privacy policy

Last Updated: October 14, 2025 | Effective Date: October 14, 2025

our promise

we minimize what we keep and encrypt the rest. we never store your bank credentials, and we only retain the data needed to deliver your weekly money updates and operate the service safely.

this policy explains what we collect, how we protect it, what we share, and your rights.

what we collect & why

to set up your account

  • phone number - to send you daily texts and verify your identity
  • name - to personalize your messages
  • timezone & preferred time - to send texts when you want them

to connect your bank

  • encrypted plaid access token - used to securely fetch account data
  • institution & account metadata - name, mask, type/subtype, currency
  • balances/snapshots - minimal fields required to generate your weekly summary

note: we never store your bank login credentials — those go directly to plaid.

conversation history (we store this)

  • message content - encrypted at rest
  • metadata - direction, status, provider, timestamps (not encrypted)

most messages auto‑expire after 60 days; some onboarding messages may be kept up to 90 days.

how we protect your data

encryption everywhere

all sensitive data is encrypted with AES-256-GCM, both in transit and at rest.

secure infrastructure

we use SOC 2 certified providers: vercel for hosting and neon for the database.

access tokens

your plaid access token is encrypted and only decrypted when fetching your weekly numbers.

no sensitive logs

we do not log decrypted financial data, tokens, or message content.

who we share data with

we only share your data with services essential to trilogy:

plaid

connects to your bank securely. we share your encrypted access token to fetch data.

blooio

delivers your texts. we share your phone number and message content.

AI providers (when you chat)

not in use today. if enabled, we would share your question and real‑time calculations (not stored data) to generate responses.

stripe

payments and subscription management.

hosting & database

vercel (app hosting) and neon (database) as processors to run the service.

we never sell your data. period.

your rights & controls

you're in control of your data:

  • pause texts - temporarily disable daily messages anytime
  • disconnect bank - instantly revoke our access to your bank data
  • delete account - remove all your data from our systems
  • export data - download everything we have about you
  • update info - change your preferences, timezone, or name

under CCPA and GDPR, you have additional rights including the right to access, correct, and delete your personal information. contact us to exercise these rights.

data retention

  • profile data - kept until you delete your account
  • conversation history - automatically deleted after 60 days
  • plaid access token - kept until you disconnect or delete account
  • security logs - retained for 30 days
  • deleted account data - permanently removed within 30 days

if something goes wrong

in the unlikely event of a data breach, we will:

  • notify affected users within 72 hours
  • explain what happened and what data was affected
  • provide steps you should take
  • work with authorities as required by law

compliance

we comply with:

  • GLBA - gramm-leach-bliley act (financial privacy)
  • CCPA - california consumer privacy act
  • GDPR - general data protection regulation (if applicable)
  • state privacy laws - virginia CDPA and others as applicable

changes to this policy

we'll notify you of any significant changes to this privacy policy by email and update the "last updated" date at the top. continued use of trilogy after changes means you accept the updated policy.

contact us

questions about privacy? concerns about your data? just want to chat?

email: manav-s@outlook.com

trilogy is committed to protecting your privacy and being transparent about our practices. this policy was written in plain english because we believe you should understand exactly how we handle your data.