Privacy Policy
Effective June 8, 2026
Cash Brief ("Cash Brief," "we," "us") provides personal-finance reporting: you securely link your bank and credit-card accounts and we turn your transaction history into clear spending reports. This policy explains what we collect, how we use and protect it, who we share it with, and how you can delete it. Cash Brief is a read-only service — we never move money, initiate transfers, or write back to your accounts.
Information we collect
Account information you give us. Your email address, used for passwordless (magic-link) sign-in and to deliver your reports.
Financial data via Plaid. When you link a financial institution, we use Plaid Inc. ("Plaid") to connect to it. Through Plaid we receive account information (institution and account names, account type, masked account numbers, balances) and up to 24 months of transaction history. We never receive or store your bank login credentials — you enter those directly with Plaid, which handles authentication with your institution.
Technical and diagnostic data. Basic operational logs and error reports used to keep the service running and secure. We minimize personal information in our error monitoring.
How we use your data
We use your data solely to provide and improve the service: to generate your one-time baseline report and your monthly reports, to categorize transactions and surface trends, to keep personal and business accounts separated, and to deliver reports to you by email. We also use it to operate, secure, troubleshoot, and improve Cash Brief.
We do not sell or rent your personal or financial data, and we do not use it for advertising.
How we use Plaid
We use Plaid to connect your accounts. By linking an account, you also agree to Plaid's End User Privacy Policy. Plaid handles the connection to your financial institution and your institution credentials; we do not see or store those credentials.
Who we share data with
We share data only with service providers ("subprocessors") that help us run Cash Brief, each limited to what they need to perform their function:
- Plaid — connects to your financial institutions.
- Supabase — database, authentication, and file storage.
- Vercel — application hosting.
- Anthropic — generates the written narrative in your report. We send aggregated, derived figures (e.g. category totals and trends), not your raw transaction list or any credentials. Data sent to our AI provider via its API is not used to train its models.
- Resend — delivers your report emails.
- Sentry — error monitoring (with personal data minimized).
We may also disclose data if required by law, to protect our rights or users' safety, or in connection with a business transfer — in which case this policy continues to apply. We never sell your data.
How we protect your data
We encrypt data in transit (TLS 1.2+) and at rest. Your Plaid access tokens are additionally encrypted at the application level (AES-256-GCM). Access to your data is isolated per user with database row-level security and restricted to least-privilege service credentials, and admin access to our systems requires multi-factor authentication. See our information security practices for more detail.
Data retention and deletion
We retain your data for as long as your account is active so we can generate your reports. You can disconnect an institution at any time, which stops further data collection from it. You can request deletion of your account and associated data by emailing us; we will delete it within 30 days, except where we are required to retain certain records by law. We review our retention practices periodically.
Your choices and rights
You can access the data in your reports, disconnect linked institutions, and request correction or deletion of your account and data at any time by contacting us. Depending on where you live, you may have additional rights under applicable privacy laws; we will honor those rights.
Children
Cash Brief is not directed to, and not intended for use by, anyone under 18.
Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new effective date and, for material changes, take reasonable steps to notify you.
Contact us
Questions or requests (including data deletion): privacy@mycashbrief.com.