Effective date: July 1, 2026
Applies to: getaurelo.app and the Aurelo mobile app
Plain-English summary: We collect what we need to run the App: account info, financial data you connect through Plaid, and basic device data. We do not sell your data. We do not share your data with advertisers. The only third parties we share with are the service providers we need to operate Aurelo (mainly Plaid, Supabase, RevenueCat, Stripe, and Resend). You can request a copy of your data, ask us to delete it, or opt out of any future sales — though we don’t sell.
1. Who We Are and How to Contact Us
This Privacy Policy describes how Aurelo collects, uses, shares, and protects personal information about you when you use the Aurelo mobile app (the “App”) or the Aurelo website at getaurelo.app (the “Website”). For purposes of applicable U.S. state privacy laws, Aurelo is the “business” or “controller” of your personal information.
Privacy questions or requests:
Email: jackie@getaurelo.app
Subject line for privacy requests: “Privacy Request”
2. Information We Collect
2.1 Information you provide
- Account information: first name (optional), last name (optional), display name, username, email address, and a password (which we store only as a salted cryptographic hash).
- Profile information: any optional information you add such as savings goals, household composition, money goals, language preference, and avatar.
- Budget content: envelopes you create, allocations you set, savings goals, notes, and tags you enter.
- Communications: the contents of emails you send to jackie@getaurelo.app or other support addresses.
2.2 Information collected automatically
- Device and technical data: device model, operating system, App version, language, time zone, IP address, and crash logs.
- Usage data: screens you visit, features you use, taps and time on screen. We use PostHog for product analytics.
- Cookies and similar technologies (Website only): we use a small number of strictly necessary cookies to operate getaurelo.app. We do not use advertising cookies.
2.3 Information collected via Plaid
If you connect a bank account, Plaid collects on our behalf: your bank account number, routing number, account holder name, account type, transactions (date, amount, merchant, category), and balances. Plaid handles the actual collection at the source bank; Aurelo receives only the data necessary to run the App. Plaid’s End User Privacy Policy at plaid.com/legal also applies.
2.4 Information collected for Auto-Save
When you set up Auto-Save, Plaid Transfer collects an authorization (Proof of Authorization, or POA) for the ACH transfers you authorize. This authorization is stored by Plaid and referenced by Aurelo via an authorization ID. Aurelo receives the authorization ID and the transfer status; Aurelo does not store your bank credentials, full account numbers, or routing numbers in the App.
2.5 Information we do not collect
Aurelo does not collect:
- Your Social Security Number.
- Your driver’s license or government ID number.
- Your full credit card number or CVC. Payment card details for Founding Member checkout are entered into Stripe directly and tokenized; Aurelo never sees your card number.
- Biometric data, precise geolocation, health data, or any “sensitive personal information” beyond what is incidentally part of bank transaction history.
Because Aurelo no longer offers a custodial product, Aurelo no longer collects KYC information (date of birth, SSN, government ID). If you used a prior version of Aurelo that included the now-discontinued Vault, see Section 11.
3. How We Use Information
We use the information described above to:
- Provide the core features of the App, including envelope budgeting, transaction sync, and Auto-Save.
- Authenticate you, secure your account, and prevent fraud and abuse.
- Process and bill your subscription.
- Send service-related communications (transactional emails about your account, transfers, renewals, and policy updates).
- Provide customer support.
- Analyze usage patterns to improve the App.
- Recommend financial products through affiliate partnerships, where the recommendations are based only on your in-App data and never on data sold from third parties.
- Comply with applicable law and respond to lawful requests from authorities.
We will not send you marketing emails about Aurelo without your prior opt-in consent. Service-related emails (such as renewal reminders, security alerts, and policy updates) are sent regardless of marketing preferences because they are necessary to operate the service.
4. How We Share Information
We do not sell your personal information. We do not share your personal information with advertisers or for cross-context behavioral advertising. We do not use Google Ads, Meta pixels, TikTok pixels, or any similar advertising tracking on the App or Website.
We share information only with the service providers we need to operate Aurelo, and only the data each provider needs to perform its function:
- Plaid Inc. — for bank connectivity and Auto-Save ACH initiation.
- Supabase, Inc. — for database, authentication, and backend infrastructure. SOC 2 Type II certified.
- RevenueCat, Inc. — for subscription management and billing reconciliation across Apple and Google in-app purchase rails.
- Stripe, Inc. — for Founding Member checkout and recurring annual billing on the Website.
- Resend (Resend Inc.) — for transactional email delivery.
- PostHog Inc. — for product analytics. PostHog is configured to scrub personally identifiable information from event payloads.
- Affiliate Partners — when you click an affiliate link, our outbound link includes a unique tracking identifier that the partner uses to attribute the referral. We do not share your name, email, or financial data with the partner unless you complete a signup or application directly with the partner.
We may also disclose information when we have a good-faith belief that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request.
- Enforce these Terms or our other agreements, including investigation of potential violations.
- Detect, prevent, or otherwise address fraud, security, or technical issues.
- Protect against harm to the rights, property, or safety of Aurelo, our users, or the public.
If Aurelo is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections.
5. GLBA Privacy Notice
Aurelo is a financial software company that supports access to financial services through our Affiliate Partners and through Plaid Transfer. We follow privacy practices aligned with the Gramm-Leach-Bliley Act (“GLBA”) and Regulation P (12 CFR Part 1016) for the handling of nonpublic personal financial information.
Categories of nonpublic personal information we collect:
- Information from you on applications or other forms (your account information).
- Information about your transactions with us, our affiliates, or others (transactions sourced from Plaid).
Categories of nonpublic personal information we disclose: only what is described in Section 4 above. We do not disclose nonpublic personal information to non-affiliated third parties for those parties’ own marketing purposes. As a result, there is no opt-out for you to exercise under GLBA at this time. If our practices ever change, we will provide you with the opportunity to opt out before any new sharing begins.
We will deliver an annual privacy notice to active users where required by applicable law.
ATTORNEY REVIEW NOTE: Please confirm GLBA scope: Aurelo is no longer in the chain of custody for funds, but Aurelo collects and stores transactional data sourced from financial institutions via Plaid. The traditional view treats this as covered. Please confirm and tune Section 5 accordingly. Also flag whether Reg P annual notice obligations attach given the lack of nonpublic-personal-information sharing with non-affiliated third parties.
6. Your Privacy Rights
6.1 California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), gives you the following rights. We honor each of them, regardless of whether the CCPA legally requires us to do so.
- Right to know. You may request a list of the categories and specific pieces of personal information we have collected about you in the past twelve (12) months.
- Right to delete. You may request that we delete personal information we have about you, subject to legal retention requirements.
- Right to correct. You may request that we correct inaccurate personal information.
- Right to opt out of sale or sharing. Aurelo does not sell or share personal information for cross-context behavioral advertising. There is currently nothing to opt out of, but you may submit an opt-out request anyway and we will confirm there is no sale to opt out of.
- Right to limit use of sensitive personal information. Aurelo does not use “sensitive personal information” beyond what is necessary to provide the service.
- Right to non-discrimination. We will not deny service, change pricing, or degrade your experience because you exercised a privacy right.
To submit a CCPA request, email jackie@getaurelo.app with the subject “Privacy Request — California.” We will verify your identity using information already on file (typically your account email plus a confirmation link) and respond within forty-five (45) days. We may extend the response window by an additional forty-five (45) days where required, with notice to you.
6.2 Other state privacy laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, or any other U.S. state with a comprehensive privacy law in effect, you have analogous rights including the right to access, correct, delete, and obtain a portable copy of your personal information, and the right to opt out of targeted advertising or profiling. Aurelo does not engage in targeted advertising or profiling for decisions that produce legal or similarly significant effects, but we will honor opt-out requests anyway.
To submit a request, email jackie@getaurelo.app with the subject “Privacy Request — [your state].”
ATTORNEY REVIEW NOTE: State privacy law landscape is moving fast. Please confirm the list and tune for any state that has come online by July 2026. The current list reflects laws in effect as of early 2026.
6.3 How to appeal
If we deny your privacy request and you believe the denial was incorrect, you may appeal by replying to our denial email within forty-five (45) days. We will review and respond within sixty (60) days.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, we delete or de-identify your account data within ninety (90) days, except where we are required to retain certain records longer for legal, regulatory, or fraud-prevention purposes.
- Transaction records sourced from Plaid: retained for up to seven (7) years after account closure to satisfy financial recordkeeping practices and to support fraud disputes.
- Auto-Save authorization records: retained for at least two (2) years after the last transfer initiated under that authorization, consistent with NACHA recordkeeping rules.
- Subscription billing records: retained for seven (7) years for tax and financial reporting purposes.
- Server logs and PostHog analytics: retained for up to twenty-four (24) months.
8. Security
We use commercially reasonable safeguards to protect your data:
- All data is encrypted in transit (TLS 1.2 or higher) and at rest.
- Database infrastructure (Supabase) is SOC 2 Type II certified.
- Passwords are stored only as salted cryptographic hashes; we cannot read your password.
- Access to production data is limited to authorized Aurelo personnel and is logged.
- Aurelo does not store your full bank account number, routing number, or any payment card number; these are tokenized through Plaid and Stripe respectively.
No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify you and applicable regulators as required by law.
9. Children
Aurelo is not intended for children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact jackie@getaurelo.app and we will delete it promptly.
10. International Users
Aurelo is operated from the United States and is intended for U.S. residents only. If you access Aurelo from outside the U.S., you do so at your own risk. Aurelo does not currently target users in the European Economic Area, the United Kingdom, or other jurisdictions with comprehensive privacy laws beyond U.S. federal and state laws.
11. Legacy Data from Prior Aurelo Versions
Aurelo previously offered a custodial “Vault” feature operated through Alpaca Securities LLC. This feature was discontinued before the July 1, 2026 launch of the current product. If you provided KYC information (such as date of birth, government ID, or Social Security Number) in connection with a prior beta version of Aurelo:
- Aurelo deleted the data we collected for KYC, except where retained by Alpaca for its own regulatory recordkeeping.
- Alpaca may continue to retain a copy of your information under its own privacy policy and applicable broker-dealer recordkeeping requirements.
- If you have questions about KYC data retained by Alpaca, contact Alpaca directly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Non-material changes take effect immediately upon posting. For material changes, we will give you at least fourteen (14) days’ notice by email or in-App notification before the new policy takes effect.
13. Contact
Privacy questions? Email jackie@getaurelo.app with the subject “Privacy Question.”