Privacy Policy

Last updated: March 2026

Your money is serious. We built SpendShift knowing that trust is earned, not assumed. This policy explains exactly what data we collect, how we use it, and—critically—what we will never do.

            SpendShift will NEVER:
            Access, move, or transfer your money
Store your bank login credentials
Sell your data to third parties
Share your financial information with advertisers
Make purchases or transactions on your behalf
Share individual data with your employer (even for enterprise plans)

        

            SpendShift ALWAYS:
            Uses read-only bank access (we literally cannot move money)
Encrypts all data with AES-256 encryption
Allows you to delete all your data at any time
Processes data on secure, SOC 2-compliant infrastructure
Gives you full transparency about what data we hold

        

What Data We Collect

Account information: Your email address, used for authentication and communication. We use passwordless magic link authentication—we never store passwords.

Transaction data: When you connect your bank via Plaid, we import your transaction history (merchant names, amounts, dates, and categories). This is used exclusively to generate personalized challenges.

Challenge data: Your challenge completions, reflections, and streak information. This helps us personalize future challenges and track your progress.

Usage data: Basic analytics (pages viewed, features used) to improve the product. Never linked to your financial data.

How We Use Your Data

Personalized challenges: Transaction data is analyzed to generate relevant daily challenges based on your actual spending patterns.
Progress tracking: We track your streak and completion history so you can see your behavioral progress over time.
Product improvement: Aggregated, anonymized data helps us understand which challenge types are most effective.

Bank Connection (Plaid)

SpendShift uses Plaid to securely connect to your bank. Here's how it works:

Plaid acts as a secure intermediary between your bank and SpendShift.
Your bank credentials are handled exclusively by Plaid—we never see or store them.
We request read-only access to transaction data only. No ability to initiate transfers.
You can disconnect your bank at any time, and we'll delete the associated transaction data.

For more information, see Plaid's privacy policy.

Data Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
Our infrastructure runs on SOC 2-compliant cloud providers.
Access to production data is restricted and audited.
We conduct regular security reviews.

Data Retention & Deletion

You can delete your account and all associated data at any time. When you delete your account:

All transaction data is permanently deleted
All challenge history and reflections are permanently deleted
Your bank connection is revoked through Plaid
Your email is removed from our system

This process is irreversible and typically completes within 24 hours.

Third-Party Services

Plaid: Bank connection and transaction data retrieval
Hosting provider: Secure cloud infrastructure for running the application

We do not use advertising trackers, data brokers, or marketing analytics services that track individual behavior.

Your Rights

Access: You can request a full export of your data at any time.
Deletion: You can delete your account and all data at any time.
Portability: You can request your data in a machine-readable format.
Correction: You can update or correct your personal information.

Changes to This Policy

We'll notify you of any material changes via email before they take effect. Minor updates will be reflected in the "Last updated" date above.

Contact

Questions about your data or this policy? Reach us at privacy@spendshift.app