1. Who we are
SavvyFi ("we", "our", "us") is a personal finance coaching product operated in closed beta. Our service is accessible at savvyfi.app. Questions about this policy can be directed to [email protected].
2. What data we collect
- Account data: Email address, name, hashed password (if using credentials login), and OAuth provider token (if using Google sign-in).
- Financial data: Transaction records you upload (merchant names, amounts, dates, categories). We do not collect bank account numbers, sort codes, or card numbers.
- Usage data: Session metadata (login timestamps, page views) stored in server logs.
- Preferences: In-app notification and AI settings you configure.
3. How we store your data
- Data is stored in a self-hosted PostgreSQL database on servers we control directly. We use no third-party database SaaS.
- Uploaded files (CSV / PDF) are parsed in server memory. The files themselves are never written to disk and are discarded as soon as the transaction records have been extracted from them.
- Passwords are hashed using bcrypt (cost factor 12) before storage. We never store plaintext passwords.
- All traffic is routed through Cloudflare Tunnel. TLS is terminated at Cloudflare's edge, and the hop from Cloudflare to our server runs inside the encrypted tunnel, so there is no unencrypted HTTP path to the server over the public internet.
- Current limitation: The database volume is not encrypted at rest (disk-level). We plan to add volume encryption before v1.0.
4. AI processing and third-party sub-processors
Your financial data may be processed by AI models to generate coaching insights. The following providers may receive transaction descriptions (merchant name, amount, date; never account numbers, and no personal data beyond what you yourself include in a transaction description):
- AWS Bedrock (Claude): Primary provider. Subject to AWS data processing agreements. Data is not used to train models.
- Ollama (self-hosted): Runs on our own infrastructure. Data never leaves our servers.
- Groq: Cloud fallback used only when the above two fail. Groq's privacy policy applies. You can disable Groq in Settings → AI Coach Preferences.
5. Your rights
- Access: You can download all your data at any time from Settings → Danger Zone → Download My Data.
- Deletion: You can delete all transactions or your entire account from Settings → Danger Zone. Account deletion is irreversible; all associated data is permanently removed from our database within 24 hours (see section 7).
- Correction: You can update your profile information in Settings at any time.
- Portability: Your data export is provided in machine-readable JSON format.
To exercise any of these rights or for any data-related request, email [email protected].
6. Cookies and sessions
We use a single signed, encrypted session cookie (via Auth.js v5) to maintain your login state. We do not use advertising cookies, tracking pixels, or third-party analytics scripts.
7. Data retention
We retain your data for as long as your account exists. When you delete your account, all associated data (user record, transactions, goals, budgets, insights) is permanently deleted from our database within 24 hours.
8. Beta disclaimer
SavvyFi is currently in closed beta. It has not been independently audited and does not hold SOC 2, PCI DSS, or ISO 27001 certifications. We recommend using non-sensitive or anonymised statements during the beta period.
9. Changes to this policy
We will notify beta users by email of any material changes to this policy at least 14 days before they take effect.