1. Introduction
XPlus Finance ("we", "our", or "the Company") is committed to protecting your privacy and ensuring the security of your personal and financial information. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our financial management platform.
- Web Application (Next.js)
- Mobile Applications (iOS and Android)
- API Services (FastAPI)
- AI Financial Assistant (OpenAI)
- Banking Integrations (Plaid)
- Payment Processing (Stripe)
Applicable frameworks: GDPR, CCPA/CPRA, LGPD, GLBA, PCI DSS
2. Information We Collect
2.1 Personal Information
Account Data
- Identity: Full name, email address, phone number, date of birth
- Authentication: Username, hashed password (bcrypt), security questions
- Profile: Profile photo, preferences, language, timezone
- Verification: Official ID document (KYC when required)
Financial Information
- Banking Data: Account numbers, balances, transactions (via Plaid - read-only)
- Transactions: Amounts, merchants, categories, dates, locations
- Investments: Portfolios, values, trading history
- Credit Information: Credit scores, debt balances
- Payment Data: Payment methods processed by Stripe (we never store full card numbers)
2.2 Usage Information
- Device: IP address (anonymized for GDPR), device ID, type, OS, browser
- Activity: Pages visited, features used, time spent, click patterns
- Communication: Messages to AI assistant, support, surveys
2.3 Sensitive Information
- Biometric Data: Fingerprints, facial recognition (stored ONLY on your device, NEVER on our servers)
- Wellness Data: Wellness journal, mood tracking
- AI Conversations: Chat history with financial assistant
3. How We Use Your Information
3.1 Core Financial Services
Legal Basis: Contract Performance (GDPR Art. 6.1.b)
- Account management and authentication
- Financial tracking and transaction categorization
- Budget management and expense analysis
- Financial goal tracking
- Investment analysis and portfolio optimization
3.2 AI-Powered Features
Legal Basis: Legitimate Interest (GDPR Art. 6.1.f) and consent
- Personalized financial advice
- Spending pattern analysis
- Tailored financial coaching
- Risk assessment and predictive analytics
3.3 Security and Fraud Prevention
Legal Basis: Legitimate interest and legal compliance
- Detection of fraudulent activities
- Protection against unauthorized access
- Identity verification for sensitive transactions
- Monitoring suspicious patterns
4. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For complete details, see our Cookie Policy.
Cookie Summary
| Type | Purpose | Consent |
|---|---|---|
| Strictly Necessary | Authentication, security, basic functionality | Not required |
| Functional/Preferences | Language, currency, theme, settings | Required |
| Analytics | Usage metrics, performance (own system) | Required |
| Marketing | Not currently implemented | N/A |
5. Information Sharing and Disclosure
5.1 Service Providers
| Provider | Service | Data Shared | Safeguards |
|---|---|---|---|
| AWS | Cloud hosting | All data | SCCs, EU region |
| Plaid | Bank connection | Credentials (temporary) | SOC 2, SCCs |
| Stripe | Payment processing | Payment data | PCI DSS Level 1 |
| OpenAI | AI assistant | AI queries (anonymized) | DPA, anonymization |
| Mailgun | Transactional emails | Email, name | Encryption in transit |
| Twilio | SMS/2FA | Phone number | SOC 2 |
| Sentry | Error monitoring | Technical logs | PII removal |
6. Data Security
We implement robust enterprise-level security measures:
Technical Measures
- Encryption in Transit: TLS 1.3 for all transmissions
- Encryption at Rest: AES-256 for stored data
- Database Encryption: Column-level for sensitive data
- Passwords: Bcrypt hashing + salt (never plaintext)
- 2FA: Two-factor authentication available
- Tokens: JWT with expiration and rotation
Administrative Measures
- Least Privilege: Employees only access necessary data
- RBAC: Role-based access control
- Audits: Quarterly permission reviews
- Training: Annual security and GDPR training
Monitoring
- IDS/IPS: Real-time intrusion detection systems
- Logs: Continuous security log monitoring
- Scanning: Weekly vulnerability scans
- Penetration Testing: Annual third-party testing
- 24/7 Response: Incident response team available
7. Your Rights and Choices
Rights under GDPR (EU/EEA Users)
- Right of Access (Art. 15): Request a copy of all your data
- Right to Rectification (Art. 16): Correct inaccurate data
- Right to Erasure (Art. 17): Request deletion of personal data
- Right to Portability (Art. 20): Receive data in JSON format
- Right to Object (Art. 21): Object to processing
- Right to Restrict (Art. 18): Limit processing
- Right to Withdraw Consent (Art. 7.3): At any time
Rights under CCPA (California Users)
- Right to Know: What information we collect and who we share it with
- Right to Delete: Request deletion of personal information
- Right to Opt-Out of Sale: We do NOT sell information (guaranteed)
- Right to Non-Discrimination: No different treatment for exercising rights
How to Exercise Your Rights
In the App: Settings → Privacy → Data Rights
By Email: [email protected] | [email protected]
Response Time: 30 days (standard requests), 72 hours (urgent)
8. Third-Party Services
For complete functionality, we integrate third-party services. Each has its own terms and policies:
9. International Data Transfers
Primary Storage: EU data centers (Frankfurt, Ireland)
Transfers outside EEA: Protected with Standard Contractual Clauses (SCCs)
All transfers comply with GDPR Chapter V and international data protection standards.
10. Children's Privacy
- We do NOT collect information from persons under 18
- We do NOT allow accounts for persons under 18
- We comply with COPPA (under 13 - USA)
- If we discover data from a minor: immediate deletion and notification to parents/guardians
11. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Data | While account is active + 7 years | Legal/tax requirements |
| Transaction Data | 7 years from transaction | Regulatory compliance (IRS, SEC) |
| Analytics Data | 2 years, then anonymized | Service improvement |
| Audit Logs | 5 years | GDPR Art. 5.2 (Accountability) |
| Cookie Data | 1 year from last update | Consent management |
Grace Period: 30 days to recover deleted account. Permanent deletion after 90 days (except legally retained data).
12. Changes to This Policy
Minor Changes: Date update, in-app notification
Material Changes: Email with 30 days advance notice, push notification, renewed consent request if required
Version History:
- v2.1 (Nov 15, 2025): Detailed Cookies section
- v2.0 (Nov 14, 2025): Full GDPR/CCPA update
- v1.5 (Jul 1, 2024): AI integrations
- v1.0 (Jan 1, 2025): Initial policy
13. Contact Us
General Email: [email protected]
Data Protection Officer (DPO): [email protected]
Website: https://xplusfinance.org
Data Protection Authorities
- Spain (AEPD): https://www.aepd.es
- EU (EDPB): https://edpb.europa.eu
- California (CCPA): https://oag.ca.gov/privacy/ccpa
- Brazil (ANPD): https://www.gov.br/anpd