Privacy Policy

Your finances are yours. We do not sell them.
This policy complies with CCPA (California), GDPR (EU), and US federal financial data regulations.

Last updated: April 24, 2026 · Effective date: April 24, 2026


1. Data We Collect

To provide Wälo's services we collect:

  • Account data: name, email, country, password hash (bcrypt). Provided by you at signup.
  • Financial data via Plaid: account balances, transactions, holdings, account metadata. We use OAuth — we never see your bank username or password.
  • Manually entered data: transactions, categories, budgets, goals, retirement plan inputs you create.
  • Identity data for credit score (optional): name, date of birth, last 4 SSN digits, address. Only collected if you opt in to credit monitoring. Encrypted at rest with AES-256.
  • Forwarded bank emails (optional): emails you forward to your unique Wälo address. Parsed by AI for transaction extraction. Stored only as long as needed.
  • Usage data: pages visited, feature interactions, error logs. Anonymous unless tied to your account.
  • Device data: IP address, browser, operating system. Used for fraud detection and rate limiting.

2. How We Use Your Data

  • Provide the core Wälo service: tracking, budgeting, retirement planning, tax export.
  • Sync transactions and balances from your linked banks via Plaid.
  • Generate AI-powered categorizations and insights using Google Gemini and Anthropic Claude.
  • Send transactional emails (welcome, trial reminders, security alerts) via Resend.
  • Process subscription payments via Stripe (we never see your full card number).
  • Detect and prevent fraud, abuse, and unauthorized access.
  • Improve the product through aggregated, anonymous usage analytics.

What we never do with your data:

  • Sell or rent it to third parties.
  • Use it for targeted advertising on other platforms.
  • Share it with employers, government agencies (except as required by valid US legal process), or insurance companies.
  • Use AI providers to train their models with your data — we use API endpoints that exclude training (zero data retention with Anthropic, opted-out training with Google).

3. Third-Party Services (Sub-processors)

To deliver the service we share specific data with vetted providers:

| Provider | Purpose | Data shared |
|---|---|---|
| Plaid | Bank aggregation | OAuth tokens, account/txn data from your banks |
| Stripe | Subscription billing | Email, name, payment method (Stripe stores card details, not Wälo) |
| Supabase (AWS US-East) | Database hosting + auth | All your account data, encrypted at rest |
| Vercel (AWS Global) | Application hosting | Request data, IP, user-agent for routing |
| Resend | Transactional emails | Email address, name, message content |
| Google Gemini | AI categorization + chat | Transaction text + receipt OCR (per-call, no training) |
| Anthropic Claude | AI email parsing | Forwarded bank email content (per-call, zero retention) |
| Array.io (planned) | Credit score | Identity data (when you opt in) |

4. Security

  • Encryption at rest: AES‑256 for database (Supabase / AWS RDS). Plaid access tokens additionally encrypted via PostgreSQL pgcrypto with a passphrase known only to our application. PSP API keys stored as SHA‑256 hashes only.
  • Encryption in transit: TLS 1.2+ with 256‑bit cipher suites on every web and API connection.
  • Access control: Row‑Level Security (RLS) enforced at the database level on 88 of 89 tables — every query is scoped to the authenticated user.
  • Two‑factor authentication (2FA): TOTP via Google Authenticator / Authy / 1Password, available on web and mobile (Settings → Privacy & Security). Once enrolled, sessions are forced to AAL2 by middleware — a stolen password alone does not grant access.
  • Backup codes: 10 single‑use recovery codes generated when you enable 2FA. Hashes only are stored; plaintext is shown to you once. Lose your phone, recover with a code — and 2FA is auto‑disabled until you re‑enroll.
  • Mobile token storage: auth tokens kept in Keychain (iOS) / Keystore (Android), backed by hardware where available — never in plain‑text storage.
  • Plaid tokens: encrypted at rest, never logged. Webhook signatures verified with Plaid's official JWS (jose).
  • Bank credentials: Plaid handles OAuth — Wälo never sees your bank username or password.
  • Incident response: security events logged and alerted; users notified within 72 hours of confirmed breach (per GDPR Art. 33).

5. Your Rights (CCPA + GDPR)

You have the following rights regardless of where you live, because we apply the strictest standards globally:

  • Right to access: request a complete export of your data via Settings → Account → Export Data, delivered as JSON within 30 days.
  • Right to deletion ("right to be forgotten"): Settings → Account → Delete Account. Permanent deletion within 30 days, with backups purged within 90 days.
  • Right to correction: edit any field in Settings, or contact privacy@walomoney.com.
  • Right to data portability: the export above is machine-readable.
  • Right to opt out of "sale": we do not sell your data, so this right is auto-honored.
  • Right to non-discrimination: exercising your rights does not affect your service or pricing.
  • Right to object to processing: request limitation via privacy@walomoney.com.

California residents: under CCPA, you may also request "do not sell my personal information" — already the default at Wälo.

6. Data Retention

  • Active accounts: data kept as long as the account is active.
  • Inactive accounts: after 24 months of no logins, we email you a warning. After 36 months total, account and all data are deleted.
  • Deleted accounts: permanent deletion within 30 days; backups purged within 90 days.
  • Plaid tokens: revoked immediately on account deletion or bank disconnect.
  • Forwarded emails: raw email content deleted within 7 days of parsing; only the structured transaction is retained.
  • Analytics: anonymized after 90 days; never tied to deleted accounts.
  • Legal holds: we may retain specific records longer if required by US law (subpoena, audit).

7. Cookies and Tracking

We use only essential cookies (authentication, locale preference, CSRF protection). We do not use third-party advertising cookies. Optional analytics (PostHog or Plausible) anonymize all traffic, do not track across sites, and do not require consent banners under most jurisdictions because no personally identifiable information is sent.

8. Children's Privacy

Wälo is not directed at children under 18. We do not knowingly collect data from minors. If you believe a child has created an account, contact privacy@walomoney.com and we will delete it immediately.

9. International Transfers

Wälo is a US-based service. If you access it from outside the US, your data may be transferred to and stored in the United States. For EU residents, we rely on Standard Contractual Clauses (SCCs) for transfers under GDPR.

10. Changes to This Policy

We may update this policy. We will notify you of material changes (new third parties, new data uses) by email at least 15 days before they take effect. Minor changes (clarifications, typos) take effect immediately and are reflected in the "Last updated" date.

11. Contact

Privacy questions, data requests, or concerns:
privacy@walomoney.com
We respond within 5 business days.


This policy is provided in good faith and reflects our current practices. It is not legal advice. We recommend you consult independent legal counsel for your specific situation.