Privacy Policy

This Privacy Policy describes how Smata Systems ("we," "us," or "our") collects, uses, and protects your information when you use our web application at smatasystems.com (the "Service"). By creating an account or using the Service, you agree to the practices described in this policy.

1. Information We Collect

Account Information

When you register for an account, we collect:

• Username and email address
• Password (stored as a salted hash — we never store your plain-text password)
• Subscription tier (free or premium)
• Account creation date and last login timestamp

Financial Data You Provide

The core purpose of the Service is to help you manage your finances. To do this, we store:

• Transaction records you upload via CSV or import via Plaid bank connection
• Transaction categories, custom keywords, and categorization preferences
• Budget amounts you set per category
• Net worth assets and liabilities you enter manually
• Investment portfolio holdings you enter manually
• Debt accounts and payment history derived from your transactions

Bank Connection Data (via Plaid)

If you choose to connect a bank account using Plaid, we store a Plaid access token in our database to retrieve your transactions on your behalf. We do not store your bank username, password, or full account numbers. See Section 3 for more on Plaid.

Usage and Technical Data

We automatically collect limited technical information when you use the Service:

• Browser type and operating system (via standard HTTP headers)
• Pages visited and time spent (via Google Analytics, only with your consent)
• IP address (for security and rate limiting purposes)
• Session identifiers (for authentication)

2. How We Use Your Information

We use your information solely to provide and improve the Service:

• To authenticate you and maintain your account session
• To display your financial data — transactions, budgets, net worth, portfolio — back to you
• To categorize transactions and generate spending insights, trends, and reports
• To power AI-assisted features such as the financial chat assistant and debt analysis
• To send transactional emails (account confirmation, password reset, deletion reminders)
• To process subscription payments via Stripe
• To detect and prevent unauthorized access, fraud, or abuse
• To analyze aggregate, anonymized usage patterns to improve the Service (via Google Analytics)

We do not use your financial data to make credit decisions, sell you products, or share it with advertisers.

3. Third-Party Services

We integrate with the following third-party services. Each has its own privacy policy governing how they handle data.

Plaid Technologies, Inc.

We use Plaid to enable secure bank account connections. When you connect a bank account, Plaid facilitates the authentication with your financial institution and returns transaction data to us. By connecting a bank account through our Service, you agree to Plaid's End User Privacy Policy. We store only the access token Plaid issues — never your bank credentials.

OpenAI

Our AI chat assistant and automated financial insights features are powered by OpenAI's API. When you use these features, a limited set of your transaction data (aggregated summaries or recent transactions) is sent to OpenAI to generate a response. OpenAI does not use API data to train its models by default. See OpenAI's Privacy Policy.

Stripe

Premium subscription payments are processed by Stripe. We do not store your credit card number or payment details on our servers. Stripe handles all payment data in accordance with PCI-DSS standards. See Stripe's Privacy Policy.

Google Analytics

With your consent (via the cookie banner), we use Google Analytics to understand how visitors use the Service. Google Analytics collects anonymized usage data such as pages visited and session duration. You can opt out at any time by declining cookies or using the Google Analytics Opt-out Browser Add-on. See Google's Privacy Policy.

Amazon Web Services (AWS)

The Service is hosted on AWS infrastructure in the us-east-1 (Northern Virginia) region. All data is stored and processed in the United States.

4. Cookies and Tracking

We use the following types of cookies and browser storage:

• Session cookies — required for authentication. These expire when you close your browser or log out. You cannot use the Service without these.
• localStorage — used to remember your cookie consent preference and certain UI state (e.g. investment portfolio data).
• sessionStorage — used to persist uploaded transaction data across page navigation within a single browser session. This data is cleared when you close the tab.
• Google Analytics cookies — used for anonymous usage analytics. Only loaded after you accept the cookie banner.

You will be presented with a cookie consent banner on your first visit. You may accept or decline analytics cookies. Declining does not affect your ability to use the Service.

5. Data Security

We take reasonable technical measures to protect your data:

• All data in transit is encrypted using TLS 1.2 or higher
• Passwords are stored using one-way hashing with salt
• The application enforces CSRF protection, rate limiting, and HTTP security headers (HSTS, X-Frame-Options, Content-Security-Policy, etc.)
• Database access is restricted to the application within a private AWS VPC
• Plaid access tokens are stored server-side and never exposed to the browser
• Login attempts are rate-limited to prevent brute-force attacks

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal information, we will notify affected users as required by applicable law.

6. Data Retention and Deletion

Active Accounts

We retain your account data and financial records for as long as your account is active. You can delete individual transactions or transaction history at any time from the Data Management section of your Profile page.

Account Deletion

You may request permanent deletion of your account at any time from the Account tab on your Profile page. Upon submitting a deletion request:

• Your account enters a 30-day grace period during which it remains fully accessible
• You will receive reminder emails at 23, 7, and 2 days before the scheduled deletion date
• You may cancel the deletion request at any time before the scheduled date
• On the scheduled date, your account and all associated data — including transactions, budgets, bank connections, keywords, and session data — are permanently and irreversibly deleted from our active systems

We recommend exporting your transaction data before requesting deletion. An export option is available on the Profile page.

Backups

Deleted account data may persist in encrypted database backups for up to 30 days following deletion, after which it is purged from backups as well.

7. Your Rights

As a US-based service, we respect the following user rights:

• Access — You can view all your data within the application at any time.
• Export — You can export your transaction data as a CSV from the Profile page.
• Correction — You can update your account information from the Profile page.
• Deletion — You can delete your account and all associated data as described in Section 6.
• Opt-out of analytics — You can decline analytics cookies at any time.

If you have questions or requests regarding your data, contact us at support@smatasystems.com.

8. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify registered users by email. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

• Email: support@smatasystems.com
• Location: Bowie, MD, United States