Privacy Policy
Last updated: February 12, 2026
Orbit Tech LLC ("we," "us," or "our") operates the OrbitFinance mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Please read this Privacy Policy carefully. By accessing or using OrbitFinance, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Information We Collect
1.1 Account Information
When you create an OrbitFinance account, we collect:
- Email address
- Name (first and last)
- Authentication credentials (managed securely via AWS Cognito; we do not store passwords directly)
- Profile information you choose to provide (such as profile photo)
1.2 Financial Data (via Plaid)
When you connect financial accounts through our Service, we use Plaid Inc. ("Plaid") to gather the following information from your financial institutions:
- Account information: account name, type, subtype, and official name
- Balance information: current balance, available balance, and balance limits
- Transaction data: transaction amount, date, merchant name, category, pending status, and payment channel
- Investment holdings: security name, ticker symbol, quantity, cost basis, current value, and institution price
- Investment transactions: buy/sell activity, fees, and security details
- Account owner identity: name and email associated with the financial account (for verification purposes)
Important: By using our Service, you grant Orbit Tech LLC and Plaid Inc. the right to act on your behalf to access and transmit your personal and financial information from your financial institution. You agree to your personal and financial information being transferred, stored, and processed by Plaid in accordance with the Plaid End User Privacy Policy.
1.3 Usage Data
We may automatically collect certain information about how you interact with the Service, including:
- Device type, operating system, and version
- App version and configuration
- Feature usage patterns (e.g., which screens you visit)
- Error logs and crash reports
1.4 User-Generated Data
Information you create within the Service:
- Budget configurations and category limits
- Financial goals and targets
- Bill reminders and schedules
- Sharing group memberships and preferences
- Notification preferences
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Display your financial accounts, transactions, balances, budgets, and investment holdings
- Generate insights: Analyze your financial data to provide AI-powered insights, spending analysis, and budget recommendations
- Sync data: Automatically synchronize transaction and balance data from your linked financial institutions
- Enable sharing: Facilitate shared financial visibility within family and partner sharing groups you choose to create or join
- Send notifications: Deliver push notifications for budget alerts, bill reminders, and account activity
- Improve the Service: Analyze usage patterns to improve functionality, performance, and user experience
- Maintain security: Detect and prevent fraud, unauthorized access, and other security concerns
- Communicate: Send service-related emails including account verification, security alerts, and important updates
3. Third-Party Services
3.1 Plaid Inc.
We use Plaid to connect your financial accounts to OrbitFinance. When you link an account, Plaid collects your financial data directly from your financial institution and transmits it to us. We do not receive or store your financial institution login credentials -- these are handled entirely by Plaid.
Plaid's use of your data is governed by the Plaid End User Privacy Policy. We encourage you to review Plaid's privacy policy to understand how they handle your information.
Plaid is SOC 2 Type II certified and uses bank-level encryption to protect your data during transmission.
3.2 Amazon Web Services (AWS)
Our Service is built on AWS cloud infrastructure. We use the following AWS services to operate and secure OrbitFinance:
- AWS Cognito: Manages user authentication, including email/password, Google Sign-In, and Apple Sign-In. Supports multi-factor authentication (MFA) via TOTP.
- AWS Lambda & API Gateway: Processes API requests in a serverless, auto-scaling environment.
- Amazon RDS (PostgreSQL): Stores your financial data in an encrypted, managed database with row-level security to ensure data isolation between users.
- AWS KMS: Manages encryption keys used to protect your data at rest.
- AWS Secrets Manager: Securely stores and rotates sensitive credentials (database passwords, API keys) -- these are never hardcoded or stored in plain text.
- Amazon S3 & CloudFront: Stores and serves uploaded content (such as profile images) with encryption at rest and HTTPS-only delivery.
- Amazon SNS: Delivers push notifications to your device.
- Amazon SES: Sends transactional emails (account verification, security alerts).
AWS services are hosted in the US East (N. Virginia) region (us-east-1). AWS maintains numerous compliance certifications including SOC 1/2/3, ISO 27001, and more. For details, see AWS Compliance.
3.3 AI Insights (Anthropic)
We use Anthropic's Claude AI to generate personalized financial insights. When you request AI insights, aggregated and anonymized summaries of your financial data (such as spending categories and trends) are sent to Anthropic's API. We do not send raw transaction details, account numbers, or personally identifiable information to the AI service. AI-generated insights are cached for up to 6 hours to reduce unnecessary data transmission.
4. Data Sharing and Disclosure
We do not sell your personal or financial information to third parties. We may share your information only in the following circumstances:
- With your consent: When you explicitly choose to share data within sharing groups you create or join
- Service providers: With third-party service providers (Plaid, AWS, Anthropic) as described above, solely to provide and improve the Service
- Legal requirements: When required by law, regulation, legal process, or governmental request
- Protection of rights: To protect the rights, property, or safety of Orbit Tech LLC, our users, or the public
- Business transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy
5. Data Security
We implement comprehensive security measures to protect your information:
- Encryption in transit: All data transmitted between the app, our servers, and third-party services uses TLS 1.2+ encryption
- Encryption at rest: All stored data is encrypted with AES-256 via AWS KMS
- Authentication: AWS Cognito provides secure authentication with support for multi-factor authentication (TOTP MFA)
- Database isolation: PostgreSQL row-level security (RLS) ensures each user can only access their own data
- Network isolation: Backend services run within a private VPC with no direct public internet access
- Credential management: All sensitive credentials are stored in AWS Secrets Manager and never exposed in application code
- JWT authentication: Every API request is authenticated with Cognito-issued JSON Web Tokens validated server-side
6. Data Retention
We retain your data for as long as your account is active and as needed to provide the Service. Specifically:
- Account data: Retained until you delete your account
- Financial data: Transaction and balance data is retained for the duration of your account to provide historical analysis and insights
- AI insights: Cached for up to 6 hours, then regenerated as needed
- Logs and analytics: Retained for up to 90 days for operational and debugging purposes
7. Data Deletion
You may request deletion of your data at any time. For step-by-step instructions, see our Data Deletion Instructions.
- Disconnect accounts: You can disconnect linked financial accounts at any time through the app, which stops further data synchronization from those accounts
- Delete account: You can request complete account deletion by contacting us. Upon deletion, we will remove your personal information, financial data, budgets, goals, and all associated records from our systems within 30 days
- Plaid data: To revoke Plaid's access to your financial institution, you can disconnect accounts in OrbitFinance or contact Plaid directly via their Plaid Portal
Certain data may be retained in encrypted backups for up to 90 days after deletion, after which it will be permanently removed. We may also retain anonymized, aggregated data that cannot be used to identify you.
8. Children's Privacy
OrbitFinance is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe that a child has provided us with personal information, please contact us.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data
- Portability: Request a machine-readable copy of your data
- Objection: Object to certain processing of your data
- Restriction: Request restriction of processing of your data
To exercise any of these rights, please contact us using the information provided below.
10. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To make a request, contact us using the information below.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the app or sending you a notification. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
12. Contact Us
Orbit Tech LLC
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@orbithub.co
- General inquiries: contact@orbithub.co