Privacy Policy

Effective Date: July 6, 2026 • Last Updated: July 6, 2026

The Short Version

  • We never sell or rent your data. Not to advertisers, not to data brokers, not to anyone - ever.
  • No ads, no trackers, no analytics. Cadence runs no advertising cookies, no third-party analytics, and no retargeting pixels.
  • We never see your bank login. Bank connections are handled by Plaid in read-only mode - we can view balances and transactions, but can never move your money.
  • We don't train AI on your data. Our insights are produced by our own algorithms, and we only share your financial data with an AI platform if you connect one yourself.
  • You stay in control. Export or delete your data at any time from Settings.

The full detail is below.

Introduction

This Privacy Policy explains how Cadence collects, uses, and protects your information. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, for residents of the United States, applicable state privacy laws.

Information We Collect

Information You Provide

  • Account Information: Name, email address, and password
  • Financial Data: Transactions, accounts, assets, liabilities, budgets, goals, and income sources you enter manually
  • Payment Information: Billing details processed through Stripe (we do not store full payment card numbers)
  • CSV Imports: Transaction data you upload via CSV file, including filename and import metadata
  • Notification Preferences: Push notification settings by category and frequency
  • Support Communications: Messages you send to our support team

Information from Plaid

When you connect a financial institution through Plaid, we receive:

  • Account Information: Account name, type, official name, and last four digits
  • Balance Information: Current and available balances
  • Transaction Data: Descriptions, amounts, dates, merchant names, and categories
  • Institution Information: Name and identifier of your financial institution

Plaid has its own privacy policy: plaid.com/legal

Information from AI Platform Integrations

When you authorise an AI platform (such as Claude, ChatGPT, or Gemini) to access your Cadence data:

  • Authorisation Events: We log which platform was authorised, when, and the scope of access granted
  • Token Activity: Token issuance and revocation events are recorded for security purposes
  • No Separate Copies: AI platforms access your data in real-time on your behalf — we do not create separate copies of your data for third-party platforms

Information Collected Automatically

  • Device Information: Device type, operating system, browser type
  • Usage Data: Features used, application errors, and performance metrics
  • IP Addresses & User Agents: Collected as part of security audit logging for detecting unauthorised access
  • Push Notification Tokens: Device-specific tokens used to deliver push notifications to your device
  • Authentication Events: Login attempts, two-factor verification events, biometric enrollment status, passkey (WebAuthn) enrollment, and session metadata
  • Automated Financial Snapshots: Daily snapshots of your aggregated financial state (account balances, asset values, budget progress) used to power historical charts and net worth tracking

How We Use Your Information

  • Service Provision: Calculating net worth, budget tracking, and financial insights
  • Smart Categorisation: Learning your transaction categorisation preferences from corrections you make, to suggest categories for future transactions
  • Push Notifications: Sending security alerts, spending insights, goal progress updates, and bill reminders based on your preferences
  • AI Platform Data Access: Providing your financial data in read-only mode to AI platforms you have explicitly authorised
  • Security: Detecting unauthorised access and maintaining application security
  • Improvements: Fixing bugs and improving functionality
  • Legal Compliance: Meeting legal obligations under Canadian law

Artificial Intelligence

We do not use your financial data to train artificial-intelligence or machine-learning models. The insights, spending analysis, and category suggestions you see in Cadence are produced by our own algorithms - not by a third-party AI. We do not share your financial data with any AI platform unless you explicitly connect one yourself.

The only way your data reaches an AI platform is if you explicitly connect one yourself (see "Information from AI Platform Integrations" above). That access is read-only, initiated by you, and revocable at any time.

How We Protect Your Information

  • Encryption in Transit: All data encrypted using TLS 1.2 or higher
  • Encryption at Rest: Database encrypted using AES-256; Plaid access tokens receive additional AES-256-GCM encryption
  • Access Controls: Two-factor authentication, Row-Level Security on all user data tables
  • Session Security: Automatic timeout after inactivity
  • Biometric Authentication: Face ID and fingerprint verification are handled entirely by your device's operating system. Cadence stores only an enrollment flag — we never receive, store, or have access to your biometric data
  • Two-Factor Authentication: Optional TOTP-based two-factor authentication with server-generated recovery codes for enhanced account security
  • Passkeys (WebAuthn): Optional passwordless sign-in using device-bound passkeys. The private key never leaves your device - Cadence stores only the public credential needed to verify you
  • Audit Logging: Security-relevant actions are logged for fraud detection. Audit logs are accessible only to system administrators, not to users
  • AI Platform Token Security: Authorised AI platform connections use industry-standard encryption, token rotation, and individually revocable access

When We Share Your Information

We do not sell your information. Ever.We limit sharing to only what's necessary:

No Advertising or Analytics Tracking

We do not use third-party advertising cookies, analytics trackers, or retargeting pixels. We do not share your information with advertisers or data brokers. We do not build advertising profiles based on your financial data. We use essential cookies only for authentication and session management.

Service Providers

We use the following trusted service providers. They only access your data as needed to provide their services to us:

  • Supabase: Database hosting, user authentication, and server-side functions (US-based infrastructure)
  • Plaid: Financial account connectivity — processes your banking credentials directly (we never see them)
  • Stripe: Payment processing for subscriptions — processes billing information directly
  • Apple Push Notification Service (APNs): Delivers push notifications to iOS devices
  • Firebase Cloud Messaging (FCM): Delivers push notifications to Android and web devices
  • Vercel: Application and website hosting (US-based infrastructure)
  • Resend: Delivery of account, security, and notification emails

AI Platforms You Authorise

When you explicitly authorise an AI platform through our OAuth consent flow, your financial data is shared with that platform as described in the consent screen. Data shared may include transactions, budgets, account balances, net worth, recurring bills, income sources, financial goals, cashflow summaries, and spending reports.

  • This sharing is always initiated by you and can be revoked at any time
  • Once transmitted, your data is subject to the AI platform's own privacy policy
  • We do not sell, rent, or share your data with AI platforms without your explicit authorisation

Legal Requirements

We may share information if required by law, court order, or valid legal process.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you before your information becomes subject to a different privacy policy.

Where Your Data Is Stored

Your data is stored using infrastructure based in the United States. By using Cadence, you consent to this storage. We ensure our providers maintain appropriate security standards.

Your Rights

  • Access: View your data through the application
  • Correction: Update your information at any time
  • Deletion: Delete your account and all data through Settings
  • Data Export: Export your financial data through the application
  • Disconnect Plaid: Remove connected accounts at any time, which immediately deletes access tokens
  • Revoke AI Platform Access: Disconnect any authorised AI platform at any time, which immediately invalidates their access tokens
  • Manage Notifications: Control which notification categories you receive and disable push notifications entirely through Settings
  • Recently Deleted Recovery: Deleted transactions are held for 30 days before permanent deletion, allowing you to recover them during that window

We respond to privacy requests within 30 days.

United States State Privacy Rights

Cadence is available in Canada and the United States. If you are a US resident, you may have rights under your state's privacy laws (such as the California Consumer Privacy Act), including the right to know what personal information we collect, to access or delete it, to correct it, and to not be discriminated against for exercising these rights.

Because we do not sell or share your personal information and do not use it for targeted advertising, there is no "Do Not Sell or Share My Personal Information" choice to make - that protection already applies to every user by default. To exercise any other right, use the in-app tools in Settings or contact us at privacy@cadencemoney.com. We respond within 30 days.

Cookies

We use essential cookies for authentication and session management.

Children's Privacy

Cadence is intended solely for users who are at least 18 years of age. We do not knowingly collect information from anyone under 18. If we become aware that we have collected personal information from a user under 18, we will promptly delete that information.

Changes to This Policy

When we make significant changes to this Privacy Policy or our Terms of Use, we will notify you through an in-app prompt requiring your review and acceptance before you can continue using the Services. We may also notify you via email or push notification at our discretion.

Consent

By using Cadence, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. You may withdraw consent at any time by deleting your account.


Data Retention & Deletion Policy

Effective Date: July 6, 2026 • Last Updated: July 6, 2026

Purpose

This policy defines how Cadence retains and deletes user data in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Retention Periods

Data TypeRetention Period
Account informationWhile account is active
Financial data (transactions, accounts, assets, etc.)While account is active
Plaid access tokensWhile connection is active
Plaid synced dataWhile account is active
Session data90 days
Audit logs90 days
Push notification tokensWhile subscription is active
OAuth tokens (AI platforms)Until revoked or 90 days of inactivity
Automated financial snapshotsWhile account is active
Recently deleted transactions30 days, then permanently deleted
Notification history90 days

On account deletion, all user data is immediately and permanently deleted.

Account Deletion

Users can delete their account through Settings > Privacy > Delete Account.

What happens immediately:

  1. Authentication credentials deleted
  2. Plaid access tokens revoked with Plaid API and deleted
  3. OAuth tokens for AI platforms revoked
  4. All financial data deleted (transactions, accounts, assets, budgets, goals, etc.)
  5. Push notification subscriptions deactivated
  6. All preferences and settings deleted
  7. Session data deleted
  8. Audit logs retained per retention schedule (90 days), then deleted

Plaid Disconnection

When you disconnect a Plaid account:

  1. Access token revoked with Plaid API
  2. Token deleted from our database
  3. Synced account records removed
  4. Synced transaction data removed

Your Responsibility

You are responsible for exporting any data you wish to keep before deleting your account. Once deleted, data cannot be recovered.

Legal Holds

Data subject to legal proceedings or valid legal hold will be retained as required by law. If a deletion request cannot be honored due to legal obligations, we will notify you.

User Rights

RightHow to Exercise
AccessView data in the application
CorrectionEdit directly in the application
DeletionSettings > Privacy > Delete Account
Disconnect PlaidSettings > Synced Accounts > Remove

We respond to requests within 30 days.

Compliance

This policy complies with PIPEDA, including the data minimization principle—we only retain data as long as necessary to provide the service.

Policy Review

This policy is reviewed annually and updated when relevant privacy laws or our data practices change.

Contact

Email: privacy@cadencemoney.com

If unsatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376.