Privacy Policy
Last updated: January 29, 2024
Effective date: January 29, 2024
1. Introduction
Welcome to Glynto ("we," "our," or "us"). We are committed to protecting your privacy and handling your personal and financial information with care and transparency. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our personal finance management service ("Service").
By using Glynto, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
Important: We use third-party service providers, including Plaid Technologies, Inc. ("Plaid") for bank account connections (when available) and Stripe, Inc. ("Stripe") for payment processing. By using our Service, you acknowledge and consent to the collection and use of your information by these third parties as described in this policy and their respective privacy policies.
2. Information We Collect
2.1 Personal Information You Provide
When you create an account and use our Service, we collect:
- Account Information: Email address and password (encrypted)
- Profile Information: Currency preferences, display settings, timezone, and other customization options
- Communication Data: When you contact us for support, we collect your name, email address, and the content of your messages
2.2 Financial Data You Provide
You voluntarily provide us with financial information to use the Service, including:
- Account Information: Names of financial institutions, account types (cash, credit, brokerage, tracking), account balances, and account currencies
- Transaction Data: Transaction dates, descriptions, amounts, categories, statuses, merchant, and notes
- Investment Holdings: Security symbols, quantities, purchase prices, cost basis information, and realized/unrealized gains or losses
- Category Data: Custom categories, budgets, and spending patterns
- Reimbursement Information: Tracking of business expenses, loans, and amounts owed
Important: We do NOT collect or store your actual bank account credentials, credit card numbers, or banking passwords. When bank account connection features become available, such connections are handled securely through Plaid, and we only receive read-only access to the transaction data you authorize us to access.
2.3 Information Collected Automatically
When you access our Service, we automatically collect certain information:
- Device Information: Device type, operating system, browser type and version, unique device identifiers
- Usage Data: Pages visited, features used, time spent on pages, navigation paths, click data
- Technical Data: IP address, browser cookies and similar tracking technologies, server logs
- Performance Data: Error reports, crash logs, and diagnostic information
2.4 Information from Third-Party Sources
Plaid (Bank Account Connections - Coming Soon): When you choose to connect your bank accounts through Plaid, we receive transaction data, account balances, securities, and account information from Plaid based on your authorization. Plaid's use of your information is governed by Plaid's Privacy Policy.
Market Data Providers: We use third-party services to fetch real-time security prices for your investment holdings. We only share security symbols (e.g., "AAPL", "TSLA") with these providers, not your personal information or holdings data.
Foreign Exchange Rate Providers: We fetch real-time FX rates from market data providers to calculate multi-currency net worth. No personal information is shared with these providers.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 To Provide and Maintain Our Service
- Create and manage your account
- Process and display your financial data
- Calculate net worth, investment performance, and category statistics
- Import transactions from CSV files
- Generate reports and analytics
- Synchronize data across your devices
3.2 To Communicate With You
- Send service-related notifications (e.g., account changes, security alerts)
- Respond to your questions, comments, and support requests
- Send important updates about the Service, privacy policy changes, or terms updates
- With your consent, send promotional emails about new features or beta programs (you may opt out at any time)
3.3 To Improve and Develop Our Service
- Analyze usage patterns to understand how users interact with features
- Identify bugs, performance issues, and areas for improvement
- Develop new features based on user needs and feedback
- Conduct research and testing to improve user experience
3.4 For Security and Fraud Prevention
- Detect, prevent, and investigate security incidents, fraud, or abuse
- Monitor for suspicious activity or unauthorized access
- Verify user identity and authenticate access
- Protect the rights and safety of Glynto, our users, and the public
3.5 For Legal Compliance
- Comply with applicable laws, regulations, and legal processes
- Enforce our Terms of Service and other policies
- Respond to lawful requests from government authorities
4. Third-Party Services and Data Sharing
4.1 Plaid (Bank Account Connections - Coming Soon)
When bank account connection features become available, you will have the option to connect your bank accounts using Plaid Technologies, Inc. Plaid is a trusted third-party service used by thousands of financial applications to securely access financial data.
What Plaid Does:
- Plaid provides a secure connection between Glynto and your financial institutions
- Plaid uses read-only access—they cannot move money or make transactions on your behalf
- Plaid collects your financial institution login credentials directly, which we never see or store
- Plaid retrieves transaction data and account balances based on your authorization
Data Shared with Plaid:
- Financial institution login credentials (you provide directly to Plaid, not to us)
- Your consent and authorization to access specific accounts
Data We Receive from Plaid:
- Account information (account type, balance, currency, institution name)
- Transaction history (date, description, amount, category suggestions)
- Security holdings
Plaid's Privacy Practices: Plaid's collection and use of your information is governed by Plaid's Privacy Policy. We encourage you to review their privacy practices. Plaid is committed to data privacy and security and complies with applicable data protection regulations.
Your Control: You may disconnect bank accounts at any time from your Glynto account. When you disconnect, we will no longer fetch new data via Plaid, but historical data already imported will remain in your account unless you delete it.
4.2 Stripe (Payment Processing - When Paid Tiers Launch)
Coming soon
4.3 Infrastructure and Hosting Providers
We use trusted service providers to host and operate our Service:
- Supabase: Database hosting and authentication services. Supabase provides enterprise-grade security with encryption at rest and in transit.
- Cloud Hosting Providers: We use cloud infrastructure providers for application hosting, data storage, and backups. All data is stored in secure, SOC 2 compliant data centers with encryption. All servers are secured and protected with private keys. All accounts are secured with MFA.
4.4 Analytics Services
We may use analytics services to understand how users interact with our Service. These services collect anonymized usage data, such as pages visited, features used, and navigation patterns. Analytics tools are self-hosted. We do not share any data with any analytics providers.
4.5 Other Data Sharing
We do NOT sell your personal or financial data to third parties. We may share your information only in these limited circumstances:
- With Your Consent: When you explicitly authorize us to share your data with a third party
- Service Providers: With trusted vendors who perform services on our behalf (e.g., customer support, email delivery, infrastructure) under strict confidentiality agreements
- Legal Requirements: When required by law, subpoena, court order, or government investigation
- Safety and Security: To protect the rights, property, or safety of Glynto, our users, or the public
- Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred to the new entity (you will be notified and given the option to delete your account)
5. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience and collect usage data.
5.1 What Are Cookies?
Cookies are small text files stored on your device by your web browser. They help us recognize you, remember your preferences, and improve our Service.
5.2 Types of Cookies We Use
- Essential Cookies: Required for the Service to function (e.g., authentication, session management). These cannot be disabled.
- Functional Cookies: Remember your preferences and settings (e.g., currency selection, theme preference)
- Analytics Cookies: Help us understand how users interact with the Service (e.g., page views, feature usage)
- Third-Party Cookies: Plaid and Stripe may set cookies when you interact with their services
5.3 Your Cookie Choices
You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. However, disabling essential cookies may limit your ability to use certain features of the Service.
For more information about cookies and how to manage them, visit www.allaboutcookies.org.
6. Data Security
We implement industry-standard security measures to protect your data from unauthorized access, disclosure, alteration, or destruction.
6.1 Security Measures
- Encryption: All data is encrypted in transit using TLS 1.2+ (HTTPS) and at rest using AES-256 encryption
- Authentication: Secure JWT-based authentication with Supabase. Passwords are hashed using bcrypt with salting.
- Access Controls: Role-based access controls limit employee and system access to personal data on a need-to-know basis
- Infrastructure Security: Secure, SOC 2 compliant cloud infrastructure with firewalls, intrusion detection, and DDoS protection
- Regular Audits: We conduct regular security audits, vulnerability assessments, and penetration testing
- Backups: Automated daily backups with encryption and off-site storage for disaster recovery
- Monitoring: Monitoring for suspicious activity, unauthorized access, and security incidents
6.2 Your Responsibility
- Use a strong, unique password for your Glynto account
- Enable two-factor authentication when available
- Do not share your password or account credentials
- Log out when using shared or public devices
- Keep your email account secure (it's used for account recovery)
6.3 No Guarantee
While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. If you suspect unauthorized access to your account, please contact us immediately at security@glynto.com.
7. Your Privacy Rights
You have certain rights regarding your personal data. The specific rights available to you may depend on your location and applicable laws.
7.1 Rights Available to All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate or incomplete information
- Deletion: Request deletion of your account and all associated data
- Export: Download your data in portable formats (CSV, JSON)
- Opt-Out: Unsubscribe from marketing emails (service-related emails cannot be opted out while you have an account)
- Object: Object to certain data processing activities
7.2 How to Exercise Your Rights
You can exercise most rights directly through your account settings:
- Update Information: Edit your profile, preferences, and settings
- Export Data: Use the "Export Data" feature to download your financial data
- Delete Account: Use the "Delete Account" option in settings (irreversible)
For other requests or assistance, contact us at privacy@glynto.com. We will respond to requests within 30 days (or as required by applicable law).
8. Data Retention
We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.
8.1 Active Accounts
While your account is active, we retain all your financial data, transaction history, settings, and usage data to provide the Service.
8.2 Account Deletion
When you delete your account, we permanently delete your personal and financial data within 30 days, except:
- Data required to comply with legal obligations (e.g., tax records, transaction records for financial audits)
- Data needed to resolve disputes, enforce agreements, or prevent fraud
- Anonymized, aggregated data that cannot be linked back to you
- Backup copies (purged within 90 days)
8.3 Inactive Accounts
If your account is inactive for more than one year, we may contact you to confirm whether you wish to keep your account active. If we cannot reach you or you do not respond, we may delete your account and data after providing 60 days' notice.
9. International Data Transfers
Glynto operates globally, and your data may be transferred to, stored in, and processed in countries other than your own. These countries may have data protection laws that differ from your country.
When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission for EU data transfers
- Reliance on adequacy decisions by regulatory authorities
- Compliance with Privacy Shield frameworks (where applicable)
- Data Processing Agreements with third-party service providers
By using our Service, you consent to the transfer of your data as described in this Privacy Policy.
10. Children's Privacy (COPPA Compliance)
Our Service is not intended for children under 13 years of age (or 16 in the European Economic Area). We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@glynto.com. We will promptly delete the information.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
11.1 Right to Know
You have the right to request:
- Categories of personal information we collect about you
- Specific pieces of personal information we hold
- Categories of sources from which we collect personal information
- Our business or commercial purposes for collecting personal information
- Categories of third parties with whom we share personal information
11.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, fraud prevention).
11.3 Right to Opt-Out of Sale
We do NOT sell your personal information.
11.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. You will not receive a different level of service or be charged different prices.
11.5 How to Exercise CCPA Rights
To exercise your CCPA rights, contact us at privacy@glynto.com with "CCPA Request" in the subject line. We will verify your identity before processing requests and respond within 45 days.
12. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
12.1 Legal Basis for Processing
We process your personal data under the following legal bases:
- Contractual Necessity: To provide the Service you requested (e.g., creating an account, processing transactions)
- Legitimate Interests: To improve our Service, prevent fraud, and ensure security (where not overridden by your rights)
- Consent: Where you have given explicit consent (e.g., marketing emails, optional features)
- Legal Obligation: To comply with applicable laws and regulations
12.2 GDPR Rights
Under GDPR, you have the right to:
- Access: Obtain a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Restriction: Limit how we use your data in certain circumstances
- Data Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
- Lodge a Complaint: File a complaint with your local data protection authority
12.3 How to Exercise GDPR Rights
Contact us at privacy@glynto.com with "GDPR Request" in the subject line. We will respond within 30 days.
12.4 Data Protection Officer
For GDPR-related inquiries, you may contact our privacy team at privacy@glynto.com.
13. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of discovering the breach
- Describe the nature of the breach, data affected, and potential impact
- Explain the steps we are taking to address the breach and prevent future incidents
- Provide guidance on actions you can take to protect yourself
- Notify relevant regulatory authorities as required by law (e.g., GDPR, CCPA)
If you suspect a security incident, please report it immediately to security@glynto.com.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notice of Changes: We will notify you of material changes by:
- Posting the updated Privacy Policy on this page with a new "Last Updated" date
- Sending an email notification to the address associated with your account
Your Acceptance: Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, please stop using the Service and delete your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email Addresses:
- General Privacy Inquiries: privacy@glynto.com
- Security Concerns: security@glynto.com
- Legal Matters: legal@glynto.com
- Support: support@glynto.com
We will respond to your inquiry within 30 days (or as required by applicable law).
Note to Regulators and Partners: This Privacy Policy complies with applicable data protection regulations including GDPR (EU), CCPA (California), COPPA (Children's Privacy), and PCI-DSS standards. We are committed to transparency and user privacy. For partnership or compliance inquiries, contact legal@glynto.com.