Effective Date: April 21, 2026 · Version 2.0 (supersedes v1, January 2026)
Plain-Language Summary
This summary is provided for your convenience. The full policy follows and is authoritative.
- We collect the information we need to run PiggyBack — your account details, what you log about avoided spending, and (if you connect a bank) your financial account data via Plaid.
- We do not sell your data. We do not rent it. We do not use it for advertising targeting.
- Plaid is how we talk to your bank. You can unlink your bank at any time.
- You can delete your account at any time. Some records are kept for tax and legal reasons, but your user data goes away.
- You have privacy rights if you live in California, Massachusetts, Colorado, Connecticut, Virginia, Texas, Utah, Indiana, Kentucky, Rhode Island, or other states with privacy laws. Section 9 explains how to exercise them.
- We don’t knowingly collect data from children under 13. PiggyBack is for ages 18 and up.
1. Who We Are
PiggyBack Finance LLC (“PiggyBack,” “we,” “us,” or “our”) is a Massachusetts limited liability company that operates the PiggyBack personal finance web application (the “Service”). This Privacy Policy describes how we collect, use, share, and protect personal information.
For purposes of the California Consumer Privacy Act, we are a “business.” For purposes of the Gramm-Leach-Bliley Act, we are a “financial institution” subject to the jurisdiction of the Federal Trade Commission.
2. Scope of This Policy
This Policy applies to personal information we collect through:
- The PiggyBack website and web application
- Our communications with you (email, in-app messages, support correspondence)
- Our social media accounts (where you interact with us)
- Information we receive from third parties such as Plaid when you connect a bank account
This Policy does not apply to third-party services linked from the Service. When you leave our Service to use a third-party service (such as a bank’s OAuth page or a charity’s donation page), you are subject to that third party’s privacy practices.
3. Information We Collect
We collect the following categories of personal information. “Personal information” has the meaning given under applicable law (including the CCPA) and generally means information that identifies, relates to, or could reasonably be linked with a consumer or household.
| Category | Examples | Source |
|---|---|---|
| Identifiers | Email address, display name, account UID, IP address | You, at registration; automatically from your device |
| Account and authentication data | Hashed password, MFA status, sign-in timestamps, device type | You; automatically during sign-in |
| Commercial information | Subscription tier, purchase and billing history, payment method metadata (last 4 digits, not full card number) | You; Stripe on our behalf |
| Financial data from Plaid (paid tiers only, with your consent) | Bank account metadata (institution, account name, masked account number, account type), balances, transactions | Plaid, with your authorization |
| User-generated content | Avoided-spend entries, FFI inputs, Freedom Sweep allocations, goals, notes | You, as you use the Service |
| Internet or network activity | Pages viewed, features used, clickstream within the Service, session duration, error events | Automatically, while you use the Service |
| Device and technical information | Browser type and version, operating system, device identifiers, screen size, language | Automatically |
| Geolocation (approximate) | General geographic region inferred from IP; we do not collect precise GPS location | Automatically |
| Communications content | Support emails, chat transcripts, in-app feedback, survey responses | You, when you contact us |
| Inferences | Derived characteristics, including FFI score and behavior patterns | Calculated by the Service |
3.1 Sensitive Personal Information
Certain information we collect may be considered “sensitive personal information” under California law and equivalent laws of other states, including:
- Account credentials used for authentication (passwords are stored only as salted hashes, never in clear text)
- Financial account information received via Plaid
We use sensitive personal information only for purposes described in this Policy — specifically, to provide, secure, and improve the Service. We do not use sensitive personal information for any purpose requiring opt-in consent beyond what you have already provided by using the Service and connecting a bank account.
3.2 Information We Do Not Collect
We do not:
- Collect or store your bank login credentials (those stay with Plaid and your bank)
- Collect or store full payment card numbers (Stripe tokenizes these; we hold only the last four digits and card brand for display)
- Collect Social Security numbers from end users
- Collect precise geolocation (GPS) data
- Collect biometric identifiers
- Collect information from children under thirteen (13) knowingly (see Section 11)
4. How We Use Your Information
We use personal information for the following purposes:
- Providing the Service. Authenticating you, displaying your data, calculating your FFI score, computing Freedom Sweep allocations, delivering features within your subscription tier.
- Account and subscription management. Billing, responding to support requests, sending transactional notifications about your account.
- Personalization. Customizing content, suggestions, and the in-app experience based on your use.
- Analytics and improvement. Understanding how the Service is used, identifying bugs, prioritizing improvements. We use aggregated or de-identified data wherever practical.
- Communication. Sending you service updates, security notices, and (if you opt in) marketing emails.
- Security. Detecting and preventing fraud, abuse, unauthorized access, and technical misuse; protecting other users and the Service.
- Legal and regulatory compliance. Meeting our obligations under applicable law, including financial regulations, tax laws, breach notification laws (M.G.L. c. 93H; FTC Safeguards Rule), and consumer protection laws.
- Enforcing our Terms. Investigating and responding to violations of our Terms of Service.
4.1 What We Do Not Do with Your Information
WE DO NOT SELL YOUR PERSONAL INFORMATION.
WE DO NOT SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.
WE DO NOT USE DATA OBTAINED FROM PLAID FOR ADVERTISING TARGETING, AD SERVING, OR MONETIZATION OUTSIDE THE SERVICE.
These commitments apply regardless of whether California, Massachusetts, or another state’s privacy law applies to you.
5. Bank Account Linking and Plaid
Premium-tier users may connect their bank accounts through Plaid, Inc. This section explains how that works and how we handle the resulting data.
5.1 Plaid’s Role
- Plaid is the service that securely connects to your financial institution on your behalf.
- Your bank login credentials are provided to Plaid (or your bank directly, via OAuth), not to PiggyBack.
- PiggyBack never receives your bank password.
- Plaid has its own privacy practices. Plaid’s End User Privacy Policy is available at plaid.com/legal. By connecting your bank through Plaid, you agree to Plaid’s privacy practices as well as ours.
5.2 What We Receive from Plaid
With your authorization, we receive:
- Account metadata (institution name, account name, account type, masked account number, routing number where applicable)
- Balance information (current and available balances)
- Transaction data (description, amount, date, category, merchant)
- Account holder information as provided by your institution
- Unique identifiers (Plaid Item ID, account ID, access token)
5.3 How We Use Plaid Data
- To detect patterns of avoided spending and display them in the Service
- To show account balances and recent activity within the Service
- To support the FFI score and Freedom Sweep planning features
- We do not sell, rent, license, or otherwise commercialize Plaid-derived data
- We do not use Plaid-derived data for advertising targeting
- We do not create data products or analytics products for third parties based on Plaid data
5.4 Your Control
- You can unlink any connected account from within the Service at any time. When you unlink, we call Plaid’s
/item/removeendpoint and delete related records per our Data Retention & Deletion Policy. - You can delete your PiggyBack account, which revokes all Plaid linkages and removes your user data (subject to retention exceptions in Section 8).
- You can review and manage apps connected via Plaid (including PiggyBack) at my.plaid.com.
6. How We Share Information
We share personal information only in the following circumstances:
6.1 Service Providers (“Processors”)
We share information with third parties that provide services to us under contractual obligations limiting their use of the information. Key service providers include:
| Provider | Purpose | Data Shared |
|---|---|---|
| Plaid, Inc. | Bank account aggregation (Premium tier only, with your consent) | Identifiers; authorization to retrieve bank data on your behalf |
| Google LLC (Firebase / Google Cloud Platform) | Authentication, database, server-side functions, logging, operational email | All categories of information we collect |
| Vercel, Inc. | Web application hosting | Request-level information (routing, logs); no persistent consumer data stored at Vercel |
| Stripe, Inc. | Subscription payment processing | Email, billing address, subscription tier, payment method (tokenized) |
| Email delivery (Firebase Extensions or similar) | Transactional email delivery | Email address, relevant message content |
| Support tools (if any) | Customer support ticketing | Support correspondence, account identifiers |
6.2 Legal Requirements
We may disclose personal information when we reasonably believe disclosure is required by law, legal process, or a governmental request, including:
- Subpoenas, court orders, or similar legal process
- Regulatory inquiries or compliance obligations, including breach notification to the Massachusetts Attorney General and the FTC
- Law enforcement requests, subject to the protections of applicable law
- To protect the safety of any person, the rights of PiggyBack, or the security of the Service
We review legal requests for legitimacy and scope and, where appropriate and lawful, we notify affected users.
6.3 Business Transfers
If PiggyBack is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of the transaction. We will notify users of any such transfer and any material changes to how personal information is used.
6.4 With Your Consent
We may share personal information for purposes beyond those described above only with your explicit consent. You may withdraw consent at any time, though withdrawal does not affect prior lawful processing.
6.5 Aggregated or De-Identified Information
We may share aggregated or de-identified information that does not reasonably identify you for purposes such as research, analytics, or marketing of the Service. We do not attempt to re-identify de-identified information.
6.6 What We Do Not Do
WE DO NOT SELL PERSONAL INFORMATION TO THIRD PARTIES.
WE DO NOT SHARE PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.
“Sell” and “share” have the meanings given in the California Consumer Privacy Act. These commitments apply to all users regardless of residence.
7. How We Protect Information
We maintain a Written Information Security Program consistent with the Massachusetts Data Security Regulation (201 CMR 17.00), the FTC Safeguards Rule, and the AICPA Trust Services Criteria for SOC 2.
Key protections include:
- Encryption. All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted with AES-256 using Google-managed keys.
- Access controls. Access to your data is limited to authorized personnel with a documented business need, enforced by role-based access and multi-factor authentication.
- Authentication. Secure authentication via Firebase Authentication. Multi-factor authentication is available and, for users who link a bank account, will be required under our phased MFA rollout.
- Monitoring and logging. We log authentication, authorization, and administrative events, and monitor for anomalies.
- Incident response. We maintain an Incident Response Plan and comply with all applicable breach notification laws, including Massachusetts M.G.L. c. 93H and the FTC Safeguards Rule breach notification requirement (16 C.F.R. § 314.4(j)).
- Vendor oversight. Our critical vendors maintain SOC 2 Type II attestations or equivalent, under contractual obligations protecting your information.
Despite these measures, no system is entirely immune to breach. If we become aware of unauthorized access to your information, we will notify you and applicable authorities in accordance with law.
8. How Long We Keep Information
We retain personal information only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Key periods:
| Category | Retention | Disposal |
|---|---|---|
| Account and user-generated content | Life of the account | Deleted on account deletion |
| Plaid access tokens and item data | Until unlinked or account deleted | Immediate on unlink/deletion |
| Billing and invoice records | 7 years from issuance | IRS / tax retention requirement |
| Application and audit logs | 1 year minimum | Automatic expiration |
| Security incident records | 5 years from closure | Deleted after retention period |
| Support correspondence | 2 years from last contact | Deleted or archived |
| Backups | 30 days operational; up to 1 year archival | Age-out per backup schedule |
| Inactive accounts (no activity 18 months) | Notice + 30-day grace, then deletion | Per inactive-account process |
When retention periods end, information is deleted or de-identified. Backups may retain information briefly after primary deletion; information in backups ages out with the backup retention cycle. Records subject to legal hold are retained until the hold is released.
9. Your Privacy Rights
You have rights regarding your personal information. The specific rights depend on your state of residence. To the extent permitted by law, we honor these rights regardless of where you live:
9.1 Rights Available to All Users
- Access. You can request a copy of the personal information we hold about you.
- Correction. You can correct or update your account information in app settings or by contacting us.
- Deletion. You can delete your account at any time. See Section 8 and the separate account deletion flow.
- Portability. You can request an export of your data in a common, machine-readable format.
- Unlink financial accounts. You can unlink connected bank accounts at any time, immediately stopping further Plaid data collection.
- Marketing opt-out. You can opt out of marketing email at any time via the unsubscribe link or account settings.
9.2 How to Exercise Your Rights
To exercise any of the rights above or the state-specific rights below, you may:
- Use the self-service controls in the Service (Account Settings > Privacy)
- Email privacy@piggybackfinance.com from the email address associated with your account
- Submit a written request by mail to the address in Section 15
We will verify your identity before responding to certain requests, typically by confirming that you control the email address on file. We will respond within the time required by applicable law (generally 45 days, with one 45-day extension where needed). We do not charge for requests, except that we may charge a reasonable fee for manifestly unfounded or excessive requests as permitted by law.
9.3 California Residents (CCPA / CPRA)
California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”):
- Right to know the categories and specific pieces of personal information we have collected about you
- Right to delete personal information we have collected (subject to legal retention exceptions)
- Right to correct inaccurate personal information we maintain about you
- Right to opt out of sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising)
- Right to limit the use and disclosure of sensitive personal information
- Right to non-discrimination for exercising privacy rights
- Right to use an authorized agent to submit requests on your behalf
We honor Global Privacy Control (GPC) signals as a valid opt-out of sale and sharing to the extent required by law. Because we do not sell or share personal information, a GPC signal does not change our processing; however, we recognize the signal and will not initiate sale or sharing of information from a GPC-signaling browser.
California Civil Code § 1798.83 (“Shine the Light”) permits California residents to request disclosures regarding personal information shared with third parties for those third parties’ direct marketing. We do not disclose personal information for third-party direct marketing.
9.4 Massachusetts Residents
Massachusetts users are protected under M.G.L. c. 93H (data breach notification) and 201 CMR 17.00 (the Massachusetts Data Security Regulation). Nothing in this Policy limits your rights under Massachusetts law.
If your personal information is compromised in a security incident, we will notify you and the Massachusetts Attorney General and Office of Consumer Affairs and Business Regulation in accordance with M.G.L. c. 93H. If the incident involves your Social Security number, we will additionally offer free credit monitoring services as required by § 3A.
9.5 Residents of Colorado, Connecticut, Virginia, Texas, Utah, Indiana, Kentucky, Rhode Island, and Other States with Comprehensive Privacy Laws
If you reside in a state with a comprehensive privacy law, you may have the following rights, subject to the specific law’s requirements and exemptions:
- Right to access or confirm processing of your personal information
- Right to correct inaccuracies
- Right to delete personal information
- Right to portability
- Right to opt out of sale, targeted advertising, and certain profiling
- Right to appeal denials of rights requests
To exercise these rights, contact us as described in Section 9.2. Because we do not sell personal information or use it for targeted advertising, the opt-out rights do not change our processing, but we honor the exercise as a formal acknowledgment.
9.6 GLBA-Protected Information
Certain information we process is “nonpublic personal information” under the Gramm-Leach-Bliley Act. Under GLBA, we are permitted to disclose nonpublic personal information only as authorized by the consumer and as permitted by statutory exceptions. Some state privacy laws exempt GLBA-covered information from their scope; where applicable, we apply the stricter of the two standards.
10. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Service, remember your preferences, maintain authenticated sessions, and understand Service usage.
10.1 Categories of Cookies We Use
- Strictly necessary. Required for the Service to function, including authentication session tokens and CSRF tokens. These cannot be disabled.
- Preferences. Remember your settings and preferences (theme, display options).
- Analytics. Help us understand feature usage. We use first-party analytics where practical; if we use third-party analytics, they operate under contractual restrictions limiting their use of the data.
We do not use cookies for cross-context behavioral advertising.
10.2 Managing Cookies
Most browsers let you control cookies through settings. Disabling strictly necessary cookies will prevent the Service from working correctly. You can also use browser-level privacy controls, including Global Privacy Control (GPC) signals, which we honor as described in Section 9.3.
11. Children’s Privacy
The Service is not directed to children under the age of eighteen (18). The Service is not directed to children under thirteen (13), and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information as promptly as possible and terminate any associated account.
If you believe we may have collected information from a child under 13, contact us at privacy@piggybackfinance.com. Parents and guardians of children under 18 who believe their child has created an account contrary to our Terms of Service may request account deletion.
12. International Users
The Service is intended for users in the United States. If you access the Service from outside the United States, you acknowledge that your information will be transferred to, processed in, and stored in the United States, where data protection laws may differ from those in your country of residence. Do not use the Service if you do not consent to this transfer.
13. Our Security Incident Notification Practices
If we become aware of a security incident that affects your personal information, we will notify you as required by applicable law. For Massachusetts residents, notification will conform to M.G.L. c. 93H, including information on how to obtain a security freeze at no charge and, if Social Security numbers were involved, an offer of free credit monitoring services for at least eighteen (18) months.
We will also notify the Massachusetts Attorney General, the Office of Consumer Affairs and Business Regulation, the Federal Trade Commission (where the incident is a “notification event” under 16 C.F.R. § 314.4(j) involving 500 or more consumers), and other state agencies as required.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date above and, for material changes, provide notice by email or in-app notification at least thirty (30) days before the change takes effect, or a shorter period where a shorter period is required by law or security necessity. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree with the updated Policy, stop using the Service.
We retain prior versions of this Policy and can make them available on request.
15. How to Contact Us
For questions, requests, or concerns about this Policy or your information:
PiggyBack Finance LLC
Privacy Office
385 Court Street, Suite 205
Plymouth, MA 02360, United States
Email: privacy@piggybackfinance.com
Support: support@piggybackfinance.com
If you are not satisfied with our response, California residents may contact the California Privacy Protection Agency (cppa.ca.gov) and Massachusetts residents may contact the Office of the Massachusetts Attorney General (mass.gov/ago).
Effective Date: April 21, 2026 | Version 2.0