Privacy Policy

ChaiSpend is operated by ChaiSpend LLC ("ChaiSpend," "we," "us," or "our"). We are the data controller responsible for your personal information.

If you have questions about this policy or your data, contact us at support@chaispend.com.

We collect the following categories of information:

Information you provide

• Account information: name and email address when you create an account via Google sign-in
• Financial preferences: income, budget settings, savings goals, spending categories, and transaction rules you configure in the app
• Chat messages: conversations with the AI assistant, stored encrypted
• External account credentials: if you connect third-party accounts (such as payment platforms or cryptocurrency exchanges), we store your API keys or OAuth tokens. These are encrypted at rest using AES-256-GCM and are used solely to sync your account data.

Information from financial institutions

We use a third-party bank data aggregation provider to connect to your financial institutions. Through this connection, we receive:

• Account details: account name, type, and balance
• Transaction data: date, amount, merchant name, and category for each transaction
• Account holder identity: name and account ownership information as provided by your bank

We do not receive or store your bank login credentials. Our bank data provider handles authentication directly with your financial institution using certificate-secured connections. Your bank credentials never touch our servers.

Information collected automatically

• Device information: device type, operating system, and app version
• Usage analytics: feature usage patterns collected via a product analytics provider. Sensitive fields (amounts, descriptions, emails) are stripped before any analytics event is sent.
• Push notification tokens: used to deliver daily allowance notifications and weekly reviews

We use your information for the following purposes:

• Providing the service: calculating your daily spending allowance, syncing transactions, tracking goals, powering the AI assistant, and generating spending insights
• AI assistant: your chat messages and relevant financial context are sent to a third-party AI language model provider to generate responses. The provider's API terms prohibit using inputs to train their models. See Section 6 for details.
• Notifications: sending daily allowance updates, weekly spending reviews, and account alerts via email and push notifications
• Account management: authenticating your identity, managing your subscription, and communicating about your account
• Product improvement: understanding how features are used via anonymized analytics to improve the app experience
• Security: detecting and preventing fraud, abuse, and unauthorized access

We do not use your financial data for advertising, profiling, or any purpose other than providing and improving ChaiSpend.

We share your information only with the service providers necessary to operate ChaiSpend:

• Bank data aggregation provider: connects to your bank accounts to retrieve balances and transactions via certificate-secured connections
• AI language model provider: processes AI chat requests. Chat messages and relevant financial context are sent to generate responses. The provider's API terms prohibit using inputs to train their models.
• Analytics provider: receives anonymized, sanitized usage analytics. No financial amounts, transaction descriptions, or personal identifiers are included.
• Email delivery provider: delivers transactional emails (daily allowance notifications, weekly reviews, account alerts). Receives your email address and notification content.
• Subscription management provider: manages in-app subscriptions and purchase verification for Apple App Store and Google Play Store transactions.
• Push notification provider: delivers push notifications to your device.
• Infrastructure providers: cloud hosting and database services that process data on our behalf under strict data processing agreements.
• Legal requirements: when required by law, subpoena, court order, or to protect our legal rights.

We do not share your information with advertisers, data brokers, affiliate marketers, or any other third parties for their own purposes.

We do not sell your personal information. We do not sell anonymized or aggregated data. We do not share your information for cross-context behavioral advertising. Our only revenue comes from subscriptions.

As required by the California Consumer Privacy Act (CCPA), we confirm: ChaiSpend has not sold or shared personal information in the preceding 12 months, nor do we intend to.

Bank connections

ChaiSpend uses a third-party bank data aggregation provider to connect to your financial institutions. When you link a bank account, you authenticate directly with the provider and your bank. The connection is secured with certificate-based mutual TLS (mTLS) authentication. ChaiSpend receives an access token and your financial data (account balances, transactions) but never your bank login credentials.

If you disconnect a financial account, we stop receiving new data from that account. You may request deletion of previously synced data at any time.

External account connections

You may optionally connect external accounts such as payment platforms and cryptocurrency exchanges to sync transactions. Depending on the provider, this uses OAuth 2.0 or API key authentication. All credentials (OAuth tokens, API keys, API secrets) are encrypted at rest using AES-256-GCM envelope encryption before being stored in our database. Credentials are used solely to retrieve your account data in read-only mode.

AI assistant

The ChaiSpend AI assistant is powered by a third-party AI language model provider. When you use the chat feature, your messages and relevant financial context (such as transaction summaries, budget data, and goal progress) are sent to the provider for processing. Chat messages are stored encrypted in our database. The provider's API terms state that API inputs are not used to train their models.

Analytics

We use a third-party product analytics provider. Before any event is sent, sensitive fields including financial amounts, transaction descriptions, and email addresses are stripped or masked. The provider receives only anonymized feature usage data.

ChaiSpend supports household sharing, where multiple users can share access to financial accounts and budgets. If you use this feature:

• The household owner's subscription extends to all household members
• You control which accounts are visible to other household members through account sharing rules
• Individual transactions can be hidden from other household members
• Each household member maintains their own login credentials and can leave the household at any time

We retain your information for as long as your account is active. Specific retention periods:

• Account data: retained until you delete your account
• Transaction data: retained until you delete your account or disconnect the linked account and request deletion
• Chat history: retained encrypted until you delete your account
• Usage analytics: retained in aggregated, non-identifiable form

When you delete your account, all personal and financial data is permanently deleted from our systems via cascading deletion, including transactions, chat messages, budget data, goals, and linked account credentials. Deletion completes within 30 days, except where retention is required by law.

We use bank-level encryption and security measures to protect your data:

• Encryption at rest: all sensitive data (financial amounts, transaction descriptions, account credentials, chat messages, and personal identifiers) is encrypted using AES-256-GCM authenticated encryption with envelope encryption (data encryption keys wrapped by a key encryption key)
• Encryption in transit: all connections use TLS 1.2 or higher. Bank connections use mutual TLS (mTLS) with certificate-based authentication.
• No bank credential storage: your bank login credentials are handled exclusively by our bank data provider and never touch our servers
• Encrypted API key storage: third-party API keys and OAuth tokens for external account connections are encrypted with AES-256-GCM before storage
• Secure token storage: authentication tokens on your mobile device are stored in the operating system's secure enclave (iOS Keychain / Android Keystore)
• Access controls: production data access is restricted to essential personnel with role-based access controls

No method of transmission or storage is 100% secure. If we become aware of a security breach affecting your data, we will notify you and relevant authorities as required by law.

Depending on where you live, you may have the following rights regarding your personal information:

All users

• Access: request a copy of the personal data we hold about you
• Correction: request correction of inaccurate data
• Deletion: delete your account and all associated data from the app settings, or by contacting us
• Data export: request an export of your data in a portable format

California residents (CCPA/CPRA)

In addition to the rights above, you have the right to:

• Know what personal information we collect, use, and disclose
• Opt out of the sale or sharing of personal information (we do not sell or share, so there is nothing to opt out of)
• Limit the use of sensitive personal information
• Non-discrimination for exercising your privacy rights

European Economic Area residents (GDPR)

Our legal bases for processing your data are: contract performance (providing the service you signed up for), legitimate interest (improving the product and preventing fraud), and consent (where explicitly given). You additionally have the right to:

• Restrict or object to processing
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

Your data is processed in the United States. We use standard contractual clauses where required to ensure adequate protection for international transfers.

Other US state residents

Residents of Virginia, Colorado, Connecticut, and other states with consumer privacy laws have similar rights to access, correct, delete, and opt out. Contact us to exercise these rights.

To exercise any of these rights, email support@chaispend.com. We will respond within 30 days (45 days for complex requests, with notice).

ChaiSpend is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@chaispend.com.

We may update this privacy policy from time to time. For material changes, we will notify you via email or an in-app notification at least 30 days before the changes take effect. Minor clarifications or updates required by law may be made without advance notice.

The "last updated" date at the top of this page indicates when this policy was most recently revised.

If you have questions, concerns, or requests regarding this privacy policy or your personal data, contact us at: