Privacy Policy
Last updated: March 2026
1. Information We Collect
We collect the following types of information when you use Nuvestan:
- Account information: Name, email address, and password when you create an account.
- Financial data: Transaction history, account balances, and account metadata accessed through Plaid with your explicit consent and read-only permissions.
- Usage data: Information about how you use the Service, including pages visited, features used, and interaction patterns.
- AI interactions: Messages exchanged with the AI assistant to improve the quality of educational responses.
2. How We Use Your Information
- To provide spending analysis, budget tracking, and AI-powered educational features.
- To send transactional emails (account verification, billing receipts).
- To send optional product emails (weekly spending digests, daily briefings) that you can unsubscribe from at any time.
- To improve the Service and develop new features.
- To detect and prevent fraud or security issues.
3. What We Never Do
- We never sell your personal or financial data.
- We never share your data with advertisers or data brokers.
- We never store your bank login credentials. Authentication is handled entirely by Plaid.
- We never initiate transactions or move money from your accounts. We have read-only access.
4. Data Security
We use industry-standard security measures to protect your data, including AES-256 encryption at rest, TLS encryption in transit, and encrypted storage for sensitive tokens. Our infrastructure is hosted on secure, SOC 2-compliant providers.
5. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal and financial data within 30 days, except where we are required by law to retain certain records.
6. Third-Party Services
We use the following third-party services to operate:
- Plaid — bank account linking and transaction data
- Stripe — subscription billing and payment processing
- Supabase — database and authentication
- Vercel — hosting and infrastructure
Each of these services has its own privacy policy governing its handling of your data.
7. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data and account.
- Export your data in a machine-readable format.
- Opt out of non-essential communications.
8. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and disclose.
- The right to request deletion of your personal information.
- The right to opt out of the sale of personal information. We do not sell your personal information.
- The right to non-discrimination for exercising your privacy rights.
To exercise these rights, contact us at privacy@nuvestan.com or delete your account from Settings.
9. International Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- The right to access, rectify, or erase your personal data.
- The right to restrict or object to processing.
- The right to data portability.
- The right to withdraw consent at any time.
- The right to lodge a complaint with a supervisory authority.
Our legal basis for processing is your consent (account creation) and our legitimate interest in providing the Service. To exercise your rights, contact privacy@nuvestan.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy, please contact us at privacy@nuvestan.com.