Privacy Policy
Your privacy matters to us. This policy explains what data we collect, why we collect it, how we protect it, and what rights you have over it.
The Short Version
- We only collect what we need to run the subscription tracking service.
- We never sell your data to third parties. Ever.
- We never store your bank credentials, card numbers, or account numbers.
- You can delete your account and all your data at any time.
- We use industry-standard encryption for all sensitive data.
1. Information We Collect
We collect the following categories of personal information:
Account Information
Your name and email address. If you sign in with Google, we receive only your name and email — we do not receive your Google password.
Financial Transaction Data
When you connect a bank account via Plaid, we retrieve transaction descriptions, amounts, dates, and merchant categories. We never store bank credentials, account numbers, or card numbers.
Usage and Log Data
Login timestamps, feature interactions, and error events. Used to maintain the Service and improve subscription detection accuracy.
Billing Data
Payment information is handled entirely by Stripe. We store only a Stripe customer ID and subscription ID — never full card numbers or CVVs.
Error and Diagnostic Data
When an error occurs in the application, Sentry captures a stack trace and session context to help us diagnose the issue. PII in error events is masked before transmission.
Cookies
Three HttpOnly session cookies for authentication (see Section 9). No advertising cookies, no third-party analytics trackers.
2. How We Use Your Information
We use the data we collect exclusively to operate and improve WinnowFi:
- Detect and display your recurring subscription charges
- Send notifications about upcoming renewals, new subscriptions, and price changes
- Provide customer support and respond to your inquiries
- Process payments for Premium plans via Stripe
- Improve subscription detection accuracy using anonymized patterns
- Detect and prevent fraud, abuse, and security incidents
- Comply with applicable legal obligations
We do not use your financial data for advertising. We do not sell, rent, or broker your data to any third party for any purpose.
3. Lawful Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
Contractual necessity (Art. 6(1)(b))
Processing your account information, financial transaction data, and billing data is necessary to provide the Service you signed up for.
Legitimate interests (Art. 6(1)(f))
We process usage and error data to maintain security, prevent fraud, and improve subscription detection accuracy. These interests do not override your fundamental rights.
Legal obligation (Art. 6(1)(c))
We may retain certain records as required by applicable financial, tax, or other laws.
Consent (Art. 6(1)(a))
For non-essential email notifications, we rely on your explicit consent when you configure your notification preferences. You may withdraw consent at any time from your settings or via the unsubscribe link in any email.
4. Data Sharing and Sub-Processors
We share your data only with the following sub-processors, and only to the extent necessary to provide the Service:
Plaid
United States: Bank account connectivity and transaction retrieval (read-only)
Stripe
United States: Payment processing for Premium subscriptions
Resend
United States: Transactional and notification email delivery
Sentry
United States: Error tracking and application diagnostics (PII masked)
OAuth2 authentication (login with Google)
We may also disclose your information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of WinnowFi, our users, or the public.
5. International Data Transfers
WinnowFi is operated from the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home country.
We ensure that such transfers are protected by appropriate safeguards. For transfers to our US-based sub-processors, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (for Plaid, Stripe, Resend, Sentry)
- The EU-U.S. Data Privacy Framework where applicable
You may request a copy of the applicable transfer safeguards by contacting us at [email protected].
6. Data Security
- Passwords hashed with bcrypt — never stored in plaintext
- All data in transit encrypted via TLS 1.2+ (TLS 1.3 preferred)
- Plaid access tokens encrypted at rest with AES-256
- Bank credentials never stored — authentication handled entirely by Plaid
- Authentication uses HttpOnly cookies — tokens are never accessible to JavaScript
- Rate limiting on all authentication endpoints to prevent brute force attacks
- Access to production systems restricted by IP allowlist and audit-logged
- Sentry error reports mask PII before transmission
Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:
8. Your Rights
You have the following rights regarding your personal data:
Access
Request a copy of all personal data we hold about you (GDPR Art. 15).
Rectification
Correct inaccurate or incomplete data — most fields are editable in your account settings (GDPR Art. 16).
Erasure (Right to be Forgotten)
Delete your account and all associated data at any time via Settings → Account → Delete Account (GDPR Art. 17).
Data Portability
Export your subscription data in machine-readable format (JSON or CSV) from your account settings (GDPR Art. 20).
Restriction of Processing
Request that we limit how we use your data while a dispute is being resolved (GDPR Art. 18).
Withdraw Consent
Withdraw consent for marketing emails at any time via the unsubscribe link or notification preferences.
Lodge a Complaint
EU/UK residents may lodge a complaint with their national data protection authority (e.g., CNIL in France, ICO in the UK).
Object to Processing
Object to processing based on legitimate interests (GDPR Art. 21). We will stop unless we have compelling legitimate grounds.
To exercise any right not available in your account settings, contact [email protected]. We will respond within 30 days (EU residents: within 1 month as required by GDPR).
9. California Residents — Your CCPA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:
Right to Know
You may request that we disclose the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources of that information, and the purposes for which it was used.
Right to Delete
You may request that we delete personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete a transaction, detect security incidents, or comply with legal obligations).
Right to Correct
You may request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale or Sharing
We do not sell personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of — you can verify this by reviewing Section 4 above.
Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. You will continue to receive the same quality of service regardless of whether you exercise these rights.
Shine the Light (Cal. Civ. Code § 1798.83)
California residents may request information about personal information disclosed to third parties for their direct marketing purposes during the prior calendar year. We do not disclose personal information for third-party direct marketing purposes.
To submit a verifiable consumer request, contact [email protected]. We will respond within 45 days as required by CCPA.
Categories of personal information collected in the past 12 months (as defined by Cal. Civ. Code § 1798.140): Identifiers (name, email), Internet or network activity information (usage logs), financial information (transaction data via Plaid), commercial information (billing records).
10. Automated Decision-Making
WinnowFi uses automated analysis to detect recurring subscriptions in your bank transactions. Our AI detection engine scores each transaction and, when confidence is high enough, creates a tracked subscription entry on your behalf.
This automated processing does not produce legal or similarly significant effects on you. Its sole purpose is to surface subscriptions you may have missed. You retain full control:
- You can review every auto-detected subscription in your dashboard before acting on it.
- You can delete, edit, or merge any automatically created subscription entry.
- You can disable auto-detection entirely by disconnecting your bank account.
11. Cookies and Tracking Technologies
WinnowFi uses only technically necessary cookies — no advertising cookies, no third-party analytics trackers, no fingerprinting.
- WINNOWFI_access_token (Essential): JWT authentication token. Expires after 15 minutes. Renewed silently on each page interaction.
- WINNOWFI_refresh_token (Essential): Long-lived session renewal token. Sent only to /api/auth/* endpoints. Expires after 30 days.
- WINNOWFI_session_hint (Essential): Lightweight indicator for Next.js middleware to know whether the user is logged in, avoiding unnecessary redirects. Expires after 30 days.
All three cookies are HttpOnly (not readable by JavaScript), Secure (transmitted only over HTTPS in production), and SameSite-protected to prevent CSRF. Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive or GDPR.
12. Email Communications and Opt-Out (CAN-SPAM / CASL)
We send two types of emails:
Transactional emails
Email verification, password reset, bank reconnection alerts. Required for account security — cannot be disabled while your account is active.
Notification emails
Upcoming payment reminders, new subscription detected, price change alerts, weekly/monthly digests. Fully configurable in Settings → Notifications, or unsubscribe instantly via the link in any email.
Every notification email includes a one-click unsubscribe link (compliant with CAN-SPAM, CASL, and RFC 8058). Clicking "Unsubscribe" immediately disables all non-transactional emails — no waiting period, no confirmation required.
13. Children's Privacy
The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child under 18, we will delete it promptly.
If you believe we may have inadvertently collected information from a minor, please contact us at [email protected].
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Notify you by email at least 14 days before the new policy takes effect
- Update the version number and date at the top of this page
- For EU/UK residents: where required by GDPR, seek your renewed consent for any new processing activities
Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
15. Contact and Data Protection
For privacy-related questions, data subject requests, or to report a security concern, please contact us:
EU/EEA residents: WinnowFi has not appointed a formal Data Protection Officer (DPO), as we do not meet the thresholds requiring one under Article 37 of the GDPR (we do not carry out large-scale processing of sensitive data or systematic monitoring of individuals). Privacy requests are handled directly by the founder.
Right to lodge a complaint: If you are located in the EU/EEA, UK, or Switzerland and believe we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
© 2026 WinnowFi. All rights reserved.