Privacy

Straight answers. No legal template. If this isn't enough, don't use the tool.

What we store

Transaction rows: date, merchant, amount, category, source (Amazon/Amex/etc.), last-4 of the card if visible, the order_id if it's from an Amazon email, notes/tags you add.
Your profile: the preferences you set in onboarding (tone, goals, income bracket) so Sol and the chat answer in your voice.
Your Google identity: Google account id, email, name, profile picture — only what Google returns on sign-in.
Raw screenshots and CSVs you uploaded: kept in Cloudflare R2 so we can re-extract if our models improve. Never the raw email bodies you forward.
Message-IDs of forwarded emails: just the ID, not the content. Used to prevent the same email being processed twice.

What we don't store

Full credit card numbers, CVVs, bank account numbers, routing numbers.
Full email bodies. Emails you forward are parsed once and the raw content is discarded within seconds.
Email envelope metadata (return paths, reply-to addresses) beyond what's needed for sender verification.
Shipping addresses, tracking numbers, product thumbnails.
Attachments from forwarded emails.

Where it lives

Cloudflare KV (for transactions and profile) and Cloudflare R2 (for raw screenshots you upload). Same infrastructure used by Stripe, Discord, and most modern web apps. Encrypted at rest by Cloudflare. TLS 1.2+ in transit. Sign-in via Google OAuth 2.0.

Who can see it

You can see it, when you're signed in. The session cookie is AES-GCM encrypted, HttpOnly, Secure, and tied to your Google account. Only a signed-in session can read or modify your records.

Christien (the operator) has technical access, because he runs the server. He doesn't read user records. He doesn't sell data. He doesn't run analytics on your transactions. If that's not enough trust, this tool is not for you — Monarch, Copilot, and YNAB each offer the same infrastructure-level access with a paid support contract.

Who we don't share with

No advertisers.
No data brokers.
No training data for third-party models. Your ledger is passed to Claude only when you chat, and only the slice needed to answer the question you asked.
No affiliate or referral tracking.

Delete everything

The "Delete all my data" button in your dashboard nukes every ledger record, every raw blob, your forwarding address, and your profile. It runs immediately and is not recoverable.

After delete, you can sign in again from zero if you ever want to come back.

Changes to this page

If we ever start collecting more than what's listed above, this page changes first. Last updated 2026-04-20.