Privacy Policy

Effective date: February 10, 2026

AskMyMoney ("we", "us", or "our") is operated by Axite LLC. This Privacy Policy explains how we collect, use, store, and share your information when you use the AskMyMoney application ("Service") through ChatGPT or our website.

1. Data We Collect

Account Information

When you sign up, we collect your name, email address, and profile image via Google OAuth. We also store session tokens and, if you enroll, passkey (FIDO2/WebAuthn) credentials for passwordless authentication.

Financial Data (via Plaid)

When you connect a financial institution through Plaid, we receive and store:

  • Account metadata — name, masked account number (last 4 digits), type, subtype, and currency
  • Balances — current and available balances
  • Transactions — date, amount, merchant name, category, and payment channel
  • Investment holdings and transactions (if applicable)
  • Liabilities such as credit cards and loans (if applicable)

We do not store your bank login credentials. Credentials are entered directly into Plaid's secure Link interface and are never transmitted to our servers.

Subscription & Billing Data

Payments are processed by Stripe. We store your Stripe customer ID, subscription plan, and billing period. We do not store credit card numbers or payment method details.

Automatically Collected Data

We collect session identifiers, IP addresses, and user-agent strings for authentication and security purposes. We do not use third-party analytics, tracking pixels, or advertising cookies.

2. How We Use Your Data

  • Provide and operate the Service (balance checks, spending insights, budget tools)
  • Authenticate your identity and manage sessions
  • Process subscription billing via Stripe
  • Send transactional emails (connection confirmations, error alerts, consent expiration warnings)
  • Maintain audit logs for security and dispute resolution
  • Improve the reliability and performance of the Service

We do not sell, rent, or share your financial data with marketers or third parties for advertising purposes.

3. Data Storage & Security

  • Plaid access tokens are encrypted at rest using AES-256-GCM before being stored in our database.
  • All connections use HTTPS/TLS encryption in transit.
  • Sessions expire after 30 days, and session cookies are set with the HttpOnly, Secure, and SameSite attributes.
  • Plaid webhook payloads are verified via JWT signature and SHA-256 body hash before processing.
  • All data queries are scoped to your user ID — you can only access your own data.

4. Third-Party Services

We share limited data with the following service providers solely to operate the Service:

  • Plaid Inc. — Connects to your financial institutions and provides account, transaction, and balance data. Plaid's use of your data is governed by the Plaid End User Privacy Policy.
  • Stripe Inc. — Processes subscription payments. We share your email and plan selection. Stripe's privacy policy is available at stripe.com/privacy.
  • Resend — Delivers transactional emails. We share your email address and name only for the purpose of sending Service-related notifications.
  • OpenAI (ChatGPT) — The Service runs as a ChatGPT app. Aggregated financial summaries (not raw transaction data) are returned to ChatGPT in response to your queries. OpenAI's data usage is governed by the OpenAI Privacy Policy.

5. Data Retention

  • Financial data (transactions, balances) is retained while your account is active and your bank connection remains linked.
  • Sessions expire automatically after 30 days.
  • Audit logs (connection and deletion records) are retained indefinitely for compliance and dispute resolution.
  • When you disconnect a bank account, we soft-delete the associated items and revoke the Plaid access token. An audit record of the disconnection is kept.
  • When you delete your account, we revoke all Plaid access tokens, delete all associated financial data, and remove sessions, API keys, and OAuth tokens.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Delete your account and associated data
  • Disconnect individual bank accounts at any time
  • Export your data upon request
  • Object to or restrict certain processing activities

To exercise any of these rights, contact us at the address below.

7. Cookies

We use a single essential session cookie (better_auth_session) to maintain your authenticated session. It is HttpOnly, Secure, and set with SameSite=Lax. We do not use analytics, advertising, or third-party tracking cookies.

8. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service. Your continued use of the Service after a change constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Axite LLC
Email: [email protected]