Privacy Policy
Effective Date: May 27, 2026 · Last Updated: May 27, 2026
Richometer (“we,” “us,” or “our”) operates the Richometer personal finance application (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using Richometer, you consent to the data practices described in this policy.
Table of Contents
- 1. Information We Collect
- 2. How We Use Your Information
- 3. Third-Party Service Providers
- 4. Data Security
- 5. Data Retention
- 6. Your Rights and Choices
- 7. Data Sharing and Disclosure
- 8. Cookie Policy
- 9. Children's Privacy
- 10. CCPA Compliance
- 11. GLBA Compliance
- 12. International Users
- 13. Changes to This Policy
- 14. Contact Us
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: name, email address, and password when you create an account.
- Profile Information: household details, display preferences, and notification settings you configure.
- Financial Data You Enter Manually: account balances, transactions, budgets, financial goals, real estate values, investment holdings, income sources, and tax information.
- Communications: messages you send to us for support, feedback, or inquiries.
1.2 Information Collected Through Third-Party Integrations
- Bank Account Data via Plaid: when you choose to connect a financial institution, we receive account names, account types, account and routing numbers (used solely for identification), current and available balances, and transaction history (up to 24 months). Your bank login credentials are never transmitted to or stored by Richometer; they are handled entirely by Plaid.
- Payment Information via Stripe: when you subscribe to a paid plan, Stripe processes your payment method. We receive only a truncated card identifier (last four digits), card brand, and billing status. We never see or store your full card number.
1.3 Information Collected Automatically
- Usage Data: pages visited, features used, timestamps of interactions, and referring pages.
- Device and Browser Data: IP address, browser type, operating system, and device identifiers for security and troubleshooting purposes.
- Authentication Tokens: session cookies managed by Supabase for maintaining your authenticated session.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: displaying your net worth, tracking transactions, managing budgets, calculating FIRE projections, running Monte Carlo simulations, and generating financial reports.
- Account Management: authenticating your identity, managing your subscription, and processing payments.
- Personalization: customizing dashboards, auto-categorizing transactions, and tailoring financial insights based on your data.
- AI-Powered Features: when you opt in, sending anonymized or aggregated financial queries to OpenAI or Anthropic to power the AI financial assistant. These requests are user-initiated and do not include personally identifiable information beyond what is necessary to answer your question.
- Communication: sending transactional emails (account verification, password resets, billing receipts, and important service updates).
- Security: detecting and preventing fraud, abuse, and unauthorized access.
- Improvement: analyzing usage patterns in aggregate to improve features and user experience.
3. Third-Party Service Providers
We engage the following third-party service providers to deliver our Service. Each provider accesses only the data necessary to perform its function:
Plaid Inc. — Financial Data Aggregation
Plaid securely connects your bank accounts and retrieves account information, balances, and transaction data on your behalf. Your bank login credentials are handled exclusively by Plaid and are never shared with us.
Plaid End User Privacy Policy →
Stripe Inc. — Payment Processing
Stripe processes subscription payments and manages billing. We do not store your full payment card details; Stripe handles all sensitive payment data in a PCI DSS-compliant environment.
Stripe Privacy Policy →
Supabase Inc. — Data Storage and Authentication
Supabase provides our database infrastructure, user authentication, and real-time services. All data is stored in SOC 2-compliant data centers with encryption at rest.
Supabase Privacy Policy →
Resend Inc. — Transactional Email
Resend delivers transactional emails on our behalf (account verification, password resets, billing notifications). Resend receives only the email address and message content necessary for delivery.
Resend Privacy Policy →
OpenAI / Anthropic — AI Financial Assistant (Optional)
When you choose to use our AI-powered financial assistant, your queries (which may include summarized financial data) are sent to OpenAI or Anthropic for processing. This feature is entirely optional and user-initiated. We do not send data to AI providers without your explicit action. Neither provider uses your data to train their models when accessed through our API.
4. Data Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- Encryption at Rest: all data stored in our databases is encrypted using AES-256 encryption.
- Encryption in Transit: all data transmitted between your device and our servers is protected using TLS 1.2 or higher.
- Row-Level Security: our database enforces row-level security policies ensuring users can only access data belonging to their own organization.
- Authentication: we use secure session management with HTTP-only cookies, and support multi-factor authentication and passkey (WebAuthn) login.
- Access Controls: internal access to production data is restricted to authorized personnel on a need-to-know basis.
- No Credential Storage: we never store your bank login credentials. Plaid handles all bank authentication directly.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly in the event of a data breach as required by applicable law.
5. Data Retention
- Active Accounts: we retain your data for as long as your account is active and you maintain a relationship with us.
- Account Deletion: when you delete your account, we will delete your personal data and financial records within 30 days. Certain data may be retained for up to 90 days in encrypted backups before being permanently purged.
- Legal Obligations: we may retain certain records as required by law, including transaction records for tax and financial reporting compliance for up to 7 years.
- Anonymized Data: we may indefinitely retain, for analytical purposes, anonymized, aggregated data that cannot be used to identify you.
6. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: request that we correct inaccurate or incomplete personal data.
- Deletion: request that we delete your personal data, subject to legal retention requirements.
- Data Portability: request your data in a structured, machine-readable format (CSV or JSON export is available from your account settings).
- Withdraw Consent: revoke consent for data processing activities where consent is the legal basis. You can disconnect linked bank accounts at any time from your account settings.
- Opt-Out of AI Features: the AI financial assistant is entirely optional. You can use Richometer without ever activating AI features.
To exercise any of these rights, contact us at privacy@richometer.com. We will respond to your request within 30 days as required by applicable law.
7. Data Sharing and Disclosure
We do NOT sell your personal data. We do NOT share your data with advertisers or marketing companies. Period.
We may disclose your information only in the following limited circumstances:
- Service Providers: with the third-party providers described in Section 3, solely for the purpose of delivering the Service.
- Legal Requirements: when required by law, subpoena, court order, or other legal process.
- Safety and Security: when we believe disclosure is necessary to protect the rights, property, or safety of Richometer, our users, or the public.
- Business Transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. You will be notified via email and/or a prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy.
- With Your Consent: we may share data when you have given us explicit consent to do so.
- Household Members: if you use our household/family sharing feature, data within the shared organization is visible to members you have invited, according to the permissions you configure.
8. Cookie Policy
Richometer uses a minimal set of cookies strictly necessary for the operation of the Service:
- Authentication Cookies: managed by Supabase to maintain your authenticated session. These are HTTP-only, secure cookies that cannot be accessed by third-party scripts.
- Preference Cookies: to store your display preferences (such as theme settings) locally in your browser.
We do NOT use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking or targeted advertising.
9. Children's Privacy
Richometer is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@richometer.com, and we will promptly delete such information.
10. CCPA Compliance (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to Know: you have the right to request that we disclose the categories and specific pieces of personal information we have collected about you.
- Right to Delete: you have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale: we do not sell your personal information. As such, there is no need to opt out, but we affirm this right in compliance with CCPA.
- Non-Discrimination: we will not discriminate against you for exercising any of your CCPA rights.
To exercise your CCPA rights, contact us at privacy@richometer.com. We will verify your identity before processing your request.
11. GLBA Compliance
While Richometer is a personal finance management tool and not a financial institution, we recognize the sensitivity of the financial data we handle. We adhere to the principles of the Gramm-Leach-Bliley Act (GLBA) with respect to safeguarding nonpublic personal financial information. We maintain administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of your financial data. We limit the collection and use of customer financial data to what is necessary to provide and improve our Service, and we do not share your nonpublic personal financial information with non-affiliated third parties except as described in this Privacy Policy.
12. International Users
Richometer is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers are located and our databases are operated. The data protection laws in the United States may differ from those of your country. By using the Service, you consent to the transfer of your information to the United States.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the email address associated with your account) or by posting a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Richometer Privacy Team
Email: privacy@richometer.com
We aim to respond to all privacy-related inquiries within 30 business days.