NALO.

Privacy Policy

Last updated: January 13, 2026

At NALO, we believe your financial data is deeply personal. This Privacy Policy explains how we collect, use, protect, and share your information when you use our mobile application and services. We've written this policy to be clear and straightforward — not hidden behind legal jargon.

The Short Version

We collect your financial data to help you understand and improve your finances. We never sell your data. We use bank-level encryption. You can delete your data anytime.

1. Information We Collect

Account Information

When you create a NALO account, we collect:

  • Email address
  • Name (optional)
  • Authentication credentials (password hash or OAuth tokens)
  • Device information for security purposes

Financial Data via Plaid

When you connect your bank accounts, we use Plaid Inc. to securely retrieve your financial information. Through Plaid, we access:

  • Account balances: Current and available balances across checking, savings, credit cards, and investment accounts
  • Transaction history: Your transaction details including merchant names, amounts, dates, and categories
  • Account details: Account names, types, and institution information
  • Identity information: Name and contact information on file with your bank (used to verify your identity)

Important: Your Bank Credentials

Your bank login credentials are never stored on NALO servers. When you connect an account, you enter your credentials directly with Plaid through their secure interface. We only receive tokens that allow us to fetch your financial data — never your actual passwords.

Usage Data

We automatically collect information about how you use NALO:

  • Features you use and interactions within the app
  • AI coaching conversations (to improve our responses)
  • Device type, operating system, and app version
  • Crash reports and performance data

2. How We Use Your Information

We use your information to:

  • Provide financial insights: Analyze your transactions to show spending patterns, net worth trends, and personalized recommendations
  • Power AI coaching: Use your financial context to provide relevant, personalized advice through our AI assistant
  • Detect behavioral patterns: Identify spending patterns (like weekend spending or subscription changes) to surface Quiet Insights
  • Generate projections: Create What If scenarios that model how life decisions might impact your finances
  • Celebrate your progress: Track financial wins like debt payoff, savings milestones, and positive trends
  • Improve our services: Analyze aggregate, anonymized data to make NALO better for everyone
  • Provide customer support: Help you resolve issues with your account
  • Send important updates: Notify you about service changes, security alerts, or account issues

3. How We Protect Your Data

Encryption

We implement industry-standard security measures:

  • In transit: All data transmitted between your device, our servers, and Plaid uses TLS 1.3 encryption
  • At rest: Your data is encrypted using AES-256 encryption on our servers
  • Database security: We use Google Cloud Platform's Firebase with enterprise-grade security controls

Access Controls

  • Strict employee access policies — only authorized personnel can access user data for support purposes
  • All access is logged and audited
  • Multi-factor authentication required for all internal systems

Infrastructure

  • Hosted on Google Cloud Platform with SOC 2 Type II compliance
  • Regular security audits and penetration testing
  • Automated threat detection and monitoring

4. How We Share Your Information

We Never Sell Your Data

Let us be absolutely clear: we do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes. Your financial data is not a product.

Service Providers

We share data with trusted service providers who help us operate NALO:

  • Plaid Inc.: Financial data aggregation. View Plaid's Privacy Policy
  • Google Firebase: Cloud infrastructure, authentication, and database services
  • Stripe: Payment processing for subscriptions (we never see your full card number)
  • OpenAI: Powers our AI coaching features. Conversations are processed but not used to train their models

Legal Requirements

We may disclose your information if required by law, such as:

  • To comply with a subpoena, court order, or legal process
  • To protect the rights, property, or safety of NALO, our users, or the public
  • To detect and prevent fraud or security issues

5. Plaid Integration

NALO uses Plaid to connect to your financial institutions securely. When you connect an account:

  • You authenticate directly with Plaid, not NALO
  • Plaid retrieves your financial data and shares it with us via secure API
  • We receive access tokens — not your bank credentials
  • You can revoke access anytime through NALO or directly through Plaid

Plaid's use of your data is governed by their End User Privacy Policy. We encourage you to review it.

6. Your Rights and Choices

Access Your Data

You can view all the data we have about you directly in the NALO app. For a complete export, contact us at privacy@nalo.app.

Delete Your Data

You can delete your NALO account and all associated data at any time from the app settings. When you delete your account:

  • Your financial data is permanently deleted from our servers within 30 days
  • Plaid connections are revoked
  • Aggregated, anonymized data may be retained for analytics
  • We may retain certain information as required by law

Disconnect Bank Accounts

You can disconnect individual bank accounts at any time without deleting your entire account.

Communication Preferences

In your account settings, you can opt out of marketing emails while still receiving essential service communications (like security alerts).

Data Portability

You have the right to receive a copy of your data in a machine-readable format. Contact privacy@nalo.app to request an export.

7. Data Retention

We retain your data as follows:

  • Active accounts: Data is retained while your account is active
  • Transaction history: We store up to 24 months of transaction history for active accounts
  • Deleted accounts: Data is permanently deleted within 30 days of account deletion
  • Legal requirements: We may retain certain records longer if required by law
  • Backups: Encrypted backups may contain your data for up to 90 days after deletion

8. Children's Privacy

NALO is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us at privacy@nalo.app.

9. International Users

NALO is operated from the United States. If you access our services from outside the US, your information will be transferred to and processed in the United States, which may have different data protection laws than your country.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We don't sell personal information, so this doesn't apply
  • Right to Non-Discrimination: We won't discriminate against you for exercising your rights

To exercise these rights, contact us at privacy@nalo.app or use the in-app data controls.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We'll notify you of significant changes through the app or via email. Your continued use of NALO after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

  • Email: privacy@nalo.app
  • Support: Contact Page

Questions?

We're committed to transparency. If anything in this policy is unclear, please reach out. We're happy to explain how we handle your data.

© 2026 NALO. All rights reserved.
