Our Commitment to Privacy
At Nyphex, we take your privacy seriously. This Privacy Policy explains how we collect, use, protect, and share your personal information when you use our personal finance platform. We are committed to transparency and giving you control over your data.
This service is only available to residents of the United States. We do not knowingly collect personal information from individuals outside the United States.
We are fully compliant with CCPA (California) regulations.
What Data We Collect
Account Information
- Email address: Required for account creation and login
- Name: Optional, used for personalization
- Password: Encrypted using bcrypt (10 rounds) - we never store plain passwords
- Two-Factor Authentication (2FA): Optional TOTP secret for enhanced security
Financial Data
- Transactions: Date, amount, merchant, category (user-entered or imported)
- Accounts: Institution name, account type, masked account numbers (last 4 digits only)
- Budgets: Budget amounts and categories
- Investments: Holdings, symbols, quantities (optional)
What We DON'T Collect
- Social Security Numbers
- Full bank account numbers (only masked last 4 digits)
- Full credit card numbers (only masked last 4 digits)
- Physical addresses (unless in uploaded documents - see below)
- Biometric data
- Location data (unless you explicitly enable mileage tracking)
Bank Connections (Plaid Integration)
When you connect your bank account using Plaid:
- Encrypted Tokens: Plaid access tokens are encrypted using AES-256-GCM before storage
- Data Minimization: We only access transaction data, account balances, and institution names
- User Consent: You explicitly authorize the connection through Plaid Link
- Right to Disconnect: You can disconnect your bank at any time, which revokes all access
Note: Plaid is a separate service with its own privacy policy. Learn more at plaid.com/legal
Document Upload Privacy
We use industry-leading privacy protection for document uploads:
Privacy-First Processing
- Local Text Extraction: We first attempt to extract text locally (no cloud processing)
- Automatic PII Detection: We scan for 15+ types of PII including:
  - Names, addresses, phone numbers
  - Social Security Numbers
  - Bank account numbers, credit card numbers
  - Email addresses, IBANs, sort codes
- Human-in-the-Loop Review: If PII is detected, YOU review and approve before cloud processing
- PII Redaction: Detected PII is automatically redacted (e.g., "123-45-6789" to "XXX-XX-XXXX")
- Encrypted Storage: Original documents stored encrypted in our secure storage
You have full control: We never send your documents to cloud AI services without your explicit approval.
How We Use Your Data
We use your data solely for the following purposes:
- Core Service: Provide personal finance tracking, budgeting, and reporting
- AI Analysis: Generate insights, detect anomalies, and provide personalized recommendations
- Document Processing: Extract transaction data from receipts and statements
- Notifications: Send budget alerts, bill reminders, and unusual spending warnings (if enabled)
- Security: Detect fraud, prevent unauthorized access, and maintain audit logs
What We DON'T Do
- We DO NOT sell your data to third parties
- We DO NOT share your data with advertisers
- We DO NOT use your data for marketing outside our platform
- We DO NOT train AI models on your personal financial data
How We Protect Your Data
Encryption
- In Transit: All data is transmitted using HTTPS/TLS 1.2+ encryption
- At Rest: Sensitive data encrypted using AES-256-GCM (Plaid tokens, documents)
- Passwords: Hashed using bcrypt with 10 salt rounds (industry standard)
- Database: SSL connections, parameterized queries (SQL injection protected)
Security Measures
- Rate Limiting: 5 login attempts per 15 minutes (prevents brute force)
- Two-Factor Authentication: Optional TOTP (Google Authenticator, Authy)
- Trusted Devices: Remember secure devices to reduce 2FA prompts
- Security Headers: CSP, X-Frame-Options, HSTS configured
- Audit Trail: 7-year activity logs for compliance and security
Data Retention & Deletion
Retention Periods
- Transaction Data: Retained until you delete your account
- Documents: Retained until you delete them or your account
- Audit Logs: 7 years (legal/compliance requirement)
- Webhook Events: 90 days
- Sync History: 180 days (6 months)
Automated Cleanup
We automatically delete old temporary data to minimize storage:
- Failed job logs after 30 days
- Resolved duplicate notifications after 30 days
- Old exchange rate data after 365 days
Your Privacy Rights (CCPA)
California Residents: You have additional rights under CCPA. Contact us at support@nyphex.com to exercise your rights.
Third-Party Services
We integrate with the following third-party services:
Plaid (Bank Connections)
Connects to your bank for transaction data
Privacy Policy: plaid.com/legal
OpenAI/Anthropic (AI Analysis)
Powers AI insights and document processing (PII redacted first)
Privacy Policy: openai.com/privacy
Cookies & Tracking
We use minimal cookies for essential functionality:
- Authentication Cookie: Stores your login session (JWT token)
- Preference Cookie: Remembers your theme, language, and settings
- Security Cookie: CSRF protection
We do NOT use: Third-party analytics, advertising trackers, or social media pixels.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Email notification to your registered email address
- In-app notification when you next log in
- Updating the "Last Updated" date at the top of this page
Contact Us
If you have questions about this Privacy Policy or how we handle your data:
This Privacy Policy is effective as of December 26, 2024 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.