Privacy Policy
Last updated: May 2026
1. Introduction
At Zeteo, our foundation is built on the belief that your financial data is yours and yours alone. This Privacy Policy explains in plain English how we collect, use, protect, and handle your personal information when you use our app and website.
Our promise to you: We do not sell your personal or financial data to anyone. You are our customer, not our product.
2. Information We Collect
We only collect information necessary to provide you with financial clarity:
- Information you provide to us: This includes your name, email address, and login credentials when you create an account.
- Financial Information: To power your budgets and forecasts, we retrieve your account balances, transaction history, and institutional data. We do this exclusively through our secure partner, Plaid (more on that below).
- Usage & Device Information: We automatically collect anonymous diagnostic data, such as your device type, operating system version, and how you navigate the app. This helps us squash bugs and improve the experience.
3. Third-Party Integrations (Plaid)
Your security is paramount. We do not ask for, see, or store your bank usernames or passwords. Instead, we use Plaid Inc. ("Plaid") to securely connect to your financial institutions.
When linking an account, you will provide your credentials directly to Plaid, and they provide us with a secure, read-only token to access your transaction data. Information shared with Plaid is treated by Plaid in accordance with their privacy policy, which we strongly encourage you to review: Plaid End User Privacy Policy. Zeteo users can manage or disconnect their bank connections directly within the Zeteo app or through the Plaid Portal.
4. How We Use Your Information
We use your data strictly to operate and improve Zeteo:
- To provide our core services, such as 30-day forecasting, rollover budgeting, and group expense splitting.
- To perform smart auto-categorization and recurring subscription detection.
- To respond to your customer support inquiries.
- To track app performance and squash bugs.
5. Legal Basis for Processing (GDPR)
For users in the EU/EEA, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Performance of contract (Art. 6(1)(b)) |
| Connecting your bank accounts via Plaid | Performance of contract; explicit consent |
| Analyzing transactions and managing budgets | Performance of contract |
| Sending push notifications | Consent (you may withdraw at any time in device settings) |
| Product analytics (PostHog — anonymized) | Legitimate interests — improving the service |
| Error monitoring (Sentry — PII-scrubbed) | Legitimate interests — maintaining service reliability |
| Marketing communications | Consent (separate opt-in required) |
6. How We Share Your Information
As stated above, we do not sell your data. However, we do share data with trusted service providers to run our platform, under strict confidentiality agreements:
- Service Providers: We use Supabase and AWS for secure database hosting, Plaid for bank connections, PostHog for product analytics, Sentry for error monitoring, and Firebase (Google) for push notifications via Firebase Cloud Messaging. (Note: We scrub Personally Identifiable Information before it hits our crash reporters.)
- Firebase (Google LLC): We use Firebase Cloud Messaging (FCM) to deliver push notifications to your device. Your device push token is shared with Firebase solely for this purpose. Google's privacy policy governs Firebase's handling of this data. Firebase is a Google service operating under Google's Data Processing Addendum.
- Legal Requirements: We may disclose information if required to do so by law, court order, or subpoena.
- Business Transfers: If Zeteo is involved in a merger, acquisition, or sale of assets, your data may be transferred, but it will remain subject to the promises made in this Privacy Policy.
7. Analytics and Tracking Technologies
We use the following analytics and monitoring tools:
- PostHog: We capture anonymized in-app usage events (e.g., which features you use, which screens you visit) to understand how users interact with Zeteo and improve the product. These events do not include your financial data, account balances, or personally identifiable information. You may opt out of analytics in app settings.
- Sentry: We capture error reports when the app crashes or encounters an unexpected error. These reports include technical stack traces and device metadata. Personal and financial data is scrubbed before transmission to Sentry.
We do not use advertising identifiers (IDFA) or participate in cross-app tracking. Zeteo complies with Apple's App Tracking Transparency framework.
8. Data Security, Breach Notification, and Retention
We protect your data with multiple verifiable security controls:
- Encryption: Data is encrypted in transit using 256-bit TLS encryption. Your data is encrypted at rest using industry-standard encryption managed by our infrastructure provider, Supabase (hosted on AWS), including AES-256 encryption at the storage layer. Sensitive credentials such as bank connection tokens are further protected using Supabase Vault's authenticated encryption.
- Isolation: We employ Row-Level Security (RLS) on our databases, ensuring that your data can mathematically only be accessed by you.
- Sessions: For your security, sessions expire after 7 days of inactivity. You will be prompted to sign in again after this period.
- Vulnerability reporting: If you believe you have discovered a security vulnerability in Zeteo, please report it responsibly to security@zeteoapp.com. We are committed to acknowledging reports within 48 hours and working with researchers in good faith.
- Breach Notification: In the event of a data breach that poses a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada as required by PIPEDA.
- Retention: We retain your data only for as long as your account is active. After account deletion, your personal and financial data is removed from our active database within 30 days. Encrypted backup copies maintained by our infrastructure provider (Supabase/AWS) may persist for up to an additional 30 days beyond that date before being permanently purged as part of the backup rotation cycle. Anonymized, non-re-identifiable aggregated data may be retained indefinitely for service improvement purposes.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
- Right to Data Portability: Request your data in a machine-readable format (JSON or CSV) to transfer to another service. Data portability exports will be provided in JSON or CSV format via email within 30 days of a verified request.
- Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
- Right to Object: Object to our processing of your data where we rely on legitimate interests as our lawful basis.
- Right to Opt-Out of Sale (California): We do not sell your personal data. This right is satisfied by our data practices.
- Right to Non-Discrimination (California): We will not discriminate against you for exercising any CCPA rights.
To exercise any of these rights, contact us at privacy@zeteoapp.com or use the account management settings in the app. We will respond within 30 days. For GDPR portability requests, we will provide data within 30 days in JSON or CSV format.
If you are an EU/EEA user, you also have the right to lodge a complaint with your local data protection supervisory authority at any time.
As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the British Columbia Personal Information Protection Act (PIPA). We believe all our users deserve strong protections worldwide.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by CPRA:
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We use your financial data only to provide the service you requested.
- Right to Non-Discrimination: We will not discriminate against you for exercising these rights.
To submit a California privacy request, email privacy@zeteoapp.com or use the account settings in the app. We will respond within 45 days (extendable to 90 days with notice).
11. Children's Privacy
Zeteo is intended for users 18 years of age or older. If we become aware that a user under 18 has created an account, we will suspend the account and delete all associated personal data within 24 hours of identification.
12. Changes to this Policy
We may update this policy as we add new features (like AI insights) or as regulations change. When we make material changes, we will notify you via email or a prominent notification within the app.
13. Governing Law
This Privacy Policy is governed by the laws of the Province of British Columbia, Canada, except where preempted by applicable law.
Notwithstanding the foregoing choice of law, nothing in this Privacy Policy limits any rights you may have under applicable data protection laws in your jurisdiction, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), PIPEDA, or PIPA.
14. Contact Us
We believe in transparency. If you have questions about how we handle your data, or wish to exercise your privacy rights, please reach out to us at privacy@zeteoapp.com.