Legal

Privacy Policy

Last updated: July 9, 2026 | Version 2.1

At SavingsBox, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our applications and website.

We do not sell your personal information. We do not share your data with advertisers. Identity documents and SSN data are processed exclusively by Stripe Identity and are never stored by The Savings Box Inc. Raw bank transaction data is analyzed in real-time and is never stored in our databases. AI coaching conversations are not persistently stored.

Terms of ServiceCancellation & Refund Policy

1. About this policy

This Privacy Policy describes how The Savings Box Inc. ("SavingsBox," "we," "us," or "our") collects, uses, stores, and shares your personal information when you use the SavingsBox and SavingsBoxPro mobile applications and the website at thesavingsbox.com (collectively, the "Services"). By using our Services, you agree to the collection and use of information in accordance with this Policy. We do not sell your personal information to third parties. We do not share your data with advertisers.

2. Information we collect

We collect information you provide directly, including: full legal name, email address, and password at registration; mobile phone number, verified via a one-time SMS passcode; and messages sent to finance professionals through the platform. Through Stripe Identity's hosted verification flow, we receive and store your verified full legal name, verified residential address, and the type of government ID used — we do not currently receive or store your date of birth, and we never receive or store the raw document image, selfie, or full Social Security Number (processed exclusively by Stripe). We also generate sanctions/PEP/adverse-media screening results for compliance purposes (see Section 3). We additionally collect: bank account information via Plaid (account numbers are not stored by SavingsBox — we receive a tokenized access reference); savings goals, box names, and contribution preferences; and professional credentials, license numbers, and availability (SavingsBoxPro users). We also automatically collect device type, operating system, app version, IP address, access times, app usage data, push notification tokens, crash reports, and transaction history within the platform.

3. Identity verification (Stripe Identity) and sanctions/PEP screening

To comply with federal KYC/AML requirements under the Bank Secrecy Act, we require identity verification before you may access financial features. This is a two-step process: (1) your mobile phone number is verified via a one-time SMS passcode (Twilio Verify), and (2) you complete Stripe Identity's hosted verification flow — a real-time capture of a government-issued photo ID and a matching selfie, processed entirely within Stripe's own systems. SavingsBox receives and stores your verified full legal name, verified residential address, and the type of ID used — we do not store raw identity documents, the selfie, full SSNs, or (in our current configuration) your date of birth. In addition, we screen your verified name and country of residence against sanctions (OFAC), politically-exposed-persons (PEP), and adverse-media databases through a third-party compliance provider (Verifex). If screening identifies a potential match, your account is restricted pending manual review by our Compliance Officer; verified users are also re-screened periodically as watchlists update. Stripe's Privacy Policy governs data processed by Stripe Identity. In states with biometric privacy laws (e.g., Illinois BIPA), Stripe's biometric data practices are governed by their terms and applicable law.

4. Bank account linking & transaction data (Plaid)

When you link your bank account through Plaid, you authorize SavingsBox and Plaid to access your bank account information, account balances, and transaction history. We store a Plaid access token on our secure server to enable ongoing access for features you have consented to. We do not store raw bank account numbers. Plaid's Privacy Policy (plaid.com/legal) governs data processed by Plaid. You may unlink your bank account at any time through app settings, which removes our access to your Plaid data. Bank linking and AI spending analysis are separate permissions — you may use one without the other.

5. AI spending analysis (Anthropic Claude API)

AI spending analysis is an opt-in feature. When you consent, SavingsBox retrieves your transaction history from Plaid for the selected period (30, 60, or 90 days), transmits an aggregated summary (categories, merchant names, transaction counts, and amounts) to Anthropic's Claude API for analysis, and returns AI-generated spending insights to you. Raw transaction data is NOT persistently stored by SavingsBox — it is retrieved in real-time, summarized, and discarded. Full account numbers, SSNs, and other sensitive identifiers are never transmitted to Anthropic. Your consent is recorded with a timestamp in your profile. You may revoke spending analysis consent at any time in Profile settings — this immediately prevents further transaction data access and analysis.

6. AI financial coach (Maya)

SavingsBox provides an AI-powered financial coach named Maya, powered by Anthropic's Claude API. When you interact with Maya, your messages are sent to Anthropic's API for processing and a response is returned to you. SavingsBox does not persistently store the full conversation history beyond the active session. When you have provided bank data consent, Maya may incorporate your spending patterns into its responses. Maya's responses are for informational and motivational purposes only and do not constitute financial, investment, legal, or tax advice. Maya clearly identifies itself as an AI within the app.

7. Personal Financial Summary (PFS)

When you book an appointment with a finance professional and consent to share your Personal Financial Summary, SavingsBox generates a PFS containing your financial health score, savings box progress, wallet balance, 90-day savings activity, bank linked status, identity verification status, and subscription tier. You may book an appointment without sharing a PFS. PFS data is stored with your appointment record and retained for 5 years. Finance professionals who receive your PFS are contractually prohibited from using it for any purpose other than providing the services you have booked.

8. Enterprise-sponsored professionals

Some finance professionals on SavingsBox are sponsored by enterprise partners (financial institutions that have contracted with SavingsBox). Enterprise-sponsored professionals offer sessions at $0 to users. If your professional is enterprise-sponsored, this is disclosed before you book. Basic appointment information (session date, completion status) may be shared with the sponsoring institution for reporting purposes. Individual user personal data, PFS contents, and financial information are NOT shared with enterprise partners.

9. How we use your information

We use information we collect to: verify your identity and comply with KYC/AML obligations under the Bank Secrecy Act; process savings contributions, withdrawals, subscription payments, and appointment payments; connect users with verified finance professionals; operate and improve the platform; personalize AI coach interactions (when bank data consent is provided); send appointment confirmations, push notifications, and account alerts; detect and prevent fraud, money laundering, and prohibited activities; screen users and professionals against OFAC, PEP, and adverse-media watchlists; comply with legal obligations including FinCEN 314(a) requests and court orders; and generate Personal Financial Summaries for appointment sessions (with your consent).

10. How we share your information

We share necessary data with licensed service providers: Stripe for payment processing, identity verification (Stripe Identity), and professional payouts (Stripe Connect); Twilio for phone number verification (SMS passcodes); Plaid for bank account linking and transaction data retrieval; Anthropic for AI coaching (Maya) and spending analysis; Verifex for sanctions/PEP/adverse-media screening (only your verified name and country of residence are shared for this purpose — never your date of birth, address, SSN, or any document/selfie data); Resend for transactional email delivery; Supabase for secure database storage (U.S. data centers); Expo/Apple for push notification delivery; and Render for cloud server hosting. We do not share your data with these providers for their own marketing purposes. We may also share information with finance professionals (PFS and documents, with your consent at booking), enterprise partners (aggregate session data only — not individual user data), and as required by law (court orders, government requests, SAR filings, OFAC compliance).

11. Legal and compliance disclosures

We may disclose your information when required by law to: comply with a court order, subpoena, or government request; respond to FinCEN 314(a) requests or National Security Letters as required by the Bank Secrecy Act; file Suspicious Activity Reports (SARs) with FinCEN when required; report blocked transactions to OFAC; or protect the rights, property, or safety of SavingsBox, our users, or the public. We are legally prohibited from disclosing that a SAR has been filed or that a National Security Letter has been received, if applicable.

12. Data retention

Account and profile data is retained for 5 years after account closure. Identity verification records are retained for 5 years (BSA requirement). Transaction records are retained for 5 years from transaction date (BSA requirement). Appointment records and PFS snapshots are retained for 5 years. Professional earnings records are retained for 7 years (IRS 1099 requirement). SAR and CTR filings are retained for 5 years. Sanctions/PEP/adverse-media screening records are retained for 5 years from the date of screening (BSA requirement). AI coaching conversations are not persistently stored. Raw Plaid transaction data is not stored — retrieved in real-time and discarded. Uploaded documents are retained for 2 years or upon deletion request (BSA minimums apply). After applicable periods expire, data is securely deleted or anonymized.

13. Your rights and choices

You may access and update your account information at any time through the app. You may request a copy of personal data we hold by contacting legal@thesavingsbox.com. You may request account deletion at legal@thesavingsbox.com — note that BSA-required records (transaction and identity records) are retained for legally mandated periods regardless of deletion requests. You may revoke bank linking or spending analysis consent at any time in app settings. You may opt out of push notifications through your device settings. You may opt out of marketing emails using the unsubscribe link.

14. California residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including: the right to know what personal information we collect and how it is used; the right to request deletion of personal information (subject to legal retention requirements); the right to opt out of the sale of personal information (we do not sell personal information); the right to correct inaccurate personal information; and the right to non-discrimination for exercising your privacy rights. To exercise California rights, contact legal@thesavingsbox.com. We will respond within 45 days.

15. Data security

We implement industry-standard security measures including: TLS 1.2+ encryption for all data in transit; encryption at rest for all stored data (via Supabase); Row Level Security (RLS) enforced at the database layer ensuring users can only access their own data; access controls limiting employee access to personal data on a need-to-know basis; Multi-Factor Authentication (MFA) for all administrative access; API keys and credentials stored exclusively as environment variables — never in source code; and regular security reviews. Stripe is PCI DSS Level 1 certified. Plaid and Supabase are SOC 2 Type II certified. No system is completely secure — notify us immediately at legal@thesavingsbox.com if you suspect unauthorized access to your account.

16. Children's privacy

SavingsBox is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child under 18 has provided us with personal information, contact us at legal@thesavingsbox.com and we will promptly delete such information.

17. Cookies

We use cookies and similar tracking technologies on our website to maintain session state and analyze traffic. You may configure your browser to refuse cookies. Our mobile applications do not use browser cookies.

18. Changes to this policy

We may update this Privacy Policy periodically. We will notify you of material changes via in-app notification and/or email at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Services after changes become effective constitutes acceptance of the updated policy.

19. Contact us

For privacy-related questions, requests, or to exercise your rights: Email: legal@thesavingsbox.com | Website: thesavingsbox.com/privacy | Mail: The Savings Box Inc., Privacy Officer, United States.

Questions about our privacy practices? Contact us at legal@thesavingsbox.com