Privacy Policy

Third-Party Services We Use

Trupocket relies on the following third-party services to operate:

Future Services (Not Yet Implemented)

We plan to integrate the following services in the future:

• Marketing Email Services: MailChimp, SendGrid, or similar (you can opt-out)

• Financial Data Providers: Plaid, Yodlee, or similar (for bank account synchronization)

We will notify you via email when these services are introduced and update this Privacy Policy accordingly.

Data We Collect

• Account Information: Email address, name

• Authentication Data: OAuth tokens (validated per-request via AWS Cognito; tokens are not stored by Trupocket)

• Financial Data: Transactions, accounts, budgets, categories, hashtags, payees you manually enter

• Usage Data: Rate limit counters (24-hour retention in Redis cache), error logs (30-day retention)

• IP Addresses: Temporary collection for rate limiting on unauthenticated endpoints (register, sign-in, verify-email). Stored in Redis cache for 24 hours, then automatically deleted. Not logged or stored permanently.

• Subscription Data: Plan type, billing status, payment history (processed via Stripe)

Web Application Data

When you use the Trupocket web application, certain data is stored locally in your browser:

Cookie Policy

Current Implementation: Trupocket API is completely cookie-free. We use Bearer token authentication via the Authorization header instead of session cookies.

Metrics Collection

We collect basic performance metrics to improve our service, including:

• API response times

• Error rates and types

• Feature usage statistics (aggregated and anonymized)

Important: Metrics are aggregated and anonymized. We do not sell or share individual user metrics with third parties.

Marketing Communications (Future)

In the future, we may send marketing emails about new features, updates, and promotions. You will be able to:

• Opt-out of marketing emails at any time via unsubscribe link

• Continue receiving critical transactional emails (password reset, billing notifications)

What We NEVER Do

• Never sell your data to third parties

• Never share individual user data with advertisers or data brokers

• Never use your financial data for purposes other than providing the service

Transaction Data Retention

While your account is active, all transaction data you enter is stored indefinitely regardless of your subscription plan. There are no automated data retention cutoffs or deletions. Your subscription plan determines what data is displayed and processed:

• Free Plan: Most recent 90 days of data displayed and processed

• Premium Plan: Most recent 2 years of data displayed and processed

• Developer Plan: All historical data displayed and processed

Important: Data outside your plan's access window is never deleted. It remains securely stored but is not included in calculations, reports, or API responses. This ensures a seamless experience when upgrading or downgrading your plan. If you delete your account, see the Account Deletion section below.

Specific Retention Periods by Data Type

Different types of data are retained for different periods:

• Transaction Data: Retained indefinitely (access limited by your plan)

• Account Information: Retained while account is active + 7 years after deletion (for tax and legal compliance)

• Authentication Logs: Managed by AWS Cognito (see AWS Cognito privacy policy)

• Error Logs: 30 days retention in AWS CloudWatch

• Payment Records: 7 years (required by law for tax purposes)

• Marketing Preferences: Until you opt-out or close your account

• Rate Limit Counters: 24 hours (Redis cache with automatic expiration)

Account Deletion

You may request account deletion at any time by contacting [email protected].

• We will delete all personally identifiable information within 30 days

• Aggregated, anonymized metrics may be retained for service improvement

• Legal and financial records (invoices, payment history) may be retained for compliance purposes (7 years)

Subscription Lapse & Downgrade

• Payment Failure: 7-day grace period before downgrade to Free plan

• Cancellation: Service continues through end of current billing period, then downgrades to Free plan

• Non-Destructive Downgrade: All data is preserved when downgrading to Free plan (older data just becomes inaccessible per plan limits)

California Residents (CCPA Compliance)

If you are a California resident, you have the right to:

• Access: Request a copy of all personal data we have collected about you

• Deletion: Request deletion of your personal data (subject to legal retention requirements)

• Opt-Out: Opt-out of data selling or sharing (we do not sell or share your data)

• Non-Discrimination: We will not discriminate against you for exercising your privacy rights

• Correct Inaccurate Information: Request correction of inaccurate personal data

To exercise these rights, contact us at [email protected].

Global Privacy Control (GPC)

Current Status: Trupocket does not sell or share your personal data with third parties for advertising, marketing, or cross-context behavioral purposes. Because we do not engage in these practices, GPC signals do not trigger any action.

• No data selling/sharing: We do not sell or share your personal information as defined by CCPA/CPRA

• No tracking: We do not use advertising cookies, behavioral tracking, or cross-site tracking

• Future commitment: If we ever begin selling or sharing data in ways that require GPC compliance, we will implement automated GPC signal detection and provide 30 days notice

You can still manually opt-out of any data practices by contacting [email protected].

Nevada Residents

Nevada law allows residents to opt-out of the "sale" of personal information:

• We do not sell personal information as defined by Nevada law

• If our practices change, we will provide you with opt-out mechanisms

• Contact [email protected] to exercise Nevada privacy rights

Data Export Process

You have the right to receive a copy of your personal data in a portable format:

• How to Request: Email [email protected]with subject "Data Export Request"

• Identity Verification: We will verify your identity by confirming your account email

• Format: Data will be provided in JSON format (machine-readable)

• Timeline: Data export will be provided within 45 days (usually within 7 days)

• Contents: Includes all transactions, accounts, budgets, categories, hashtags, payees, and account settings

• Frequency: You may request data export once every 12 months at no charge

Financial Regulation Exemptions (GLBA)

Important disclosure about regulatory exemptions:

• Certain financial data is subject to the Gramm-Leach-Bliley Act (GLBA)

• GLBA-covered data may be exempt from certain CCPA requirements

• You still retain the right to request access and deletion of non-exempt data

• We will clearly indicate if any data is exempt from your privacy request

US-Only Service (No GDPR Compliance at Launch)

Trupocket is currently available only to US residents. We are not GDPR-compliant at launch. International support may be added in the future, at which time we will comply with applicable international privacy laws.

Security Measures

We implement industry-standard security measures to protect your data:

• Encryption in Transit: All API communication uses HTTPS/TLS 1.3

• Encryption at Rest: Database hosted in private VPC subnets with AWS Secrets Manager for credential storage

• Secure Authentication: OAuth 2.0 via AWS Cognito with multi-factor authentication support

• Access Controls: Role-based access control (RBAC) for internal systems

• Regular Security Audits: Ongoing monitoring and vulnerability assessments

• Penetration Testing: Annual third-party security audits (planned)

Important: No system is 100% secure. While we implement industry-standard security practices, we cannot guarantee absolute security. You are responsible for protecting your account credentials.

Data Breach Notification

In the event of a data breach affecting your personal information:

Security Certifications

Current Status: Trupocket is an early-stage product (MVP). We have not yet obtained third-party security certifications.

• SOC 2: Not yet certified

• ISO 27001: Not yet certified

• PCI DSS: Not applicable - we do not store credit card data (handled by Stripe)

We implement industry-standard security practices as described above. Formal certifications may be pursued as the service matures.

Open Banking & Data Portability (Section 1033 CFPB Rule)

Compliance Date: April 1, 2026 (for covered financial institutions)

Under the Consumer Financial Protection Bureau's Personal Financial Data Rights Rule, you have the right to:

• Access Your Data: Request access to at least 24 months of transaction history

• Transfer Your Data: Transfer your financial data to authorized third parties

• Revoke Access: Revoke third-party access at any time

• No Fees: Access and transfer your data free of charge

Bank Account Synchronization (Planned)

When we introduce bank account synchronization via Plaid, Yodlee, or similar services:

• You will authorize Trupocket to access your bank accounts on your behalf

• Your bank credentials and transaction data will be shared with the third-party financial data provider

• We will update this Privacy Policy and notify you via email 30 days before launching this feature

• Additional terms and consent will be required before connecting bank accounts

• You can disconnect bank accounts at any time

Age Restriction

You must be 18 years or older to use Trupocket.

Children's Privacy (COPPA Compliance)

Trupocket is not intended for children under 18 years of age:

• We do not knowingly collect personal information from anyone under 18

• We do not knowingly collect data from children under 13 (COPPA requirement)

• If we discover we have collected data from a child under 13, we will delete it immediately

• Parents: If you believe your child has provided us with personal information, contact [email protected] immediately

Third-Party Links

Trupocket may contain links to third-party services (Stripe, AWS, Plaid, etc.). We are not responsible for the privacy practices of these external services. Please review their privacy policies before using them.

Policy Updates

We may update this Privacy Policy from time to time. When we make material changes:

• We will notify you via email 30 days before the changes take effect

• The "Last Updated" date at the top of this page will be updated

• Continued use of the service after changes take effect constitutes acceptance

• You may close your account if you do not agree to the changes

Legal Requests & Compliance

We may disclose your information if required by law, court order, or government request, including:

• Compliance with subpoenas, warrants, or legal processes

• Protection of Trupocket's legal rights and property

• Investigation of fraud, security incidents, or violations of our Terms of Service

• Compliance with financial regulations (AML, KYC, etc.)

• Protection of the safety of our users or the public