Legal
Privacy Policy
Last updated: June 10, 2026
This Privacy Policy explains how Sumwright (“we,” “us,” or “our”) collects, uses, and protects information when you use the Sumwright applications and website (the “Service”). We built Sumwright to handle sensitive financial data, and protecting it is core to the product.
Information we collect
- Account information — your email and authentication details, managed through our identity provider (Supabase).
- Financial account data — when you link a bank or card, we receive read-only account balances and transaction history through Plaid. We do not receive or store your online-banking password.
- Usage & device data — basic app interactions and, if you opt in, a device push token so we can send you notifications (for example, when a payment you authorized settles).
- Subscription data — your entitlement status from our billing partners (Apple, Google, Stripe via RevenueCat / Stripe). We do not store full card numbers; payments are processed by those providers.
How we use information
We use your information to provide and improve the Service: to analyze your accounts and build your debt-payoff and cash-flow plans, to time and stage payments you authorize, to categorize transactions, to send notifications you’ve enabled, and to manage your subscription. We do not sell your personal information, and we do not use your financial data for advertising.
How we share information
We share data only with service providers that help us run the Service, under agreements that limit their use of it: Plaid (bank connectivity), Supabase (auth and database), our cloud hosting and push-notification providers, and our billing providers (Apple, Google, RevenueCat, Stripe). We may disclose information if required by law or to protect rights and safety. If Sumwright is involved in a merger or acquisition, data may transfer as part of that transaction, subject to this Policy.
How we protect it
- Data is encrypted in transit (TLS) and at rest.
- Each user can only access their own records — enforced at the database level with row-level security, not just in the app.
- Money movement requires your explicit, biometric-backed approval on your device; the approval is signed by a hardware-held key that never leaves your phone.
- Bank access via Plaid is read-only.
Your choices & rights
You can disconnect a linked institution at any time, which removes our ongoing access to that account. You may request access to or deletion of your personal data, and you can close your account, by emailing us. Depending on where you live, you may have additional rights under laws such as the CCPA/CPRA or GDPR; we honor applicable rights requests.
Data retention
We keep your information for as long as your account is active or as needed to provide the Service, and afterward only as required to comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we delete or de-identify your personal data within a reasonable period, except where retention is legally required.
Children
Sumwright is not directed to anyone under 18, and we do not knowingly collect personal information from children. If you believe a minor has provided us data, contact us and we will delete it.
Changes
We may update this Policy; material changes will be reflected by the “Last updated” date above and, where appropriate, by additional notice in the app.
Contact
Privacy questions or requests? Email support@sumwright.com.