SpendFlow
Privacy Policy

Your privacy matters to us

Last updated: December 9, 2025

SpendFlow ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our bill pay migration assistant service. Please read this policy carefully. By using SpendFlow, you consent to the practices described in this Privacy Policy.

Information We Collect

Personal Information You Provide

  • Account Information: Email address, password (stored as a secure hash), and name (optional).
  • Bank Selection: The name of your new bank or credit union.
  • Coupon Codes: Any promotional codes you apply to your account.

Financial Information (via Plaid)

When you connect your bank account through Plaid, we access:

  • Transaction History: Up to 24 months of transactions to identify recurring payments.
  • Account Details: Account names, types (checking/savings), and masked account numbers (last 4 digits only).

Information We Do NOT Collect

  • Your bank login credentials (these go directly to Plaid)
  • Full account numbers or routing numbers
  • Account balances
  • The ability to initiate transactions or transfers

How We Use Your Information

We use your information solely to provide and improve the SpendFlow service:

  • Identify Recurring Payments: Analyze your transaction history to detect subscriptions, bills, and auto-debits.
  • Create Your Migration Checklist: Generate a personalized list of payments to update when switching banks.
  • Track Progress: Save your migration progress so you can continue where you left off.
  • Provide Rewards: Deliver milestone rewards from your new bank when you reach migration goals.
  • Improve Our Service: Understand usage patterns to enhance the user experience.

Data Security

We implement industry-standard security measures to protect your data:

Encryption

  • Password Hashing: All passwords are hashed using bcrypt with 12 salt rounds before storage.
  • Token Encryption: Bank access tokens are encrypted using AES-256-GCM with unique initialization vectors.
  • Data in Transit: All data is transmitted over HTTPS with TLS encryption.

Plaid Security

We use Plaid, a trusted financial data aggregator used by thousands of apps including Venmo, Robinhood, and Coinbase. Plaid is SOC 2 Type II certified and undergoes regular security audits. Your bank credentials are entered directly into Plaid's secure interface - we never see them.

Data Sharing & Third Parties

We Do Not Sell Your Data

We never sell, rent, or trade your personal or financial information to third parties for marketing purposes.

Limited Sharing

We may share information only in these circumstances:

  • Service Providers: With Plaid for bank connectivity and our database hosting provider for data storage.
  • Partner Banks: Anonymized, aggregated statistics may be shared with participating banks (never individual user data).
  • Legal Requirements: If required by law, court order, or government request.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to you).

Your Rights & Choices

  • Access Your Data: You can view all recurring payment data in your account dashboard.
  • Disconnect Your Bank: You can disconnect your bank connection at any time from your account settings. This removes the Plaid access token and all bank account data.
  • Delete Your Account: Contact us to request complete deletion of your account and all associated data.
  • Data Portability: Request a copy of your data in a machine-readable format.

Data Retention

We retain your data only as long as necessary to provide our services:

  • Account Data: Retained until you delete your account.
  • Bank Connection: Plaid tokens are deleted when you disconnect your bank.
  • Recurring Items: Deleted when you disconnect your bank or delete your account.

Children's Privacy

SpendFlow is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. Your continued use of SpendFlow after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: privacy@spendflow.app