Privacy Policy

At Savida, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application. Please read this privacy policy carefully.

1. Information We Collect

App Privacy Summary

We collect the following data types to operate Savida:

We do not sell data. We do not use collected data for cross-app tracking unless you grant permission (see Section 5 below).

Personal Information

When you create an account, we collect:

• Name and email address
• Profile picture (optional)
• Authentication credentials (managed by Supabase Auth)
• Device information (device ID, operating system)

Financial Information

When you connect financial accounts, we collect:

• Account names and numbers (last 4 digits only)
• Account balances and transaction history
• Transaction amounts, dates, and merchant information
• Account types and financial institution names
• Income and expense patterns for budgeting insights

Analytics and Usage Data

• App usage patterns and feature interactions
• Session duration and frequency
• Crash reports and error logs
• Performance metrics
• Device information (model, OS version, screen resolution)

2. How We Use Your Information

We use your information to:

• Provide and maintain our service
• Track your income, expenses, and financial transactions
• Generate budgets, insights, and financial reports
• Send notifications about your financial goals and budgets
• Provide AI-powered financial coaching (Premium feature)
• Improve our app through analytics and user feedback
• Detect and prevent fraud or unauthorized access
• Comply with legal obligations

3. Third-Party Services

Our app integrates with third-party services. Below are comprehensive disclosures for each service:

Plaid for Bank Connections

We use Plaid Inc. ('Plaid') to link your financial accounts to Savida. Plaid's services are governed by their Privacy Policy at https://plaid.com/legal/.

When you link accounts through Plaid:

• You authorize Plaid to access and transmit your financial account information
• Plaid collects account details, balances, and transaction data from your financial institution
• This data is encrypted using bank-level security (AES-256 and TLS)
• You can manage connected accounts and revoke access at any time through Plaid Portal (my.plaid.com)
• Plaid does not sell your financial data to third parties

OpenAI for AI Financial Coach

Before first use of AI Financial Coach, we ask your permission in-app for AI data sharing. When enabled, we send pseudonymized text to our AI provider (OpenAI API). We remove direct identifiers (name, email, account IDs) and do not include full account numbers or bank credentials.

• We request explicit in-app permission before sending any data to OpenAI
• Your financial data is analyzed to generate personalized insights
• We use OpenAI's GPT models to process pseudonymized data
• OpenAI does not use API data to train models by default
• OpenAI retains data for up to 30 days for abuse monitoring, then deletes it (subject to legal holds)
• We can enable Zero-Data Retention for eligible enterprise use cases
• Coach conversation history is retained for 90 days in our system
• Sunday prompts are stored temporarily (7 days maximum)
• Deleting your account removes all AI coaching data from our systems
• For more info: https://platform.openai.com/docs/guides/your-data

Supabase for Authentication

We use Supabase for secure user authentication and account management. Supabase processes your email address, password (encrypted), and authentication tokens to provide secure login. Your authentication data is encrypted in transit and at rest. You can delete your account and associated data in Settings → Account → Delete Account. Privacy policy: https://supabase.com/privacy

Firebase for Analytics and Services

We use Google Firebase services for app functionality, analytics, and crash reporting. Firebase collects:

• Device information (device model, operating system, screen resolution)
• App usage data (features used, session duration)
• Analytics identifiers (Firebase installation IDs)
• Crash reports and error logs
• Performance metrics

Firebase uses cookies and mobile identifiers. Data is used for app improvement, personalization, and bug fixing. For more information, see Google's Privacy Policy at https://policies.google.com/privacy.

Amplitude for Behavioral Analytics

We use Amplitude to analyze app usage and user behavior to improve Savida. Amplitude processes:

• User events (actions taken in the app)
• Device information (device model, OS version)
• Session data (app opens, session duration)
• User properties (account status, subscription tier)

We do not share personally identifiable information beyond what's necessary for analytics. Amplitude does not sell user data to third parties. Your data is encrypted in transit and at rest. You can request deletion of your data by contacting [email protected]. Learn more at https://amplitude.com/privacy.

Microsoft Clarity for Session Recording

We partner with Microsoft Clarity to capture how you use and interact with Savida through behavioral metrics, heatmaps, and session analysis using the native iOS SDK. This helps us improve our product and user experience.

Clarity collects:

• Masked screen recordings of your app interactions
• Heatmaps (clicks, scrolls, interactions)
• Device data (device type, screen resolution, operating system)
• Session details (pages visited, time spent, navigation patterns)

We mask fields that may contain personal or financial data (including account numbers, amounts, names, and passwords). Session recordings are never stored on your device. App usage data is captured using first-party technologies. Microsoft may use this data for product improvement and advertising purposes. For more information, visit https://privacy.microsoft.com/privacystatement.

For EEA, UK, and Switzerland users: We obtain your consent before collecting this data as required by GDPR. Session recording is OFF by default unless you consent.

Sentry for Error Monitoring

We use Sentry for error tracking and application monitoring. Sentry collects crash reports, error logs, device information (device model, OS version), and performance metrics. This data is used solely to identify and fix bugs and improve app stability. Sentry does not collect advertising identifiers or track users across apps. Data is encrypted in transit (TLS/HTTPS) and at rest (AES-256). For more information, visit https://sentry.io/privacy/.

4. How We Share Your Information

We do not sell, trade, or rent your personal information. We share your information only in these situations:

• With service providers who assist in app operations (Plaid, Supabase, OpenAI, Firebase, hosting providers)
• With analytics partners (Amplitude, Microsoft Clarity, Sentry) to improve app performance
• With group members for shared expense features (limited to transaction details)
• When required by law or to respond to legal process
• To protect our rights, privacy, safety, or property
• With your consent or at your direction
• In connection with a merger, sale, or acquisition of our business

Our service providers (Plaid, Supabase, OpenAI, Firebase, Sentry, Microsoft Clarity, Amplitude) must provide the same or stronger protections as this policy (per Apple Guideline 5.1.1). Each provider operates under their respective privacy policies, linked in Section 3 above.

5. Your Consent & Controls

AI Financial Coach Permission

AI Financial Coach is optional. Before your data is sent to OpenAI, we show an in-app permission prompt that explains exactly what data is sent and who receives it. You can allow or decline. You can change this anytime in Settings → Data & Privacy → AI Data & Consent.

• Allowing enables AI coaching and personalized weekly insights
• Declining keeps AI Coach disabled and no coach data is sent to OpenAI
• You can withdraw consent at any time in-app

Permissions and Settings

We request only the permissions we need, and we explain why before iOS shows a system prompt. You can change permissions in iOS Settings → Savida and manage analytics/session recording in Savida → Settings → Security → Privacy. Opting out of analytics or session recording does not limit core budgeting/expense features.

EEA/UK/Switzerland Users

For users in the EEA, UK, and Switzerland: Analytics and session recording are disabled by default. You will be asked to opt in when first using the app.

App Tracking Transparency

If any data we or our partners collect is used to track you across apps or websites, iOS will present the App Tracking Transparency prompt and we'll only proceed if you tap Allow. Currently, tracking features are feature-flagged and not active. When enabled in the future, you will have full control over tracking permissions.

Your Control Over Analytics

You can control data collection in Settings → Security → Privacy:

• Analytics toggle: Controls Amplitude usage tracking
• Screen Recording toggle: Controls Microsoft Clarity session recording
• Both can be disabled at any time
• Disabling does not affect core app functionality

6. Data Security

We implement industry-standard security measures:

• 256-bit TLS encryption for all data transmissions
• Encryption at rest for sensitive data storage (AES-256)
• Secure authentication through Supabase
• No storage of banking credentials (handled by Plaid)
• Regular security audits and vulnerability assessments
• Access controls and employee training
• SOC 2 Type II compliance for our infrastructure providers

7. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Specifically:

• Active account data is retained indefinitely
• Deleted account data is removed within 30 days
• Backup data is purged within 90 days
• AI coach conversation history: 90 days
• Sunday prompts: 7 days maximum
• Aggregated analytics data may be retained indefinitely
• Legal compliance data retained as required by law

8. Your Privacy Rights

You have the right to:

• Access your personal information
• Correct inaccurate or incomplete data
• Request deletion of your account and data
• Export your financial data
• Opt-out of non-essential communications
• Opt-out of analytics and screen recording
• Control data collection preferences in the app's privacy settings
• Disconnect linked financial accounts at any time
• Withdraw consent for data processing

Account Deletion (in-app)

You can delete your account at any time in Savida → Settings → Account → Delete Account. Deleting your account removes your profile and financial data from our active systems within 30 days and from backups within 90 days, except where we must retain information to comply with law, prevent fraud, or resolve disputes.

California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

Categories of Personal Information We Collect:

• Identifiers: Name, email address, device ID
• Financial Information: Account balances, transaction history (last 4 digits only)
• Internet Activity: App usage data, interaction patterns
• Geolocation Data: Region/country (not precise location)

Business Purposes for Collection:

• Providing core app services (budgeting, expense tracking, financial insights)
• Personalizing user experience and recommendations
• Analyzing app usage to improve features and performance
• Detecting and preventing fraud or security threats
• Customer support and communication

Categories of Third Parties We Share With:

• Service providers: Plaid (financial data), Supabase (authentication), Firebase (analytics)
• Analytics partners: Amplitude, Microsoft Clarity
• Error monitoring: Sentry
• AI services: OpenAI (pseudonymized data only)

Your CCPA Rights:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information we hold about you
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your rights
• Right to data portability

We do not sell your personal information to third parties. To exercise your CCPA rights, contact us at [email protected].

European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, you have rights under GDPR:

Legal Basis for Processing:

• Consent: For analytics, session recording, and marketing communications
• Contract: To provide core app services (budgeting, expense tracking)
• Legitimate Interests: For app security, fraud prevention, and service improvement

Your Rights:

• Right to access your personal data
• Right to rectification (correct inaccurate data)
• Right to erasure ('right to be forgotten')
• Right to restrict processing
• Right to data portability
• Right to object to automated decision-making
• Right to withdraw consent at any time
• Right to lodge a complaint with supervisory authorities

Data Protection Officer: For privacy inquiries related to GDPR, contact our Privacy Officer at [email protected].

U.S. State Privacy Rights

Residents of certain U.S. states (including Virginia, Colorado, Connecticut, and Utah) have similar rights to access, delete, and correct their data, which we will honor. Please contact us to exercise any applicable rights under state law.

Canadian Privacy Rights

Canadian residents have rights under PIPEDA including the right to access, correct, and delete personal information. For privacy inquiries, contact our Privacy Officer.

9. Children's Privacy

Savida is not intended for children. We do not knowingly collect personal information from anyone under the age of 13 (or under 16 in regions where a higher age threshold applies, such as the European Union). If we discover that a child under the applicable age has provided us with personal information, we will delete such information from our systems.

10. International Data Transfers

Your information may be transferred to and processed in the United States or other countries where our service providers operate. These countries may have different data protection laws than your country of residence. We ensure appropriate safeguards are in place for such transfers.

If you are located in Canada, the EEA, UK, or other regions with data transfer restrictions, we rely on appropriate legal mechanisms (such as Standard Contractual Clauses) to ensure your data is protected when transferred to the US.

11. Cookies and Local Storage

Our mobile app uses local storage for:

• Authentication tokens
• User preferences and settings
• Cached financial data for offline access
• App state and navigation history

12. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will provide additional notice through the app or email.

13. Contact Us

We provide this Privacy Policy in English. If you require it in another language, please contact us.

If you have questions about this Privacy Policy or your data, please contact us: