Privacy Policy

Effective date: April 27, 2026
Last updated: April 27, 2026
Version: 2.2

Paliscore (“Paliscore,” “we,” “us,” or “our”) provides software tools to help users understand and improve their financial profile. This Privacy Policy explains how we collect, use, share, and protect your information, and what rights you have. We collect what we need to deliver your plan — nothing more.

This policy applies to U.S. residents. Paliscore is currently offered only to users in the United States.

1. Information We Collect

We collect information in three ways: (a) information you provide, (b) information collected automatically, and (c) information from third parties — including Plaid, which connects your financial accounts and credit data when you authorize it.

1.1 Information You Provide

Account Data

  • Name and email address
  • Password (salted and hashed by Supabase Auth — we never see or store your password in plain text)
  • Marketing email opt-in preference

Self-Reported Assessment Data (Sensitive Personal Information)

  • Self-reported credit score
  • Self-reported credit utilization
  • Income, business revenue, funding goals
  • Account age, derogatory items

Billing Data

  • Stripe Customer ID
  • Payment metadata (amount, status, timestamps, last four digits of card, card brand)
  • Card data itself is stored by Stripe — Paliscore does not see, store, or transmit full card numbers.

Communications

  • Support requests and correspondence
  • Affiliate program tax documentation (W-9 or W-8 forms, if applicable)

1.2 Information Collected Automatically

  • Usage data: page views, feature interactions, session duration
  • Device metadata: browser type, operating system, device type, screen size
  • IP address and approximate location (city/state level)
  • Error logs: captured by Sentry; configured to scrub personal information from stack traces
  • Cookies: see Section 7

1.3 Information from Plaid (When You Authorize It)

When you choose to connect your financial accounts through Plaid, we receive information from your financial institutions and (in a later release) credit reporting agencies, which may include:

What's available today: bank and liability connections (account balances, transaction history, credit-card balances and limits as reported by your bank). Coming in a later release: direct credit-bureau connections (Plaid Check / Equifax). Until that release ships, we do not receive bureau-direct credit reports — your self-reported credit score in the assessment is the source for that field.

From your bank or financial institution:

  • Account holder name and account type
  • Account and routing numbers (tokenized)
  • Current account balances
  • Transaction history (date, amount, merchant, category)
  • Account ownership details

From credit bureaus (live credit data — future release):

  • Credit reports and credit scores
  • Tradelines (open and closed accounts, balances, payment history)
  • Inquiries (hard and soft)
  • Public records and collections
  • Credit score factors and changes over time

Important things to understand about the Plaid connection:

  • You authorize the connection through Plaid's interface. Plaid's privacy policy applies to data collection through Plaid's services and is available at https://plaid.com/legal/.
  • We receive tokens, not your bank credentials. We never see, store, or transmit your bank login or password.
  • You can disconnect at any time from your account settings, which immediately revokes our access to ongoing data updates.
  • Disconnecting does not delete data we've already received and stored — to delete that data, you must also submit a deletion request (see Section 6).

1.4 Information from Other Third Parties

  • Stripe sends us payment status, dispute, and chargeback information.
  • Affiliate referrals: if you arrived via an affiliate link, we record the referring affiliate's ID and the timestamp.
  • We do not buy or rent personal information from data brokers.

2. Categories of Personal Information (CCPA/CPRA)

CCPA Category | Examples We Collect | Source | Disclosed to
Identifiers | Name, email, IP address, account ID | You, your device | Sub-processors (Section 4)
Customer records | Billing details, support history | You, Stripe | Stripe, Resend, Supabase
Commercial information | Subscription tier, transaction history | You, Stripe, Plaid | Stripe, Supabase
Internet/network activity | Page views, error logs, device metadata | Your device | Sentry, Vercel, Supabase
Geolocation (approximate) | City/state from IP | Your device | Vercel, Sentry
Sensitive Personal Information | Financial information (credit reports, scores, tradelines, bank account details, transaction history, income), account login credentials | You, Plaid, credit bureaus (via Plaid), Supabase Auth | Supabase, Anthropic (limited fields), Plaid
Professional/employment information | Self-reported income, business revenue | You | Supabase, Anthropic
Inferences | Plan recommendations generated from your data | Anthropic API output | Stored in Supabase

We do not collect: biometric data, precise geolocation, racial/ethnic origin, religious beliefs, union membership, health information, sex life or sexual orientation, genetic data, or contents of communications other than support messages you send us.

2.1 Sensitive Personal Information

Significant portions of the data we collect qualify as Sensitive Personal Information (“SPI”) under CPRA — including your credit report data, bank account information, transaction history, account credentials, and financial information. We use SPI only for the purposes disclosed in this policy and do not use it to infer characteristics about you for advertising or any unrelated purpose. California residents have the right to limit our use of SPI; see Section 6.

3. How We Use Your Information

Purpose | Data Used | Legal Basis
Generate your personalized plan via Anthropic's Claude API | Self-reported assessment data; aggregated/redacted credit and bank summaries | Contract performance
Display your live credit and account data in the dashboard | Plaid-sourced credit and bank data | Contract performance
Track changes to your credit and accounts over time | Historical Plaid data | Contract performance
Provide and maintain the service | Account, usage, device data | Contract performance
Process payments and prevent payment fraud | Billing data | Contract performance, legal obligation
Send transactional email | Account data | Contract performance
Send lifecycle/marketing email | Account data | Your consent (opt-in)
Customer support and dispute resolution | All categories as needed | Contract performance, legitimate interest
Detect, prevent, and investigate fraud and abuse | All categories as needed | Legitimate interest, legal obligation
Comply with legal obligations | Billing, account, communications | Legal obligation
Improve and develop the product | Usage data, error logs, aggregated data | Legitimate interest

We do not use your assessment, credit, or bank data to train AI models.

3.1 What We Send to Anthropic

To generate your personalized plan, we send a structured summary of your financial profile to Anthropic's Claude API. We do not send your full credit report, account numbers, raw transaction history, or bank credentials. We send only the aggregate fields needed for plan generation (e.g., score range, total utilization, account count, summarized payment history). Account numbers and other direct identifiers are never sent to Anthropic.

3.2 Automated Decision-Making

Paliscore uses Anthropic's Claude API to generate a personalized financial plan based on your submitted and connected data. This is automated processing, but the output is informational only — it is not a credit decision, lending decision, or any other decision that produces legal effects. You are not denied or granted any service based on the AI output. You may disregard, modify, or request human review of any plan by contacting security@paliscore.com.

3.3 Not a Credit Repair Service or Consumer Reporting Agency

Paliscore is not a credit repair organization, consumer reporting agency, lender, broker, financial institution, debt relief service, credit counseling agency, or financial advisor. We display credit and financial information for your personal use and education. We do not furnish information to credit bureaus, do not make credit decisions, and do not provide consumer reports to third parties for FCRA-permissible purposes.

4. Sub-Processors and Third Parties

Sub-processor | Purpose | Data Shared | DPA in place
Supabase | Database, authentication | Account, assessment, credit, and bank data; hashed passwords | Yes
Plaid | Bank and credit data connection | Account credentials are exchanged directly with Plaid; we receive tokens and the financial data you authorize | Yes
Stripe | Payment processing | Billing data, customer ID, email | Yes
Anthropic (Claude API) | AI-generated plan | Aggregated and redacted financial summaries | Yes
Resend | Transactional and marketing email | Email address, name, message content | Yes
Vercel | Hosting, edge network | IP address, request metadata | Yes
Sentry | Error monitoring | Error stack traces, scrubbed of PII | Yes

About Plaid: Plaid is a financial data network used by thousands of fintech apps. When you connect an account, Plaid acts as the intermediary with your bank or credit bureau. Plaid's own privacy policy applies to data collected through Plaid's services and is available at https://plaid.com/legal/. You can review and revoke connected applications at https://my.plaid.com.

About Anthropic: Per Anthropic's commercial terms, API inputs and outputs are not used to train Anthropic's models and are retained for a limited period (typically 30 days) for trust and safety review unless flagged for longer retention.

Sub-processor changes: We may add or change sub-processors. Material changes will be reflected in this policy with at least 30 days' notice via email and/or in-app notification.

4.1 Other Disclosures

  • To comply with law: in response to a subpoena, court order, or other legal process
  • To protect rights: to enforce our terms, prevent fraud, or protect the safety of users or the public
  • In a business transfer: in connection with a merger, acquisition, or sale of assets
  • With your consent: in any other case where you've given us permission

4.2 We Do Not Sell or Share Personal Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA. We have not done so in the preceding 12 months and do not plan to. We never sell or share Plaid-sourced or credit-bureau-sourced financial information under any circumstances. We do not knowingly sell or share the personal information of consumers under 16.

5. Data Retention

Data | Retention Period
Active account data | Duration of your account
Self-reported assessment data | Duration of your account; deleted within 30 days of account closure
Plaid-sourced credit and bank data | Duration of your active connection plus 12 months after disconnection (for trend analysis), unless you request earlier deletion
Plaid access tokens | Until you disconnect, then deleted within 24 hours
Billing records | 7 years (tax/audit obligations)
Stripe customer ID and metadata | 7 years (matched to billing)
Marketing opt-out records | Indefinite (to honor your opt-out)
Support correspondence | 3 years from last contact
Usage data and error logs | 90 days
Affiliate tax forms (W-9/W-8) | 7 years (IRS requirement)
Backups | Up to 35 days after deletion from production

When you delete your account, we anonymize personal identifiers from your records and revoke all Plaid connections. Certain billing and tax records are retained as required by law.

6. Your Privacy Rights

  • Right to know / access
  • Right to delete
  • Right to correct
  • Right to opt out of sale or sharing
  • Right to limit use of Sensitive Personal Information
  • Right to data portability
  • Right to non-discrimination
  • Right to opt out of automated decision-making profiling (where applicable under state law)

6.1 Plaid-Specific Controls

  • Disconnect a Plaid connection at any time from your Paliscore account settings — this immediately stops new data flow.
  • Revoke Plaid's access entirely at https://my.plaid.com.
  • Submit a Plaid-specific data request directly to Plaid via privacy@plaid.com.
  • Disconnecting does not retroactively delete data we've already received. To delete that data from Paliscore, submit a deletion request below.

6.2 How to Exercise Your Rights

  • Self-serve: download your data or delete your account from your account settings
  • Email: security@paliscore.com from the email address associated with your account
  • Authorized agent: California residents may designate an authorized agent; we will require written authorization and may verify the underlying request directly with you.

We will respond within the timelines required by your state's law (typically 45 days, with one possible 45-day extension). We will verify your identity before fulfilling requests for sensitive data, particularly requests involving credit or bank data.

6.3 Right to Appeal

If we deny your privacy rights request, you may appeal by writing to security@paliscore.com with the subject line “Privacy Appeal.” We will respond within 60 days. If you're not satisfied, you may contact your state attorney general.

6.4 State-Specific Rights

State | Law | Effective
California | CCPA/CPRA | In effect
Virginia | VCDPA | In effect
Colorado | CPA | In effect
Connecticut | CTDPA | In effect
Utah | UCPA | In effect
Texas | TDPSA | In effect
Oregon | OCPA | In effect
Montana | MCDPA | In effect
Iowa | ICDPA | In effect
Delaware | DPDPA | In effect
New Jersey | NJDPA | In effect
New Hampshire | NHPA | In effect
Tennessee | TIPA | In effect
Minnesota | MCDPA | In effect
Maryland | MODPA | In effect
Indiana | INCDPA | 2026
Kentucky | KCDPA | 2026
Rhode Island | RIDTPPA | In effect

7. Cookies and Tracking Technologies

Cookie | Purpose | Duration
Supabase session | Keeps you signed in | Session / persistent
Affiliate attribution (pali_aff) | Records affiliate ID for commission tracking | 30 days
Admin re-authentication (pali_admin_last_action) | Short-lived MFA check for admin accounts | 15 minutes
Disclaimer acknowledgment (pali_disclaimer_acked) | Records that you saw the educational-only disclaimer | 1 year
Cookie consent (pali_consent) | Records your cookie banner choice | 1 year
Anonymous quiz token (anon_token) | Lets you take the quiz before signup; stitched to your account on claim | 7 days
Plaid Link | Required by Plaid to facilitate account connection | Session only

We do not use third-party advertising cookies, retargeting pixels, or third-party analytics. We honor browser-based Global Privacy Control (GPC) signals as opt-out requests.

7.1 Affiliate Cookie Details

The affiliate does not receive your personal information — only an aggregated count of referrals and the resulting commission amount.

8. Security

  • In transit: TLS 1.2 or higher.
  • At rest: Sensitive fields — including credit report data, Plaid tokens, bank transaction data, affiliate tax IDs, and assessment data — are encrypted with AES-256-GCM.
  • Tokenization: Bank credentials are never seen or stored by Paliscore.
  • Access controls: Production data is accessible only to the on-call engineer and designated administrators. Access to credit and bank data is gated by additional authorization and audit logging.
  • Authentication: Multi-factor authentication is required for all administrator accounts.
  • Aligned with GLBA Safeguards: We have implemented administrative, technical, and physical safeguards aligned with GLBA's Safeguards Rule given the financial nature of the data we handle.

8.1 Breach Notification

In the event of a security incident affecting your personal information, we will notify you by email and through other reasonable means as soon as possible — and within the timelines required by applicable state breach-notification laws (typically 30 to 60 days, depending on the state).

8.2 Reporting a Vulnerability or Security Issue

To report a security vulnerability or suspected security incident, contact security@paliscore.com.

9. Children's Privacy

Paliscore is not directed to, and we do not knowingly collect personal information from, children under the age of 18. If you are a parent or guardian and believe your child has provided us with personal information, contact us at security@paliscore.com.

10. Marketing Communications

  • Transactional: receipts, account notices, security alerts. Cannot opt out while you have an active account.
  • Marketing / lifecycle: sent only with your opt-in. Unsubscribe at any time via the link in any marketing email or by emailing security@paliscore.com.

All marketing emails include our business postal address, as required by the CAN-SPAM Act. We do not send SMS marketing.

11. International Users

Paliscore is offered only to users in the United States. If you access Paliscore from outside the United States, you do so at your own risk and consent to the transfer of your information to and processing in the United States.

12. Changes to This Policy

Material changes will be communicated via email and/or in-app notification, with at least 30 days' notice. Prior versions are available upon request to security@paliscore.com.

13. Contact Us

For all matters — general inquiries, privacy rights requests, security vulnerabilities, GLBA opt-outs, breach disclosures, and authorized agent submissions — contact:

security@paliscore.com

Paliscore GLBA Privacy Notice

Rev. April 2026

FACTS — What does Paliscore do with your personal information?

Why?

Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some — but not all — sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

What?

The types of personal information we collect and share depend on the product or service you have with us. This information can include:

  • Name, contact information, and account credentials
  • Income, credit history, credit scores, and credit report information
  • Account balances, transaction history, and payment history
  • Information from credit bureaus (via Plaid)
  • Information from your financial institutions (via Plaid)

When you are no longer our customer, we continue to share your information as described in this notice.

How?

All financial companies need to share customers' personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons Paliscore chooses to share; and whether you can limit this sharing.

Reasons we can share your personal information | Does Paliscore share? | Can you limit this sharing?
For our everyday business purposes — such as to process your transactions, maintain your account, respond to court orders and legal investigations, or report to credit bureaus | Yes | No
For our marketing purposes — to offer our products and services to you | Yes (email only, with opt-in) | Yes
For joint marketing with other financial companies | No | We don't share
For our affiliates' everyday business purposes — information about your transactions and experiences | No | We don't share
For our affiliates' everyday business purposes — information about your creditworthiness | No | We don't share
For our affiliates to market to you | No | We don't share
For nonaffiliates to market to you | No | We don't share

To limit our sharing

Please note: If you are a new customer, we can begin sharing your information 30 days from the date we sent this notice. When you are no longer our customer, we continue to share your information as described in this notice. However, you can contact us at any time to limit our sharing.

Questions?

Email security@paliscore.com.

Who we are

Who is providing this notice? Paliscore, a U.S.-based provider of educational financial-readiness software.

What we do

How does Paliscore protect my personal information?

To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings. We restrict access to personal information to employees and service providers who have a business need to know it. All sensitive data — including credit reports, bank information, and account credentials — is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM). All administrative access requires multi-factor authentication and is logged.

How does Paliscore collect my personal information?

We collect your personal information, for example, when you:

  • Open an account or provide account information
  • Submit your financial profile to receive a personalized plan
  • Connect a financial account or credit profile through Plaid
  • Make payments or interact with our services

We also collect your personal information from credit bureaus and financial institutions through Plaid, with your authorization.

Why can't I limit all sharing?

Federal law gives you the right to limit only:

  • Sharing for affiliates' everyday business purposes — information about your creditworthiness
  • Affiliates from using your information to market to you
  • Sharing for nonaffiliates to market to you

State laws and individual companies may give you additional rights to limit sharing. See “Other important information” below.

Definitions

  • Affiliates — Companies related by common ownership or control. They can be financial and nonfinancial companies. Paliscore has no affiliates that it shares your information with.
  • Nonaffiliates — Companies not related by common ownership or control. They can be financial and nonfinancial companies. Paliscore does not share your personal information with nonaffiliates for their marketing purposes.
  • Joint marketing — A formal agreement between nonaffiliated financial companies that together market financial products or services to you. Paliscore does not engage in joint marketing.

Other important information

California residents: Under California law, we will not share information we collect about you with companies outside of Paliscore unless the law allows. For example, we may share information with your consent, to service your accounts, or to provide rewards or benefits to which you are entitled. We will limit sharing among our companies to the extent required by California law.

Vermont residents: Under Vermont law, we will not share information we collect about you with companies outside of Paliscore unless the law allows or you provide us with your written consent.

Plaid-sourced data: Information we receive from Plaid (including credit bureau data and bank account data) is subject to additional protections. We do not sell, rent, or share Plaid-sourced data with any third party except our service providers as described in our Privacy Policy.

Paliscore Plaid End-User Disclosure

Shown on screen immediately before launching Plaid Link, and available in your settings under “Connected Accounts.”

Connecting Your Accounts with Plaid

To give you a complete and live view of your financial profile, Paliscore uses Plaid — a regulated financial data network — to connect to your bank and credit card accounts (with credit bureau connections planned for a later release). Before you connect, please understand the following:

Available now: bank account + liability connections (balances, transaction history, credit-card balances and limits as reported by your bank). Planned (1–2 months post-launch): Plaid Check / Equifax direct bureau connection (credit reports, scores, tradelines, inquiries, public records). The disclosures below describe both flows so you have a complete picture of how Paliscore handles each. We will notify you before the bureau connection is enabled.

What Plaid Does

When you click “Connect,” you'll be taken to Plaid's secure interface. Plaid:

  • Asks you to choose your bank or credit bureau
  • Asks you to log in or verify your identity directly with that institution
  • Acts as the intermediary that retrieves the data you authorize
  • Returns a token to Paliscore — not your bank credentials

Paliscore never sees, stores, or has access to your bank or credit bureau login credentials.

What Data You're Authorizing Paliscore to Receive

Depending on the connection you choose, Paliscore may receive:

From your bank:

  • Account holder name, account type
  • Account and routing numbers (used to identify your account; not displayed to you in full)
  • Current balances
  • Transaction history (date, amount, merchant, category)

From credit bureaus (future release):

  • Your credit reports and credit scores
  • Open and closed accounts (tradelines), balances, payment history
  • Credit inquiries (hard and soft)
  • Public records and collections
  • Credit score factors and trend data

You can review the specific permissions for each connection within Plaid's interface before authorizing.

How Paliscore Uses This Data

  • To display your live credit and account data in your Paliscore dashboard
  • To track changes to your credit and accounts over time
  • To generate your personalized plan through Anthropic's Claude API (using only aggregated and redacted summaries — not full credit reports or account numbers)
  • To provide customer support when you ask for it

How Paliscore Doesn't Use This Data

  • We do not sell or share Plaid-sourced data with any third party for marketing purposes.
  • We do not furnish any of this data to credit bureaus (we are not a “Furnisher” under FCRA).
  • We do not use Plaid-sourced data to make any credit, lending, employment, or eligibility decision about you.
  • We do not use Plaid-sourced data to train AI models.
  • We do not move money through Plaid. Paliscore's connection is read-only.

Your Controls

You can:

  • Disconnect any connection at any time from your Paliscore account settings → Connected Accounts. This immediately stops new data flow.
  • Revoke Plaid's access entirely at https://my.plaid.com (this affects all apps you've connected through Plaid).
  • Request deletion of data we've already received by emailing security@paliscore.com.

Plaid's Own Privacy Policy

Plaid has its own privacy policy that governs how Plaid collects, uses, and protects your data. Please review it at https://plaid.com/legal/. Paliscore's Privacy Policy governs what Paliscore does with the data we receive from Plaid.

Security

  • All data flows over TLS 1.2 or higher.
  • Plaid access tokens are encrypted with AES-256-GCM at rest.
  • Access to your credit and bank data inside Paliscore is gated and audit-logged.
  • You will be notified by email if there is a security incident affecting your data.

Questions

Email security@paliscore.com.

By clicking “Connect with Plaid,” you acknowledge that you have read this disclosure and authorize Paliscore to receive the data you select through Plaid.
