Privacy Policy

Mack OS ("the Application") is a private personal finance dashboard owned and operated by a single individual ("Operator") for personal use. The Application is not offered to the public and accepts only one authenticated user, the Operator. All references to "you" in this policy refer to that user.

When you connect a financial account through Plaid Link, the following data is retrieved from your bank and stored in our database:

• Account metadata: account name, official name, account number mask (last four digits only), institution name, account type and subtype.
• Balances: current and available balances, credit limits.
• Transactions: transaction date, description, merchant, category, amount, pending status.
• Liabilities: APR, minimum payment, due date, and payoff date for credit cards and student loans where supported by the institution.
• Plaid Item access tokens: opaque server-side credentials that allow the Application to fetch the data above from Plaid on your behalf. These are never exposed to the browser.

The Application does not collect, store, or transmit:

• Full account or routing numbers.
• Online banking credentials. You enter these directly into Plaid Link, which is operated by Plaid Inc.; the Application never sees them.
• Social Security numbers retrieved from financial institutions.
• Health, location, biometric, government ID, or contact-list data.

Email address: required for sign-in via Supabase one-time passcode. No other personally identifying information is requested or stored.

Solely to compute the financial metrics displayed within the Application: balances, weekly safe-to-spend, tax-reserve estimates, debt payoff progress, project-income earned/unearned tracking, and cash-flow forecasting. Data is not used for advertising, profiling, AI model training, marketing, or any purpose unrelated to the Operator's own financial management.

• Database: Supabase Postgres, hosted on AWS in the United States, with AES-256 storage-level encryption enabled by default and key management via AWS KMS.
• Application server: Vercel, with TLS 1.2 or higher enforced for all client–server connections.
• Access controls: row-level security policies restrict every database row to its owning user. Plaid access tokens are read and written exclusively via a service-role context that runs server-side and is never exposed to the browser. Webhook receivers verify Plaid's ES256 JWT signature before processing any event.
• Backups: Supabase performs automated backups; backups inherit the same encryption as the live database.

The Application does not sell, rent, lease, license, or otherwise commercialize your data. Data is shared only with the following third parties, and only to the extent strictly necessary to operate the Application:

• Plaid Inc. receives the access tokens it issued so it can fetch the data you authorized when connecting an institution. Plaid's privacy practices are governed by their own policy: https://plaid.com/legal/#consumers.
• Supabase, Inc. hosts the database and authentication service. https://supabase.com/privacy.
• Vercel Inc. hosts the application runtime. https://vercel.com/legal/privacy-policy.

The Application will never share data with advertising networks, data brokers, analytics providers, AI training pipelines, or any party not strictly required for the Application to function.

As the sole user of the Application, you may at any time:

• Access all data the Application holds about you. Every screen of the Application is itself an export of your data.
• Delete all data via the data-deletion control in the Application's settings, which removes every row associated with your user.
• Disconnect any Plaid-linked institution. Disconnecting calls Plaid's /item/remove API to revoke the access token at the source.
• Cancel by requesting account deletion at the contact address below. Account deletion cascades to all associated data.

The Application uses cookies and local storage to maintain your authenticated session. No third-party tracking, advertising, or analytics cookies are set.

The Application is not intended for and is not used by anyone under 13.

Data is retained until you delete it or until the Operator disconnects the Application. Disconnecting an institution stops new data from being retrieved but retains historical transactions for the Operator's records unless explicitly deleted.

If this policy changes, the Effective date above will be updated. As the sole user, the Operator is the first to know about every change.

For any privacy-related question, contact: maschmitz48@gmail.com.