Privacy Policy

1. Introduction

Compound Finance, Inc. ("Compound," "we," "us," or "our") operates the Compound mobile application and the website located at trycompound.com (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described in this policy, please do not use the Service.

Compound is a financial technology application that provides automatic budget generation and spending insights by connecting to your bank accounts. Because of the nature of our Service, we handle sensitive financial information and take that responsibility seriously.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use the Service, you may provide us with:

• Account information: Name, email address, phone number, date of birth, and ZIP code
• Authentication credentials: We use phone-based (SMS) and email-based authentication. We do not store passwords for your bank accounts
• Financial profile information: Annual salary (if provided during onboarding) and financial preferences
• Communications: Information you provide when contacting us for support or submitting feedback

2.2 Financial Information Collected via Plaid

When you connect your bank accounts through our Service, we use Plaid, Inc. ("Plaid") to access your financial data. Through Plaid, we may receive:

• Account information: Account names, types, balances, and institution details
• Transaction data: Transaction amounts, dates, merchant names, and categories
• Identity information: Account holder name as provided by your financial institution
• Recurring transaction data: Recurring charges, subscriptions, and income patterns

2.3 Information Collected Automatically

When you use the Service, we may automatically collect:

• Device information: Device type, operating system, and version
• Usage analytics: Features used, screens viewed, interaction patterns, and timestamps, collected via Mixpanel. These analytics are associated with your account identifier to help us understand how the Service is used and to improve it. Mixpanel does not receive your name, email, phone number, or financial data
• Error and performance data: Crash reports, error logs, and performance metrics (collected via Sentry). All personally identifiable information is scrubbed from error reports before collection

2.4 Information We Do Not Collect

We want to be explicit about what we do not collect:

• Social Security numbers
• Bank account login credentials
• Credit card numbers or full account numbers
• Precise geolocation data
• Contacts, photos, or other device data unrelated to the Service

3. How We Use Your Information

3.1 Providing and Improving the Service

• Generating your automatic budget based on actual spending patterns
• Calculating spending projections and category-level breakdowns
• Syncing and categorizing your financial transactions
• Displaying account balances and spending trends
• Improving the accuracy of our budget algorithms and spending projections

3.2 Account Management and Security

• Creating and managing your account
• Authenticating your identity via email or phone verification
• Detecting and preventing fraud, unauthorized access, or other security issues
• Maintaining audit logs for security and compliance purposes

3.3 Communications

• Responding to your support inquiries
• Sending transactional communications (account verification, security alerts)
• Notifying you of material changes to the Service or this policy

3.4 Legal and Compliance

• Complying with applicable laws, regulations, and legal processes
• Enforcing our Terms of Service
• Protecting the rights, privacy, safety, or property of Compound, our users, or others

4. How We Share Your Information

We share your information only in the following limited circumstances:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Plaid, Inc. — Bank account connections and financial data access
• Supabase — Database hosting, authentication, and server-side processing
• Twilio, Inc. — SMS verification for phone authentication
• Sentry — Error monitoring and performance tracking (PII is scrubbed)
• Mixpanel — Product analytics and usage tracking

These providers are contractually obligated to use your information only as necessary to provide their services to us and in accordance with applicable privacy laws.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, subpoena, or court order; protect and defend the rights or property of Compound; prevent or investigate possible wrongdoing in connection with the Service; or protect the personal safety of users or the public.

4.3 Business Transfers

If Compound is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or use of your personal information.

4.4 With Your Consent

We may share your information for any other purpose with your explicit consent.

5. Plaid and Financial Data Access

Compound uses Plaid to connect to your bank accounts. When you connect an account, you authorize Plaid to access your financial data from your financial institution on our behalf.

5.1 How Plaid Works

• Plaid establishes a secure, encrypted connection with your financial institution
• Your bank login credentials are handled entirely by Plaid and your financial institution — Compound never sees or stores them
• Plaid transmits your account and transaction data to Compound over encrypted channels
• Access is read-only. Neither Compound nor Plaid can initiate transactions or move funds in your accounts

5.2 Plaid's Data Practices

Plaid's collection and use of your data is governed by Plaid's End User Privacy Policy. We encourage you to review it. By connecting your accounts through Compound, you also agree to Plaid's privacy practices.

5.3 Disconnecting Your Accounts

You may disconnect your bank accounts at any time through the Compound app. You may also manage or revoke Plaid's access to your data through Plaid Portal.

5.4 Financial Data We Store

After receiving data from Plaid, we store the following in our encrypted database:

• Account identifiers and metadata (account name, type, institution)
• Account balances (refreshed periodically)
• Transaction records (amount, date, merchant, category)
• Plaid connection tokens (encrypted, server-side only — never exposed to your device)

We do not store your bank credentials, full account numbers, or routing numbers.

6. Third-Party Service Providers

Our Service integrates with the following third-party providers. Each has its own privacy practices:

• Plaid, Inc. — Privacy Policy
• Supabase, Inc. — Privacy Policy
• Twilio, Inc. — Privacy Policy
• Functional Software, Inc. (Sentry) — Privacy Policy
• Mixpanel, Inc. — Privacy Policy

We encourage you to review the privacy policies of these providers. While we select providers that maintain strong privacy and security practices, we are not responsible for their independent data practices beyond the services they perform for us.

7. Data Security

We implement industry-standard technical and organizational measures to protect your information, including:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
• Encryption at rest: All stored data is encrypted using AES-256 encryption
• Secure token storage: Authentication tokens are stored in your device's secure enclave (iOS Keychain / Android Keystore)
• Server-side access controls: Plaid access tokens and sensitive credentials are stored exclusively on the server and are never transmitted to client devices
• Row Level Security: Database-level access controls ensure users can only access their own data
• Audit logging: All sensitive operations are logged for security monitoring (with PII scrubbed from logs)
• Biometric authentication: Optional biometric security using your device's native capabilities (Touch ID, Face ID, fingerprint)

While we take extensive precautions to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining and continuously improving our safeguards.

8. Data Retention and Deletion

8.1 Retention Periods

• Account data: Retained for as long as your account is active and for a reasonable period afterward as required for legal, regulatory, or operational purposes
• Financial transaction data: Retained for as long as your account is active to provide spending analysis and budget generation
• Error and performance logs: Retained for up to 90 days for debugging and reliability purposes
• Aggregated analytics: Retained for up to 1 year in anonymized, aggregate form

8.2 Account Deletion

You may request deletion of your account and all associated data by contacting us at support@trycompound.com. We will process deletion requests within 30 days. Upon deletion, your profile information, stored financial data, and Plaid connections are permanently removed.

Some information may be retained for a limited period as required by law (e.g., transaction records for tax or regulatory purposes), after which it will be deleted.

8.3 Plaid Data Deletion

To delete data held by Plaid, visit Plaid Portal to manage or revoke connections and request data deletion directly from Plaid.

9. Your Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA") provides you with certain rights regarding your personal information.

9.1 Your Rights

Under the CCPA, you have the right to:

• Know: Request information about the categories and specific pieces of personal information we have collected about you, the sources, purposes, and categories of third parties with whom we share it
• Delete: Request deletion of your personal information, subject to certain exceptions
• Correct: Request correction of inaccurate personal information
• Opt-out of sale or sharing: We do not sell your personal information, nor do we share it for cross-context behavioral advertising
• Limit use of sensitive personal information: Request that we limit the use and disclosure of your sensitive personal information to what is necessary to provide the Service
• Non-discrimination: Exercise any of the above rights without receiving discriminatory treatment

9.2 How to Exercise Your Rights

To submit a request, contact us at support@trycompound.com. We will verify your identity before processing your request.

We will respond to verifiable consumer requests within 45 days of receipt. If we need additional time (up to an additional 45 days), we will notify you in writing.

9.3 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, email address, phone number, unique account identifier
• Financial information: Bank account details, transaction history, account balances (received via Plaid)
• Internet or electronic network activity: App usage data, interaction patterns, error logs
• Inferences: Spending patterns, budget categories, and financial projections derived from your financial data

9.4 Sale and Sharing of Personal Information

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

9.5 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. Authorized agents must provide proof of authorization. We may also require you to verify your identity directly with us.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@trycompound.com.

11. Do Not Track Signals

Our Service does not currently respond to "Do Not Track" browser signals. However, as described in this policy, we do not engage in cross-site tracking, behavioral advertising, or sell your personal information to third parties.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by updating the "Last updated" date at the top of this policy and, where appropriate, through the app or via email. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@trycompound.com

Compound Finance, Inc.
250 East Houston Street, Apt 3C
New York, NY 10002