Privacy Policy
Last updated: July 1, 2026 · Effective: July 1, 2026
01 Who we are
NeuralWallet Inc. ("NeuralWallet", "we", "us", or "our") operates the NeuralWallet mobile and web applications (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have.
- For users in the UK and EEA, NeuralWallet is the data controller of your personal information.
- For users in Canada, NeuralWallet is the organization responsible for personal information under PIPEDA (and Quebec Law 25, where applicable).
- For users in Australia, NeuralWallet is the APP entity handling personal information under the Privacy Act 1988.
- For users in California and other US states with comprehensive privacy laws, NeuralWallet is the business that determines the purposes and means of processing your personal information.
02 Information we collect
We collect the minimum information needed to operate the Service.
Information you provide
- Account information — email address and authentication credentials (managed via our authentication provider, Supabase). Passwords are stored as salted hashes; we never see your password.
- Transaction and budgeting data you enter — transactions, amounts, dates, categories, notes, budgets, and recurring entries. You enter this data manually. NeuralWallet does not connect to your bank accounts or pull financial data from third parties.
- AI chat messages — any messages you send to our AI assistant, and the data context you choose to reference.
- Gmail receipt monitoring (Pro, opt-in) — if you connect your Google account, we scan inbox messages that match receipt patterns to suggest transactions. We use the minimum Gmail scopes required and you can disconnect at any time.
- Support communications — messages you send us by email or in-app.
Information collected automatically
- Technical/device data — IP address, device type, operating system, app version, language, and approximate region (derived from IP).
- Usage data — pages or screens viewed, features used, errors, and crash diagnostics.
- Cookies and similar technologies (web only) — strictly necessary cookies for authentication and session management. We do not use advertising cookies.
Information we do not collect
- Bank account credentials, card numbers, or balances.
- Social Security Numbers, SINs, NI numbers, or TFNs.
- Precise geolocation.
- Biometric identifiers.
03 How we use your information
We use your information to:
- Provide and operate the Service — display your transactions, calculate budgets, sync between devices.
- Authenticate you and protect your account.
- Provide AI-powered features when you invoke them.
- Communicate with you about the Service (service notices, security alerts, support replies).
- Diagnose and fix bugs, prevent fraud and abuse, and maintain security.
- Comply with legal obligations.
We do not sell your personal information. We do not use Your Content (your transactions or chat messages) to train third-party AI models. We do not use your data for advertising or share it with advertisers or data brokers.
Legal bases (UK / EEA users)
We rely on the following lawful bases under UK GDPR:
- Contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service, prevent fraud, and improve our product. We balance these against your rights.
- Consent — where required (e.g., optional analytics, marketing emails, Gmail receipt monitoring). You can withdraw consent at any time.
- Legal obligation — where we must comply with applicable law.
04 Who we share information with
We share personal information only with the following categories of recipients, and only as needed:
- Supabase — authentication, database hosting, edge functions (US and other regions depending on configuration).
- Cloudflare — web hosting, CDN, DDoS protection (global edge).
- Anthropic — large language model inference for the AI assistant (US).
- Stripe — payment processing for web subscriptions. Stripe handles your card details directly; we do not store them.
- RevenueCat — subscription management for in-app purchases on iOS (Apple App Store) and Android (Google Play).
- Google — Gmail API access for opt-in receipt monitoring (Pro).
- Error and crash diagnostics (if enabled, e.g., Sentry) — stability and bug fixing (US / EU).
- Professional advisors and authorities — legal, accounting, or where required by law.
We require these providers to protect your information through contractual safeguards. We do not authorize them to use your information for their own purposes.
We may disclose information to comply with a lawful request (court order, subpoena, regulatory request), to protect our rights, or in connection with a merger, acquisition, or sale of assets — in which case we will provide notice and choices where required by law.
05 International transfers
We are based in Canada and use providers located in the United States and elsewhere. When we transfer personal information out of the UK, EEA, Canada, or Australia, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (UK / EEA), including the UK Addendum where applicable;
- Provider-level certifications (e.g., the EU-US Data Privacy Framework, where the provider is certified);
- Contractual commitments consistent with PIPEDA (Canada) and the Australian Privacy Principles (APP 8).
06 Data retention
We retain personal information for as long as your account is active and for a limited period thereafter:
- Account and transaction data — retained while your account exists. Deleted within 30 days after you delete your account, except where retention is required by law.
- AI chat history — retained until you delete it or your account.
- Backups — purged on a rolling basis, typically within 90 days.
- Security logs — typically retained up to 12 months for fraud and abuse prevention.
07 Security
We use industry-standard safeguards including encryption in transit (TLS), encryption at rest for the database, hashed passwords, access controls, and audit logging. No system is perfectly secure; you are responsible for keeping your credentials confidential.
If we become aware of a personal data breach that is likely to result in risk to you, we will notify you and the relevant regulators as required by applicable law (e.g., UK GDPR, PIPEDA, the Notifiable Data Breaches scheme in Australia, and US state breach notification laws).
08 Your rights
Depending on where you live, you have rights over your personal information. You can exercise any of these by emailing [email protected]. We will respond within the timeframes required by law (generally 30 days; 45 days under CCPA, extendable as permitted).
United Kingdom (UK GDPR)
You have the rights of access, rectification, erasure, restriction of processing, objection, and data portability, as well as the right to withdraw consent and to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Canada (PIPEDA and Quebec Law 25)
You have the right to access and correct your personal information and to withdraw consent (subject to legal or contractual restrictions). Quebec residents also have rights to data portability and to be informed about automated decision-making. You can complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca (or the Commission d'accès à l'information du Québec for Quebec residents).
Australia (Privacy Act 1988 / APPs)
You have the right to access and correct your personal information. You can complain to us first; if unsatisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
United States (California / other states)
If you are a California resident, you have the right under CCPA/CPRA to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Delete personal information we hold about you.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information.
- Opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under CCPA/CPRA.
- Not be discriminated against for exercising your rights.
Residents of other US states with comparable laws (e.g., Colorado, Connecticut, Virginia, Utah, Texas, Oregon) have similar rights, which we honor on a comparable basis.
To make a request, email [email protected]. We will verify your identity before fulfilling sensitive requests. You may use an authorized agent where permitted.
09 Children
The Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact [email protected] and we will delete it.
10 Automated decision-making
We do not make decisions that produce legal or similarly significant effects about you using solely automated processing. AI features assist you with categorization and summarization but do not take actions on your behalf without your input.
11 Cookies (web)
The NeuralWallet web app uses only strictly necessary cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Where required (e.g., UK/EU), we present a cookie banner at first visit.
12 Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (in-app or by email) before the changes take effect. The "Last updated" date at the top reflects the latest revision.
13 Contact
Questions about this policy or how we handle your data: [email protected].
NeuralWallet Inc.
[email protected]
Canada
UK / EU representative: Not appointed.
Data Protection Officer: Not appointed.