This Privacy Policy describes how Vivytech ("we," "us," or "our") collects, uses, and shares information when you use the Clau mobile application ("App"). By using the App, you agree to the practices described here. If you do not agree, do not use the App.
1. Information We Collect
Account Information
- Full name, username, email address, and phone number (collected at registration)
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Account creation timestamp and last-active timestamp
Financial Information
- Bank account balances and transaction history, retrieved via Stripe Financial Connections when you link a bank account
- Investment portfolio data, trade orders, and account holdings, retrieved from Alpaca Markets after you complete the Alpaca OAuth authorization flow
- Payment history (subscription charges) processed by Stripe
- Wallet balance and deposit/withdrawal records stored on our servers
AI Conversation Data
- Messages you send to the Clau AI assistant, including your full conversation history for that session
- Contextual data automatically included with AI requests: your linked account balances, monthly spending categories, and financial goals
- AI conversations are transmitted to Google's Gemini API for processing (see Section 4)
- Conversation history is stored locally on your device in encrypted app storage and is not uploaded to our servers
Usage and Device Information
- Firebase Cloud Messaging (FCM) token for push notification delivery
- AI message count (to enforce free-tier limits, synced to our servers)
- Gamification points (learning points, card points) stored on our servers
- Notification preferences (financial, goals, learning, general) stored on our servers
- App activity logs (API request timestamps — standard server logs)
Camera and Microphone
The App requests camera and microphone permissions on Android to support document capture and audio input features. These permissions are requested at the time the relevant feature is used and are not accessed in the background.
2. How We Use Your Information
- To create and manage your account and authenticate your identity
- To display your bank balances, transactions, and investment portfolio
- To process subscription payments and manage your billing status
- To power the Clau AI assistant with relevant financial context
- To send push notifications about your finances, goals, and learning progress (configurable in settings)
- To enforce free-tier AI message limits and detect abuse
- To send password-reset emails via SMTP when requested
- To improve and maintain the reliability of the App and its backend services
3. Information We Do Not Collect
- We do not collect your Social Security number or government-issued ID (Alpaca handles identity verification directly)
- We do not collect precise GPS location
- We do not sell your personal data to third parties for advertising
- We do not use your financial data to train machine learning models
4. Third-Party Services and Data Sharing
We share data with the following third parties only as necessary to operate the App:
Stripe, Inc. — Payment processing and bank account linking. When you subscribe or link a bank account, your payment information and bank account data are processed by Stripe under their Privacy Policy. We store your Stripe Customer ID and subscription ID on our servers.
Alpaca Markets / Alpaca Securities LLC — Brokerage services. When you connect your Alpaca account via OAuth, Alpaca receives an authorization request and provides us an encrypted access token. We store this token encrypted on our servers using AES-256 symmetric encryption. Trading is executed through Alpaca's platform subject to their Privacy Policy.
Google LLC (Gemini AI) — AI inference. Your messages to the Clau AI assistant, along with relevant financial context (balances, spending, goals), are sent to Google's Gemini API for processing. Google processes this data subject to their Privacy Policy and API Terms. We recommend not sending sensitive personal information (e.g., full account numbers, SSN) in AI chat messages.
Google LLC (Firebase Cloud Messaging) — Push notifications. Your device's FCM token is stored on our servers and used solely to deliver push notifications you have enabled. This processing is subject to Google's Privacy Policy.
Market Data Providers — Stock quotes and historical prices are fetched from Finnhub, Yahoo Finance, and CoinGecko. These are read-only API calls; no personal data is shared with these providers.
Amazon Web Services (AWS) — Our backend servers and database run on AWS EC2 infrastructure in the US. Your account data and financial records are stored on AWS. AWS is subject to their Privacy Notice.
We do not share your data with any other third parties unless required by law or with your explicit consent.
5. Data Security
- All data in transit is encrypted via HTTPS/TLS
- JWT session tokens on your device are stored in Android EncryptedSharedPreferences using AES-256-GCM encryption
- Alpaca OAuth tokens are encrypted on our servers using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256)
- Passwords are hashed with bcrypt before storage — we cannot retrieve your password
- Our PostgreSQL database is hosted on AWS with access restricted to backend services only
- Rate limiting is enforced on all API endpoints to prevent brute-force attacks
- Failed login attempts trigger account lockout after repeated failures
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, your personal information is removed from our active database within 30 days, except where retention is required by law (e.g., financial transaction records). Cached bank and transaction data is refreshed regularly and does not persist beyond what is needed to display current balances.
7. Your Rights and Choices
- Access and correction: You can view and update your personal information in the Profile section of the App
- Delete account: Contact us at support@clau.app to request account deletion
- Disconnect bank account: You can disconnect your linked bank account at any time from the App settings
- Disconnect Alpaca: You can revoke Alpaca access from the App settings at any time
- Notifications: You can toggle each notification category (Financial, Goals, Learning, General) in the Notifications settings screen
- AI conversation history: You can clear your local AI conversation history using the "New Chat" button in the AI screen
8. Children's Privacy
The App is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please contact us at support@clau.app and we will promptly delete the account.
9. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at support@clau.app.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via in-app notification or email. The "Effective Date" at the top of this page reflects the most recent revision. Continued use of the App after changes are posted constitutes your acceptance of the revised policy.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: support@clau.app
- Developer: Vivytech
- Location: Boston, Massachusetts, United States