BuoyAI Privacy Policy

Effective Date: September 9, 2025
Last Updated: September 9, 2025

1. INTRODUCTION

BuoyAI ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our personal finance management application and services.

2. INFORMATION WE COLLECT

2.1 Personal Information

  • Account Information: Name, email address, username, and profile picture
  • Authentication Data: Encrypted passwords, Google OAuth tokens
  • Profile Data: Currency preferences, user settings

2.2 Financial Information (via Plaid)

  • Account Data: Bank account names, types, balances, and account numbers
  • Transaction Data: Transaction amounts, dates, merchant names, categories
  • Connection Data: Financial institution information and connection status

2.3 Usage Information

  • Application Usage: Pages visited, features used, session duration
  • AI Interactions: Queries submitted to AI services, responses generated
  • System Logs: Error logs, performance metrics, security events

2.4 Technical Information

  • Device Information: Browser type, operating system, IP address
  • Cookies: Session cookies for authentication and functionality
  • Security Data: Login attempts, suspicious activity detection
  • IP Geolocation: Approximate geographic location (city/region level) derived from IP address for security and fraud prevention purposes

3. HOW WE USE YOUR INFORMATION

3.1 Primary Services

  • Provide personal finance management and budgeting tools
  • Connect to your financial accounts through Plaid
  • Categorize and analyze your financial transactions
  • Generate AI-powered financial insights and recommendations
  • Detect and manage recurring subscriptions

3.2 Account Management

  • Create and maintain your user account
  • Authenticate your identity and secure your account
  • Detect suspicious login activity using IP-based geolocation (city/region level)
  • Provide risk-based security measures to protect your account
  • Provide customer support and respond to inquiries
  • Send important account and security notifications

3.3 Service Improvement

  • Analyze usage patterns to improve our services
  • Develop new features and functionality
  • Monitor and maintain system security and performance
  • Conduct research and analytics on financial trends

3.4 Anonymized Crowdsourced Subscription Detection

To improve our subscription detection accuracy for all users, we collect and aggregate anonymized pattern data when users confirm or dismiss detected subscriptions. This helps identify common subscription services and improve detection confidence.

What we collect (anonymized):

  • Normalized merchant names (e.g., "netflix", not your specific transaction details)
  • Typical subscription amount ranges (e.g., "$15-20/month")
  • Common billing frequencies (monthly, annual, etc.)
  • Aggregate confirmation and dismissal counts

What we DO NOT collect:

  • Your name, account details, or any personally identifiable information
  • Your specific transaction amounts or dates
  • Any data that could identify you or your financial activity
  • Individual user actions or patterns

Your Control:

  • By default, your confirmation/dismissal actions contribute to this anonymized database
  • You can opt out at any time in Settings > Privacy > Subscription Pattern Sharing
  • Opting out does not affect your subscription detection functionality
  • Previous anonymized data cannot be traced back to you

This feature helps improve subscription detection for the entire BuoyAI community while protecting your individual privacy.

4. INFORMATION SHARING AND DISCLOSURE

4.1 Third-Party Service Providers

Plaid Inc.

  • Purpose: Secure connection to your financial accounts
  • Data Shared: Bank account credentials, transaction data
  • Protection: All data transmitted through encrypted connections
  • Control: You can disconnect accounts at any time

Google Services

  • OAuth Authentication: For secure login via Google account
  • AI Services: For generating financial insights (anonymous/aggregated data only)
  • Data Protection: Subject to Google's privacy policies

4.2 We Do NOT Sell Your Data

  • We never sell, rent, or trade your personal or financial information
  • We do not share your data with advertisers or marketing companies
  • Financial data is used solely for providing our services to you

4.3 Legal Requirements

We may disclose your information when required by law or to:

  • Comply with legal process or government requests
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Enforce our terms of service

5. DATA SECURITY

5.1 Encryption Standards

  • Data in Transit: All communications encrypted with TLS 1.3
  • Data at Rest: Sensitive data encrypted with AES-256
  • Financial Tokens: Plaid access tokens encrypted before storage
  • Passwords: Hashed using BCrypt with salt

5.2 Security Measures

  • Authentication: Multi-factor authentication support
  • Access Controls: Role-based access and principle of least privilege
  • Container Security: Read-only filesystems and minimal capabilities
  • Monitoring: Continuous security monitoring and incident response

5.3 Infrastructure Security

  • Network Protection: Firewall rules and secure proxy configuration
  • Regular Updates: Automated security patches and vulnerability scanning
  • Backup Security: Encrypted backups with secure access controls

6. DATA RETENTION

6.1 Account Data

  • Active Accounts: Retained while your account is active
  • Closed Accounts: Deleted within 30 days of account closure
  • User Request: Immediate deletion upon verified user request

6.2 Financial Data

  • Transaction History: Retained for service functionality
  • Connection Data: Maintained while accounts are connected
  • AI Insights: Stored to improve personalization and avoid duplicates

6.3 Log Data

  • Security Logs: 90 days for security monitoring
  • System Logs: 30 days for operational purposes
  • Error Logs: 90 days for troubleshooting and improvement

7. YOUR RIGHTS AND CHOICES

7.1 Account Control

  • Access: View and download your personal data
  • Correction: Update incorrect or incomplete information
  • Deletion: Request deletion of your account and data
  • Portability: Export your data in a standard format

7.2 Connection Management

  • Disconnect Accounts: Remove bank connections at any time
  • Data Synchronization: Control when financial data is updated
  • Selective Access: Choose which accounts to connect

7.3 Privacy Settings

  • AI Features: Opt out of AI-powered insights
  • Subscription Pattern Sharing: Opt out of contributing anonymized subscription pattern data (see Section 3.4)
  • Data Processing: Control how your data is analyzed
  • Communications: Manage notification preferences

8. COOKIES AND TRACKING

8.1 Essential Cookies

  • Authentication: Required for secure login and session management
  • Security: Necessary for fraud prevention and security
  • Functionality: Enable core application features

8.2 No Third-Party Tracking

  • We do not use advertising cookies or tracking pixels
  • No data shared with social media platforms for tracking
  • No behavioral advertising or profiling for marketing

9. CHILDREN'S PRIVACY

BuoyAI is not intended for children under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately.

10. INTERNATIONAL DATA TRANSFERS

Your information may be processed in countries where we operate. We ensure appropriate safeguards are in place to protect your information when transferred internationally.

11. PRIVACY POLICY UPDATES

We may update this Privacy Policy periodically. We will notify you of significant changes by:

  • Posting the updated policy on our website
  • Sending email notifications for material changes
  • Providing in-app notifications when you next log in

12. CONTACT INFORMATION

For privacy-related questions or concerns, contact us at:

Email: privacy@buoy-ai.com
Subject Line: Privacy Policy Inquiry

For data deletion requests or exercising your privacy rights:

Email: privacy@buoy-ai.com
Subject Line: Data Rights Request

13. COMPLIANCE

This Privacy Policy complies with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Financial data protection standards
  • Plaid privacy and security requirements

Document Version: 1.0
Effective Date: September 9, 2025
Next Review: March 9, 2026

This Privacy Policy is part of our Terms of Service and governs your use of BuoyAI services.