Privacy Policy

Last updated: April 26, 2026

Introduction

Koala ("we", "our", or "us") is a personal finance management application designed to help you track your spending, manage budgets, and gain insights into your financial health.

We are committed to protecting your privacy and handling your data responsibly. This policy explains what information we collect, how we use it, and what choices you have.

Data We Collect

When you use Koala, we collect the following types of information:

  • Account Information: Email address and password (securely hashed) when you create an account
  • Financial Data via Plaid: When you connect your bank accounts through Plaid, we receive:
    • Account names, types, and balances
    • Transaction history (merchant name, amount, date, category, location)
    • Institution information
  • User Preferences: Settings you configure such as categories, rules, dashboard layout, and AI preferences

How We Use Your Data

Your data is used solely to provide you with the Koala service:

  • Display your financial information and account balances
  • Categorize and organize your transactions
  • Generate spending insights and analytics
  • Provide AI-powered transaction categorization and financial insights (see "Third-Party Services" below for details on data shared with AI providers)
  • Apply your custom rules and preferences

We do NOT sell, share, or use your data for advertising or marketing purposes.

Data Security

We implement multiple layers of security to protect your data:

  • Encryption at Rest: Sensitive credentials (like Plaid access tokens) are encrypted using AES-256-GCM encryption
  • Encryption in Transit: All connections use TLS 1.2 or higher
  • Row Level Security: Database-level policies ensure you can only access your own data
  • Optional MFA: Two-factor authentication is available to protect your account
  • No Credential Storage: We never store your bank login credentials - Plaid handles authentication directly with your bank

Third-Party Services

Koala uses the following third-party services:

  • Plaid: Securely connects to your bank accounts. Plaid is a licensed financial services provider. See Plaid's Privacy Policy
  • Supabase: Provides database hosting and authentication services
  • xAI (Grok): Powers AI transaction categorization. We send transaction metadata including merchant names, amounts, dates, and categories to xAI for automated categorization. No bank credentials, account numbers, or login information is shared
  • Anthropic (Claude): Powers tax document extraction. If you upload tax documents (e.g., W-2, 1099), document images are sent to Anthropic for text extraction. SSN/TIN numbers are masked before transmission. No bank credentials or account numbers are shared
  • Stripe: Processes subscription payments. See Stripe's Privacy Policy
  • Sentry: Error monitoring to help us fix bugs. Text in session replays is masked and no financial data is captured
  • PostHog: Privacy-friendly analytics (opt-in only). IP addresses are anonymized and cross-site tracking is disabled

Cookie Policy

We use cookies and similar technologies to provide and improve our services:

Essential Cookies

These cookies are required for the app to function and cannot be disabled. They include:

  • Authentication cookies to keep you logged in
  • Session cookies for security
  • Cookie consent preferences

Analytics Cookies

With your consent, we use PostHog for privacy-friendly analytics to understand how users interact with Koala. This helps us improve the app. PostHog is configured to:

  • Anonymize IP addresses
  • Not track across websites
  • Respect Do Not Track browser settings

Functional Cookies

These cookies remember your preferences such as:

  • Theme preference (light/dark mode)
  • Dashboard layout preferences
  • Language settings

Managing Your Preferences

You can manage your cookie preferences at any time. When you first visit Koala, you'll see a cookie consent banner where you can accept all cookies, reject non-essential cookies, or customize your preferences. You can also clear cookies through your browser settings.

We never use cookies for advertising or sell your data to third parties.

Data Retention & Deletion

  • Transaction data: Retained for as long as your account is active to provide historical financial tracking
  • Account information: Retained for as long as your account is active
  • AI processing data: Transaction data sent to AI providers is processed in real-time and not stored by the providers beyond their standard API retention policies
  • Error logs: Retained for 90 days for debugging purposes
  • Analytics data: Anonymized analytics are retained for 12 months
  • You can disconnect bank accounts at any time from Settings
  • You can delete your account and all associated data from Settings or by contacting us
  • Upon account deletion, all your data is permanently and irreversibly removed from our systems, including Stripe billing records

Your Rights

You have the right to:

  • Access all data we store about you
  • Export your data at any time
  • Disconnect bank connections
  • Delete your account and all associated data
  • Opt out of AI-powered features

California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

Categories of Personal Information We Collect

  • Identifiers: Email address, account ID
  • Financial information: Bank account names, transaction history (via Plaid), account balances
  • Internet activity: App usage data, feature interactions (if analytics cookies accepted)
  • Inferences: AI-generated transaction categories, spending insights

Business Purpose for Collection

We collect personal information solely to provide the Koala personal finance management service, including displaying financial data, categorizing transactions, generating insights, and processing payments.

Your California Rights

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information. You can do this directly in Settings or by contacting us
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

We do NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. No "Do Not Sell or Share My Personal Information" opt-out is required because we never sell or share your data.

To exercise your CCPA rights, contact us at support@trykoala.ai. We will verify your identity before processing any request.

Dispute Resolution

Any disputes relating to this Privacy Policy are subject to our Terms of Service, including the arbitration and governing law provisions contained therein.

Contact Us

If you have questions about this privacy policy or your data, please contact us at:

support@trykoala.ai
