Privacy Policy - Compoundly
Effective Date: January 20, 2026
Last Updated: January 20, 2026
1. Information We Collect
Personal Information
- Account Information: Name, email address, password (encrypted)
- Financial Assessment Data: Income, expenses, assets, debts, financial goals
- Subscription Information: Payment details, subscription status, billing history
- Communication Data: Support requests, feedback submissions, correspondence
Technical Information
- Usage Data: Pages visited, features used, time spent on platform
- Device Information: IP address, browser type, operating system, device identifiers
- Cookies and Analytics: Session data, performance metrics, user preferences
2. How We Use Your Information
- Service Delivery: Calculate financial scores, generate assessments, track goals
- AI-Powered Features: Generate personalized financial advice (premium users only)
- Account Management: Authentication, subscription management, customer support
- Communication: Service updates, security notifications, marketing (with consent)
- Improvement: Platform optimization, feature development, fraud prevention
- Legal Compliance: Regulatory requirements, law enforcement requests
3. Legal Basis for Processing (GDPR)
- Contract Performance: Providing financial assessment and premium services
- Consent: Marketing communications, optional features, document processing
- Legitimate Interests: Fraud prevention, service improvement, security
- Legal Obligations: Financial regulations, anti-money laundering, tax reporting
4. Information Sharing and Disclosure
Service Providers
- OpenAI: AI-powered advice generation for premium users (anonymized data)
- Stripe: Payment processing and subscription management
- Email Services: Transactional and marketing communications
- Analytics: Usage analytics and performance monitoring
Legal Requirements
- Court orders and legal process
- Law enforcement investigations
- Financial regulatory compliance
- Fraud prevention and security
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity with appropriate notice.
5. Data Retention
- Active Accounts: Personal data retained while account is active and for legitimate business purposes
- Deleted Accounts: Most data deleted immediately, some data retained up to 12 months for legal/fraud prevention
- Payment Data: Retained as required by payment processors and financial regulations
- Legal Hold: Data may be retained longer if subject to legal proceedings
6. Your Rights and Choices
Access and Control
- Access: Request copies of your personal information
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal information
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your information
- Objection: Object to processing based on legitimate interests
Marketing and Communications
- Opt-out of marketing emails via unsubscribe links
- Manage communication preferences in account settings
- Essential service communications cannot be disabled
Account Deletion
You may delete your account at any time through your profile settings. Account deletion is permanent and cannot be undone.
7. International Data Transfers
We primarily operate from the United States. For users in the UK and European Union:
- Adequacy Decisions: We rely on adequacy decisions where available
- Standard Contractual Clauses: We use SCCs for transfers lacking adequacy decisions
- Safeguards: All transfers include appropriate technical and organizational safeguards
- Rights: EU/UK residents retain all data protection rights regardless of transfer location
8. Security Measures
- Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication for staff
- Monitoring: Continuous security monitoring and threat detection
- Audits: Regular security assessments and penetration testing
- Incident Response: Documented breach notification procedures
9. Children's Privacy
Our services are not intended for individuals under 13 years of age (16 in the EU). We do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information immediately.
10. California Consumer Privacy Act (CCPA)
California Residents' Rights
- Know: Categories and specific pieces of personal information collected
- Delete: Request deletion of personal information
- Opt-Out: Opt-out of sale of personal information (we do not sell personal information)
- Non-Discrimination: Equal service regardless of privacy choices
Categories of Information Collected
- Identifiers (name, email, IP address)
- Financial information (income, expenses, assets)
- Internet activity (usage patterns, preferences)
- Professional information (employment details)
11. Updates to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via:
- Email notification to registered users
- Prominent notice on our website
- In-app notifications for significant changes
Continued use of our services after policy updates constitutes acceptance of the revised terms.
12. Contact Information
13. Compliance Certifications
We maintain compliance with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Gramm-Leach-Bliley Act (GLBA)
- SOC 2 Type II (planned)
- ISO 27001 (planned)