Privacy & Storage

Bank via Plaid

Connection: upon connecting to your bank, we only store (1) bank balance and (2) an AES-256 encrypted asset report token in our database provided to us by Plaid. The asset report token allows us to make an API request to Bank servers to collect PII at a later point in time. You will be able to disconnect at any point via https://my.plaid.com/ which severs our ability to access to your personal data from Bank servers. We do NOT store any personally identifiable information (PII) at this stage.

Pull: upon pulling, we make an api request to the bank via the asset report token and our plaid client id, and store AES-256 encrypted (1) full name, (2) email address, (3) phone number, and (4) city/state such that in the case you sever the Plaid endpoint we still have a means of legal recourse via collections agencies. This approach strikes a balance between collecting minimal viable personal data whilst maintaining effective collection strategies by outsourcing skip tracing to licensed collections agencies with access to commercial databases via TLOxp. We do NOT have access to Social Security Numbers or Date of Birth.

Repayment: a “purge PII” button appears in your dashboard. Pressing it deletes the four fields above and leaves only hashed bank acct + anonymized credit history. You may reconnect Plaid later to reopen a line of credit.

Credit Karma via zkTLS

Connection: upon connecting to your credit karma, we store in our database (1) credit scores, credit age, credit utilization, derogatory marks, num. hard inquiries, payment history, and total accounts (non-PII) and (2) a SHA-256 hash of your first and last name to ensure the credit data belongs to the bank account. We do NOT store any personally identifiable information (PII) from Credit Karma.

Connecting to credit karma does NOT trigger a hard check on your credit report.

Dropbox Signatures

Signing: when we initiate a signing flow, your personal information (such as your name, email, and home address) is passed through in real time by making an API call to Plaid's banking servers on the fly and immediately merged into the Dropbox Sign document template. This process is purely ephemeral. Your details exist only in memory during the request and are never cached, logged, or written to our databases. No persistence on our servers.

Because all handling and enrichment occur in transit, our infrastructure never retains your full address, it is used solely to generate the document at the moment of signing. The signed legal document is securely stored in an isolated Dropbox repository within Dropbox. You will only have to do this once.

Browser

Connection: upon connecting your wallet, we store the IP address for fraud-risk scoring.