breach-notification process: under GDPR, notify the supervisory authority within 72 hours of becoming aware of a breach and affected users without undue delay where the risk is high; under PIPEDA, report to the Privacy Commissioner and notify affected individuals as soon as feasible.
7. Children
The service is intended for users aged 18 and over. We do not knowingly collect data from minors.
8. Contact
Questions: sahanabs100@gmail.com.
📝 TODO (counsel): Add your legal entity name/address, EU/UK representative if required, and supervisory-authority complaint info.