Legal

Privacy Policy

What we collect, how we use it, who we share with, and the rights you have over your data.

Updated · Version 2026.05.19

At a Glance

Quick summary. Read the full policy below for the complete terms.

Document owner
FinSync LLC (operating as Raintree Technology) privacy and compliance team.
Contact + response
Email legal@raintree.technology with privacy questions. We respond within 5 business days.
What we collect
Email, financial data (via Plaid, crypto exchanges, wallets), AI chat messages, and basic usage analytics. That's it.
Who we share with
Only the service providers that keep Clarity running: Plaid, Stripe, the AI providers behind the assistant (Anthropic, OpenAI), advertising/analytics partners on the marketing site, and our hosting/auth infrastructure.
Data selling
We do not sell your personal information. Never have, never will.
Deletion rights
Request deletion of your account anytime. Deletion is scheduled 30 days out — a banner across Clarity lets you cancel until then. After 30 days your data is purged; any residual copies in encrypted database backups age out on our provider's standard rotation schedule.
Security
Authenticated encryption for credentials, TLS in transit, encryption at rest, and strict access controls. Details live on the Security Practices page.
SOC 2 status
As of March 10, 2026, Clarity has not completed a SOC 2 attestation. Controls align with SOC 2 Trust Services Criteria; see compliance updates.

1. Introduction

Clarity is a product of FinSync LLC, operating as Raintree Technology ("we," "our," or "us"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our personal finance application.

This policy was last updated on April 26, 2026.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (securely hashed before storage)
  • Name (optional)

2.2 Financial Data

Through our integration with Plaid, we access:

  • Bank account balances
  • Transaction history
  • Account names and types
  • Credit card balances and limits
  • Investment holdings and performance

Important: We never store your bank login credentials. All bank connections are made securely through Plaid, and we only receive read-only access to your financial data.

Data sources (GDPR Art. 14): Financial data is obtained indirectly from your financial institutions via Plaid (banks, brokerages, credit unions); from cryptocurrency exchanges via their APIs through the CCXT integration library (the specific exchange is whichever account you choose to authenticate, and Clarity does not have a direct contractual relationship with each exchange — exchange-specific privacy and security terms apply to data exchanged with that vendor); and from supported public blockchain networks through our on-chain data infrastructure. This data is collected only after you explicitly connect each account.

2.3 Cryptocurrency Data

When you connect crypto exchanges or wallets, we collect:

  • Exchange API keys (encrypted before storage, read-only permissions required)
  • Wallet addresses (public blockchain data)
  • Transaction history
  • Portfolio balances

2.4 AI Chat Data

When you use our AI-powered financial assistant, we collect:

  • Your questions and chat messages
  • Relevant financial data needed to answer your questions
  • Chat conversation history

AI Provider Routing:

Clarity routes AI chat queries through the Vercel AI Gateway to one or more API-based large-language-model providers. The primary provider is Anthropic; OpenAI and other providers may also be used as we tune for accuracy, latency, and cost. The current provider stack is listed in Section 5.2 (Sub-processors). When you ask a question, your prompt and the financial context relevant to that question are sent to the selected provider; the response is returned to Clarity and rendered to you. Each provider applies its own data-handling terms — see their respective policies: OpenAI Privacy Policy, OpenAI Business Terms (API), Anthropic Privacy Policy, and Anthropic Commercial Terms.

Under each provider's API/business terms, customer API data is not used by default to train the provider's general-purpose models. Each provider may retain prompts and responses for a limited window (typically up to 30 days) for abuse monitoring, with zero-retention configurations available on qualifying accounts. Note that providers may also be subject to legal orders that override their default retention — for example, a preservation order may require longer retention. We update the current provider stack in Section 5.2 when routing changes; check that section for the most current list.

Data minimization: When processing a chat query, only the financial context relevant to your specific question is sent to the AI provider — not your entire account data.

Chat history retention: Conversations are stored in your Clarity account to provide context in future conversations. Chat history is retained until you explicitly delete it from your account settings. There is currently no automatic deletion policy for chat history.

2.5 Usage Data

We automatically collect:

  • Device information (browser, operating system, device type)
  • IP address (for security and fraud prevention)
  • Pages visited and features used
  • Time spent on the application
  • Product and site usage analytics from consented sessions; we do not send financial account contents to analytics providers

2.6 Gramm-Leach-Bliley Act (GLBA) Notice

Clarity aggregates financial data from banks, brokerages, and other financial institutions. Under the Gramm-Leach-Bliley Act, we provide this simplified privacy notice:

  • Categories of information collected: Account balances, transaction history, holdings, and account identifiers obtained through Plaid and direct API connections.
  • Categories of information disclosed: We share data only with service providers listed in Section 5 as necessary to operate the service. We do not disclose your nonpublic personal information to non-affiliated third parties for marketing purposes.
  • Opt-out rights: Because we do not share your information with non-affiliated third parties for their own marketing, there is no opt-out required. You may disconnect any financial institution at any time from your account settings.
  • Notification of security events: For "notification events" affecting the unencrypted nonpublic personal information of 500 or more U.S. consumers, we will notify the Federal Trade Commission within 30 days as required by 16 CFR § 314.5 (effective May 13, 2024). We will also notify affected consumers and relevant state attorneys general per applicable state breach-notification law. EU/UK users receive 72-hour controller-notification commitments under GDPR Art. 33 separately — see Section 12.

3. How We Use Your Information

We use your information to:

  • Provide and maintain our service
  • Calculate net worth and financial metrics
  • Categorize transactions automatically using merchant data
  • Detect recurring subscriptions and payment patterns
  • Generate spending insights, trends, and visualizations
  • Provide AI-powered financial insights through our chat feature
  • Send service-related notifications (transaction sync, errors, account issues)
  • Improve our product and develop new features
  • Prevent fraud and ensure security
  • Comply with legal obligations

We do NOT use your financial data for advertising, and we do NOT sell your personal information to third parties.

3.1 Automated Decision-Making and AI Processing

Clarity uses automated processing and AI models for the following purposes:

  • Transaction categorization: Transactions are automatically categorized using merchant data and pattern matching. You can manually override any categorization.
  • Recurring payment detection: We automatically identify recurring charges and subscriptions based on transaction patterns.
  • AI chat insights: When you use the AI assistant, your questions and relevant financial context are processed by AI models to generate responses.
  • Spending anomaly detection: We may flag unusual spending patterns for your awareness.

None of these automated processes produce legally binding decisions or significantly affect your rights. Under GDPR Article 22 and the EU AI Act, you have the right to request human review of any automated processing that affects you. You are always interacting with an AI system when using the Clarity chat feature, in accordance with EU AI Act Article 50 transparency obligations.

3.2 Per-User Machine Learning

When you manually correct a transaction category, Clarity may use your corrections to train a machine learning model that improves transaction categorization accuracy for your account. These models are:

  • Isolated to your account: Per-user models are trained solely on your corrections and are not shared with, accessible to, or used to improve the experience of any other user.
  • Triggered by your actions: Model training occurs only after you make categorization corrections, not passively on your transaction data.
  • Deletable: Per-user model data is deleted when you delete your account, consistent with the retention periods described in Section 9.

This processing is based on our legitimate interest in improving service accuracy for your account (GDPR Article 6(1)(f)). You may object to this processing at any time by contacting legal@raintree.technology.

4. Data Security

We implement multiple layers of security to protect your data. However, no system is 100% secure, and we cannot guarantee absolute security.

4.1 Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security) 1.2 or higher.

4.2 Encryption at Rest - Application Level

We encrypt sensitive credentials before storing them:

  • Bank account access tokens (from Plaid)
  • Crypto exchange API keys
  • Blockchain wallet connection credentials

These credentials are encrypted with a secure key that only our application servers can access. Even if our database were compromised, these credentials would remain protected.

4.3 Database Security

All other data (transactions, balances, account information) is stored in our managed cloud database. Our database provider's security features include:

  • Encryption at rest using industry-standard methods
  • Security-reviewed infrastructure with third-party audits
  • Automated backups and disaster recovery
  • Network isolation and access controls

4.4 Access Control

  • Limited access to production systems
  • Multi-factor authentication on all administrative accounts
  • Database access restricted to application servers only
  • All production access logged

4.5 Infrastructure Security

  • Hosted on enterprise-grade managed cloud infrastructure
  • Automatic security updates and patches
  • DDoS protection and rate limiting
  • TLS encryption for all connections

4.6 Security Governance and SOC 2 Readiness

We maintain a security program that includes access reviews, change management controls, security logging, vulnerability management, and incident response procedures designed to align with SOC 2 Trust Services Criteria.

As of March 10, 2026, Clarity itself does not currently hold a completed SOC 2 attestation or other independent certification. We rely on infrastructure providers with mature security programs while we continue maturing our own control environment.

5. Data Sharing

We do not sell your personal information. We never have, and we never will.

5.1 Service Providers

We share data only with trusted service providers necessary to operate our service:

  • Plaid: Bank account connections and transaction data (see Plaid Privacy Policy)
  • OpenAI & Anthropic: AI model providers for chat responses, reached through the Vercel AI Gateway. Anthropic is the primary provider; OpenAI may also be used. See OpenAI Privacy Policy and Anthropic Privacy Policy.
  • Stripe: Payment processing for subscriptions only (see Stripe Privacy Policy)
  • PostHog: Product analytics inside the authenticated application (opt-in / consent-gated on the marketing site; covered by Terms acceptance in the app). Identified by your Clarity user ID and email. See PostHog Privacy Policy.
  • Cloud infrastructure providers: Managed database, authentication, and application hosting

5.2 Subprocessors and Data Processing Addendum

Current subprocessors involved in processing user data include:

  • Plaid (United States) — bank and brokerage data connectivity
  • OpenAI OpCo, LLC (United States) — an AI provider for chat responses; receives the user message plus the relevant financial context for each query. Customer API data is not used to train OpenAI's general-purpose models under the OpenAI Business Terms.
  • Anthropic, PBC (United States) — primary AI provider for chat responses and research workflows; receives the user message plus the relevant financial context. Customer API data is not used to train Anthropic's general-purpose models under the Anthropic Commercial Terms.
  • PostHog, Inc. (United States) — product analytics for the authenticated application. Identifies sessions by Clarity user ID and email; does not receive account contents (balances, transaction lists, holdings).
  • Stripe (United States) — payment processing
  • Cloudflare, Inc. (United States) — edge compute (Workers), object storage (R2), CDN, and request-log observability
  • Vercel Inc. (United States) — application hosting, edge runtime, serverless functions, and AI Gateway routing of assistant requests to the AI providers listed above
  • PlanetScale, Inc. (United States) — managed Postgres database
  • Upstash, Inc. (United States) — managed Redis cache and rate-limit / coordination store
  • Resend, Inc. (United States) — transactional email delivery
  • Alchemy Insights, Inc. (United States) — blockchain data and webhook delivery
  • Brandfetch (United States) — brand-logo lookup for merchants and institutions; receives the merchant/institution domain or name and the end-user's IP address when serving a logo image.
  • Google LLC (United States) — OAuth identity verification at sign-in; Google Search Console for marketing-page SEO; Google Analytics 4 for marketing-page analytics; Google AdSense for advertising on the marketing site
  • Meta Platforms, Inc. (United States) — advertising-conversion measurement on the marketing site via the Meta Pixel and Conversions API. Receives a hashed identifier (SHA-256 of email) and standard conversion-event data for marketing-signup and subscription events; does not receive account contents.

A Data Processing Addendum (DPA) is available at /legal/dpa and a current Sub-processor list at /legal/subprocessors. For questions about the DPA, Standard Contractual Clauses (SCCs) for EU/UK transfers, or sub-processor change notifications, email legal@raintree.technology.

5.3 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or other legal process, or to protect our rights, property, or safety.

5.4 Business Transfers

If Clarity is acquired or merged with another company, your information may be transferred to the new owners. We will notify you before your information is transferred and becomes subject to a different privacy policy.

6. Your Privacy Rights

You have the following rights regarding your personal data:

6.1 Access

You can access and review your personal information at any time from your account dashboard.

6.2 Correction

You can update or correct your account information from your settings page. Transaction data is automatically synced from your financial institutions.

6.3 Deletion

You can request deletion of your account at any time from Settings → Security or by emailing legal@raintree.technology. Deletion is scheduled for 30 days after your request. During that grace period a banner appears across Clarity letting you cancel deletion with one click — useful if you change your mind or requested deletion by mistake. After 30 days, your account, linked financial connections, transactions, holdings, conversations, and personal data are purged. Encrypted database backups roll out separately and any residual copy in those backups ages out on our database provider's standard backup-rotation schedule. Limited records (audit log, billing records, email deliverability log) are retained as described in Section 9 because we are legally required to keep them. We revoke linked-bank access tokens at Plaid as part of the purge so the institutions stop sharing your data.

6.4 Data Export

Authenticated users can request a machine-readable JSON full backup at any time through our full-backup export endpoint. That export includes your transaction history, categories, merchants, holdings, budgets, goals, and related account data. Some formatted reports and CSV exports remain subscription features. The JSON full backup is the portability export we rely on for GDPR Article 20 requests.

6.5 Marketing Opt-Out

You can unsubscribe from marketing emails using the link in any email or by updating your email preferences in account settings. You cannot opt out of service-related emails (security alerts, billing notifications).

7. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You can request details about what personal information we collect, use, disclose, and sell.
  • Right to Delete: You can request deletion of your personal information (with certain exceptions).
  • Right to Correct: You can request correction of inaccurate personal information that we maintain about you.
  • Right to Opt-Out: You can opt out of the "sale" of personal information. (Note: We do not sell personal information.)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, email legal@raintree.technology with "CCPA Request" in the subject line. We will respond within 45 days.

Categories of Information We Collect (CCPA):

  • Identifiers (email, name)
  • Financial information (account balances, transactions)
  • Internet activity (usage data, device information)
  • Inferences (spending patterns, financial insights)

7A. Additional U.S. State Privacy Rights

In addition to California (Section 7), residents of the following states have privacy rights under their respective state laws. Where applicable, these rights include access, deletion, correction, data portability, and the right to opt out of targeted advertising, profiling, and the sale of personal data:

  • Colorado — Colorado Privacy Act (CPA)
  • Connecticut — Connecticut Data Privacy Act (CTDPA)
  • Delaware — Delaware Personal Data Privacy Act (DPDPA)
  • Indiana — Indiana Consumer Data Protection Act (ICDPA)
  • Iowa — Iowa Consumer Data Protection Act (ICDPA)
  • Montana — Montana Consumer Data Privacy Act (MCDPA)
  • Nebraska — Nebraska Data Privacy Act (NDPA)
  • New Hampshire — New Hampshire Privacy Act (NHPA)
  • New Jersey — New Jersey Data Privacy Act (NJDPA)
  • Oregon — Oregon Consumer Privacy Act (OCPA)
  • Tennessee — Tennessee Information Protection Act (TIPA)
  • Texas — Texas Data Privacy and Security Act (TDPSA)
  • Utah — Utah Consumer Privacy Act (UCPA)
  • Virginia — Virginia Consumer Data Protection Act (VCDPA)

To exercise your rights under any of these laws, email legal@raintree.technology with "State Privacy Request" in the subject line, including your state of residence. We will respond within the timeframe required by your state's law (typically 45 days). We do not discriminate against users who exercise their privacy rights.

We honor the Global Privacy Control (GPC) signal for non-essential analytics storage as described in Section 10.

8. Additional Rights for EU Residents (GDPR)

If you are in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Export your data in a machine-readable format
  • Right to Object: Object to certain types of processing
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, email legal@raintree.technology with "EU Privacy Request" in the subject line.

Given the current size of our organization, a formal Data Protection Officer (DPO) has not yet been designated. All privacy inquiries directed to legal@raintree.technology serve as the primary contact mechanism for data protection matters.

Legal Basis for Processing:

  • Contract Performance: Processing necessary to provide our service
  • Legitimate Interests: Fraud prevention, service improvement, security
  • Consent: AI chat features, marketing communications
  • Legal Obligation: Tax records, compliance with applicable laws

International Data Transfers: Your data may be transferred to and processed in the United States, where our servers are located. We implement appropriate safeguards for these transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission. You may request a copy of our SCCs by emailing legal@raintree.technology.

8A. Additional Rights for UK Residents (UK GDPR)

If you are a UK resident, you have rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 that are substantially similar to those described in Section 8 for EU residents, including:

  • Rights to access, rectification, erasure, restriction, portability, and objection
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk

International transfers of your data from the UK are protected by the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum, as applicable. To request a copy, email legal@raintree.technology.

9. Data Retention

We retain your data as follows:

  • Active accounts: Data retained while your account is active
  • Cancelled subscriptions: When a paid subscription is cancelled, your account is suspended at the end of the current billing period and your data is retained in case you re-subscribe. Deletion of personal and financial data is initiated only upon explicit account deletion request, and completes 30 days after that request. Certain data may be retained where required by law (e.g., tax records, fraud prevention).
  • Deleted accounts: Deletion of personal and financial data is initiated upon an account deletion request and completes 30 days after that request, consistent with the timeline described in Section 6.3. Certain data may be retained where required by law (e.g., tax records, fraud prevention).

9.1 Retention Periods by Data Category

  • Account identity data (email, name, profile): Retained while your account is active; deleted 30 days after the deletion request.
  • Financial records (transactions, balances, holdings): Retained while your account is active; deleted 30 days after the deletion request. Tax-related records may be retained for up to 7 years as required by IRS regulations.
  • AI chat history: Retained until you delete it from account settings or until account deletion.
  • Integration credentials (Plaid tokens, API keys): Revoked and deleted immediately upon disconnection, or 30 days after the deletion request.
  • Usage and analytics data: Aggregated analytics are retained indefinitely in anonymized form. Identifiable usage logs are retained for up to 90 days for security and debugging purposes.
  • Billing records: Retained for up to 7 years after your last transaction as required for tax and accounting compliance.

10. Cookies and Tracking

We use cookies and similar technologies to operate our service.

Essential Cookies

These cookies are strictly necessary for the operation of our service and cannot be disabled:

  • Session management (keep you logged in)
  • Security (prevent CSRF attacks, rate limiting)
  • Preferences (remember your settings)

Analytics Cookies (Non-Essential)

We use Google Analytics 4 (GA4) to understand how visitors interact with our marketing pages and to measure which content leads to signups. GA4 may collect device information, browser type, and approximate location data after you allow analytics. Google Analytics uses first-party cookies to distinguish browsers and sessions. We do not configure GA4 with a per-account user ID or send financial account contents to Google Analytics. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

We also use privacy-friendly aggregate analytics tools for operational statistics where available. Those tools are used for trend reporting rather than ad targeting.

Cookie Consent: Visitors are shown an allow/decline banner. Before you make a choice, analytics run in a cookieless mode — GA4 and our product-analytics tool measure aggregate page traffic without storing cookies or identifiers on your device. Allowing analytics enables full measurement, including first-party analytics cookies and session replay; declining stops non-essential analytics entirely. You can change your choice from our Cookie Policy page or by clearing site data in your browser.

Global Privacy Control (GPC): We honor the Global Privacy Control signal as a valid opt-out signal for non-essential analytics storage. When we detect a GPC signal from your browser, we treat it as a decline: no analytics cookies are set, GA4 runs in a fully consent-denied mode, and our product-analytics tool does not capture events.

We do not sell your browsing data. The Clarity marketing site displays Google AdSense advertising; AdSense advertising cookies are managed through Google's certified consent-management platform, which obtains consent in the EEA/UK before any personalized-advertising cookie is set. We also use the Meta Pixel and Meta Conversions API for advertising-conversion measurement (see Section 5.2). You can decline advertising and analytics storage through the cookie controls and the Global Privacy Control described above.

11. Children's Privacy

Clarity is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately at legal@raintree.technology, and we will delete it.

12. Security Incidents

In the event of a data breach that affects your personal information, we will notify affected users promptly and in accordance with applicable laws. For EU/EEA residents, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR. Notification timelines for other jurisdictions may vary based on local law. Our notification will include:

  • What information was affected
  • When the breach occurred
  • Steps we are taking to address it
  • Recommendations to protect yourself

We will also notify relevant regulatory authorities as required by law (e.g., state attorneys general, European data protection authorities).

14. International Users

Our services are hosted in the United States. If you access Clarity from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using our service, you consent to this transfer and processing.

For EU/EEA-specific rights and details about international data transfer safeguards (including Standard Contractual Clauses), please see Section 8. You may request a copy of our SCCs by emailing legal@raintree.technology.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Email notification to your registered email address
  • In-app notification when you log in
  • Updating the "Last updated" date at the top of this page

Continued use of Clarity after changes take effect constitutes acceptance of the updated Privacy Policy.

16. Contact Us

For privacy-related questions, concerns, or requests to exercise your rights, please contact us:

  • Email: legal@raintree.technology
  • Mailing Address: FinSync LLC (operating as Raintree Technology), c/o ZenBusiness Inc., 2520 Venture Oaks Way Suite 120, Sacramento, CA 95833
  • Attention: Privacy Officer
Questions about this policy? Contact the Clarity team.