Privacy Policy
Effective date: June 26, 2026
Last updated: June 26, 2026
1. Introduction
This Privacy Policy describes how Blipstack, LLC ("Company," "we," "us," or "our"), operator of the Know Your Cashflow service ("Service"), collects, uses, discloses, and protects information about individuals who use the Service. It applies to data collected through our web application at https://app.knowyourcashflow.app and through any related services or integrations described below.
The Service is intended for use only by individuals who are 18 years of age or older and located in the United States. By using the Service, you confirm you meet these requirements.
If you have questions about this policy, contact us using the information in Section 14.
2. Information we collect
We collect the following categories of information:
2.1 Information you provide directly
- Account information. Your name, email address, password (stored hashed, never in plaintext), and any profile preferences you set.
- Financial data you enter manually. Cash account balances, asset positions, debts, recurring income and expenses, goals, and any notes you attach to those records.
- Reseller / account-holder identifiers. If you access the Service through a reseller, we receive identifiers that link your data to that reseller's organization.
2.2 Information collected automatically through linked institutions
When you connect a bank, brokerage, or crypto-exchange account, our service providers (see Section 4) retrieve the following on your behalf, with your authorization:
- Bank account balances and account metadata (institution name, account type, last four digits of the account number).
- Cryptocurrency holdings and balances from exchanges you connect with read-only API keys.
- Historical price data for assets you track (publicly available market data; not personally identifying).
We do not retrieve full transaction histories, account numbers, routing numbers, or any data used for money movement. The Service is read-only with respect to your linked accounts.
2.3 Information collected automatically when you use the Service
- Log data. IP address, browser type and version, operating system, pages visited within the Service, timestamps, and similar diagnostic information.
- Cookies and similar technologies. Strictly necessary cookies for session management and authentication. We do not use advertising or cross-site tracking cookies.
3. How we use information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Authenticate you and protect your account from unauthorized access.
- Compute the aggregations, projections, performance metrics, and insights that are the core product (e.g., net worth, monthly closes, time-weighted returns).
- Communicate with you about your account, security alerts, service updates, and material changes to this policy.
- Detect, investigate, and prevent fraudulent or unauthorized activity, and enforce our terms of service.
- Comply with applicable laws and respond to lawful requests from authorities.
We do not use your information to train artificial intelligence or machine learning models on your personal financial data. We do not sell, rent, or trade your personal information.
4. How we share information
We share information only as described below.
4.1 With service providers acting on our behalf
We share information with vendors who help us operate the Service. These vendors are contractually required to protect your information and use it only for the purposes we authorize. Current categories of service providers include:
- Hosting and database — Railway (production hosting and PostgreSQL database).
- Bank-data aggregation — Plaid Inc. We use Plaid to enable you to connect bank accounts. Plaid's privacy policy applies to data collected directly by Plaid and is available at https://plaid.com/legal/.
- Cryptocurrency-exchange integrations — Kraken and Gemini APIs, accessed using read-only API keys you provide. We do not initiate transactions or money movement on your linked exchange accounts.
- Authentication — WorkOS (identity and single-sign-on provider).
- Property valuation — RentCast (publicly available property valuation data).
- Price feeds — Alpha Vantage (stocks/ETFs), CoinGecko (crypto), Finnhub (institution logos), fawazahmed0/currency-api via jsDelivr CDN (precious metals). These providers receive only ticker symbols, asset identifiers, or in the case of RentCast a property address — not personally identifying information about you.
4.2 With resellers (multi-tenant arrangements)
If you accessed the Service through a reseller, the reseller has a limited administrative view of your account scoped to the contractual service they provide you. Resellers are bound by data-processing agreements that require them to protect your information consistent with this policy. The reseller cannot access another reseller's customer data, and we do not commingle data across resellers.
4.3 With other users you authorize (concierge access)
If you grant a secondary user concierge or read-only access to your account, that user can see the data you have authorized them to see. You can revoke their access at any time from your account settings.
4.4 For legal reasons
We may disclose information if we believe in good faith that disclosure is necessary to: comply with a subpoena, court order, or other legal process; protect the rights, property, or safety of Company, our users, or the public; investigate fraud or security incidents; or as otherwise required by law.
4.5 Business transfers
If we are involved in a merger, acquisition, financing, or sale of all or part of our business, your information may be transferred as part of that transaction. We will notify you (e.g., by email and a notice on the Service) before your information becomes subject to a different privacy policy.
4.6 We do not sell your personal information
We do not sell your personal information for monetary or other valuable consideration. We do not share your personal information with third parties for their own marketing purposes.
5. Data security
We use technical and organizational safeguards designed to protect your information from unauthorized access, alteration, disclosure, or destruction. These safeguards include:
- Encryption in transit. All connections to the Service use HTTPS / TLS.
- Encryption at rest. Sensitive credentials, including Plaid access tokens and exchange API keys, are encrypted at rest using AES-256-GCM with keys held outside the database.
- Access controls. Production systems that store consumer data require multi-factor authentication. Administrative access is limited to personnel with a documented business need.
- Network isolation. Our database is not directly reachable from the public internet.
- Monitoring. We log administrative actions and review them periodically for anomalies.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we work continuously to improve our safeguards.
If we become aware of a security incident affecting your information, we will notify you and applicable regulators as required by law.
6. Data retention
We retain personal information for as long as your account is active and for a reasonable period afterward to satisfy legal, regulatory, tax, accounting, or reporting obligations. Specifically:
- Account data and financial records you entered. Retained while your account is active. Deleted within 30 days of account closure unless we are required to retain it longer for legal reasons.
- Linked-institution access tokens. Revoked and deleted immediately upon disconnection or account closure.
- Server logs. Retained for up to 90 days, then deleted.
- Backups. May contain data for up to 35 days after the live data was deleted; backups are then rotated.
- Information required by law. Retained only for the period required by the applicable law (e.g., transaction-related records required by financial regulations).
7. Your rights and choices
Regardless of where you live, you have the following rights with respect to your information:
- Access. Request a copy of the personal information we hold about you.
- Correction. Request that we correct inaccurate information.
- Deletion. Request that we delete your information. You can initiate this by closing your account in settings; this will trigger deletion subject to the retention timelines in Section 6.
- Portability. Request a machine-readable export of your information.
- Withdrawal of consent. Disconnect any linked bank or exchange account at any time from the Connectors page. This revokes our access and triggers deletion of the associated access tokens.
- Communication preferences. Opt out of non-essential emails.
To exercise any of these rights, contact us using the information in Section 14. We will respond within 30 days. We may need to verify your identity before fulfilling the request.
8. California residents (CCPA / CPRA)
If you are a California resident, in addition to the rights in Section 7, you have the right to:
- Know the categories and specific pieces of personal information we collect, use, disclose, and sell about you.
- Request that we not "sell" or "share" your personal information. We do not sell or share personal information for cross-context behavioral advertising, so there is no opt-out to exercise.
- Request that we limit our use of "sensitive personal information" (including financial account information) to providing the Service. We already limit our use of this information to what is necessary to provide the Service.
- Be free from discrimination for exercising any of your rights.
To submit a request, contact us using the information in Section 14. We will respond as required by California law.
9. Children's privacy
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child under 18, we will delete it. If you believe a child under 18 has provided us personal information, contact us using the information in Section 14.
10. International users
The Service is offered for use within the United States. If you access the Service from outside the United States, you do so on your own initiative and are responsible for compliance with local laws. By using the Service, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your jurisdiction.
11. Third-party links and integrations
The Service may contain links to third-party websites or integrate with third-party services (e.g., Plaid Link). This Privacy Policy does not cover those third parties. We encourage you to read their privacy policies before providing them with information.
12. Automated decision-making
We use algorithms to compute aggregations, forecasts, projections, and insights from the data you enter. These computations are informational and do not constitute financial, investment, tax, or legal advice. We do not use automated decision-making to make decisions that produce legal or similarly significant effects about you.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and post a prominent notice on the Service before the changes take effect. The "Last updated" date at the top of this policy reflects the most recent revision. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.
14. Contact us
Questions, comments, or requests regarding this Privacy Policy or your information should be directed to:
Blipstack, LLC
Corona, California, United States
Email: [email protected]
We will respond to all reasonable inquiries within 30 days.