Privacy Policy
Last updated: March 2026
1. Overview
TrackWorth ("we", "our", "us") is a Canadian business operating the website at trackworth.co and the TrackWorth application (the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have.
This policy is intended to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law, and the European Union General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA), the United Kingdom, or Switzerland.
By using the Service you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
Account information: When you register, we collect your email address and a hashed password (passwords are never stored in plain text).
Financial data you enter: Asset balances, liability amounts, goals, transactions, and net worth snapshots that you manually enter into the Service. This data is stored securely in your account and never shared with third parties for advertising purposes.
Usage data: With your consent, we collect anonymized page view and performance data via Vercel Analytics to operate and improve the Service. No personal financial data is included in analytics.
Payment information: Payments are processed by Stripe, Inc. We do not store your credit card number or payment credentials. Stripe's privacy policy governs how payment data is handled.
3. Lawful Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
- Contractual necessity (Art. 6(1)(b)) — to provide the Service you signed up for (account management, financial tracking, subscription processing)
- Consent (Art. 6(1)(a)) — for non-essential analytics cookies (Vercel Analytics). You can withdraw this consent at any time via Settings → Preferences or by declining the cookie banner
- Legitimate interest (Art. 6(1)(f)) — to improve the Service, prevent fraud, and ensure security. We balance our interests against your rights and only process data necessary for these purposes
- Legal obligation (Art. 6(1)(c)) — to comply with tax, financial, and regulatory requirements (e.g. Stripe transaction records retained for 7 years)
4. How We Use Your Information
- To provide, maintain, and improve the Service
- To process payments and manage subscriptions
- To send transactional emails (password resets, subscription receipts)
- To respond to support requests
- To comply with legal obligations under PIPEDA, GDPR, and applicable law
We collect only the minimum information necessary to provide the Service (data minimisation under GDPR Article 5(1)(c) and PIPEDA's principle of limiting collection).
We do not sell your personal data, use it for advertising, engage in automated decision-making or profiling (GDPR Article 22), or share it with data brokers.
5. Data Storage and Security
Your data is stored on Supabase infrastructure hosted on AWS ca-central-1 (Canada — Montreal). Your financial data never leaves Canadian soil. We use Row-Level Security (RLS) to ensure database queries are strictly scoped to your user account. Data is encrypted at rest and in transit (industry-standard TLS protects data in transit).
No security measure is 100% guaranteed. While we take reasonable steps to protect your data, we cannot guarantee absolute security against all threats. In the event of a security breach that poses a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada (OPC) as required by PIPEDA, and the relevant EU supervisory authority within 72 hours as required by GDPR Article 33 where applicable.
6. Third-Party Services and International Data Transfers
We use the following third-party services (sub-processors). Payment processing and hosting are operated in the United States. Your financial data (database) is stored in Canada.
Supabase (Database & Authentication)
- Role: Stores all your financial data, budgets, transactions, and account information. Also handles user authentication and login sessions.
- Data location: Canadian servers (AWS ca-central-1, Montreal region)
- Data shared: All data you enter into the application
- Security: Row-Level Security ensures queries are scoped to your account. Data encrypted at rest and in transit.
- Privacy policy: supabase.com/privacy
Stripe, Inc. (Payment Processing)
- Role: Processes subscription payments for TrackWorth Pro
- Data shared: Email, billing address, and payment method information
- Data storage: Stripe securely stores your payment information. We never see or store your full card details.
- Retention: Stripe may retain anonymized transaction records for up to 7 years for legal compliance (tax reporting, audits)
- Certification: PCI-DSS Level 1 certified
- Privacy policy: stripe.com/privacy
Vercel, Inc. (Hosting & Analytics)
- Role: Hosts the TrackWorth web application and provides anonymized page-view analytics
- Data location: US servers (edge-delivered globally)
- Data shared: Anonymized page views and performance metrics (only with your consent)
- Consent required: Yes — analytics require opt-in via the cookie consent banner
- Privacy policy: vercel.com/legal/privacy-policy
Groq, Inc. (AI Inference)
- Role: Powers the Fin AI assistant by processing your chat messages using Meta's open-source Llama model
- Data shared: Your chat message and relevant financial context (balances, categories, goals). We never share your name, email, or authentication credentials with Groq.
- Data storage: Messages are processed in real time and are not stored or retained by Groq after a response is generated (subject to Groq's privacy policy)
- Training: We do not permit third-party AI providers to use your data for model training
- Data location: US servers
- Privacy policy: groq.com/privacy-policy
Open Exchange Rates (Currency Data)
- Role: Provides foreign exchange rate data for multi-currency conversion
- Data shared: No personal data is transmitted — only currency pair requests
All third-party service providers are required to comply with applicable privacy laws and use your information only for the purposes described above.
GDPR international transfers: For users in the EEA/UK, transfers to the United States (Stripe, Vercel) are protected by the EU-US Data Privacy Framework (where applicable) and/or Standard Contractual Clauses (SCCs) approved by the European Commission. Canada has been recognised by the European Commission as providing an adequate level of data protection (Adequacy Decision 2002/2/EC), so transfers to our Canadian database do not require additional safeguards.
We maintain Data Processing Agreements (DPAs) with our sub-processors. A list of current sub-processors is available upon request at privacy@trackworth.co. We will notify users of any material changes to our sub-processor list.
7. Data Retention and Deletion
Active accounts: Your data is retained for as long as your account is active. You may delete your account at any time from Settings → Danger Zone. Upon deletion, your personal data and all financial records are immediately removed from our systems. Stripe may retain transaction records for up to 7 years as required by law.
Free plan accounts: All records (assets, liabilities, goals, transactions, and snapshots) older than 3 months are automatically purged on a daily basis. Upgrade to Pro at any time to retain your data indefinitely.
Inactive accounts: Accounts with no activity for 24 months may be purged after notice is sent to the registered email address.
Consent records: We retain a timestamped log of your cookie consent choices for compliance purposes. These records are deleted when your account is deleted.
8. Your Rights
Under PIPEDA (Canadian users):
- Access the personal data we hold about you — free of charge
- Correct inaccurate information in your account (via Settings)
- Delete your account and all associated data (via Settings → Danger Zone)
- Export your data in CSV format at any time — available to all users free of charge (Settings → Data)
- Withdraw consent for non-essential data processing (e.g. analytics) via Settings → Preferences
- Challenge compliance — file a complaint with the Office of the Privacy Commissioner of Canada
Under GDPR (EEA/UK/Swiss users):
In addition to the rights above, you also have the right to:
- Data portability (Art. 20) — receive your data in a structured, machine-readable format (CSV export)
- Restriction of processing (Art. 18) — request that we limit how we use your data while a dispute is resolved
- Object to processing (Art. 21) — object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds
- Right to be forgotten (Art. 17) — request erasure of your personal data. Account deletion removes all data immediately
- Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
- Lodge a complaint with your local EU/EEA supervisory authority
To exercise any of these rights, contact us at privacy@trackworth.co. We will respond within 30 days (PIPEDA) or one month (GDPR Article 12(3)), extendable by two further months for complex requests with prior notice.
9. Cookies and Analytics
TrackWorth uses session cookies strictly required for authentication — these cannot be declined without breaking login functionality (GDPR "strictly necessary" exemption).
We also use Vercel Analytics to collect anonymized page views and performance data. This is a non-essential cookie and requires your explicit consent. You can accept or decline via the cookie banner shown on your first visit. You can change your preference at any time from Settings → Preferences → Analytics Cookies.
We log the timestamp of your consent choice for GDPR compliance. No analytics data is collected until you actively opt in.
10. AI Assistant ("Fin")
TrackWorth includes an optional AI-powered financial assistant called Fin. Understanding how your data is handled within this feature is important.
Conversation storage
- Browser-only storage — Your chat messages are stored exclusively in your browser's local storage. They are never saved to our servers or database.
- Cleared with browser data — Clearing your browser data, cookies, or site data will permanently delete your entire conversation history.
- No backups — Chat history is not included in any server-side backups or data exports.
- Per-device — Conversations are unique to each device and browser you use. There is no sync between devices.
How messages are processed
When you send a message, it is transmitted along with a summary of your financial data (assets, liabilities, goals, and recent transactions) to Groq, Inc., a third-party AI inference provider, which processes the request using Meta's open-source Llama language model. Groq processes the message in real time and does not retain your data after the response is generated (subject to Groq's own privacy policy). This processing may occur on servers located in the United States.
Data safeguards
- Your name, email address, and authentication credentials are never sent to AI providers
- Only financial context relevant to your question (spending amounts, categories, goal progress) is included
- We do not permit third-party AI providers to train their models on your data
What we track
We record only a daily message count per user for rate-limiting purposes. The content of your messages and Fin's responses is never logged, stored, or reviewed by TrackWorth.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or by a notice in the application at least 30 days before changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact and Privacy Officer
TrackWorth has designated a privacy contact responsible for ensuring compliance with PIPEDA and GDPR, and handling privacy-related inquiries and complaints.
Privacy contact: privacy@trackworth.co
General support: support@trackworth.co
Canadian users: If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (OPC).
EU/EEA users: You may lodge a complaint with your local data protection supervisory authority.