Privacy policy

Last updated: Jan 10, 2025

Cashflowy, Inc. (“Cashflowy,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our websites, mobile applications, and related services (collectively, the “Services”).

If you connect a financial account through our Services, we use Plaid Inc. (“Plaid”) to facilitate that connection. By connecting an account, you authorize Cashflowy to share your information with Plaid and you authorize Plaid to access and transmit your financial data from your financial institution to us for the purposes described in this Policy. Plaid processes your information in accordance with the Plaid End User Privacy Policy. You can manage or revoke data sharing with Plaid via Plaid Portal.

1) Scope

This Policy applies to personal information we process about:

  • Visitors to our sites and users of our apps;
  • Individuals who connect financial accounts to the Services; and
  • Individuals who interact with us for support, marketing, or business purposes.

This Policy does not cover information that is out of scope under applicable privacy laws (e.g., deidentified/aggregated data) or information governed by separate notices (e.g., a GLBA consumer financial privacy notice included below for U.S. customers of our financial services).

2) Information we collect

The information we collect depends on how you use the Services.

A. Information you provide directly

  • Identifiers & contact: name, email, mailing address, phone number, date of birth.
  • Verification (where applicable): government‑issued ID numbers or images, tax IDs, SSN/ITIN (U.S.), and similar identifiers required for compliance or identity verification.
  • Account & profile: username, settings, preferences, business details, goals, and other profile data.
  • Billing & payments: payment method details (e.g., masked card details, bank account numbers used for transfers), transaction amounts, and timestamps.
  • Support & communications: messages, survey responses, and content you send to us (including via chat features).
  • Documents you upload: invoices, statements, receipts, pay stubs, or other financial documents you choose to provide.

B. Information from financial institutions via Plaid (when you connect an account)

Depending on your connection and permissions granted, Plaid may provide us access to:

  • Account identifiers & attributes: institution, account name/type, ownership, masking digits, routing/IBAN/BIC/sort code.
  • Balances: current and available balances.
  • Transactions: dates, amounts, descriptions, counterparties, categories, locations, merchant or securities data.
  • Credit & loan data (if applicable): due dates, balances, payment amounts/dates, interest rate, repayment status, terms.
  • Investments (if applicable): holdings, transactions, quantities, prices, fees, and cost basis.
  • Identity data: name, email, phone, and addresses on file with the institution.
  • Payroll/tax data (if you connect such sources): employer, income, and related information.

Depending on how your financial institution exposes data, connecting a single set of credentials may make multiple accounts (e.g., checking, savings, card, joint) visible to Plaid and, in turn, available to us based on your permissions.

C. Information we collect automatically from your device

When you access the Services, we and our partners may collect:

  • Device & network data: IP address, device identifiers, OS/hardware, browser type, mobile network, language, time zone, general location inferred from IP.
  • Usage data: app/page views, features used, clicks, referring/exit pages, timestamps, and diagnostic logs.
  • Cookies, SDKs, and similar technologies used for essential functionality, analytics, and (where permitted) marketing; see Section 9.

D. Information from other sources

We may receive information about you from:

  • Developers/integrations you use with our Services;
  • Service providers (e.g., fraud prevention, identity verification, analytics);
  • Affiliates to provide support and improve experiences; and
  • Public and commercial sources where permitted by law.

E. Inferences we derive

We may derive insights (e.g., cash‑flow trends, inferred location, or estimated income) to operate and improve features, detect fraud, and personalize experiences.

3) How we use information

Your data is always kept private and secure. We may use your data to help train our AI engine, but only in a safe, aggregated, and anonymized way that never exposes your identity or business details to others. Our AI is built to understand patterns, not to broadcast who you are.

Here’s how it works: your transactions, revenue, and financial flows help the model learn how numbers move in businesses like yours. Over time, that allows it to surface smarter insights, forecasts, and next-best actions, so you get a more powerful financial coach.

But your specific data, your business name, or your personal information is never shared, sold, or disclosed to OpenAI or any third party. The specific ways your information is used are detailed below.

We use personal information to:

  • Provide and improve the Services: operate core features (e.g., account connections, dashboards, reporting), personalize content, and develop new capabilities.
  • Process payments & transfers: verify account ownership, enable payouts or debits/credits, and keep ledgers accurate.
  • Security, fraud, and abuse prevention: verify identity, monitor for suspicious activity, and protect accounts.
  • Compliance: meet legal, regulatory, tax, and audit requirements.
  • Communications & support: send service notices, respond to inquiries, and provide customer care.
  • Research & analytics: measure performance, improve quality, and produce aggregated/deidentified statistics.
  • Marketing: send permitted opted-in marketing and measure campaigns (you can opt out—see Section 10). This is only used by us, never shared with a third party.
  • With consent: for other purposes you have clearly consented to.

Legal bases under GDPR/UK law include consent, contract performance, compliance with legal obligations, and our legitimate interests (e.g., service integrity, improvement, and security). Where required, we will obtain consent and you may withdraw it at any time. 

4) How we share information

We share personal information:

  • With service providers/contractors that process data on our behalf (e.g., cloud hosting, security, analytics, payments, customer support) under contracts that limit their use to our instructions.
  • With Plaid and financial institutions at your direction to establish and maintain connections, protect your accounts, and provide requested functionality.
  • With other third parties you authorize (e.g., apps or partners you choose to connect).
  • For compliance and protection: to law enforcement, regulators, and parties involved in legal processes where required or appropriate; to detect and prevent fraud, security incidents, or misuse; and to protect rights, property, and safety.
  • With affiliates for purposes consistent with this Policy.
  • In a business transfer: in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality safeguards.
  • Aggregated/deidentified: we may share insights that do not identify you.

We do not sell personal information and we do not share personal information with non‑affiliates for their own marketing without your consent.

5) Your choices & privacy rights

Your rights may include the ability to request access, correction, deletion, portability, or to object/restrict certain processing. You can:

  • Manage connections and delete data stored by Plaid via Plaid Portal;
  • Disconnect financial accounts within our app where that control is available;
  • Adjust cookie preferences (see Section 9);
  • Opt out of marketing emails by using the unsubscribe link; and
  • Contact us to exercise rights (see Section 14). We may need to verify your identity and certain data may be exempt under sectoral laws (e.g., GLBA) or for legal/regulatory reasons.

Residents of California, certain U.S. states, the EEA, the UK, and other jurisdictions may have additional rights under local law. We will not discriminate against you for exercising your rights.

6) Retention & deletion

We retain personal information as long as necessary to provide the Services, comply with legal and regulatory obligations, resolve disputes, maintain security, and enforce agreements. When no longer needed, we will delete or deidentify data, subject to lawful exceptions (e.g., fraud prevention, tax/audit requirements). If you remove a connection in our app, we will cease pulling new data and handle previously obtained data per this Policy and our retention obligations.

7) International data transfers

We may process and store information in the United States and other countries. When we transfer personal information internationally, we use lawful mechanisms (e.g., Standard Contractual Clauses and supplementary measures) and conduct transfer assessments as required.

8) Security

We employ administrative, technical, and physical safeguards designed to protect personal information, including access controls, encryption in transit and at rest (where applicable), network protection, and secure development practices. No method of transmission or storage is perfectly secure; if required by law, we will notify you of certain breaches.

9) Cookies & similar technologies

We use cookies, SDKs, and similar tools to enable essential features, analyze usage, and—where permitted—support marketing. You can manage cookies in your browser settings and opt out of certain analytics/advertising as provided by those providers. Disabling cookies may limit some functionality.

10) Children

Our Services are not directed to children under 18, and we do not knowingly collect personal information from them. If we learn a child has provided personal information, we will take steps to delete it where required. 

11) Changes to this Policy

We may update this Policy periodically. We will post the updated version with a new “Effective date” and, if changes are material, provide additional notice as required.

12) Contact us

Cashflowy, Inc.
[Insert mailing address]
privacy@cashflowy.ai

Using Plaid through Cashflowy (Notice & Consent)

When you choose to connect a financial account in Cashflowy, we use Plaid to link your account. By proceeding, you:

  1. Authorize Cashflowy to share your information with Plaid and authorize Plaid to access and transmit your financial data from your financial institution to Cashflowy;
  2. Acknowledge that such data may include identifiers, account details, balances, transactions, and other financial information as described above; and
  3. Agree that Plaid’s use of your information is governed by the Plaid End User Privacy Policy. You may manage or revoke sharing and delete data stored by Plaid at my.plaid.com.

U.S. Consumer Financial Privacy Notice (GLBA)

Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing and requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully.

What? The types of personal information we collect and share depend on the product or service you have with us. This information can include Social Security number, income, account balances, transaction history, payment history, and account numbers. When you are no longer our customer, we continue to share your information as described in this notice.

How? All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons Cashflowy chooses to share; and whether you can limit this sharing.

| Reasons we can share your personal information | Does Cashflowy share? | Can you limit this sharing? |
|---|---|---|
| For our everyday business purposes — such as to process transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No |
| For our marketing purposes — to offer our products and services to you | Yes | No |
| For joint marketing with other financial companies | No | We don’t share |
| For our affiliates’ everyday business purposes — information about your transactions and experiences | Yes | No |
| For our affiliates’ everyday business purposes — information about your creditworthiness | No | We don’t share |
| For our affiliates to market to you | Yes | Yes |
| For nonaffiliates to market to you | No | We don’t share |

To limit our sharing
Email us at privacy@cashflowy.ai with the subject line “Limit Sharing” or follow the instructions provided in your account settings (where available).

Questions?
Contact privacy@cashflowy.ai.

Who we are
Who is providing this notice?
Cashflowy, Inc. and its U.S. affiliates.

What we do
How does Cashflowy protect my personal information?
To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These include computer safeguards and secured files and buildings.

How does Cashflowy collect my personal information?
We collect personal information, for example, when you:

  • Connect a financial account, make a payment, or receive a payout;
  • Open an account or provide contact/identity information;
  • Upload documents or interact with our apps and site; or
  • Authorize us to obtain information from others (e.g., financial institutions via Plaid).

We also collect your personal information from others, such as credit bureaus, affiliates, or other companies, as permitted by law.

Why can’t I limit all sharing?
Federal law gives you the right to limit only:

  • sharing for affiliates’ everyday business purposes—information about your creditworthiness;
  • affiliates from using your information to market to you; and
  • sharing for nonaffiliates to market to you.

State laws and individual companies may give you additional rights to limit sharing.

Definitions
Affiliates — Companies related by common ownership or control. They can be financial and nonfinancial companies.
Nonaffiliates — Companies not related by common ownership or control. They can be financial and nonfinancial companies.
Joint marketing — A formal agreement between nonaffiliated financial companies that together market financial products or services to you.

Other important information for state residents
California: We will not share personal information we collect about you except to the extent permitted under California law.
Vermont: We will not share personal information we collect about you with non‑affiliates unless the law allows or you provide authorization.

This document is intended to help Cashflowy satisfy disclosure and consent obligations for use of Plaid and to provide a comprehensive privacy policy. Please review with counsel to confirm alignment with your products, data flows, and regulatory requirements.