Privacy Policy

Last updated: April 11, 2026

Overview

HO3 ("the App") is a private personal finance application built exclusively for two authorized users: the account owner and their spouse. The App is not available to the general public and has no public registration. This policy describes how the App collects, uses, stores, and protects financial data.

Data We Collect

The App collects and processes the following categories of financial data to provide its budgeting, bill tracking, and debt management features:

  • Account information: account names, types, balances, and masked account numbers retrieved via Plaid.
  • Transaction data: transaction amounts, dates, merchant names, and categories retrieved via Plaid.
  • Liability data:credit card balances, APRs, minimum payments, due dates, student loan details, and mortgage information retrieved via Plaid's Liabilities product.
  • User-entered data: bills, subscriptions, projected income, debt details, and priority settings entered manually by authorized users.
  • Uploaded documents: receipt images and financial statement PDFs uploaded by authorized users for OCR processing.
  • Authentication data: email addresses, hashed passwords, and TOTP multi-factor authentication credentials.

How We Collect Data

Financial account data (transactions, balances, and liabilities) is collected through Plaid Inc., a licensed financial data aggregation service. By connecting a bank account through the App, users authorize Plaid to retrieve data from their financial institutions on the App's behalf. Plaid's own privacy policy governs how Plaid collects, uses, and protects data obtained from financial institutions.

OCR Processing

When a user uploads a receipt image or financial statement, the document is sent to Anthropic's Claude API for optical character recognition (text extraction). Anthropic processes the image to extract structured data (merchant names, amounts, dates) and returns the results to the App. Uploaded images are transmitted to Anthropic solely for the purpose of text extraction and are subject to Anthropic's privacy policy. Anthropic does not retain uploaded images from API requests for model training.

Data Storage & Security

  • All data is stored in a Supabase-hosted PostgreSQL database with encryption at rest (AES-256).
  • All data transmission between the App, Supabase, Plaid, and Anthropic occurs over TLS (HTTPS).
  • Access to data is restricted by row-level security policies that enforce per-user, per-book access controls at the database level.
  • All user logins require multi-factor authentication (TOTP via authenticator app) in addition to password authentication.
  • Plaid access tokens are stored encrypted in the database and are never exposed to the client.
  • Uploaded documents are stored in a private Supabase Storage bucket accessible only to authenticated users.

Data Sharing

We do not sell, share, rent, or transfer user financial data to any third parties for any purpose. Data is accessed only by the two authorized users of the App. The only third-party services that process data are:

  • Plaid Inc. — for retrieving financial account data from institutions, as authorized by the user.
  • Anthropic (Claude API) — for OCR text extraction from user-uploaded receipt and statement images.
  • Supabase — for database hosting and file storage.
  • Vercel — for application hosting.

None of these services receive data for advertising, marketing, or resale purposes.

Analytics & Tracking

The App uses no analytics services, tracking pixels, advertising networks, or third-party cookies. There is no behavioral tracking, no session recording, and no data collection beyond what is described in this policy.

Data Retention and Deletion

Effective Date: April 11, 2026  |  Last Reviewed: April 11, 2026  |  Download PDF

1. Scope

HO3 is a private personal finance application used exclusively by two authorized users (the account owner and spouse). This policy governs the retention and deletion of all consumer financial data collected, processed, or stored by the application, including data retrieved through the Plaid API.

2. Data Retained

HO3 retains the following categories of data: account balances and transaction history retrieved from connected financial institutions via Plaid; liability details including credit card and loan balances, APRs, and minimum payments; user-provided categorizations, notes, and uploaded receipt or statement images; encrypted Plaid access tokens required to maintain bank connections; and account profile information including email and authentication credentials.

3. Retention Period

Financial data is retained for as long as the user maintains an active HO3 account. Active accounts retain transaction history for analytical and budgeting purposes. No data is sold, shared, or transferred to any third party.

4. Deletion Upon Request

Users may request deletion of their account and all associated data at any time. Upon a deletion request: (a) Plaid access tokens are immediately revoked, terminating all bank connections; (b) all user data, including transactions, balances, liabilities, receipts, and uploaded statements, is permanently removed from the active database within 30 days; (c) backup copies are retained for an additional 30-day rolling window for disaster recovery purposes, after which they are permanently purged.

5. Automatic Deletion

Inactive accounts (no login for 24 consecutive months) are flagged for automatic deletion. The account holder receives notice 30 days prior to deletion and may reactivate by logging in. Failure to reactivate results in permanent data removal following the same procedure as a manual deletion request.

6. Compliance

This policy is designed to comply with applicable U.S. data privacy laws, including the principles of the California Consumer Privacy Act (CCPA) and Gramm-Leach-Bliley Act (GLBA) safeguards rules. As a private two-user application, HO3 does not sell consumer data, does not share data with advertisers, and does not engage in any processing activity that would trigger additional regulatory obligations.

7. Periodic Review

This policy is reviewed at least annually by the account owner. Reviews verify that retention periods remain appropriate, that deletion procedures function as documented, and that the policy reflects current applicable law. The most recent review date is recorded at the top of this document.

8. Contact

Requests related to this policy, including data deletion requests, may be directed to the account owner via the contact email associated with the HO3 account: shaq@shaqhardy.com.

Contact

For questions about this privacy policy or to request data deletion, contact shaq@shaqhardy.com.