Privacy Policy
Last updated: May 11, 2026
The short version
We collect the minimum data necessary to give you an honest picture of your money and to recommend useful next steps. We do not sell your data. We do not show ads. We do not share your transactions with anyone other than the infrastructure providers we need to run the service. You can disconnect, export, or delete your data at any time.
1. What we collect, and from whom
Information you give us directly:
- Your name and email address when you sign up.
- Subscription billing information (handled by Stripe; we never see full card numbers).
- Notes, tags, manual categories, budgets, goals, and saved scenarios you create inside OneFolio.
- Anything you ask the AI “decision engine” — those questions are sent to Anthropic and/or Google AI for processing.
Information we receive through Plaid when you connect a financial account:
- Account information — institution, account name, type, last four digits, current/available balances.
- Transactions — date, amount, merchant name, raw description, category. Typically 24 months back, depending on what your institution provides.
- Recurring transactions — Plaid’s detected list of subscriptions and bills.
- Liabilities — APR, statement balance, due date, and minimum-payment data for credit cards, mortgages, and student loans.
- Investments — holdings (symbol, quantity, market value) and investment transactions on connected brokerage accounts.
- Enriched merchant data — Plaid’s normalized merchant names and logos.
You authenticate directly with Plaid (or with your financial institution through Plaid) — we never see your bank login credentials. Plaid’s relationship with you is also governed by Plaid’s own End User Privacy Policy.
Information we collect automatically:
- Basic device + browser information (IP address, user agent) for security, fraud prevention, and rate-limiting.
- Application logs of actions you take (insight dismissals, settings changes) so we can debug issues and audit changes you ask about.
- If you opt in via Settings → Privacy & Data, anonymous product-usage analytics. Off by default.
2. How we use your data
We use the data above to:
- Provide the OneFolio service — net-worth tracking, spending breakdowns, budgets, goals, debt payoff plans, AI-grounded insights, and credit-card recommendations.
- Improve the service — analyze aggregated, de-identified usage patterns to find what works and what doesn’t. This never involves selling or sharing your individual data.
- Authenticate you and protect your account from fraud.
- Communicate with you about account activity, security alerts, and material product changes. Promotional email is opt-in only.
- Comply with our legal obligations.
3. We do not sell your data
We do not sell your data. We do not rent your data. We do not provide your transaction history to advertisers, data brokers, or marketing networks. We do not use your transaction data to build advertising profiles, on or off OneFolio. This applies to aggregated, anonymized, and de-identified data as well.
Our revenue comes from your subscription and from credit-card affiliate commissions when our recommendation engine surfaces a card you’d genuinely benefit from and you choose to apply for it. The full breakdown is on our Affiliate Disclosure.
4. Who we share data with
We share data only with infrastructure providers we need to operate the service. Each is bound by a written data-protection agreement appropriate to their role. The full list:
- Plaid Inc. — financial-data network. Provides the connections to your bank, brokerage, and credit-card accounts. Plaid is a separate data controller for the data it collects from you directly during the link flow; OneFolio is the controller for the data Plaid passes back to us. Plaid’s policy: plaid.com/legal/end-user-privacy-policy
- Supabase Inc. — encrypted database and authentication hosting. US-region only.
- Anthropic, PBC — provider of Claude, the AI model that powers our decision engine and recurring-transaction classifier. We send anonymized prompts (no names, no account numbers, no merchant identities tied back to you).
- Google LLC — provider of Gemini, used to generate the brief on the Insights surface. Same anonymization rules.
- Stripe, Inc. — subscription billing and payment processing.
- Resend, Inc. — transactional email delivery (welcome, password reset, security alerts).
- Vercel Inc. — application hosting and CDN.
- Upstash Inc. — Redis-based rate limiting and short-lived caching.
We may also share information (i) with you, when you direct us to (e.g., generating a CSV export); (ii) when required by law or court order, with notice to you to the extent we’re legally permitted; (iii) in connection with a corporate transaction (merger, acquisition, financing), in which case we’ll require the acquirer to honor this Privacy Policy.
5. Not a credit report (FCRA)
Plaid is not a “consumer reporting agency” under the Fair Credit Reporting Act (FCRA), and the data we receive from Plaid is not a “consumer report.” We do not use it (and you may not use it) for any FCRA-covered purpose, including credit, insurance, employment, housing, or government-benefit decisions.
6. How long we keep your data
We keep your account, transaction, and budget data while your OneFolio account is active so we can provide year-over-year comparisons, trend analysis, and tax-relevant exports. You can change this at Settings → Privacy & Data → Data Retention.
When you disconnect a single institution, we remove its historical data within 30 days unless you direct otherwise.
When you delete your OneFolio account, we delete your data from active systems within 30 days. Some records are retained longer where required by law: payment records (7 years for tax/accounting), security audit logs (1 year), records related to fraud or abuse investigations until they’re resolved.
7. Your rights
You have the right at any time to:
- Know what categories of information we have about you (this page; ask us for specifics at admin@1folio.ai).
- Access and export your data via Settings → Privacy & Data.
- Correct data — most categorizations and settings are user-editable in app; for anything else, email us.
- Delete all or specific categories of your data via Settings → Privacy & Data → Delete account, or by emailing admin@1folio.ai.
- Disconnect any individual account from Settings → Connected Accounts. This stops new data collection from that institution and removes historical data within 30 days.
- Revoke consent for AI processing by emailing us — we’ll mark your account so the decision engine and brief surfaces no longer run.
- Opt out of analytics at Settings → Privacy & Data → Analytics. Off by default.
- Manage Plaid’s authorization separately through Plaid’s consumer dashboard at my.plaid.com.
We don’t discriminate against you for exercising any of these rights. We respond to verifiable requests within the timelines required by applicable law (usually 45 days, 5 business days for revocation).
8. California residents (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020:
- The right to know the categories of personal information collected, the sources, the business purpose, and the categories of third parties with whom it’s shared (all disclosed in §1 and §4 above).
- The right to delete personal information (see §7).
- The right to correct inaccurate personal information (see §7).
- The right to limit use and disclosure of sensitive personal information.
- The right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising — there is nothing to opt out of, but we want to say so explicitly.
- The right to non-discrimination for exercising these rights.
To exercise these rights, email admin@1folio.ai. We’ll verify your identity by confirming you control the email address on the account, and respond within 45 days.
9. Financial data privacy (GLBA)
Because we handle financial information, we comply with applicable provisions of the Gramm-Leach-Bliley Act and its implementing regulations. That includes giving you this privacy notice, securing your data, and not disclosing nonpublic personal information to non-affiliated third parties for marketing purposes.
10. Security
We maintain a written information-security program approved by our leadership. It includes administrative, technical, and physical controls designed to (i) protect the confidentiality and integrity of your data, (ii) protect against unauthorized access or use, and (iii) ensure proper disposal when data is no longer needed. The program is appropriate to our risk profile and the nature of the data we hold; we use AICPA Trust Services Criteria and NIST 800-53 as our reference frameworks.
All data at rest is encrypted; all data in transit uses TLS. Plaid tokens are encrypted with separately managed keys. We use up-to-date antivirus/anti-malware tools on systems that have access to user data.
Security incident notification: If we discover a security incident affecting your data, we will notify you without undue delay and within the timeframes required by applicable state and federal law. We’ll also notify Plaid within 12 hours of discovery, per our contractual obligation to them.
Vulnerability reports are welcome at admin@1folio.ai. We respond within 2 business days and acknowledge responsible disclosure.
11. Children
OneFolio is not directed to children under 18, and we do not knowingly collect personal information from children. If you believe we’ve received data from someone under 18, contact us at admin@1folio.ai and we will delete it.
12. International users
OneFolio is operated from and intended for use within the United States. If you access OneFolio from outside the US, you understand your information will be transferred to and processed in the US, where data protection laws may differ from those in your country.
13. Changes to this policy
We may update this Privacy Policy from time to time. If a change is material — for example, a change to the categories of data we collect or the third parties we share it with — we’ll notify you in-app and by email at least 30 days before the change takes effect. The version of this policy in effect when you use the service is the version that governs.
14. Contact
Questions, concerns, or requests: admin@1folio.ai. We aim to respond within 2 business days; verifiable rights requests within the timelines required by applicable law.