Privacy Policy

Effective Date: September 29, 2025

Last Updated: September 29, 2025

Curl Budget ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services (collectively, the "Service").

Key Points:

We collect only the data necessary to provide budgeting services
Your financial data is encrypted and securely stored
We do not sell your personal information to third parties
You have full control over your data, including the right to delete it

1. Information We Collect

1.1 Information You Provide

When you use Curl Budget, we collect:

Email Address: Used for account creation, authentication via magic links, and important service communications
Workspace Information: Names and settings for your budgeting workspaces
Categories and Budgets: Your custom categories, budget amounts, and financial organization preferences
Manual Transaction Data: Transactions you manually create or edit, including notes and custom fields

1.2 Financial Data from Plaid

When you connect your bank accounts via Plaid, we collect:

Bank Account Information: Account names, types (checking, savings, credit), balances, and account masks (last 4 digits)
Transaction Data: Transaction amounts, dates, descriptions, merchant names, and categories
Institution Information: Name and ID of your financial institution

Important: We never store your bank login credentials. Plaid handles authentication directly with your bank, and we only receive encrypted access tokens to retrieve your transaction data.

1.3 Automatically Collected Information

Device Information: Device type, operating system version, app version
Usage Data: Features used, screen views, interaction patterns (for improving user experience)
Authentication Logs: Login timestamps, IP addresses (for security purposes)
Application Logs: Error logs and performance metrics (scrubbed of personal information)

1.4 AI Categorization Data (Optional)

If you explicitly opt-in to AI-powered transaction categorization:

Data Sent to AI Provider: Transaction descriptions, amounts, and merchant names only
Data NOT Sent: Account numbers, your name, email, IP address, or any personally identifiable information
Your Control: You can revoke consent at any time in Settings, and no future transactions will be sent to the AI provider

AI Categorization is Optional: This feature requires explicit opt-in consent. Transaction data is anonymized before being sent to AI providers (OpenAI, Anthropic) via their API. AI providers are configured for zero data retention where supported by their API.

2. How We Use Your Information

We use your information solely to provide and improve Curl Budget services:

2.1 Core Services

Transaction Management: Import, organize, and display your financial transactions
Budgeting: Calculate spending against budgets and provide insights
Categorization: Automatically categorize transactions using rules and optional AI
Transfer Detection: Identify transfers between your accounts to avoid double-counting
Reports and Analytics: Generate spending reports and visualizations

2.2 Account Management

Authenticate your access via magic links
Manage workspace memberships and collaboration
Send service notifications (budget alerts, sync confirmations)

2.3 Security and Compliance

Detect and prevent fraud and unauthorized access
Monitor for security incidents
Comply with legal obligations and respond to legal requests
Maintain audit trails for shared workspaces

2.4 Service Improvement

Analyze usage patterns to improve features (aggregated, anonymized data only)
Debug errors and optimize performance
Develop new features and enhancements

3. How We Share Your Information

We do not sell your personal information to anyone.

3.1 Plaid (Required Service Provider)

Plaid connects your bank accounts to Curl Budget. Plaid has independent access to your financial data as described in Plaid's Privacy Policy. We share your email address and transaction access authorization with Plaid to enable bank connections.

3.2 AI Providers (Optional, Consent-Based)

If you opt-in to AI categorization, we share anonymized transaction descriptions and amounts with:

OpenAI (ChatGPT API) - Privacy Policy
Anthropic (Claude API) - Privacy Policy

This sharing stops immediately when you revoke consent.

3.3 Cloud Infrastructure Providers

Amazon Web Services (AWS): Hosts our servers, databases, and encrypted backups in secure data centers
Data Location: US regions with encryption at rest and in transit

3.4 Legal Requirements

We may disclose your information if required by law, including:

Compliance with court orders, subpoenas, or legal processes
Enforcement of our Terms of Service
Protection of our rights, property, or safety, or that of others
Investigation of fraud or security incidents

3.5 Business Transfers

If Curl Budget is acquired, merged, or sells assets, your information may be transferred to the successor entity. You will be notified via email of any such change in ownership or control of your personal information.

4. Data Security

We implement industry-standard security measures to protect your data:

4.1 Encryption

Data in Transit: TLS 1.3 encryption for all API communications
Data at Rest: AES-256 encryption for all database storage
Plaid Access Tokens: Encrypted with customer-managed AWS KMS keys
Backups: Encrypted EBS snapshots with separate encryption keys

4.2 Access Controls

Multi-factor authentication (MFA) required for all production system access
Role-based access control (RBAC) limiting employee access to necessary data only
Workspace isolation ensuring users only access their own data
Comprehensive access logging and monitoring

4.3 Security Monitoring

Automated vulnerability scanning via CI/CD pipeline
Regular security assessments and penetration testing
24/7 security monitoring and alerting
Incident response procedures per our Information Security Policy

Your Responsibility: Keep your email account secure, as it's used for magic link authentication. Never share magic links with others, and report suspicious activity immediately to security.

5. Data Retention

We retain your data only as long as necessary for the purposes described in this Privacy Policy. Maximum retention periods are detailed below.

5.1 Retention Periods (Maximums)

Data Type	Maximum Retention Period
Transaction Data	7 years from transaction date
User PII (Email, Name)	3 years after account closure
Financial Account Info	7 years from disconnection
Plaid Access Tokens	Active while connected; 30 days after disconnect
Authentication Logs	2 years from event
Application Logs	90 days
Authorization Records	7 years after revocation

5.2 Early Deletion

Data may be deleted earlier than maximum retention periods when:

You request deletion (exercising your right to erasure)
Data is no longer necessary for stated purposes
Your account is closed (most data deleted within 30 days)
Curl Budget ceases operations (data deleted within 90 days)

5.3 Backup Data

Encrypted database backups are retained for 7 days on a rolling basis. When you delete data, it will be removed from active systems within 30 days and from backups within 7 days through natural rotation.

6. Your Privacy Rights

You have the following rights regarding your personal information:

6.1 Right to Access

You may request a copy of all personal information we hold about you. We provide this data in portable formats (JSON, CSV).

6.2 Right to Correction

You may update or correct your personal information at any time through the app settings or by contacting us.

6.3 Right to Deletion (Right to Erasure)

You may request deletion of your account and all associated data. We will delete your data within 30 days except where retention is required by law.

6.4 Right to Data Portability

You may export all your data in machine-readable formats (JSON, CSV) at any time through the app.

6.5 Right to Object

You may object to certain data processing activities, such as opting out of AI categorization or notification preferences.

6.6 Right to Revoke Consent

Where we process data based on consent (e.g., AI categorization), you may revoke that consent at any time.

6.7 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights. Core budgeting features remain available regardless of optional feature choices.

Exercising Your Rights:

Within the App: Settings → Account → Privacy & Data Controls
By Email: privacy
Response Time: We respond to requests within 30 days

6.8 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to know what personal information is collected and how it's used
Right to know if personal information is sold or shared (we do not sell personal information)
Right to limit use and disclosure of sensitive personal information
Right to correct inaccurate personal information

To exercise these rights, email privacy with "CCPA Request" in the subject line.

6.9 European Residents (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under GDPR:

Right to lodge a complaint with your local data protection authority
Right to restrict processing in certain circumstances
Right to object to automated decision-making

7. Children's Privacy

Curl Budget is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at privacy, and we will delete it promptly.

8. International Data Transfers

Curl Budget operates in the United States, and your information is stored on servers located in the United States. If you access our Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For users in the EEA, UK, or Switzerland: We rely on standard contractual clauses and appropriate safeguards to ensure your data receives adequate protection when transferred internationally.

9. Cookies and Tracking

Curl Budget uses minimal cookies and tracking:

9.1 Essential Cookies

Authentication: Session tokens to keep you logged in
Security: CSRF tokens to prevent cross-site attacks

9.2 Analytics

We use first-party analytics to understand app usage and improve performance. This data is aggregated and anonymized. We do not use third-party advertising or tracking cookies.

9.3 Your Control

You can clear cookies through your device settings, though this may affect app functionality.

10. Business Closure

In the unlikely event Curl Budget ceases operations:

30-Day Notice: We will notify all users via email 30 days before shutdown
Data Export: You will have 30 days to export all your data in portable formats
Data Deletion: All user data will be permanently deleted within 90 days of cessation
Immediate Deletion Option: You may request immediate deletion at any time during the notice period

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:

We will notify you via email at least 30 days before changes take effect
We will update the "Last Updated" date at the top of this policy
Continued use of the Service after changes take effect constitutes acceptance

For non-material changes (clarifications, formatting), we will update this policy without separate notice.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Email: Contact us

Security Issues: Contact security

Data Deletion Requests: Settings → Account → Delete Account, or email privacy

Back to Curl Budget Home | Terms of Service