Privacy Policy

Last updated: December 8, 2025

1. Introduction

Capital Copilot ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("App") available in the United States.

By using Capital Copilot, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the App.

2. Information We Collect

We collect several types of information to provide and improve our service:

2.1 Information You Provide Directly

  • Account Information: Name, email address, and password when you create an account
  • Financial Transaction Data: Expense and income information you manually enter, including amounts, dates, categories, descriptions, and any notes you add
  • User Preferences: Currency preferences, category customizations, and notification settings
  • Communications: Information you provide when contacting our support team

2.2 Information Collected Automatically

  • Device Information: Device model, operating system version, unique device identifiers, and mobile network information
  • Usage Data: Features accessed, time spent in the App, screens viewed, and interactions with the App
  • Crash and Diagnostic Data: Through Firebase Crashlytics, we collect crash reports, stack traces, device state at the time of crash, and your user ID to help us identify and fix technical issues
  • IP Address: Collected for security purposes and to provide location-relevant services

2.3 Information We Do NOT Collect

  • We do NOT connect to your bank accounts or financial institutions
  • We do NOT access your credit card numbers or bank account numbers
  • We do NOT collect precise geolocation data
  • We do NOT access your contacts, photos, or other personal files

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the App
  • Process and store your expense tracking data
  • Generate spending reports, insights, and analytics for you
  • Authenticate your account and ensure security
  • Communicate with you about updates, security alerts, and support messages
  • Identify and fix bugs, crashes, and technical issues
  • Improve and optimize the App's performance and user experience
  • Comply with legal obligations

Important: We do NOT use your data to train artificial intelligence or machine learning models. Your financial data is used solely to provide services to you.

4. Third-Party Services

We use the following third-party services to operate and improve our App:

4.1 Supabase (Database Provider)

We use Supabase to securely store your account information and financial transaction data. Supabase provides encrypted data storage with data at rest encryption and secure data transmission (TLS). Your data is stored in data centers located in the United States. For more information, visit Supabase Privacy Policy.

4.2 Firebase Crashlytics (Google)

We use Firebase Crashlytics to collect crash reports and diagnostic information to improve App stability. This service collects:

  • Installation UUID (unique identifier for your app installation)
  • Crash traces and stack traces
  • Device model, OS version, and orientation
  • RAM and disk space
  • Your user ID (to correlate crash reports with your account)

For more information, visit Firebase Privacy.

5. Data Sharing and Disclosure

We do NOT sell your personal information. We may share your information only in the following limited circumstances:

  • Service Providers: With trusted third-party service providers (Supabase, Firebase) who assist us in operating the App, subject to confidentiality obligations
  • Legal Requirements: When required by law, subpoena, court order, or other legal process
  • Protection of Rights: To protect our rights, privacy, safety, or property, or that of our users or others
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
  • With Your Consent: When you have given us explicit permission to share specific information

6. Data Security

We implement appropriate technical and organizational security measures to protect your information:

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS (Transport Layer Security) encryption
  • Encryption at Rest: Your data stored in our database is encrypted at rest
  • Access Controls: Strict access controls limit who can access user data
  • Secure Authentication: Industry-standard authentication mechanisms protect your account

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. When you request account deletion:

  • Your account and associated data will be deleted within 30 days of your request
  • Some information may be retained for up to 90 days in backup systems before complete removal
  • We may retain certain information as required by law or for legitimate business purposes (e.g., fraud prevention, legal claims)
  • Anonymized, aggregated data that cannot identify you may be retained indefinitely for analytics purposes

8. Your Privacy Rights

Depending on your state of residence, you may have the following rights:

8.1 All Users

  • Access: Request a copy of the personal information we hold about you
  • Deletion: Request deletion of your account and associated data
  • Correction: Update or correct inaccurate information
  • Data Export: Export your transaction data in a portable format

8.2 California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have additional rights:

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (Note: We do not sell your personal information)
  • Right to Limit: Limit the use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

Categories of Personal Information Collected (last 12 months):

  • Identifiers (name, email, unique identifiers)
  • Financial information (transaction data you enter)
  • Internet or network activity (usage data, device information)
  • Inferences drawn from the above categories

We do not sell or share your personal information as defined under CCPA/CPRA.

8.3 Virginia, Colorado, Connecticut, and Other States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt-out of certain data processing. To exercise these rights, contact us using the information in Section 14.

9. How to Exercise Your Rights

To exercise your privacy rights, you may:

  • In the App: Navigate to Settings > Account > Delete Account to request account deletion
  • Email: Send a request to privacy@capitalcopilot.app

We will verify your identity before processing requests. We will respond to verifiable requests within 45 days (or as required by applicable law). If we need more time, we will inform you of the reason and extension period.

10. Do Not Track Signals

We honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser or device, we will treat it as a valid opt-out request for the sale or sharing of personal information under applicable state laws.

11. Children's Privacy

Capital Copilot is not intended for use by individuals under 13 years of age (or 16 years in California). We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@capitalcopilot.app. We will take steps to delete such information.

12. International Data Transfers

Our services are operated in the United States. If you access the App from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using our App, you consent to this transfer.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes:

  • We will update the "Last updated" date at the top of this policy
  • We will notify you via email or in-app notification
  • Your continued use of the App after the effective date constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:

We aim to respond to all inquiries within 10 business days.