Arcane Ledger is a personal finance tool. We take your financial data seriously. This policy explains exactly what we collect, why, and how — including our use of Plaid to connect your bank accounts.
1. Who We Are
Arcane Ledger is operated by Stacked Alchemist ("we," "us," or "our"). You can reach us at stackedalchemist@gmail.com.
2. Information We Collect
We collect information you provide directly and information gathered through the services you connect.
- Account information: Your email address and password (managed by Firebase Authentication).
- Financial data: Bank account balances, transaction history, and account metadata retrieved through Plaid when you choose to connect a bank account.
- User-entered data: Manual transactions, bills, budgets, savings goals, and preferences you create inside the app.
- Usage data: Basic app interaction data collected through Firebase to help us improve performance and fix bugs.
3. How We Use Your Information
We use your data solely to operate and improve Arcane Ledger. Specifically:
- To display your account balances, transaction history, and financial forecasts.
- To calculate safe-to-spend amounts, budget progress, and bill schedules.
- To generate household spending summaries if you use the household sharing feature.
- To provide subscription billing via Stripe.
- To communicate service-related notices (e.g., billing issues, security alerts).
We do not sell your data. We do not use your financial data for advertising or share it with data brokers.
4. Plaid — Bank Account Connection
Arcane Ledger uses Plaid Inc. to securely connect to your bank accounts. When you connect a bank, you interact directly with Plaid's interface and are subject to Plaid's End User Privacy Policy.
What this means in practice:
- Your banking credentials are never seen or stored by Arcane Ledger. They are entered directly into Plaid's secure interface.
- Plaid provides us with a secure access token that allows us to retrieve your account balances and transactions on your behalf.
- We store this access token securely in Firebase, encrypted at rest, and use it only to refresh your financial data.
- You can revoke Plaid's access to your bank account at any time through your bank's account settings or by disconnecting in the Arcane Ledger app.
By connecting a bank account, you acknowledge Plaid's data practices as described in their privacy policy at plaid.com/legal.
5. Stripe — Payment Processing
Subscription billing is handled by Stripe. We do not store your credit card number or payment details. Stripe manages all payment information under their own privacy policy.
6. Firebase — Data Storage and Authentication
User accounts and financial data are stored in Google Firebase (Firestore). Firebase is SOC 2 Type II and ISO 27001 certified. Your data is stored in Google Cloud infrastructure in the United States. See Firebase's privacy documentation for details.
7. Data Sharing
We do not sell, rent, or trade your personal information. We share data only in these limited circumstances:
- Service providers: Plaid (bank connectivity), Stripe (billing), Firebase/Google (storage and authentication). Each operates under their own privacy policies.
- Household members: If you use the household sharing feature, shared account data is visible to the household members you explicitly invite.
- Legal requirements: If required by law or to protect the rights and safety of our users.
8. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data and financial records from our systems within 30 days. Some data may be retained in backup systems for up to 90 days after deletion.
9. Your Rights
You have the right to:
- Access the data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Revoke bank account access through Plaid at any time.
- Export your transaction data in CSV or JSON format from within the app.
To exercise any of these rights, contact us at stackedalchemist@gmail.com.
10. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information.
Your CCPA Rights:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, security purposes, legal obligations).
- Right to Opt-Out of Sale: We do not sell your personal information to third parties. There is nothing to opt out of, but this right exists for your protection.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
Categories of Personal Information Collected in the Last 12 Months:
- Identifiers: email address, Firebase user ID.
- Financial information: bank account balances and transaction history (retrieved via Plaid, with your authorization).
- User-generated content: manual transactions, budgets, bills, and goals you create in the app.
- Internet or network activity: app usage data collected through Firebase.
To exercise your CCPA rights, contact us at stackedalchemist@gmail.com with the subject line "CCPA Request". We will respond within 45 days. You may also use the data deletion feature within the app (Settings → Request Data Deletion).
11. Security
We use industry-standard security measures to protect your data. For a detailed overview of our security practices — including read-only bank access, encryption in transit and at rest, and our no-credential-storage policy — see our Security page.
- All data transmitted between your device and our servers is encrypted via HTTPS/TLS.
- Bank access tokens are stored server-side in Firebase and are never exposed to the browser.
- Firebase Authentication manages all user credentials using secure, hashed storage.
- Sensitive API keys are stored as Firebase Secrets, not in code or environment files.
12. Children's Privacy
Arcane Ledger is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the app or by email. Continued use of Arcane Ledger after changes constitutes acceptance of the updated policy.
14. Contact Us
For questions, requests, or concerns about this Privacy Policy: