Privacy Policy | PopaDex

Privacy Policy

How PopaDex collects, uses, and protects your personal and financial data

Effective Date: October 6, 2025
Last Updated: October 6, 2025

PopaDex (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our wealth management platform.

Information We Collect

Personal Information

Account Registration:

  • Email address (required)
  • Full name
  • Date of birth
  • Country of residence
  • Password (encrypted, never stored in plain text)

Optional Profile Information:

  • Profile picture
  • Phone number
  • Preferred language
  • Timezone

Financial Information

Bank Connections (via Plaid/GoCardless):

  • Account numbers (encrypted)
  • Account balances
  • Transaction history
  • Account holder names
  • Financial institution names
  • Routing/sort codes

Manual Entries:

  • Account names you create
  • Balance amounts you enter
  • Custom categories
  • Notes and descriptions

Automatically Collected Information

Usage Data:

  • Pages visited
  • Features used
  • Time spent in application
  • Click patterns
  • Device information (browser, OS, screen size)

Technical Data:

  • IP address
  • Browser type and version
  • Device identifiers
  • Cookie data
  • Session information

Log Data:

  • Access times
  • Error logs
  • Security events
  • API requests

Third-Party Information

From Plaid/GoCardless:

  • Bank account verification
  • Transaction data
  • Account metadata
  • Institution information

From Payment Processors (Stripe):

  • Payment method details
  • Billing information
  • Transaction history
  • Subscription status

How We Use Your Information

Primary Purposes

Account Management:

  • Create and maintain your account
  • Authenticate your identity
  • Process account settings
  • Provide customer support

Financial Tracking:

  • Aggregate account balances
  • Categorize transactions
  • Calculate net worth
  • Generate reports and insights
  • FIRE calculator projections

Service Improvement:

  • Analyze usage patterns
  • Identify bugs and errors
  • Develop new features
  • Optimize performance
  • Conduct A/B testing

Communication:

  • Send transactional emails (password resets, etc.)
  • Product updates and announcements
  • Security alerts
  • Marketing communications (with consent)
  • Customer support responses

Legal Compliance:

  • Comply with financial regulations
  • Prevent fraud and abuse
  • Enforce our Terms of Service
  • Respond to legal requests
  • Maintain security logs

We process your data based on:

  • Contract Performance: Processing necessary to provide our services
  • Legitimate Interests: Improving services, security, fraud prevention
  • Legal Obligation: Compliance with financial regulations
  • Consent: Marketing communications, optional features

End-to-End Encryption (E2EE)

How E2EE Works

When you enable E2EE:

Client-Side Encryption:

  • Your data is encrypted in your browser
  • Encryption key derived from your password
  • We cannot decrypt your data
  • We never see your encryption key

What Gets Encrypted:

  • All transaction descriptions
  • Account names and balances
  • Custom categories
  • Notes and metadata
  • Financial insights

What Remains Unencrypted:

  • Email address (login identifier)
  • Account creation date
  • Subscription status
  • Usage analytics (anonymized)

E2EE Limitations

Cannot Provide:

  • Password recovery without recovery key
  • Customer support viewing your data
  • Assisted troubleshooting of encrypted data
  • Data recovery if both password and recovery key lost

Your Responsibility:

  • Securely store recovery key
  • Remember your password
  • Understand data is unrecoverable without these

See E2EE Technical Guide for details.

Data Sharing and Disclosure

Third-Party Service Providers

We share data with trusted partners who help operate our service:

Plaid/GoCardless (Bank Connections):

  • Purpose: Securely connect to your banks
  • Data shared: Bank credentials (temporary), account info
  • Privacy: Subject to their privacy policies
  • Location: US (Plaid), EU (GoCardless)

Stripe (Payment Processing):

  • Purpose: Process subscription payments
  • Data shared: Billing information, payment methods
  • Privacy: PCI-DSS compliant, Stripe Privacy Policy applies
  • Location: US with EU data residency

Amazon Web Services (Infrastructure):

  • Purpose: Host our application and database
  • Data shared: All data stored in our database
  • Privacy: Encrypted at rest and in transit
  • Location: EU-West-1 (Ireland) for EU users, US-East-1 for US users

Cloudflare (CDN & Security):

  • Purpose: Content delivery, DDoS protection
  • Data shared: IP address, request metadata
  • Privacy: Cloudflare Privacy Policy applies
  • Location: Global network

Sentry (Error Tracking):

  • Purpose: Monitor and fix application errors
  • Data shared: Error logs (sanitized, no financial data)
  • Privacy: PII redaction enabled
  • Location: US

Google Analytics (Usage Analytics):

  • Purpose: Understand user behavior, improve service
  • Data shared: Anonymized usage data
  • Privacy: IP anonymization enabled
  • Location: US
  • Opt-out: Available in Settings

We may disclose your information:

Legal Requirements:

  • Court orders or subpoenas
  • Law enforcement requests
  • Regulatory inquiries
  • Tax authorities (if legally required)

Business Transfers:

  • Merger or acquisition
  • Sale of assets
  • Bankruptcy proceedings
  • You’ll be notified of any ownership change

Protection of Rights:

  • Enforce Terms of Service
  • Investigate fraud or abuse
  • Protect security of service
  • Defend legal claims

What We Don’t Do

Never:

  • ❌ Sell your personal data
  • ❌ Share data with advertisers
  • ❌ Rent your email address
  • ❌ Provide data to data brokers
  • ❌ Use data for purposes beyond stated

Data Security

Security Measures

Encryption:

  • In transit: TLS 1.3 for all connections
  • At rest: AES-256 encryption in database
  • E2EE: Optional client-side encryption
  • Passwords: Argon2id hashing (migrating from PBKDF2)

Access Controls:

  • Role-based access for employees
  • Multi-factor authentication required
  • Principle of least privilege
  • Regular access audits

Infrastructure Security:

  • SOC 2 Type II compliant data centers
  • Regular penetration testing
  • Vulnerability scanning
  • DDoS protection

Monitoring:

  • 24/7 security monitoring
  • Automated threat detection
  • Incident response procedures
  • Regular security audits

Data Breaches

In the event of a breach:

  • Notification within 72 hours (GDPR requirement)
  • Email to affected users
  • Details of compromised data
  • Steps we’re taking
  • Recommendations for you

E2EE Protection: If you use E2EE, breached data would be encrypted and unusable to attackers.

Data Retention

Active Accounts

While your account is active:

  • All data retained indefinitely
  • Historical transactions preserved
  • Account settings maintained
  • Login history for 1 year

Deleted Accounts

After account deletion:

  • 0-30 days: Grace period (data preserved, account suspended)
  • 30 days: Permanent deletion begins
  • Personal data: Deleted immediately after grace period
  • Transaction data: Anonymized and retained for 7 years (regulatory requirement)
  • Legal records: Retained for 10 years (compliance)

Regulatory Compliance

Financial records retention (anonymized):

  • EU: 7 years minimum
  • US: 7 years (IRS requirement)
  • UK: 6 years minimum

Cannot identify you: Account ID replaced with anonymous hash

Your Privacy Rights

For All Users

  • Access: Request copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request account deletion
  • Export: Download your data (CSV, JSON, PDF)
  • Objection: Object to processing for direct marketing

Exercise rights: Settings → Privacy or email [email protected]

Additional Rights (GDPR - EU Users)

  • Restriction: Limit how we process your data
  • Portability: Receive data in machine-readable format
  • Withdraw Consent: For consent-based processing
  • Lodge Complaint: With your local Data Protection Authority

EU Representative:
PopaDex EU Privacy Office
Email: [email protected]

Additional Rights (CCPA - California Users)

  • Right to Know: What data we collect and why
  • Right to Delete: Request deletion (subject to exceptions)
  • Right to Opt-Out: Opt out of “sale” (we don’t sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Submit requests: [email protected] or 1-855-POPADEX

Response time: 45 days (may extend 45 more with notice)

Additional Rights (UK GDPR)

Same rights as EU GDPR plus:

  • Right to object to automated decisions: If we use automated decision-making (we currently don’t)

UK Representative:
PopaDex UK Privacy Office
Email: [email protected]

ICO: You can lodge complaints with the Information Commissioner’s Office

Cookies and Tracking

Essential Cookies

Required for service operation:

  • Session cookies: Keep you logged in
  • CSRF tokens: Security protection
  • Preference cookies: Language, theme settings

Cannot be disabled: Service won’t function without these

Analytics Cookies

Help us improve the service:

  • Google Analytics: Usage patterns, popular features
  • Hotjar: Session recordings (optional, disabled by default)

Can be disabled: Settings → Privacy → Analytics

Marketing Cookies

Currently not used. If we add these in future:

  • You’ll be asked for consent
  • Can opt-out anytime
  • Won’t affect service functionality

Managing Cookies

  • Browser settings: Clear cookies anytime
  • PopaDex settings: Settings → Privacy → Cookie Preferences
  • Do Not Track: We respect DNT browser signals

International Data Transfers

EU to US Transfers

Legal basis:

  • Standard Contractual Clauses (EU Commission approved)
  • Adequate safeguards: Encryption, access controls
  • Data Processing Agreement: Available upon request

US service providers:

  • Plaid (bank connections)
  • Stripe (payments)
  • AWS (some infrastructure)
  • Sentry (error tracking)

Data Residency

  • EU users: Data stored in EU-West-1 (Ireland)
  • US users: Data stored in US-East-1 (Virginia)
  • UK users: Data stored in EU-West-2 (London) or EU-West-1

Cross-border: Only when necessary for service provision

Children’s Privacy

PopaDex is not intended for children under 16 (under 13 in US).

We do not:

  • Knowingly collect data from children
  • Market to children
  • Allow child account creation

If we discover: Child account will be immediately deleted

Parents: If you believe your child has created an account, contact [email protected] immediately.

California Privacy Disclosures

CCPA Categories of Data Collected

| Category | Collected | Purpose |
|---|---|---|
| Identifiers | Yes | Account management, authentication |
| Personal records | Yes | Financial tracking, service provision |
| Commercial information | Yes | Transaction history, subscription |
| Internet activity | Yes | Service improvement, security |
| Geolocation | No | Not collected |
| Sensory data | No | Not collected |
| Professional information | No | Not collected |
| Education information | No | Not collected |
| Inferences | Yes | Personalization, insights |

CCPA Rights Summary

  • Annual request limits: None
  • Verification required: Two-factor verification for sensitive data
  • Authorized agents: Must provide power of attorney
  • Response format: Electronic or paper (your choice)

Marketing Communications

Types of Communications

Transactional (cannot opt-out):

  • Password resets
  • Security alerts
  • Account notifications
  • Billing statements

Marketing (can opt-out):

  • Product updates
  • Feature announcements
  • Tips and best practices
  • Company news

Opting Out

  • Email footer: Click “Unsubscribe” in any marketing email
  • Settings: Settings → Notifications → Unsubscribe from marketing
  • Direct request: Email [email protected]

Effect: Stops marketing only, transactional emails continue

Changes to This Policy

How We Update

Major changes:

  • Email notification to all users
  • 30-day notice before effective date
  • Prominent banner in application
  • Version history maintained

Minor changes:

  • Updated “Last Updated” date
  • No advance notice required
  • Check periodically for changes

Continued use = Acceptance of updated policy

Version History

  • v2.1 (Oct 6, 2025): Current version
  • v2.0 (Jan 15, 2025): Added E2EE details, Argon2id migration
  • v1.5 (Jun 1, 2024): GDPR updates, data retention clarification
  • v1.0 (Jan 1, 2024): Initial policy

Contact Us

Privacy Questions

  • General inquiries: [email protected]
  • Data requests: [email protected]
  • Security concerns: [email protected]

Mailing address:
PopaDex Ltd.
Attn: Privacy Office
[Address to be added]

Response time: 48 hours for inquiries, 30 days for formal requests

Data Protection Officers

  • EU DPO: [email protected]
  • UK DPO: [email protected]

Supervisory Authorities

  • EU: Contact your local Data Protection Authority
  • UK: Information Commissioner’s Office (ico.org.uk)
  • US: FTC (ftc.gov/complaint)

Questions? Email [email protected] or visit our Help Center
