Draft — pending final legal review. This document has not yet been reviewed by counsel. Do not rely on it as a binding legal instrument.

Privacy Policy

Last updated: June 9, 2026 · Effective: June 9, 2026

The short version: WealthWhiz is designed so that we collect nothing on a server. Your raw financial data — account balances, income figures, debt amounts, asset values — lives only on your device. We do not have a backend database of household finances. This document explains the limited information that does flow through our systems, why, and how we handle it.

1. Who we are

WealthWhiz ("we," "us," "our") is the developer and operator of the WealthWhiz financial planning application, available at wealth-whiz.com and through native apps on iOS, Android, macOS, Windows, and Linux. For questions about this policy, contact us at privacy@wealth-whiz.com.

2. The core architecture and what it means for your data

WealthWhiz is built around a single, non-negotiable constraint: raw financial data never leaves your device. The math engine that powers projections, tax calculations, Monte Carlo simulations, and all other computations runs natively on your hardware — in the browser via WebAssembly, or as a compiled native binary on desktop and mobile platforms.

Your plan file — which contains the financial figures you enter — is stored as a local file on your device (or in browser local storage for the web app). We do not ingest, copy, store, transmit, index, or analyze this file. There is no server-side financial computation in WealthWhiz.

This is a verifiable technical property. The application's math engine is open-source and published on GitHub. Anyone can inspect the code, run it locally, and confirm that it contains no outbound data transmission for financial inputs.

3. What is stored on your device

The following data lives exclusively on your device and is never transmitted to WealthWhiz servers:

Your plan file: income, savings, debts, assets, expenses, retirement assumptions, and all other financial inputs
Your BYO LLM API key (if you use the free-tier AI feature) — stored in encrypted local storage
App preferences and UI settings
Cached market data fetched directly from third-party APIs (if you configure a market-data key)
Plaid connection tokens (if you use Plaid sync), processed and stored locally after the initial OAuth handshake

On the Plus tier and above, your plan file may be encrypted at rest using AES-256 with a key derived from your device credentials (biometric or device passcode). We do not hold or have access to this encryption key.

4. What WealthWhiz servers do receive

WealthWhiz does operate limited server infrastructure for non-financial functions. The following data may reach our servers:

4a. Account and subscription data

When you create an account or subscribe to a paid tier, we collect:

Email address (used for authentication and subscription management)
Payment information — processed by Stripe; we store only the last 4 digits of your card, card type, and Stripe customer ID. We never receive or store full card numbers.
Subscription tier and status, billing history
Device identifiers used for license validation (a hashed device ID, not linked to your financial data)

4b. App telemetry (minimal, non-financial)

The app may transmit anonymized, aggregated usage events to help us understand feature adoption — for example, which planning modules are opened, how often the Monte Carlo tab is used, and crash reports. These events contain no financial values, no plan file contents, and no personally identifiable information beyond a random session ID. You may opt out of telemetry in app settings at any time.

4c. Support interactions

If you contact support by email, we receive the content of your message and your email address. We do not have access to your plan file unless you choose to attach it; even if you do, you should sanitize any sensitive values before sharing.

5. The optional AI Concierge and how anonymization works

The AI Concierge (a paid add-on) uses a managed large language model (LLM) to answer questions about your financial plan. Because LLMs run on third-party infrastructure, we take the following steps to prevent raw financial data from reaching the LLM provider:

Anonymization before transmission: Before any context is sent to the LLM, the application replaces specific dollar figures with normalized proxies (e.g., "your annual income" rather than "$185,000"), and replaces institution names with generic labels. The LLM receives a structural description of your financial situation, not raw account data.
No account numbers or credentials: Account numbers, routing numbers, Social Security numbers, and login credentials are never included in any LLM context — they are not stored in a field accessible to the AI feature.
Local pre-processing: The anonymization step runs locally on your device before the LLM request is transmitted. You can inspect the anonymized context in the app's debug view before sending.
BYO key option: If you supply your own LLM API key on the Free tier, you are directly governing the data relationship with the LLM provider under their terms. WealthWhiz passes the anonymized context to your chosen endpoint; it does not log or store the prompt or the response.

The 27 watcher agents in the AI Concierge add-on run locally on your device. They monitor your plan for drift, rebalancing triggers, and threshold events. When a watcher fires and you ask the AI to explain it, the same anonymization process applies before any LLM call is made.

6. Third-party services and when they are involved

The following third parties may be involved in limited, opt-in scenarios:

Stripe: Processes payments for paid subscriptions. Stripe's privacy policy governs their handling of payment data. We receive only a tokenized representation of your payment method.
Plaid: Used for bank sync on Family and Ultimate tiers. You initiate a Plaid connection via an OAuth flow hosted by Plaid. Plaid delivers transaction data to the WealthWhiz app client directly; we do not proxy or store it on our servers. Plaid's privacy policy governs their handling of your bank credentials and connection data.
Apple / Google: On iOS and Android, subscriptions purchased through in-app purchase are governed by Apple App Store and Google Play policies respectively. Apple and Google do not share individual purchase data with us beyond what is necessary to validate the license.
LLM providers (OpenAI, Anthropic, etc.): Only involved if you use the AI features (BYO key on Free, or AI Concierge add-on). Only anonymized context is sent. Each provider's privacy policy governs their use of prompt data.

We do not sell, rent, or trade your data to any third party for marketing purposes.

7. Cookies and web tracking

The marketing website (wealth-whiz.com) uses only functional cookies necessary for session management and payment processing. We do not use advertising tracking pixels, third-party analytics cookies, or behavioral targeting. We use privacy-respecting analytics (Plausible, if enabled) that collect no personally identifiable information and store no cookies.

8. Data retention

Because raw financial data lives on your device, we have nothing to retain. For account and subscription data, we retain records for as long as your account is active and for a reasonable period afterward to comply with tax and accounting obligations (typically 7 years for transaction records). Support emails are retained for 2 years after the last interaction in a thread.

9. Your rights — export and delete

You have full control over your plan data because it lives on your device. At any time you may:

Export: One-tap export to JSON, CSV, or PDF from within the app. Your entire plan file, in a documented open format, is available whenever you want it.
Delete locally: Delete the plan file from your device at any time using the app's delete function or your operating system's file manager.
Delete your account: Sending a request to privacy@wealth-whiz.com with the subject "Account deletion" will result in deletion of your account record, email address, subscription history, and any support interaction records within 30 days. Because we do not have your financial data, there is nothing more to delete from our side.
Disconnect Plaid: You can disconnect any Plaid link from within the app at any time. This revokes WealthWhiz's Plaid access token; previously synced data on your device is not affected unless you delete it.

10. CCPA (California) posture

Under the California Consumer Privacy Act, California residents have the right to know what personal information is collected, to request deletion, to opt out of sale, and to non-discrimination. WealthWhiz does not sell personal information. The personal information we hold about account holders is limited to the account and subscription data described in Section 4a above. You may exercise CCPA rights by contacting privacy@wealth-whiz.com. We will respond within 45 days.

11. GDPR (EU/EEA/UK) posture

For users in the European Economic Area and United Kingdom, the legal basis for processing your email address and subscription data is the performance of a contract (your subscription agreement with us). Telemetry, where collected, is processed under legitimate interests (improving the product) and is opt-out. You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. The right to erasure is exercised by submitting an account deletion request as described in Section 9. We do not transfer personal data outside the EEA without appropriate safeguards. For GDPR inquiries, contact privacy@wealth-whiz.com. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

12. Security

We apply industry-standard security to the limited account and subscription data we hold: TLS in transit, encryption at rest, access controls, and no unnecessary retention. Because the high-sensitivity data (financial figures) never reaches our infrastructure, the attack surface on our servers is structurally limited. The open-source math engine is subject to public security review; if you find a vulnerability, please report it to security@wealth-whiz.com.

13. Children's privacy

WealthWhiz is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently received personal information from a child under 13, we will delete it promptly.

14. Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, notify account holders by email. Continued use of WealthWhiz after a change constitutes acceptance of the updated policy.

15. Contact

For privacy questions, data requests, or concerns, contact us at:

Email: privacy@wealth-whiz.com
Support portal: wealth-whiz.com/support