Privacy Policy

1. Introduction

At WIMD ("Where Is My Dough"), we take your privacy seriously. This Privacy Policy explains how we collect, use, and protect your information when you use our personal finance management service.

For detailed information about our security practices, please visit our Security page.

2. Information We Collect

Account Information

  • Email address (required for account creation)
  • Name (optional, for personalization)
  • Profile preferences and settings

Financial Data

When you connect your bank accounts through Plaid or SimpleFin, we receive:

  • Account names and types (e.g., "Chequing Account")
  • Current balances
  • Transaction history (merchant name, amount, date, category)

Important: We never receive your full account numbers—only masked identifiers (e.g., "****1234"). We also never see your bank login credentials.

Data You Create

  • Custom categories and subcategories
  • Transaction rules and notes
  • Budget settings and goals
  • Projects you create
  • Receipts you upload

Usage Data

  • Pages visited and features used
  • Button clicks and interactions
  • Error reports and performance metrics

This data is collected via PostHog and includes your user ID to track sessions. You can request to opt out of analytics tracking by contacting us.

3. How We Use Your Information

  • To provide and maintain our service
  • To categorize transactions and generate spending insights
  • To power AI features like automatic categorization and receipt scanning
  • To process subscription payments through Stripe
  • To send transactional emails (verification, password resets, notifications)
  • To improve the app based on usage patterns
  • To protect against fraud and unauthorized access

4. AI and Your Data

We use AI to help categorize transactions and scan receipts. When using AI features:

  • We send transaction descriptions and amounts only
  • We never send your name, email, account numbers, or personal identifiers
  • We use AI providers (Google Gemini via OpenRouter) that are opted out of training on your data
  • Requests are processed in real-time and not stored by AI providers

5. Third-Party Services

We share your information with the following services to operate WIMD. Each service receives only the minimum data necessary for its function:

Plaid / SimpleFin: Bank connection services that sync your account data
Stripe: Payment processing for subscriptions (they store your payment method)
Resend: Transactional emails (verification, password resets)
Google / OpenRouter: AI-powered categorization (transaction descriptions only)
PostHog: Product analytics (opt-out available on request)

For full details on what each service accesses, see our Security page.

6. What We Will Never Do

  • Sell, trade, or rent your personal information to third parties
  • Share your data with data brokers or advertisers
  • Show you targeted ads based on your financial data
  • Use your data to train AI models for purposes other than serving you

7. Data Protection

  • All sensitive data is encrypted at rest using AES-256
  • All connections are encrypted in transit using TLS
  • Bank access tokens are encrypted before storage
  • Passwords are securely hashed—we cannot see them
  • Two-factor authentication (2FA) is available for your account

8. Your Rights

You have the right to:

  • Access your personal data at any time
  • Export your data in CSV format
  • Request deletion of your account and all associated data
  • Opt out of marketing communications
  • Request to opt out of analytics tracking (PostHog)
  • Disconnect bank accounts and delete synced data
  • Update or correct your personal information

9. Data Retention

We retain your data only for as long as necessary to provide our services. When you delete data (like transactions or categories), it is soft-deleted and kept for 30 days for recovery, then permanently removed.

Upon account deletion, we will securely remove all your data within 30 days, except where required by law.

10. Children's Privacy

WIMD is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the app. Your continued use of WIMD after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at [email protected].

Last updated: January 2025