1. Information we collect

Account information. When you create an account, we collect your full name, username, email address, phone number, and a hashed (never plain-text) version of your password.

Financial data you upload. When you upload bank statements, we store the transaction data contained in those statements — including dates, amounts, descriptions, and account identifiers — in our database, associated only with your account.

Usage data. We log standard server access data (IP address, browser type, pages visited, timestamps) for security monitoring and debugging purposes.

Device information. When you enable the "trust this device" feature during two-factor authentication, we store a cryptographic hash of your device identifier to recognize your browser for 30 days. We never store your actual device hardware identifiers.

2. How we use your information

• To provide, operate, and improve the MoneyFlow service
• To categorize and analyze your transactions using AI models
• To send you security-related communications (email verification, two-factor authentication codes, password reset links)
• To detect and prevent fraud, abuse, and unauthorized access
• To comply with applicable laws and regulations

We do not use your financial data to serve you advertisements. We do not sell, rent, or trade your personal information to third parties.

3. Data storage and security

Your data is stored on encrypted servers hosted on Amazon Web Services (AWS) in the United States. We use industry-standard security practices including:

• TLS/HTTPS encryption for all data in transit
• Bcrypt/Argon2 password hashing — your actual password is never stored
• Two-factor authentication (SMS and email) for account access
• Session tokens with automatic expiration
• Trusted device management with cryptographic device fingerprinting

Bank statement files you upload are stored in a private, access-controlled vault on our servers. They are not publicly accessible and are never shared with third parties.

4. Third-party services

We use the following third-party services to operate MoneyFlow:

• SendGrid — email delivery for account verification, password resets, and 2FA codes. SendGrid receives your email address and the content of security emails we send you.
• Twilio — SMS delivery for two-factor authentication codes. Twilio receives your phone number and the 2FA code when SMS verification is triggered.
• Anthropic Claude API — AI-powered transaction categorization. We send anonymized transaction descriptions (not your name or account numbers) to Claude for classification.
• Amazon Web Services (AWS) — cloud hosting, database storage, and compute infrastructure. AWS stores your data on our behalf under strict confidentiality agreements.

5. Data retention

We retain your account data for as long as your account is active. If you request account deletion, we will permanently delete your data within 30 days, except where we are required by law to retain certain records.

Audit logs (recording login attempts, security events) are retained for 90 days for security purposes.

6. Your rights

You have the right to:

• Access — request a copy of all personal data we hold about you
• Correction — update inaccurate data in your account settings
• Deletion — request permanent deletion of your account and all associated data
• Portability — export your transaction data in CSV format at any time
• Objection — opt out of any non-essential data processing

To exercise any of these rights, contact us at privacy@moneyflowinc.com.

7. Cookies

We use two types of cookies:

• Session cookie (session_id) — required for authentication. Expires after 30 days of inactivity.
• Device trust cookie (mf_did) — stores an encrypted device identifier to enable the "trust this device" feature. Expires after 30 days.

We do not use advertising, tracking, or analytics cookies.

8. Children's privacy

MoneyFlow is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the app at least 14 days before the change takes effect. Your continued use of MoneyFlow after that date constitutes acceptance of the updated policy.

10. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Email: privacy@moneyflowinc.com
• Support: support@moneyflowinc.com