PRIVACY POLICY

1. Information We Collect

We collect information you voluntarily provide, including your name, email address, quiz/intake form responses, customer Stripe ID (for billing), authentication metadata (last login, verification status), and — on Advanced tiers only — AI Coach conversation transcripts.

Payment card details are processed directly by Stripe and are never stored on our servers. We retain only Stripe-issued customer and subscription identifiers for fulfillment and refund handling.

We also collect minimal technical metadata (IP address, user agent, request timestamp) for security, rate limiting, and fraud prevention. This is retained for up to 90 days and is not joined to your account for marketing or profiling.

2. How We Use Information

Your information is used to deliver the personalized blueprint PDF, run the AI Coach conversations on paid tiers, send transactional and lifecycle email, communicate about your purchase, improve service quality, and respond to inquiries. We do not sell or rent your personal data, and we do not use behavioral advertising.

3. Data Storage & Security

Customer data is stored in Supabase (Postgres) with row-level security enforced and forced; only service-role keys held by our server can read or modify rows. Hosting region: US (AWS us-east-1). Data is encrypted in transit (TLS) and at rest. Access to operational consoles is restricted to authorized personnel.

4. Third-Party Services

We rely on a small set of trusted vendors to operate the service. Each operates under its own privacy policy:

• Stripe — payment processing, subscription billing, customer portal, and refund handling. Your card details are submitted directly to Stripe.
• Resend — transactional and lifecycle email delivery. Open and click events are logged via webhook for delivery troubleshooting and bounce/complaint suppression.
• Supabase — Postgres database and storage for customer records, blueprints, and email logs. Hosted in the US.
• Anthropic— Claude language models power the AI Wealth Coach (Compass and Atlas tiers). Your AI Coach prompts are sent to Anthropic for inference and may be retained per Anthropic's commercial terms.
• Vercel — application hosting and edge delivery; minimal request logs retained for ~30 days.

5. Cookies & Analytics

MoneySmith uses functional cookies required to keep you signed in to the dashboard and to remember pricing toggles. We do not use invasive tracking, ad networks, third-party retargeting, or interest-cohort cookies.

6. Your Rights

You may request access, correction, deletion, restriction of processing, or a portable data export by emailing support@moneysmith.one. We respond within 30 days. Stripe-side billing records are retained per Stripe's tax and compliance requirements and may persist after deletion of your MoneySmith account.

California (CCPA / CPRA): California residents have the right to know what categories of personal information we collect, to delete it (subject to legal-retention exceptions), to correct inaccuracies, and to opt out of any sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.

EU / UK (GDPR): If you are in the EU or UK, you have the right to access, rectify, erase, restrict, and port your data, and to lodge a complaint with a supervisory authority. Our lawful basis for processing is (a) performance of the service contract you accepted at signup, (b) your explicit consent for AI Wealth Coach processing, and (c) our legitimate interest in maintaining security and preventing abuse.

7. Data Retention

Account data is retained while your account is active and for 24 months after cancellation to support reactivation, dispute resolution, and tax compliance. AI Coach transcripts are retained for 12 months unless you request earlier deletion. Security and audit logs are retained for 90 days. Stripe billing records follow Stripe's retention policy and may persist longer.

8. International Transfers

Data is stored in the United States (AWS us-east-1). If you access the service from outside the US, you consent to transfer of your data to the US. Where required, we rely on standard contractual clauses and our vendors' published transfer mechanisms for cross-border data flows.

9. Children

MoneySmith is intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a minor has provided us with data, contact support@moneysmith.one and we will delete it.

10. Security

We use commercially reasonable safeguards including TLS in transit, encryption at rest, Supabase row-level security with enforced + forced policies, scoped service-role keys, rate limiting, and audit logging. No system is perfectly secure; you are responsible for using a strong unique password and notifying us of any suspected unauthorized access.

11. Policy Updates

This Privacy Policy may be updated periodically. The "last updated" date at the top reflects the most recent revision. Material changes will be summarized here and, where appropriate, communicated by email to active subscribers.

Changelog 2026-05-19: added tiered data-collection summary, named Aeocraft LLC as operator, expanded user rights with CCPA/CPRA + GDPR detail, added retention, international-transfer, and security sections, added technical-metadata disclosure. Renumbered sections.

Changelog 2026-05-07: added explicit Resend, Supabase, and Anthropic disclosures; clarified storage region; documented AI Coach prompt handling; added age 18+ note; added "last updated" date format.

12. Contact

For privacy questions, data requests, or to report a concern, contact support@moneysmith.one. Operator of record: Aeocraft LLC.