Privacy Policy

Last updated: April 2, 2026

Spendable ("we," "us," or "our") operates the Spendable mobile application and website (collectively, the "Service"). This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the Service.

1. Information We Collect

1.1 Account Information

When you create an account we collect your email address, name, password, and timezone. If you sign in with Google or Apple, we receive the name and email address associated with that account. We do not receive or store your Google or Apple password.

1.2 Financial Data

When you connect a bank account through our integration partner, Plaid Inc. ("Plaid"), we receive account balances, transaction history (merchant name, amount, date, category, and pending status), and basic account metadata (account type, last four digits of the account number, and currency). We do not receive or store your bank login credentials — those are handled entirely by Plaid. Your use of Plaid is also subject to Plaid's privacy policy.

1.3 User-Created Content

We store data you create within the app, including savings goals, custom transaction categories, merchant-to-category rules, notification preferences, safety-buffer settings, and forecast-horizon preferences.

1.4 Device & Technical Data

To deliver push notifications we collect your device platform (iOS or Android) and a push-notification token. We also collect error and diagnostic data (stack traces, HTTP status codes) through our error-tracking provider. Before transmission to this provider, personally identifiable information — including your email address, IP address, authentication headers, and request body — is automatically removed.

1.5 Information We Do Not Collect

We do not use third-party analytics or advertising SDKs. We do not collect location data, contacts, photos, or microphone or camera input. We do not track you across other apps or websites.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service, including syncing your bank accounts and displaying your transactions.
• Generate cash-flow forecasts and safe-to-spend projections. These forecasts are informational only and do not constitute financial advice.
• Track progress toward your savings goals.
• Send push notifications about material changes to your financial outlook (e.g., when your projected balance falls below your safety buffer).
• Send transactional emails such as password-reset links.
• Diagnose errors, monitor service reliability, and improve the app.
• Protect the security of your account and prevent fraud.

3. How We Share Your Information

We never sell your personal or financial data. We share information only in the following limited circumstances:

3.1 Service Providers

We use trusted third-party service providers to help operate the Service. These providers are contractually obligated to use your data only to perform services on our behalf and include:

• Bank connectivity — we use Plaid Inc. to connect your bank accounts and retrieve financial data. Plaid's use of your data is governed by its own privacy policy.
• Email delivery — a third-party provider delivers transactional emails (e.g., password resets) on our behalf. It receives only your email address and the email content.
• Error monitoring — an error-tracking service helps us diagnose and fix bugs. Personally identifiable information is scrubbed before transmission.
• Push notifications — a notification delivery service sends alerts to your device. Payloads contain only signal data (e.g., alert type) and never include financial amounts.
• Cloud infrastructure — a managed hosting provider runs our database, application servers, and supporting infrastructure.

3.2 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.3 Business Transfers

If Spendable is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice in the app before your information becomes subject to a different privacy policy.

4. Data Security

We take the security of your data seriously and implement the following measures:

• Encryption in transit — all communication between your device and our servers uses TLS (HTTPS).
• Encryption at rest — Plaid access tokens are encrypted at the application layer before being stored in the database. Encryption keys support rotation.
• Password hashing — passwords are hashed using PBKDF2 with HMAC-SHA512 and are never stored in plaintext.
• Session security — refresh tokens are hashed (SHA-256) in the database and support rotation. Reuse of a revoked token is detected and blocked.
• Account protection — accounts are temporarily locked after repeated failed login attempts. Rate limiting is applied to login, registration, and password-reset endpoints.
• Infrastructure security — we enforce security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options) and verify Plaid webhook signatures to prevent tampering.

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Data Retention & Deletion

We retain your personal and financial data for as long as your account is active. Certain operational records — including expired session tokens, used password-reset tokens, webhook logs, and notification logs — are automatically purged after 90 days.

You may delete your account at any time from the Settings screen in the app. When you delete your account we:

• Revoke all Plaid access tokens, severing the connection to your bank.
• Permanently delete your profile, financial data, goals, settings, device registrations, notification logs, and all session and password-reset tokens.

For more details, see our account deletion page. If you are unable to delete your account through the app, contact us at [email protected] and we will process the deletion on your behalf.

6. Data Export

You can export a copy of your data — including your profile, settings, accounts, transactions, goals, and merchant rules — at any time from the Settings screen. The export is delivered as a JSON file to your device.

7. Your Rights

Depending on your jurisdiction you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete your account and all associated data.
• Export your data in a portable format.
• Withdraw consent for optional processing (e.g., push notifications) at any time through the app's settings.

To exercise any of these rights, use the relevant feature in the app or contact us at [email protected]. We will respond within 30 days.

8. Children's Privacy

The Service is available to users aged 13 and older. Users under 18 must have the consent of a parent or legal guardian. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will promptly delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by email or through a notice in the app before the changes take effect. Your continued use of the Service after the updated policy becomes effective constitutes your acceptance of the changes.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please visit our support page or email us at [email protected].