COPIA CASH, INC. – Privacy Policy

Last updated: November 24, 2025

This Privacy Policy explains how Copia Cash, Inc. ("Copia," "we," "us," or "our") collects, uses, and protects your information when you use our budgeting and financial management services, including our website, web app, and any related tools (collectively, the "Service").

By creating an account or using the Service, you agree to this Privacy Policy.


1. What this policy covers

This Privacy Policy applies to:

  • Visitors to our website
  • Registered users of Copia
  • People who contact us for support or inquiries

It covers personal information we collect directly from you, from connected financial institutions via Plaid, and from third-party providers we use to operate the Service (such as Stripe, Clerk, AWS, Vercel, Google Gemini API, and Sentry).

This Policy does not cover how those third-party providers independently process your data under their own privacy policies.

Data Minimization and Purpose Limitation: We follow privacy by design principles and only collect personal information that is necessary to provide the Service. We use your information only for the purposes described in this Privacy Policy and do not use it for purposes incompatible with those described herein without your consent or as required by law.

Gramm-Leach-Bliley Act (GLBA) Compliance: If applicable, we comply with the Gramm-Leach-Bliley Act (GLBA) and maintain appropriate safeguards to protect your nonpublic personal information. We do not share your nonpublic personal information with nonaffiliated third parties except as described in this Privacy Policy or as permitted by law.


2. Information we collect

2.1 Account & profile information

When you sign up or use Copia, we may collect:

  • Name
  • Email address
  • Authentication identifiers and metadata (via Clerk)
  • Your communication preferences
  • Any information you voluntarily add to your profile (e.g., goals, notes)

Important: We do not store your sign-in credentials (passwords) in Copia's database. Clerk handles all authentication and stores passwords securely on our behalf. Similarly, we do not store your bank account login credentials; Plaid handles bank authentication separately.

Clerk provides authentication and user management services on our behalf and processes some of this data as our processor.

2.2 Financial account and transaction data (via Plaid)

When you choose to connect a bank or other financial account, we use Plaid to securely connect to your financial institution. We do not receive or store your online banking username or password; Plaid handles the login flow and provides us with tokens and account data.

Through Plaid, we may receive, depending on your connections and permissions:

  • Financial institution name
  • Account name and type (e.g., checking, savings, credit card, loan)
  • Account identifiers used for linking
  • Current and historical balances
  • Transaction history (dates, amounts, merchants, categories, and related metadata)
  • Currency and country information
  • Other data your institution and Plaid make available for budgeting/analytics purposes

You can learn more about how Plaid handles your data in Plaid's own privacy policy.

You can also view and manage connections you've made through Plaid, or request deletion of data stored by Plaid, via Plaid Portal.

End User Authorization (Plaid): By connecting a financial account through Plaid, you acknowledge and agree to the following:

  • We use Plaid Inc. ("Plaid") to gather your data from financial institutions. By using our service, you grant us and Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution.
  • We do not sell or rent your financial data to third parties.
  • Plaid transfers your financial data to us on your behalf to provide the Service.
  • We do not store your bank account login credentials. Plaid handles authentication separately and securely.
  • You may disconnect your Plaid connection at any time through your account settings or through Plaid Portal.
  • Your personal and financial information will be transferred, stored, and processed by Plaid in accordance with Plaid's Privacy Policy. By using our service, you acknowledge and agree that your information will be treated in accordance with Plaid's Privacy Policy.

2.3 Subscription and billing data (via Stripe)

If you sign up for a paid plan, we use Stripe to process payments. Stripe may collect and process:

  • Your name
  • Email address
  • Payment method details (e.g., card brand, last 4 digits, expiration date)
  • Billing address
  • Transaction amounts and timestamps

We do not store full payment card numbers on our servers. Payment data is handled by Stripe as a payment processor. Depending on the context, Stripe may act as a controller or processor of your personal data; see Stripe's privacy documentation for details.

2.4 Usage and device information

When you use Copia, we automatically collect:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Referring/exit pages and URLs
  • Dates and times of access
  • Feature usage and in-app navigation
  • Error events and diagnostics

We use this to secure the Service, detect abuse, debug problems, and understand how the Service is used.

2.5 Analytics and error tracking

We use third-party services to help us understand how the Service is used and to identify and fix technical issues:

  • Sentry – We use Sentry to collect error logs, performance traces, and diagnostic information to help us identify, debug, and resolve technical issues. Sentry may collect information about errors, crashes, and performance metrics related to your use of the Service. You can learn more about how Sentry handles data in Sentry's privacy policy.

Note: We currently do not use session replay or recording features. If we implement such features in the future, we will update this Privacy Policy and obtain appropriate consent where required by law.

This information helps us improve the reliability and performance of the Service.

2.6 AI agent interactions (Gemini API)

AI-powered features are optional and require your explicit consent. During account onboarding, you will be asked whether you want to enable AI-powered features. You can change this preference at any time in your account settings.

If you choose to enable and use our AI-powered features (for example, a budgeting assistant or transaction-explanation chatbot), we may send the following to Google's Gemini API to generate responses:

  • The text of your prompts and questions
  • Limited context about your account (e.g., summarized transaction data, budgets, or goals) needed to answer your question
  • System instructions we create to guide the model

For our production Service, we use the paid Gemini API, which under Google's current terms means Google does not use your prompts or responses to improve Gemini or other Google products, though they do briefly log them to detect abuse and comply with legal obligations.

Important: We do not have access to your online banking credentials or full payment card numbers (these are handled by Plaid and Stripe respectively), so these cannot be sent to Gemini. We only have access to masked account numbers and transaction data that we receive from our service providers. We design our prompts to minimize exposure of raw transaction details. However, anything you type into the AI features may be processed by Google to generate a response.

Managing AI Features: You can enable or disable AI-powered features at any time through your account settings. If you disable AI features, we will stop sending your data to Google's Gemini API for AI processing. You can also withdraw your consent by contacting us at support@copiacash.com.

For more details on how Google uses data in Gemini, see Google's Gemini API terms and privacy documentation.


3. How we use your information

We use the information we collect for the following purposes:

To provide and maintain the Service

  • Sync and display your financial accounts and transactions
  • Categorize and analyze your spending
  • Generate budgets, summaries, charts, and other insights
  • Remember your settings and preferences

To power AI-based features (optional)

  • Generate explanations, recommendations, or insights based on your data
  • Answer free-form questions you ask the AI assistant
  • Help you explore "what-if" budgeting scenarios

To secure and improve the Service

  • Detect and prevent fraud, abuse, and security incidents
  • Monitor service performance and reliability
  • Fix bugs and improve product design

To handle payments and account status

  • Manage subscriptions and billing
  • Send payment receipts and notices
  • Enforce account limits and entitlements

To communicate with you

  • Send onboarding messages and product tips
  • Respond to your support requests
  • Notify you about changes to the Service or this Policy
  • Send marketing communications (only with your explicit opt-in consent, where required by law, such as through a checkbox during account creation or a separate consent form)

To comply with legal obligations

  • Maintain records for audit, tax, and compliance
  • Respond to lawful requests from regulators or law enforcement

For processing based on consent, you have the right to withdraw your consent at any time.


4. How we share information

We do not sell your personal information or financial data.

We share data only in the following circumstances:

4.1 Service providers (processors/sub-processors)

We use third-party providers to operate the Service, including:

  • Plaid – account connectivity and transaction data aggregation (Privacy Policy)
  • Stripe – payment processing (Privacy Policy)
  • Clerk – authentication and user management (Privacy Policy)
  • Amazon Web Services (AWS) – hosting of APIs, application code, and databases (Privacy Notice)
  • Amazon RDS – managed relational database with encryption at rest (Privacy Notice)
  • Vercel – hosting of the web client and static assets (Privacy Policy)
  • Google Gemini API – AI-powered features and responses (Privacy Policy)
  • Sentry – error tracking, logging, and performance monitoring (Privacy Policy)

These providers are allowed to process your personal information only as necessary to provide services to us and are bound by contractual obligations, including data protection terms (DPAs) where applicable.

We may disclose information if we believe in good faith that it is necessary to:

  • Comply with applicable law, regulation, legal process, or governmental request
  • Protect the rights, property, or safety of Copia, our users, or the public
  • Enforce our Terms of Service

4.3 Business transfers

If Copia is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to the same or comparable privacy commitments.


5. Cookies and similar technologies

We may use cookies, local storage, and similar technologies to:

  • Keep you logged in
  • Remember your preferences
  • Measure usage and performance
  • Protect access to the Service

Essential cookies (required for service functionality):

  • Clerk authentication cookies (main app) – Session management and authentication. Set by Clerk to maintain your login session. See Clerk's cookie documentation for details. These cookies are essential for the Service to function.

Non-essential cookies:

  • Currently, we do not use non-essential cookies for advertising or analytics.

Third-party cookies: Clerk, our authentication provider, may set cookies on their domain (clerk.com) to manage your authentication session. These are essential for the Service to function. We do not use third-party cookies for advertising or tracking purposes.

You can control cookies through your browser settings, but disabling essential cookies will prevent you from using the Service.

Do Not Track Signals: Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Currently, there is no standard for how DNT signals should be interpreted, so we do not respond to DNT signals at this time. We continue to monitor developments around DNT browser technology and the implementation of a standard.


6. Data retention

We keep your information only as long as necessary to:

  • Provide the Service to you
  • Comply with legal, accounting, or reporting requirements
  • Resolve disputes and enforce our agreements

In general:

  • Account & profile data – kept while your account is active and for up to 7 years after account closure for tax and legal compliance purposes, unless you request earlier deletion and we are not legally required to retain it.
  • Financial data – retained as long as your accounts remain connected and you keep using the Service, then deleted or anonymized within 90 days after account closure unless we must keep it longer for legal reasons (such as tax records, which may be retained for up to 7 years as required by law).
  • Usage and device information – retained for up to 2 years for security and service improvement purposes, then deleted or anonymized.
  • AI interaction logs – we retain your AI conversation history for up to 2 years to show you prior context and improve your own experience, unless you request earlier deletion; Google's separate retention of prompts/responses for abuse detection is governed by their terms.
  • Error logs and diagnostics – retained for up to 90 days to help us identify and resolve technical issues, after which they are deleted or anonymized.
  • Marketing communications data – retained until you opt out or request deletion, then removed within 30 days.
  • Support inquiries – retained for up to 3 years after resolution for quality assurance and legal compliance, then deleted.
  • Cookie data – session cookies expire when you close your browser; persistent cookies expire according to their individual settings (typically 7-30 days for authentication cookies).

When you delete your account, we will delete or irreversibly de-identify personal information within 30 days, except where we must retain some records for legal, tax, or regulatory purposes (such as financial records required to be kept for 7 years under tax law).


7. Security

We use technical and organizational measures to protect your data, including:

  • Encryption in transit: All traffic between you and our servers uses HTTPS/TLS.
  • Encryption at rest: Our primary databases use encryption at rest (e.g., AWS RDS encryption).
  • Access controls: Only authorized services and personnel have access to production systems and data, following least-privilege principles.
  • Segregation of secrets: Access tokens, API keys, and other secrets are stored separately and rotated when appropriate.
  • Monitoring and logging: We monitor for abnormal access patterns and system errors.

No system is perfectly secure, but we work to align with modern security best practices for fintech applications.

Data Breach Notification: In the event of a data breach that may affect your personal information, we will comply with all applicable state and federal breach notification requirements and will notify affected users and relevant authorities as required by applicable state laws (typically within 30-60 days, depending on the state). We will provide notice as soon as reasonably possible and will include information about the nature of the breach, the categories of data affected, and the measures we are taking to address it.


8. Your choices and rights

8.1 Managing your account and connections

Within Copia, you can:

  • View and edit certain profile details
  • Disconnect financial institutions connected to Copia (which will stop future data syncs)
  • Delete your account (which triggers deletion/anonymization processes on our side)

Managing Plaid connections: You can manage your Plaid account connections through Plaid Portal. Note that Plaid Portal shows all apps and services you've connected via Plaid, not just Copia. Through Plaid Portal, you can:

  • View which apps and services are connected via Plaid
  • Disconnect institutions from specific apps (including Copia)
  • Request deletion of data stored by Plaid

8.2 Rights for certain regions

State-Specific Privacy Rights: Depending on your state of residence, you may have additional privacy rights under state laws such as the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and other applicable state privacy laws. To exercise your rights under these laws, please contact us at support@copiacash.com.

Depending on where you live (for example, in certain U.S. states like California), you may have additional rights, including:

  • Access: Request a copy of personal data we hold about you
  • Correction: Request that we correct inaccurate or incomplete data
  • Deletion: Request that we delete your personal data
  • Portability: Request data in a structured, machine-readable format (e.g., JSON or CSV). We will provide your data within 30 days of your verified request via secure download link or encrypted email. You can request data portability by emailing support@copiacash.com with the subject line "Data Portability Request."
  • Withdrawal of consent: If we process your data based on your consent, you have the right to withdraw that consent at any time. For AI-powered features, you can withdraw consent by disabling the feature in your account settings or by contacting us at support@copiacash.com. For other consent-based processing, please contact us at support@copiacash.com. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.

You can exercise these rights by contacting us at support@copiacash.com. We may need to verify your identity before fulfilling certain requests.

8.3 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell (we do not sell personal information).
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information. However, you have the right to opt out of any sharing of your personal information for cross-context behavioral advertising, if applicable.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to what is necessary to provide the Service.

Sensitive Personal Information (CPRA): Under CPRA, "sensitive personal information" includes financial account numbers, account access credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric information, health information, and sex life or sexual orientation information. For purposes of the Service, we primarily collect financial account information (account numbers, transaction data) which is necessary to provide the budgeting and financial management features. We use this sensitive information only as necessary to provide the Service and do not use it for purposes beyond what is necessary to provide the Service, except as required by law or with your consent.

Do Not Sell or Share My Personal Information: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. If you have questions about our data sharing practices, please contact us at support@copiacash.com.

To exercise any of these rights, please contact us at support@copiacash.com. We may need to verify your identity before fulfilling your request.

8.4 Marketing Communications

You can opt out of receiving marketing communications from us at any time by:

  • Clicking the "unsubscribe" link in any marketing email we send you
  • Updating your communication preferences in your account settings
  • Contacting us at support@copiacash.com

Please note that even if you opt out of marketing communications, we may still send you transactional or service-related messages, such as account notifications, payment receipts, or important updates about the Service.


9. Mobile applications

If you use Copia through our mobile application, we may collect additional information:

  • Device identifiers: Such as device ID, advertising ID, or other unique identifiers
  • Location information: We do not collect your device's physical location. We only use transaction location data (merchant locations) that may be included in transaction data from your financial institution, as described in Section 9.1 below.
  • Mobile device information: Device model, operating system version, mobile carrier, and network information
  • App permissions: We may request permissions to access certain features of your device (such as notifications), which you can manage through your device settings

The information collected through our mobile application is used in the same manner as described in this Privacy Policy. You can manage app permissions through your device's settings.

9.1 Transaction location data

Some financial transactions imported via Plaid may include location information (such as merchant location) provided by your financial institution. We use this location data solely to display transaction locations on maps within the Service and to help you understand where transactions occurred. We do not track your physical location or use location data for any other purpose.

9.2 Automated decision-making and processing

Transaction Categorization: The Service may automatically categorize transactions based on merchant names, transaction descriptions, and other metadata. These categorizations are suggestions that you can review, modify, or override at any time. This automated processing does not have legal or similarly significant effects on you, and you maintain full control over how your transactions are categorized.

AI Features: Our AI features do not make automated decisions that have legal or similarly significant effects on you. The AI provides suggestions and recommendations (such as budget proposals) that you can review, modify, or reject at any time. You always retain full control over your financial decisions and data.

No Profiling: We do not engage in automated profiling that produces legal effects or similarly significantly affects you. Any insights or recommendations are provided for informational purposes only and do not restrict your access to the Service or affect your rights.

10. Children's privacy

The Service is not directed to, and may not be used by, anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it immediately and terminate the account.


11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top
  • Provide additional notice in the app or by email, where appropriate

Your continued use of the Service after the effective date of an updated Privacy Policy means you accept the changes.


12. Contact us

If you have questions about this Privacy Policy or how we handle your data, you can contact us at:

Copia Cash, Inc.
Email: support@copiacash.com
Address: 680 North Lake Shore Drive, Suite 110 - 2166, Chicago, IL 60611, United States