W
whoamiBack to app

Legal

Privacy Policy

Effective date: March 13, 2026

Overview

whoami is built on the belief that your personal data belongs to you. We collect only what is necessary to run the Service, we never sell your data, and we give you full control over what you share.

This Privacy Policy explains what data we collect, how we use it, and your rights regarding it.

1. Data We Collect

Account Information

When you create an account, we collect your name, email address, and hashed password (we never store your raw password). Optionally, you may add a phone number for SMS-based PIN recovery.

Financial Data (via Plaid)

If you connect a bank account, Plaid provides us with your account balances, transaction history, and account metadata. Your banking credentials (username and password) are entered directly into Plaid's secure interface — whoami never sees or stores them.

Journal Entries

Journal content you write, including titles, body text, mood ratings, and tags. This is stored in our database and is never shared with third parties. You may optionally lock journal entries with a PIN.

Notes

Notes you create, including title, content, tags, and color preferences. Individual notes may be PIN-locked by you.

Calendar & Reminders

Events and reminders you create directly in the app. If you connect Google Calendar via OAuth, we sync your Google Calendar events. You may disconnect Google Calendar at any time from Settings.

Health & Habit Data

Health metrics you manually enter (steps, sleep, weight, water intake, calories, heart rate) and habit tracking data you log. This data is stored only for your personal use.

Usage Data

We log security-relevant events (login attempts, failed authentications, 2FA events) to an audit log for account security purposes. We do not use cookies for tracking or analytics.

2. How We Use Your Data

  • Provide the Service: Your data is used to power the app's features — displaying your finances, journal, calendar, habits, and health data.
  • AI Assistant & Digest: When you use the AI assistant or generate a weekly digest, relevant data (financial summaries, mood trends, habit completion, upcoming events) is sent to Anthropic's Claude API to generate responses. Only aggregated summaries are sent — not raw journal content.
  • Email & SMS: Your email is used for account verification, password resets, PIN recovery, and the weekly digest. Your phone number (if provided) is used only for SMS PIN recovery codes.
  • Security: We use your data to detect unauthorized access, enforce rate limits, and maintain audit logs for account security.

3. Data Sharing

We do not sell, rent, or trade your personal data.

We share data only with the third-party services necessary to operate the app:

  • Neon (PostgreSQL): Hosts your data in a secure, encrypted PostgreSQL database.
  • Vercel: Hosts and serves the application. Does not have access to your data.
  • Plaid: Processes your bank connection. Governed by Plaid's own privacy policy.
  • Anthropic: Processes AI requests. Data sent to Claude API is governed by Anthropic's privacy policy and is not used to train models.
  • Resend: Delivers transactional emails (verifications, resets, digest).
  • Twilio: Delivers SMS PIN recovery codes.

We may disclose data if required by law, court order, or to protect the rights and safety of users or the public.

4. Data Security

We take security seriously and implement multiple layers of protection:

  • All data is transmitted over HTTPS/TLS
  • Passwords are hashed with Argon2id (industry-leading algorithm)
  • PINs are hashed with Argon2id and never stored in plaintext
  • OTP codes for PIN recovery are hashed with SHA-256
  • Two-factor authentication (TOTP) is available
  • Rate limiting on all authentication endpoints
  • Security headers: CSP, HSTS, X-Frame-Options, and more
  • Audit logging on all security-relevant events

5. Data Retention

We retain your data for as long as your account is active. When you delete your account, all associated data is permanently deleted from our systems within 30 days. Some data may be retained in backups for up to 90 days.

Financial transaction data fetched via Plaid is stored in our database for as long as your bank connection is active. You may disconnect your bank at any time from Settings.

6. Your Rights

You have the following rights regarding your data:

  • Access: You can view all your data directly within the app.
  • Deletion: You can delete individual entries at any time, or request full account deletion.
  • Portability: You can request an export of your data by contacting us.
  • Correction: You can edit any data you've entered at any time.
  • Withdraw Consent: You can disconnect third-party integrations (bank, Google Calendar) at any time from Settings.

7. Cookies

We use only a single session cookie to keep you logged in. We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use any third-party tracking scripts.

8. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date above. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

Questions or concerns about this Privacy Policy or your data? Contact us at privacy@whoami.company.

© 2026 whoami.company. All rights reserved.

Terms of ServicePrivacy Policy