Privacy Policy

Effective date: May 1, 2026. This notice describes how Wallie collects, uses, stores, and protects information when you use our apps and websites, including when you connect accounts with Plaid or Teller or opt into Calendar features. Status: Published for transparency and product alignment. Final legal approval of financial-privacy role, opt-outs, and related disclosures is pending counsel sign-off; do not treat this page as exhaustive regulatory advice until our counsel confirms. Deletion and retention statements in Sections 6–7 describe today's POST /v1/me/close-account hard-delete path (linked bank-connection provider teardown, Calendar disconnection where connected, operational DB cascade) with the backup/log/compliance caveats stated there.

1. Who we are

“Wallie” is a consumer software product name. The legal entity that operates Wallie is identified where you downloaded the app (for example, the App Store or Play Store listing) and in our Terms of Service. Wallie is not a bank. Wallie does not hold, pool, or move your money. Payments happen in your existing payment apps and bank products; Wallie reads linked activity to help you see and manage it in one place.

2. What we collect

Depending on how you use Wallie, we may process:

• Account registration data: email address, password (stored as a one-way hash), phone number where you choose to add it, and optional display name.
• Authentication and security data: one-time codes (OTP) delivery metadata; optional multi-factor enrollment state; device/session identifiers tied to rotating refresh tokens; optional mobile push-registration tokens where you enable notifications.
• Bank-connection and linked financial data: when you choose to link an account via Plaid or Teller, that provider shares data according to Plaid's consumer privacy policy, Teller's applicable privacy terms, and the permissions you grant. We receive a scoped access credential (token) used only to synchronize read-only account and transaction details you authorize—for example amounts, dates, memos, counterparties where available, rail or institution labels, and identifiers the provider exposes for continuity. We do not receive or store your bank login passwords.
• Calendar data (optional): if you connect Google Calendar, we process OAuth credentials and minimized calendar-derived suggestions (such as category, time window, rough group size, and suggested action). We do not store event titles, descriptions, locations, or attendee identities for this feature.
• Unified transaction and persona data: transaction history we derive from linked sources; labels you attach; contact and handle information you explicitly provide for pay features; privacy and directory preferences; records of consent to our Terms and Privacy Notice.
• Ask Wallie / AI interactions: when you use chat, your prompts, contextual product data needed to answer, and structured tool results are sent to our model provider to generate each response (see Section 4). Receipt-style images you attach are processed as part of that request flow to help with splits or explanations; they are not stored as standalone photo uploads in our product datastore. We may retain limited operational metadata (for example usage metering or security-related logs) as described elsewhere in this notice.
• Billing (optional): if you subscribe to a paid tier, our payment processor receives payment information you provide and we retain subscription identifiers and metering needed for entitlements.
• Optional contact directory sync: if you explicitly opt in on mobile, the implementation is designed so identifiers from your contacts are transformed into salted digests with processing handled server-side; raw third-party phone numbers or email addresses are not kept as plain contact records for this feature once digesting completes.
• Technical and abuse-prevention logs: IP address, approximate user agent/device class, timestamps, coarse performance and reliability telemetry, structured audit events tied to rails and product actions where applicable, and error reports where you enable crash reporting tools.
• Marketing and waitlist submissions: if you submit a form on our websites (such as early-access or mailing-list fields), we process the identifiers and preferences you submit in that flow.

3. Why we use your information

We process information to:

• Provide the core product: unified transactions, linking, routing, reminders, and in-product assistance;
• Maintain account security and prevent fraud;
• Deliver optional subscription billing and metering where offered;
• Analyze reliability and fix bugs (including crash analytics where enabled);
• Meet legal obligations and respond to lawful requests;
• Communicate with you about the service or, where permitted, product updates.

We do not sell personal information and we do not share personal information with third parties for their own cross-context behavioral advertising on Wallie's behalf.

4. How we share information

We share data with vendors that provide services on our behalf (“subprocessors”). Depending on configuration, subprocessors include:

• Plaid or Teller — account linking and financial data aggregation;
• Google — optional Calendar OAuth and Calendar API access where you connect Calendar features;
• Model provider (e.g. Anthropic) — powering Ask Wallie responses from your prompts and contextual product data;
• SMS providers (e.g. Twilio) — delivering one-time codes where SMS is enabled;
• Email delivery providers (for example Postmark or Resend, depending on environment configuration) — sending email OTP or transactional notices;
• Stripe — payment processing for optional paid tiers;
• Cloud hosting (for example Fly.io or equivalent)— storing encrypted application data and running the API;
• Error and monitoring tools (for example Sentry) — where configured, to diagnose production errors;
• Form or waitlist tooling (for example Tally) — if a page you interact with submits data through that vendor.

Other payment apps you open (Venmo, Cash App, Zelle, banks, etc.) are separate controllers. Their privacy notices govern what they collect when you authenticate and complete a payment outside Wallie.

Some transfers may rely on contractual safeguards appropriate to our role and the vendors we use—details evolve as our program matures.

5. Legal bases / U.S. financial privacy

Wallie collects categories of financial and personal information typical of an account-aggregation assistant. Certain U.S. laws (including rules under the Gramm-Leach-Bliley Act framework) impose privacy and safeguards obligations depending on regulated status at your provider. We intend to provide any additional consumer disclosures (including opt-outs where required) alongside this notice once counsel confirms the corporate role and program scope for your jurisdictions.

6. Your choices and rights

• Unlink: you can disconnect linked accounts from in-product settings at any time.
• Export: in the Wallie web app, signed-in users can download a JSON export of profile, privacy settings, linked-account metadata, recent transactions, and consent history from Settings → Privacy. On mobile, tap Me → Settings → Export my data (opens a pre-addressed email to privacy@getwallie.app) or email us directly at that address from an account you control; we will verify your request.
• Deletion: you can close and delete your Wallie account from the apps or via getwallie.app/delete-account (OTP path for logged-out deletes). This stops new sync, tears down linked bank-connection provider items where applicable, disconnects Calendar where connected, and removes your profile and associated product data from Wallie's operational databases as implemented today. Some records (for example encrypted backups, provider logs, anonymized aggregates, or data retained for lawful compliance) may persist as described in this notice and in our internal retention policy.
• Regional rights: depending on where you live, you may have rights to access, delete, correct, or limit certain processing. Email privacy@getwallie.app to exercise those rights.

Regulatory recordkeeping obligations can require Wallie—or future partners—to retain subsets of transactional data even after ordinary product deletion; where that arises, retention will align with counsel direction and supersede contradictory general statements in this notice.

7. Retention

Active account data persists while your account stays open so we can provide the service. When you delete your account, Wallie removes your user profile and cascading consumer product data from operational databases in line with today's account-deletion implementation (including tearing down linked bank-connection provider items and disconnecting Calendar where connected before profile removal).

Encrypted backups, logs from infrastructure providers, billing records, aggregated statistics that truly cannot be re-linked to an individual, or records retained for lawful compliance may persist longer in accordance with provider lifecycle practices and statutory minimums—we avoid promising a specific purge interval for backups or logs unless contractually nailed down with each vendor.

8. Security

We use HTTPS for data in transit, encrypt bank-connection and Calendar OAuth tokens at rest in our datastore, credential-stretching for passwords, scoped API access, hashed refresh tokens with rotation safeguards, separation of least privileged database roles, and operational access controls documented in our internal security materials.

9. Children

Wallie is not directed at children under 13, and we do not knowingly collect personal information from children.

10. International users

Wallie is operated from the United States. If you use Wallie from other regions, information will be transferred to—and processed in—the U.S. subject to safeguards appropriate to cross-border transfers we rely on.

11. Cookies and local storage

Our web experiences may store necessary tokens or preference choices in local storage/cookies—for example authentication state or anonymous cookie-choice preferences on the dashboard.

12. Changes

We may revise this Privacy Policy periodically. Updates will publish on this URL with an updated effective date. Some changes may require new in-app disclosures or acknowledgment through our consent ledger when we roll out a materially different version—continued use after the new effective date indicates acceptance unless we say otherwise where required by law.

13. Contact

Questions about this notice or privacy rights: privacy@getwallie.app

Privacy Notice version keyed to enrollment date 2026-05-01.