Privacy Policy

Who we are

Navazia Pulse ("Pulse," "we," "us") is a personal finance app operated by [LEGAL ENTITY NAME, TBD], a California limited liability company. Our mailing address is [BUSINESS ADDRESS, TBD].

You can reach us at:

• General questions: support@navaziapulse.com
• Privacy questions or data requests: privacy@navaziapulse.com

What we collect

Information you give us directly

• Account information: your first name, last name, email address, and password (which we store as a one-way hash — we never see your actual password).
• Optional contact: WhatsApp number (only if you provide it, used for coaching messages you opt into).
• Location context: ZIP code (optional, used to personalize cost-of-living advice).
• Onboarding context: information you share during signup to help us personalize the app — household size, income range, pets, and similar lifestyle questions.
• Financial data you upload: bank, credit card, and loan statements you upload as PDF files, plus any transactions, bills, goals, or accounts you enter manually.
• Your preferences: language, theme, background, notification settings, and similar.

Information we collect automatically

• Timezone: we detect your browser's timezone so timestamps in our emails are shown in your local time.
• IP address for security events: when you request a password reset or email verification, we record the IP address that made the request. This helps us detect abuse. We do NOT log IP addresses for normal app activity.
• Browser storage: we use your browser's local storage to remember your language and theme preferences, and session storage to keep you signed in. We do NOT use tracking cookies.

Information from third parties

Currently: none. We only have data you give us directly. In the future, if you connect a bank account via Plaid (a planned feature for the Plus tier), we would receive transaction data from your bank through Plaid. We will update this policy and notify you before introducing such features.

How we use your information

• To run the app: show you your transactions, balances, bills, goals, debts, and loans; categorize spending; calculate savings recommendations and debt payoff plans.
• To process statements with AI: when you upload a statement, we send the PDF to Anthropic's Claude AI to extract transactions, balances, and other structured data. See "AI processing" below for details.
• To send you transactional emails: account verification, password resets, password-change confirmations, and (if you opt in) coaching messages.
• To improve the app: understanding which features get used (in aggregate, not at the individual level).
• To keep the app safe: detecting abuse, fraud, or unauthorized access.
• To comply with the law: responding to legal requests, enforcing our Terms.

AI processing — what you should know

This deserves its own section because it's where many users have questions.

When AI sees your data

• Statement parsing: when you upload a PDF statement, the entire document is sent to Anthropic's Claude AI. This includes account numbers, names, addresses, every transaction line, and balances visible in the PDF. The AI must read the whole document to extract structured data. We do NOT redact or sanitize the PDF before sending — doing so would prevent the AI from doing its job.
• Transaction categorization: transaction descriptions (e.g. "STARBUCKS #1234 SEATTLE WA") are sent to AI to suggest categories.
• Coaching and tips: when you ask the AI a financial question, a limited summary of your financial context (recent transactions, account summaries) is sent so the AI can give relevant advice.

What Anthropic does with your data

We use Anthropic's commercial API, which has stronger privacy protections than its consumer products. Under Anthropic's Commercial API terms:

• Your data is never used to train Anthropic's AI models.
• API logs are retained for approximately 7 days for service operation and abuse prevention, then automatically deleted.
• Anthropic does not share your data with other API customers or for advertising.

You can read Anthropic's commercial terms at anthropic.com/legal/commercial-terms.

Who we share your information with

We do not sell your personal information. We do not share it for advertising or marketing.

We share information only with these service providers, who help us run the app:

• Supabase — our database provider. They host the data we store on your behalf. Supabase privacy policy
• Netlify — our website and server hosting. They handle traffic, including IP-level information at the infrastructure level. Netlify privacy policy
• Anthropic — AI processing for statement parsing, categorization, and coaching, under their Commercial API terms (see above).
• Resend — sends our transactional emails (welcome, password reset, etc.). Resend privacy policy
• Stripe — payment processing for paid tiers (when those launch). Stripe handles card data directly; we never see your full card number. Stripe privacy policy

We may also share information when legally required (court order, subpoena, valid legal process) or to protect rights, safety, and property.

Potential future sharing — partner deals

We are exploring features that may, in the future, offer you personalized partner deals (such as discounts on services that fit your spending patterns). If we introduce such features, we will update this policy before the change takes effect, and any such sharing will require your explicit opt-in. You will never be enrolled in partner-data-sharing without your active consent.

Business transfers

If Pulse is acquired by, merged with, or sells substantially all of its assets to another company, user information may transfer as part of that transaction. We will notify you by email and via the app if this happens, so you can review the new owner's privacy practices before continuing.

How long we keep your data

• Active accounts: we keep your data for as long as your account is active.
• Inactive accounts: if you don't sign in for 24 months, we will email you a warning at 18 and 23 months, and automatically delete your account and data at 24 months of inactivity.
• Deleted accounts: when you delete your account, we mark it for deletion immediately (you lose access right away). The data is kept in a recoverable state for 30 days, during which you can email privacy@navaziapulse.com to restore it. After 30 days, all your personal data is permanently and irreversibly deleted from our systems.
• Backups: our backups are encrypted and rotate on a 30-day cycle. Your deleted data is fully purged from backups within 30 days of deletion.
• Legally required records: if you've made payments through Stripe (when paid tiers launch), we may keep transaction receipts for the period required by tax law, typically 7 years. These records contain only payment metadata, not your detailed financial data.
• Anthropic logs: as noted above, Anthropic retains API logs for approximately 7 days, independent of our retention. We have no ability to delete those logs faster.

Your rights

We give the same rights to all users, regardless of which state or country you live in. These rights include:

• Access: see what data we have about you. You can do this directly in the app, or email us for a complete export.
• Download: get a copy of your data in a portable format (we offer a "Download My Data" feature in Settings).
• Correction: fix any incorrect data. You can edit most things directly in the app; email us if you can't.
• Deletion: delete your account and all your data (in-app, or by emailing us).
• Object to processing: tell us to stop using your data for specific purposes. Note that some processing is required to run the app — if you object to all processing, the practical effect is account deletion.
• Not be discriminated against: we won't degrade your service or charge you more for exercising any of these rights.

To exercise any of these rights, email privacy@navaziapulse.com. We respond within 30 days for most requests (45 days for complex ones, with notice).

California residents (CCPA / CPRA)

If you live in California, you have specific rights under the California Consumer Privacy Act. These are largely the same as the rights listed above, plus:

• The right to know the specific categories of personal information we have collected about you and the categories of sources.
• The right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising, so this is a non-event — but you have the right anyway.
• The right to limit use of "sensitive personal information." Our use of sensitive personal information (such as account numbers in statements) is strictly limited to providing the service you requested.

You may also authorize an agent to make a request on your behalf. We will verify the agent's authorization before responding.

How we protect your information

• Encryption in transit: all traffic between your device and our servers uses TLS encryption (HTTPS).
• Encryption at rest: Supabase encrypts stored data using industry-standard methods.
• Password protection: we store passwords as one-way hashes, not in plain text. We are working to upgrade our hashing to bcrypt (an industry standard for password security).
• Limited access: only the founder and (in the future) authorized employees can access user data, and only when necessary to support, debug, or improve the app.
• No payment data on our servers: when Stripe launches, your full credit card information is handled by Stripe directly and never touches our servers.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you promptly as required by law.

Children

Pulse is not intended for users under the age of 18. We do not knowingly collect data from anyone under 18. If you believe a child under 18 has created an account, please email privacy@navaziapulse.com and we will delete the account.

International users

Pulse is currently offered to users in the United States only. We are not actively serving users in the European Union, United Kingdom, or other jurisdictions outside the US. If you are accessing Pulse from outside the US, your data will be processed in the US, where data protection laws may differ from those in your country. By using Pulse, you consent to this processing.

Changes to this policy

We may update this policy from time to time. If we make material changes (changes that meaningfully affect your rights or how we use your data), we will notify you by email and via the app at least 30 days before the change takes effect. The "Last updated" date at the top of this policy tells you the most recent version.

Contact us

Privacy questions: privacy@navaziapulse.com
General support: support@navaziapulse.com
Mailing address: [BUSINESS ADDRESS, TBD]

© [YEAR] Navazia Pulse. All rights reserved.