Privacy Policy
- Introduction
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- Plaid and Financial Data Access
- AI Features and Data Processing
- Third-Party Service Providers
- Data Security
- Data Retention and Deletion
- Your Privacy Rights (CCPA/CPRA)
- Children's Privacy
- Do Not Track Signals
- Changes to This Policy
- Contact Us
1. Introduction
Compound Finance, Inc. ("Compound," "we," "us," or "our") operates the Compound mobile application and the website located at trycompound.com (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described in this policy, please do not use the Service.
Compound is a financial technology application that provides automatic budget generation and spending insights by connecting to your bank accounts. Because of the nature of our Service, we handle sensitive financial information and take that responsibility seriously.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use the Service, you may provide us with:
- Account information: Name, email address, phone number, date of birth, and ZIP code
- Authentication credentials: We use phone-based (SMS) and email-based authentication. We do not store passwords for your bank accounts
- Financial profile information: Annual salary (if provided during onboarding) and financial preferences
- Communications: Information you provide when contacting us for support, submitting feedback, or communicating with our AI assistant
2.2 Financial Information Collected via Plaid
When you connect your bank accounts through our Service, we use Plaid, Inc. ("Plaid") to access your financial data. Through Plaid, we may receive:
- Account information: Account names, types, balances, and institution details
- Transaction data: Transaction amounts, dates, merchant names, and categories
- Identity information: Account holder name as provided by your financial institution
- Recurring transaction data: Recurring charges, subscriptions, and income patterns
Important: We never receive, store, or have access to your bank login credentials. Plaid connects directly to your financial institution using their secure infrastructure. Our access to your financial data is read-only — we cannot move, transfer, or modify funds in your accounts.
2.3 Information Collected Automatically
When you use the Service, we may automatically collect:
- Device information: Device type, operating system, and version
- Usage data: Features used, screens viewed, interaction patterns, and timestamps
- Error and performance data: Crash reports, error logs, and performance metrics (collected via Sentry). All personally identifiable information is scrubbed from error reports before collection
- Analytics data: Aggregated and anonymized usage statistics to help us improve the Service
2.4 Information We Do Not Collect
We want to be explicit about what we do not collect:
- Social Security numbers
- Bank account login credentials
- Credit card numbers or full account numbers
- Precise geolocation data
- Contacts, photos, or other device data unrelated to the Service
3. How We Use Your Information
3.1 Providing and Improving the Service
- Generating your automatic budget based on actual spending patterns
- Calculating spending projections and category-level breakdowns
- Syncing and categorizing your financial transactions
- Displaying account balances and spending trends
- Improving the accuracy of our budget algorithms and spending projections
3.2 Account Management and Security
- Creating and managing your account
- Authenticating your identity via email or phone verification
- Detecting and preventing fraud, unauthorized access, or other security issues
- Maintaining audit logs for security and compliance purposes
3.3 Communications
- Responding to your support inquiries
- Sending transactional communications (account verification, security alerts)
- Notifying you of material changes to the Service or this policy
3.4 Legal and Compliance
- Complying with applicable laws, regulations, and legal processes
- Enforcing our Terms of Service
- Protecting the rights, privacy, safety, or property of Compound, our users, or others
We do not sell your personal or financial information. We do not use your data for advertising or share it with advertisers. Our revenue comes from subscription fees — not from monetizing your data.
5. Plaid and Financial Data Access
Compound uses Plaid to connect to your bank accounts. When you connect an account, you authorize Plaid to access your financial data from your financial institution on our behalf.
5.1 How Plaid Works
- Plaid establishes a secure, encrypted connection with your financial institution
- Your bank login credentials are handled entirely by Plaid and your financial institution — Compound never sees or stores them
- Plaid transmits your account and transaction data to Compound over encrypted channels
- Access is read-only. Neither Compound nor Plaid can initiate transactions or move funds in your accounts
5.2 Plaid's Data Practices
Plaid's collection and use of your data is governed by Plaid's End User Privacy Policy. We encourage you to review it. By connecting your accounts through Compound, you also agree to Plaid's privacy practices.
5.3 Disconnecting Your Accounts
You may disconnect your bank accounts at any time through the Compound app. You may also manage or revoke Plaid's access to your data through Plaid Portal.
5.4 Financial Data We Store
After receiving data from Plaid, we store the following in our encrypted database:
- Account identifiers and metadata (account name, type, institution)
- Account balances (refreshed periodically)
- Transaction records (amount, date, merchant, category)
- Plaid connection tokens (encrypted, server-side only — never exposed to your device)
We do not store your bank credentials, full account numbers, or routing numbers.
6. AI Features and Data Processing
Compound includes an optional AI assistant powered by third-party AI services. The AI assistant is entirely optional — the Service functions fully without any AI interaction.
6.1 Data Anonymization
Before any financial data is sent to our AI provider, it is anonymized. Specifically:
- Transaction amounts are rounded (not exact values)
- Merchant names are generalized to categories (e.g., "Coffee Shop" instead of a specific store name and location)
- Account references are genericized (e.g., "Account 1" instead of actual account details)
- Dates are expressed in relative terms (e.g., "3 days ago") or at month level
- User identifiers are hashed
6.2 Data Never Sent to AI
The following information is never transmitted to our AI provider:
- Your name, email address, or phone number
- Bank account numbers, routing numbers, or card numbers
- Social Security numbers or government-issued identifiers
- Exact transaction amounts or specific merchant names with location identifiers
- Physical addresses or precise geolocation data
- Device identifiers or IP addresses
6.3 AI Conversation Storage
Conversations with the AI assistant are stored in our database to provide continuity within the Service. AI conversation data is retained for 90 days, after which it is automatically deleted. You may delete your AI conversations at any time through the app.
6.4 AI Limitations
The AI assistant does not provide professional financial, legal, or tax advice. AI-generated responses are for informational purposes only and should not be relied upon as a substitute for qualified professional guidance.
7. Third-Party Service Providers
Our Service integrates with the following third-party providers. Each has its own privacy practices:
- Plaid, Inc. — Privacy Policy
- Supabase, Inc. — Privacy Policy
- Stripe, Inc. — Privacy Policy
- Twilio, Inc. — Privacy Policy
- Functional Software, Inc. (Sentry) — Privacy Policy
- Anthropic, PBC — Privacy Policy
We encourage you to review the privacy policies of these providers. While we select providers that maintain strong privacy and security practices, we are not responsible for their independent data practices beyond the services they perform for us.
8. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
- Encryption at rest: All stored data is encrypted using AES-256 encryption
- Secure token storage: Authentication tokens are stored in your device's secure enclave (iOS Keychain / Android Keystore)
- Server-side access controls: Plaid access tokens and sensitive credentials are stored exclusively on the server and are never transmitted to client devices
- Row Level Security: Database-level access controls ensure users can only access their own data
- Audit logging: All sensitive operations are logged for security monitoring (with PII scrubbed from logs)
- Biometric authentication: Optional biometric security using your device's native capabilities (Touch ID, Face ID, fingerprint)
While we take extensive precautions to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining and continuously improving our safeguards.
9. Data Retention and Deletion
9.1 Retention Periods
- Account data: Retained for as long as your account is active and for a reasonable period afterward as required for legal, regulatory, or operational purposes
- Financial transaction data: Retained for as long as your account is active to provide spending analysis and budget generation
- AI conversation data: Retained for 90 days, then automatically deleted
- Error and performance logs: Retained for up to 90 days for debugging and reliability purposes
- Aggregated analytics: Retained for up to 1 year in anonymized, aggregate form
9.2 Account Deletion
You may delete your account and all associated data at any time through the app. Upon deletion, your profile information, stored financial data, AI conversation history, and Plaid connections are permanently removed, and your subscription is cancelled.
Some information may be retained for a limited period as required by law (e.g., transaction records for tax or regulatory purposes), after which it will be deleted.
9.3 Plaid Data Deletion
To delete data held by Plaid, visit Plaid Portal to manage or revoke connections and request data deletion directly from Plaid.
10. Your Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA") provides you with certain rights regarding your personal information.
10.1 Your Rights
Under the CCPA, you have the right to:
- Know: Request information about the categories and specific pieces of personal information we have collected about you, the sources and purposes of that collection, and the categories of third parties with whom we share it
- Delete: Request deletion of your personal information, subject to certain exceptions
- Correct: Request correction of inaccurate personal information
- Opt out of sale or sharing: We do not sell your personal information, nor do we share it for cross-context behavioral advertising
- Limit use of sensitive personal information: Request that we limit the use and disclosure of your sensitive personal information to what is necessary to provide the Service
- Non-discrimination: Exercise any of the above rights without receiving discriminatory treatment
10.2 How to Exercise Your Rights
To submit a request, contact us at founder@trycompound.com. We will verify your identity before processing your request. You may also delete your account and data directly within the app.
We will respond to verifiable consumer requests within 45 days of receipt. If we need additional time (up to an additional 45 days), we will notify you in writing.
10.3 Categories of Personal Information
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, phone number, unique account identifier
- Financial information: Bank account details, transaction history, account balances (received via Plaid)
- Internet or electronic network activity: App usage data, interaction patterns, error logs
- Inferences: Spending patterns, budget categories, and financial projections derived from your financial data
10.4 Sale and Sharing of Personal Information
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
10.5 Authorized Agents
You may designate an authorized agent to submit a request on your behalf. Authorized agents must provide proof of authorization. We may also require you to verify your identity directly with us.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at founder@trycompound.com.
12. Do Not Track Signals
Our Service does not currently respond to "Do Not Track" browser signals. However, as described in this policy, we do not engage in cross-site tracking, behavioral advertising, or sell your personal information to third parties.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by updating the "Last updated" date at the top of this policy and, where appropriate, through the app or via email. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: founder@trycompound.com
Compound Finance, Inc.