Privacy Policy
Abundera, Inc. ("Abundera", "we", "us", or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy describes how we collect, use, and safeguard information when you visit abundera.ai (the "Website") or interact with our services.
1. Information We Collect
Information you provide
| Data | When | Purpose |
|---|---|---|
| Email address | Waitlist signup | Product updates, early access invitations |
| Name (optional) | If provided via email | Personalized communication |
Information collected automatically
| Data | Method | Purpose |
|---|---|---|
| IP address | Server logs | Rate limiting, abuse prevention |
| Browser type, OS | HTTP headers | Website compatibility |
| Pages visited | Cloudflare analytics | Website improvement |
| Referring URL | HTTP headers | Understanding traffic sources |
We do not use cookies for tracking. Cloudflare Web Analytics is privacy-first and does not use cookies or track individual users across sites.
2. How We Use Your Information
We use your information to:
- Send you product updates and early access invitations
- Respond to your inquiries or support requests
- Protect against abuse, fraud, and unauthorized access
- Improve the Website and plan future product features
- Comply with legal obligations
3. How We Store Your Data
Your data is stored on Cloudflare's global edge network, encrypted at rest by Cloudflare's infrastructure. This means:
- Data is encrypted at rest and in transit (TLS 1.3)
- No centralized data lake or single point of failure
- Data is processed at the edge, close to where you are
- We do not store data in traditional cloud databases
4. Data Sharing
We do not sell, rent, or trade your personal information.
We share data only with:
| Service | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Website hosting, database, analytics | Standard web request data |
| Plaid, Inc. | Read-only bank account and transaction data aggregation | Account linking credentials (never stored by Abundera) |
| Stripe, Inc. | Subscription billing and payment processing | Billing information (card data handled entirely by Stripe) |
| Resend | Transactional email delivery | Email address (for sending confirmations) |
| Twilio, Inc. | SMS notifications and account alerts | Phone number (for sending SMS notifications) |
We do not share your data with any advertising networks, data brokers, or marketing platforms. For a complete list of sub-processors, their data processing purposes, and links to their DPAs, see our Data Processing & Sub-Processors page.
5. Waitlist Data
We retain your email address for as long as you remain on our waitlist. You can request removal at any time by:
- Emailing privacy@abundera.ai with the subject "Remove from waitlist"
- Clicking the unsubscribe link in any email we send
Upon removal, your email address is permanently deleted from our database within 30 days. For full data retention details across all data types, see Section 10: Data Retention.
6. Your Rights
All users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal data
- Portability: Receive your data in a machine-readable format
California residents (CCPA)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect and why
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell data)
- Not be discriminated against for exercising your privacy rights
EU/EEA residents (GDPR)
If you are in the European Union or European Economic Area, you have additional rights including the right to lodge a complaint with your local data protection authority. Our legal basis for processing is legitimate interest (providing the service you signed up for) and consent (your decision to join the waitlist).
7. Financial Privacy Notice (GLBA)
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. While Abundera is a personal financial intelligence platform and not a traditional financial institution, we voluntarily comply with GLBA requirements as a best practice given the sensitivity of the financial data we handle.
Nonpublic personal information (NPI) we collect
Through your use of the Abundera platform, we may collect the following nonpublic personal information:
- Bank account numbers, balances, and transaction history (via Plaid, read-only)
- Investment account holdings, balances, and performance data
- Income sources, amounts, and employment information
- Tax filing status, deductions, and estimated tax liabilities
- Property ownership details and valuations
- Business financial data (revenue, expenses, entity structure)
- Insurance premiums, healthcare costs, and benefit elections
What NPI we share and with whom
We do not share your nonpublic personal information with non-affiliated third parties for marketing purposes. NPI is shared only with our sub-processors (listed on our Data Processing page) solely to deliver the Abundera service. Each sub-processor receives only the minimum data necessary for its function:
- Cloudflare: Encrypted platform data for hosting and storage
- Plaid: Account linking credentials (never stored by Abundera)
- Stripe: Billing information for payment processing
- Resend / Twilio: Contact information for transactional notifications only
How we protect NPI
- AES-GCM encryption at rest for all financial data fields
- TLS 1.3 encryption for all data in transit
- Role-based access controls limiting data access to authenticated users
- Comprehensive audit logging of all data access events
- Data isolation via per-tier database sharding
- Passkey-only authentication (no passwords to compromise)
Your right to opt out
We do not share NPI with non-affiliated third parties for purposes other than servicing your account. Because we do not engage in such sharing, there is no need to opt out. If our practices change, we will provide notice and an opt-out mechanism before any such sharing begins.
How to limit sharing
You may limit data sharing at any time by disconnecting financial accounts, requesting a data export, or closing your account. Contact privacy@abundera.ai for assistance.
8. Health and Medical Information
Abundera may collect and process limited health-related information as part of its financial advocacy platform. This section describes how we handle such data.
What health data we may collect
- Healthcare costs and insurance premiums (as financial line items)
- Medical expenses and copayments
- HSA/FSA account balances and contributions
- User-inputted health information (wellness goals, health conditions relevant to financial planning)
- Insurance plan details and coverage information
How we protect health data
- AES-GCM encryption at rest: All health data is encrypted at the application layer before storage, in addition to Cloudflare's infrastructure encryption.
- "Restricted" classification: Health data carries our highest data classification level, with the strictest access controls.
- Access logging: Every access to health data fields is logged in our audit trail with user ID, timestamp, and action.
- Minimum necessary standard: Internal systems access only the specific health data fields required for the requested operation.
HIPAA-aligned safeguards
Abundera is not a HIPAA covered entity or business associate. However, we voluntarily implement safeguards equivalent to HIPAA requirements because we believe health-related financial data deserves the highest level of protection:
- Administrative safeguards: designated security officer, workforce training, access management procedures
- Technical safeguards: AES-GCM encryption, unique user identification, automatic logoff, audit controls
- Physical safeguards: inherited from Cloudflare's SOC 2 Type II and ISO 27001 certified infrastructure
- Breach notification: affected users will be notified within 72 hours of a confirmed breach involving health data
Your rights regarding health data
- Data export: Health data is included in your full data export (Settings > Data Export).
- Deletion: Health data is permanently deleted when you close your account, following the 30-day grace period.
- No marketing use: We never share health data with third parties for marketing, advertising, or any purpose other than delivering the Abundera service.
9. Sub-Processors
For a complete list of sub-processors, their purposes, data processed, and links to their Data Processing Agreements, see our Data Processing & Sub-Processors page.
10. Data Retention
We retain your data only as long as necessary for the purposes described in this policy. The following summarizes our retention periods:
| Data Type | Retention Period |
|---|---|
| Financial records (transactions, balances) | Duration of account + 7 years (IRS requirement) |
| Account data (profile, settings) | Duration of account + 30-day grace period |
| Health data | Duration of account + 30-day grace period |
| Request logs (method, path, status, duration, IP) | 90 days (rolling) |
| Auth audit logs and admin action logs | 3 years (GLBA Safeguards Rule 16 CFR 314.4(c)(8)) |
| Waitlist entries | Until removed or account created |
| Billing records | 7 years (tax/legal requirement) |
Upon account closure, all personal data is scheduled for permanent deletion after a 30-day grace period (during which you may cancel the closure). Financial records required for tax compliance are retained for 7 years in an anonymized format.
11. Security
We implement appropriate technical and organizational measures to protect your personal information:
- TLS 1.3 encryption for all data in transit
- AES-GCM encryption at rest for sensitive fields
- Rate limiting on all API endpoints
- Passkey-only authentication (no passwords stored)
automated security checks per deployment
For details on our security architecture, see our Security page and Compliance page.
12. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
13. Third-Party Links
The Website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies.
14. Current Data Practices
Abundera is currently in alpha with financial data processing capabilities already built and operational. The platform connects to bank accounts via Plaid (read-only), processes subscription billing via Stripe, and stores financial data across tier-isolated database shards. The following practices are already in effect:
- Financial data handling: bank transactions, balances, income, investments, properties, and business data are encrypted with AES-GCM at rest and isolated per user tier (see Section 7)
- Health data protections: healthcare costs, insurance premiums, and HSA/FSA data carry our highest "Restricted" classification (see Section 8)
- AI model training: your data will never be used to train models for other users
- Progressive trust/permission model: users control which accounts are connected and which data categories are enabled
- Data isolation: per-tier database sharding ensures your financial data is stored separately from other users
As additional AI features are introduced, this Privacy Policy will be updated and users will be notified of material changes before they take effect.
15. Changes to This Policy
We may update this Privacy Policy as our practices evolve. Material changes will be communicated via email to waitlist members and by updating the "Last updated" date above. Continued use of the Website after changes constitutes acceptance.
16. Contact Us
For privacy-related questions, requests, or concerns:
Abundera, Inc.
Attn: Privacy
200 W Sahara Ave, Unit 3301
Las Vegas, NV 89102
privacy@abundera.ai
We will respond to all privacy requests within 30 days.