Privacy Policy

Your privacy matters to us. This policy explains how we collect, use, and protect your information.

Effective February 1, 2026

At PennyPal, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services. By accessing or using PennyPal, you acknowledge that you accept the practices outlined in this Privacy Policy and consent to our collection, use, and disclosure of your information as described.

Your use of PennyPal's Services is governed by our Terms of Use, which incorporates this Privacy Policy. Terms not defined in this Policy have the meanings given in the Terms of Use.

Privacy Policy at a Glance

We understand that privacy policies can be complex. At PennyPal, our mission is to simplify your financial life. In providing our Services, we collect information necessary to deliver the best possible experience. We only gather what we need to serve you effectively. While this Policy references "selling" and "sharing," these terms relate solely to online advertising activities involving Cookies on our website, as defined by certain privacy regulations. Your financial data will never be sold.

Table of Contents

  • Scope of This Privacy Policy
  • Personal Data We Collect
  • How We Use Personal Data
  • How We Share Personal Data
  • Cookies and Tracking Technologies
  • Data Security and Protection
  • Data Retention Practices
  • Children's Privacy
  • Your Privacy Rights
  • U.S. State-Specific Privacy Rights
  • International Data Transfers
  • Changes to This Privacy Policy
  • Contact Information

Scope of This Privacy Policy

This Privacy Policy describes how PennyPal collects and processes Personal Data through our Services, including our website, mobile applications, and related services. "Personal Data" refers to information that identifies or relates to a particular individual, also known as "personally identifiable information" or "personal information" under applicable data privacy laws.

This Privacy Policy does not apply to third-party companies, websites, or services we do not own or control, or to individuals we do not employ or manage.

Personal Data We Collect

Categories of Personal Data

The following chart outlines the categories of Personal Data we collect and have collected over the past 12 months:

Category | Purpose | Third Parties
Account Credentials (username, email, password) | Account creation, authentication, service delivery | Service Providers, Authorized Users
Profile Information (name, contact details, profile photo) | Service personalization, communications | Service Providers, Marketing Partners
Payment Information (card details, billing address) | Transaction processing, subscription management | Payment Processors (Stripe, Apple Pay, Google Pay)
Financial Account Data (transactions, balances, account details) | Financial insights, budget tracking, reporting | Account Aggregation Partners, Authorized Users
Household Information (income, dependents, financial goals) | Personalized recommendations, goal setting | Service Providers, Authorized Users
Device Data (IP address, device type, operating system) | Security, fraud prevention, service optimization | Analytics Providers, Security Services
Usage Analytics (page views, feature usage, interaction patterns) | Service improvement, user experience enhancement | Analytics Providers, Marketing Partners
Communication Records (support inquiries, feedback, survey responses) | Customer support, service improvement | Support Service Providers

Sources of Personal Data

We collect Personal Data from the following sources:

Directly From You: When you create an account, connect financial accounts, use our features, contact support, or participate in surveys.

Automatically Collected: Through Cookies, location services (with your permission), and usage tracking when you interact with our Services.

Financial Account Connections: When you link accounts through third-party aggregation services like Plaid, Finicity, MX, or Spinwheel. We never receive or store your financial institution login credentials.

Third-Party Services: From vendors, analytics providers, marketing partners, security services, and AI platforms such as OpenAI.

Other Users: If authorized household members, family members, or financial advisors access your account with your permission.

How We Use Personal Data

Service Delivery and Operations

We use your Personal Data to provide, maintain, and improve our Services, including account management, transaction tracking, financial insights, personalized recommendations, customer support, fraud detection, security monitoring, and identity verification.

Product Development and Research

We analyze usage patterns and feedback to enhance existing features, develop new functionalities, train machine learning models for improved recommendations, conduct data analytics to understand user needs, and test product improvements.

Marketing and Communications

We may use your information to send promotional materials, product updates, and service announcements (in accordance with your preferences), deliver personalized content and recommendations, conduct market research and customer surveys, and measure the effectiveness of our marketing campaigns.

Legal Compliance and Protection

We process Personal Data as necessary to comply with legal obligations, respond to law enforcement requests and court orders, enforce our Terms of Use and other agreements, protect against fraud and illegal activities, resolve disputes and claims, and safeguard the rights, property, and safety of PennyPal, our users, and the public.

How We Share Personal Data

We may share your Personal Data with the following parties for the purposes described in this Privacy Policy. Depending on your state of residence, certain disclosures to Advertising Partners may constitute "selling" or "sharing" under applicable U.S. State Privacy Laws.

Service Providers: Third-party vendors who perform services on our behalf, including cloud hosting, data analytics, payment processing, customer support, email delivery, marketing assistance, security services, and AI technology providers.

Financial Service Partners: Account aggregation services, payment processors, and financial institutions that facilitate our Services.

Advertising and Analytics Partners: Third parties who help us deliver personalized advertising, measure ad performance, and understand user behavior across platforms.

Authorized Parties: Household members, family members, or financial professionals you explicitly authorize to access your account.

Legal and Regulatory Authorities: Government agencies, law enforcement, courts, or other parties when required by law or to protect rights and safety.

Business Transaction Parties: In connection with mergers, acquisitions, reorganizations, or sale of assets, your Personal Data may be transferred to relevant third parties.

Cookies and Tracking Technologies

Our Services use cookies and similar technologies (web beacons, pixels, local storage) to recognize your browser, analyze usage patterns, remember your preferences, and operate and improve our Services.

Types of Cookies

Strictly Necessary Cookies: Essential for basic service functionality, authentication, and security features.

Functional Cookies: Remember your preferences and settings to personalize your experience.

Analytics and Performance Cookies: Help us understand service usage, identify technical issues, and measure performance.

Advertising and Targeting Cookies: Enable personalized advertising based on your interests and activities across websites.

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies, though this may impact service functionality. Note that PennyPal does not currently respond to "Do Not Track" browser signals, as there is no industry-wide standard.

Interest-Based Advertising

We partner with advertising networks that may collect information about your online activities to deliver targeted advertisements. You can opt out of interest-based advertising by visiting the Network Advertising Initiative opt-out page or the Digital Advertising Alliance opt-out page.

Data Security and Protection

We implement industry-standard physical, technical, and organizational security measures designed to protect your Personal Data from unauthorized access, use, alteration, and destruction. Our security measures include encryption, secure data transmission, access controls, regular security assessments, and employee training on data protection.

You play an important role in protecting your data. Please use strong passwords, enable two-factor authentication when available, keep your login credentials confidential, limit access to your devices, and sign out of your account when finished.

While we strive to protect your Personal Data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to protecting your information using reasonable measures.

Data Retention Practices

We retain your Personal Data for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, enforce agreements, and prevent fraud. Retention periods vary based on the type of data, its purpose, legal requirements, and sensitivity.

When determining retention periods, we consider who collected the data, why it was collected, our ongoing need for it, the data sensitivity, and applicable legal requirements. Account credentials and profile information are retained while your account remains active. Transaction history may be retained longer for legal compliance and fraud prevention.

Upon account closure or deletion requests, we will delete or anonymize your Personal Data unless retention is required by law or necessary for legitimate business purposes. Some information may be retained in aggregated or anonymized form that does not identify you personally.

Children's Privacy

Our Services are not intended for children under 18 years of age. We do not knowingly collect Personal Data from children under 18. If you are under 18, please do not use our Services or provide any Personal Data to us.

If we discover that we have collected Personal Data from a child under 18, we will promptly delete that information. If you believe a child under 18 has provided us with Personal Data, please contact us at reachus@wildcardsystems.ai.

Your Privacy Rights

At PennyPal, we believe you should have control over your Personal Data. All users have the following rights regarding their information:

Access and Portability

You have the right to access your Personal Data and request a copy in a portable, machine-readable format. You can download your data through your account settings or by contacting us.

Correction and Updates

You can update and correct your Personal Data at any time through your account settings. For assistance, contact our support team.

Deletion

You may request deletion of your Personal Data through your account settings. We will honor deletion requests except where retention is required for legal compliance, dispute resolution, fraud prevention, or to complete transactions you have requested.

Marketing Preferences

You can opt out of marketing communications at any time by adjusting your email preferences in account settings or clicking "unsubscribe" in our emails. You may still receive transactional and service-related communications.

Cookie Preferences

You can manage your cookie preferences through the "Cookie Preferences" link at the bottom of our website or through your browser settings.

U.S. State-Specific Privacy Rights

If you reside in California, Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have additional privacy rights under your state's privacy law.

Additional Rights for Covered State Residents

Right to Know: Request information about the Personal Data we collect, use, and disclose about you.

Right to Access: Obtain a copy of your Personal Data in a portable format.

Right to Delete: Request deletion of your Personal Data, subject to legal exceptions.

Right to Correct: Request correction of inaccurate Personal Data.

Right to Opt-Out: Opt out of the sale or sharing of Personal Data for targeted advertising.

Sale, Sharing, and Targeted Advertising

We may share certain data with advertising partners in ways that state laws define as "selling" or "sharing" for targeted advertising. You can opt out by using the "Your Privacy Choices" link on our website or enabling Global Privacy Control in your browser. We do not sell Personal Data for monetary consideration.

Sensitive Personal Data

Certain financial information may be considered "sensitive" under state privacy laws. We only process sensitive Personal Data for purposes permitted by law or with your explicit consent. California residents: Our use of sensitive data is limited to permitted purposes under CCPA regulations.

Non-Discrimination

We will not discriminate against you for exercising your privacy rights. You will not be denied service, charged different prices, or receive lower quality service for asserting your rights.

Exercising Your Rights

You can exercise your state privacy rights by:

• Adjusting your account settings

• Using the "Your Privacy Choices" or "Cookie Preferences" links on our website

• Emailing us at: reachus@wildcardsystems.ai

• Enabling Global Privacy Control in your browser

To verify your identity, we may ask you to confirm information we have on file or provide additional details. You may also authorize an agent to submit requests on your behalf with proper documentation.

Appeals Process

If you are a resident of Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, or Virginia and we deny your privacy request, you may appeal our decision by emailing us at reachus@wildcardsystems.ai with "[STATE] Privacy Appeal" in the subject line.

International Data Transfers

PennyPal is based in the United States. If you access our Services from outside the United States, your Personal Data may be transferred to, stored in, and processed in the United States or other countries where we or our service providers operate.

These countries may have data protection laws different from those in your jurisdiction. When we transfer Personal Data internationally, we implement appropriate safeguards to protect your information, including standard contractual clauses approved by relevant authorities and other legally recognized transfer mechanisms.

By using our Services, you acknowledge and consent to the transfer, storage, and processing of your Personal Data in the United States and other countries in accordance with this Privacy Policy.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Privacy Policy on our website, updating the "Effective" date at the top of this Policy, and, where appropriate, sending you an email notification or displaying a prominent notice in our Services.

We encourage you to review this Privacy Policy regularly to stay informed about our data practices. Your continued use of our Services after changes become effective constitutes your acceptance of the revised Privacy Policy.

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

By Email: reachus@wildcardsystems.ai

Website: https://pennypal.ai

Privacy Inquiries: Please include "Privacy Request" in the subject line of your email

We strive to respond to all privacy inquiries within 30 days. For state-specific privacy requests, we will respond within the timeframes required by applicable law.

Additional Privacy Resources

For more information about protecting your privacy and understanding your rights:

  • Review our Security Center to learn about our data protection measures
  • Visit our FAQ for answers to common privacy questions
  • Read our Terms of Use to understand your rights and responsibilities

If you have unresolved concerns about our privacy practices, you may contact your state attorney general's office or applicable privacy regulator.
