Pearl Tech Inc.

PRIVACY POLICY

Last Updated: January 1, 2025

This Privacy Policy explains how Pearl Tech Inc., a Delaware corporation ("Company," "we," "us," or "our"), collects, uses, discloses, and safeguards personal information in connection with our mobile applications for iOS and Android, our website https://www.joinpearlai.com (the "Site"), our waitlist experience, and related services (collectively, the "Services"). By using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.

Contact: [email protected] | 701 Brazos St, Austin, Texas USA 🇺🇸

Financial Privacy (GLBA/Reg P). To the extent we provide financial products or services for personal, family, or household purposes, certain information we handle may be nonpublic personal information (NPI) governed by the Gramm-Leach-Bliley Act and Regulation P. Where GLBA applies, state consumer privacy laws (e.g., CCPA/CPRA) typically do not apply to that NPI. This Policy covers both GLBA-covered and non-GLBA data and explains the difference.

1. SCOPE; AVAILABILITY; ROLES

  • Territory. The Services are available to individuals in the United States. We may expand to Canada and Europe (EEA/UK/CH) later; if so, we will publish required jurisdiction-specific notices and transfer mechanisms.
  • Adults. The Services are intended for adults. App Store and Google Play age gates apply (see §16).
  • Role. We act as a business/controller for our processing and, in limited cases, a service provider/processor to financial institutions or partners.

2. CATEGORIES OF INFORMATION WE COLLECT

The information we collect depends on how you use the Services and your settings.

A. You Provide to Us

  • Account & Profile. Name, email, (optional) phone, hashed password, state/country, time zone, preferences, communication settings.
  • Budgeting Inputs. Goals, categories, pay cycles, recurring bills/subscriptions, notes, manual entries (e.g., cash), user tags.
  • Waitlist & Marketing. Email and/or phone/SMS consent; referral code/source if applicable.
  • Support & Feedback. In-app messages, email support, attachments you send, troubleshooting data you choose to share.
  • Consents/Preferences. Records of cookie choices, ad opt-outs, privacy settings.

B. Financial Account Information (Optional; Read-Only Today)

If you link accounts via direct/open-bank APIs or a bank partner (when available), we receive, as permitted by you and your bank(s):

  • Account Metadata & Balances. Institution, type, masked identifiers, current/available balances, currency.
  • Transactions. Merchant/payee, amount, date/time, category, memo/description, and standardized enrichment fields.
  • Investments/Holdings (if applicable). Security identifiers (e.g., ticker/CUSIP), quantities, valuations; limited cost basis if provided.
  • Debt/Credit. APR, minimums, due dates, payment history fields provided through the API.

No scraping; no credentials to us. We do not use credential-based screen scraping. Authentication occurs directly with your financial institution or a bank-approved interface. Your online-banking credentials are not shared with us.

C. Automatically Collected

  • Device & Log. IP address, coarse location (IP-derived), device/OS type and version, app version/build, language, time zone, performance metrics, crash/error logs, diagnostic telemetry.
  • Usage Analytics. Screens viewed, taps/clicks, navigation and search, feature flags, referral/UTM parameters.
  • Cookies/Local Storage/Mobile SDKs. Authentication, preferences, analytics; if enabled, marketing/retargeting (see §10).

D. Sensitive Personal Information

We do not require SSN, driver's license, precise geolocation, or biometrics for budgeting. If future features (e.g., transfers, advisory) require limited sensitive data, we will provide just-in-time notice, obtain consent where required, and restrict use to that purpose (§14).

3. SOURCES

  • You and your devices (use, settings, communications).
  • Financial institutions you connect via direct/open-bank APIs or bank partners.
  • Vendors providing hosting, storage, analytics, error monitoring, communications, and AI functionality.

We do not purchase data from data brokers.

4. HOW WE USE INFORMATION (PURPOSES)

We process information to:

  1. Provide & Operate the Services: account creation/login, secure sessions, syncing, categorization/enrichment, budgets, insights, notifications.
  2. AI Financial Assistant features: summarization, anomaly detection, forecasts, educational explanations (§12).
  3. Personalization: non-sensitive tailoring of content and tips; saved preferences.
  4. Security & Integrity: fraud/abuse detection, account protection, rate limiting, audit logging, incident response.
  5. Analytics & Improvement: usage trends, performance, crash diagnosis, A/B testing, quality/reliability.
  6. Marketing & Waitlist: product updates and promotions where permitted; opt-out any time.
  7. Compliance & Legal: GLBA/Reg P, consumer protection, tax/audit, responding to lawful requests.
  8. Research & Statistics: using de-identified/aggregated data for product development, benchmarking, and reporting.

EEA/UK/CH legal bases (if/when applicable): contract (Art. 6(1)(b)), legitimate interests (security, analytics, improvement, personalization) (Art. 6(1)(f)), consent (ads/certain cookies; optional diagnostics) (Art. 6(1)(a)), legal obligation (Art. 6(1)(c)).

5. GLBA vs. STATE PRIVACY LAWS (WHAT'S COVERED; WHAT ISN'T)

  • GLBA-covered (NPI). Personal financial information we collect and use to provide your financial service (e.g., linked-account balances, transactions, holdings, budgets derived from your transactions).
  • Not GLBA-covered. Website/app analytics, cookies/SDK identifiers, marketing contact info, ad/retargeting data, and aggregated/de-identified reports—these may be subject to state privacy laws (see §17). We apply appropriate rights/opt-outs where required.

6. ADVERTISING; "SALE"/"SHARE"; OPT-OUTS

  • Free product; ads possible. We may show advertising and use retargeting/audience tools.
  • No sale of identifiable personal information. We do not sell your identifiable personal information.
  • "Share"/Targeted Advertising. Where state law treats certain adtech disclosures as a "sale" or "sharing," you may opt out using an in-app control labeled "Do Not Sell or Share My Personal Information". We honor Global Privacy Control (GPC) where required.
  • Aggregated/De-identified commercial insights. We may sell/license aggregated, de-identified findings (e.g., "543 iPhones were purchased last month"). Contracts prohibit re-identification and we maintain technical and organizational measures to preserve de-identification.

7. DISCLOSURES AND RECIPIENTS

We disclose information under confidentiality, security, and purpose-limitation obligations to:

  • Service Providers/Processors. Hosting/cloud, storage/backup, CDN/WAF/DDoS, analytics/telemetry, crash/error monitoring, communications (email/SMS/push), in-app support, CI/CD and logging.
  • Financial Connectivity. Direct/open-bank APIs and bank partners for read-only access you authorize.
  • AI Providers. To deliver AI features under §12.
  • Legal/Regulatory. As required by law or to protect rights, safety, users, or the integrity of the Services.
  • Corporate Transactions. In connection with or during diligence for a merger, acquisition, financing, reorganization, or sale of assets (with continued protections).

We do not authorize our service providers to use your information for their own independent purposes.

8. FINANCIAL DATA CONNECTIVITY (YOUR AUTHORIZATION)

When you link an account:

  • You authorize Pearl Tech Inc. and our direct/open-bank connectivity (or bank partners) to obtain read-only financial information from your bank(s) and share it with us solely to deliver the Services you request.
  • Your credentials go directly to your bank or a bank-approved interface; we do not receive or store them.
  • You may disconnect accounts at any time in Settings. We will stop new retrievals and handle existing data per Retention (§13).

9. AI/ML: INFERENCE, TRAINING & FINE-TUNING (DE-IDENTIFIED)

  • Minimization & De-ID. We design prompts/pipelines to exclude personal identifiers; we rely on de-identified or aggregated financial data wherever feasible.
  • Model Providers. We use pre-built models and may fine-tune models. Unless we clearly state otherwise or obtain your explicit consent, we do not allow AI vendors to use your identifiable data to train their general models.
  • Training/Evaluation. We train and evaluate our AI features on de-identified/aggregated financial data to improve accuracy and safety.
  • No solely automated legal/similar effects. AI outputs are assistive; we do not make decisions with legal or similarly significant effects solely by automated means.

10. COOKIES, SDKs, AND ONLINE TRACKING

  • Necessary. Auth, session continuity, load balancing, WAF/DDoS.
  • Functional. Preferences, theming, localization.
  • Analytics. Product usage, funnels/cohorts, performance, crashes.
  • Advertising (if enabled). Interest-based ads/retargeting with opt-outs (§6).
  • DNT/GPC. Browser DNT lacks a standard; we do not respond to DNT. We honor GPC where required.

You can manage preferences in-app (and via Cookie Preferences when the web app launches) and via your browser/OS.

11. SECURITY

We maintain administrative, technical, and physical safeguards aligned with industry and regulatory expectations, including:

  • Encryption in transit (TLS) and at rest using AWS Key Management Service (KMS) with envelope encryption.
  • Hardened cloud infrastructure; segregation of environments; RBAC and least-privilege access; MFA for privileged accounts; periodic access reviews.
  • Secure SDLC; dependency and vulnerability management; penetration testing; audit logging and anomaly detection; incident response with post-mortems.

No method is 100% secure. You must safeguard your credentials and use strong, unique passwords.

12. YOUR PRIVACY RIGHTS

Depending on your U.S. state of residence, you may have rights to access/know, correct, delete, port, opt out of "sale/share" and targeted advertising, limit certain uses of sensitive data (where applicable), and appeal a decision. We do not discriminate for exercising rights.

Exercising rights: Use in-app privacy controls or email [email protected]. We verify requests using information we maintain and use verification data only for that purpose. Authorized agents may act where permitted.

13. DATA RETENTION

We retain personal information for as long as legally permitted and necessary to (i) provide and improve the Services, (ii) maintain security/integrity, (iii) meet legal, tax, accounting, and regulatory obligations, (iv) resolve disputes, and (v) enforce agreements. Where ongoing retention remains reasonably necessary for legitimate purposes, we retain data for the maximum duration allowed by applicable law. Typical targets (subject to legal holds/requirements):

Data Type: Typical Retention

  • Account & profile: Life of account + up to 12 months
  • Linked-account data (read-only pulls): Life of account + up to 12 months (or longer if required/permitted)
  • Usage/telemetry & security logs: 12–18 months rolling
  • Crash/error logs: 90–180 days (longer for active incidents)
  • Marketing/consent records: 24 months or as required
  • Backups/snapshots: Rolling 30–90 days (DR purposes)
  • Payment/tax records (if any): Per law (often 7 years in the U.S.)

Upon account deletion or disconnection, we cease new retrievals and handle existing data per the schedule above unless longer retention is required or permitted by law. De-identified data may be retained for analytics; we will not re-identify it except to test de-ID safeguards.

14. FUTURE MONEY MOVEMENT & ADVISORY (DISCLOSURE)

  • Current state: Read-only connectivity (no transfers).
  • Future state: If we add transfers or SEC investment advisory features, we will provide just-in-time notices, obtain consents, implement KYC/AML and other controls as required, and update this Policy and our Terms accordingly.

15. DISCLOSURE MAP (GLBA vs. State Law)

  • GLBA/NPI (exempt from CCPA/CPRA): linked-account balances, transactions, holdings; budgets derived from your transactions; financial insights provided to you.
  • Non-GLBA (state laws apply): website/app analytics; cookies/SDK identifiers; marketing contact info; ad/retargeting data; aggregated/de-identified reports.
  • Profiling: We do not engage in solely automated decisions with legal/similar effects.
  • Sensitive data: Not required for budgeting; if later collected (e.g., identity verification), we'll provide just-in-time purpose limitation and lawful basis.

16. CHILDREN'S PRIVACY

The Services are intended for adults and are distributed via App Store and Google Play age settings. We do not knowingly collect personal information from children. If you believe a child provided personal information, contact [email protected] and we will promptly delete it.

17. U.S. STATE DISCLOSURES (CA, CO, CT, DE, FL, IN, IA, KY, MN, MT, NE, NH, NJ, OR, TN, TX, UT, VA)

  • We do not sell your identifiable personal information.
  • Where "sharing" for targeted advertising is implicated, you can opt out in Settings; GPC honored where required.
  • California "Shine the Light" requests: email [email protected] with subject "Shine the Light."
  • Appeal rights: if we decline a request, reply to our decision or email with "Appeal" in the subject; we'll respond within the time required by your state.

18. DATA PROCESSING LOCATIONS & INTERNATIONAL TRANSFERS

Primary Processing: We process data primarily in the United States through our service providers.

Service Provider Locations: Our service providers may process data in multiple jurisdictions:

  • Supabase: Data centers in US-East, US-West, and other regions as configured by us.
  • AWS: US regions (primary), with encryption in transit and at rest via AWS KMS.
  • Cloudflare: Global edge network with data processing in US and international locations for performance optimization.
  • Google Cloud: US regions for cloud functions and related services.

Future International Expansion: If we later support EEA/UK/CH or Canada users, we will implement appropriate transfer safeguards (e.g., Standard Contractual Clauses (SCCs)), complete transfer impact assessments where required, and publish jurisdiction-specific rights notices.

Financial Data Residency: Your linked financial account data remains subject to your bank's data residency policies. We do not control where your financial institution stores your data, but our processing of that data occurs primarily in the United States.

19. THIRD-PARTY SERVICES & LINKS

The Services may include links to or integrations with third-party services that have their own privacy policies (e.g., bank APIs, analytics, email/SMS, in-app messaging, AI providers). Review their policies before enabling integrations or sharing information.

20. DE-IDENTIFICATION & AGGREGATION COMMITMENT

We may de-identify or aggregate information for analytics, product development, and commercial reporting. We maintain contractual, technical, and organizational measures designed to prevent re-identification and prohibit recipients from attempting it.

21. CHANGES

We may update this Policy. The "Last Updated" date shows the latest revision. For material changes, we will provide prominent notice (e.g., in-app, email). Please review updates carefully.

22. CONTACT

Pearl Tech Inc.
701 Brazos St, Austin, Texas USA 🇺🇸
Email: [email protected]
Website: https://www.joinpearlai.com

GOVERNING LAW & JURISDICTION

This Privacy Policy and any disputes arising from it are governed by the laws of the State of Delaware, without regard to conflicts of law principles.

Venue & Jurisdiction: Any legal action or proceeding arising under this Privacy Policy will be brought exclusively in the courts located in Delaware, and you consent to personal jurisdiction and venue in those courts.

GLBA MODEL PRIVACY NOTICE (SHORT FORM)

FACTS: What does Pearl Tech Inc. do with your personal financial information?
WHY? We use your information to deliver budgeting/insights you request, maintain and secure your account, comply with law, and improve our Services.
HOW? We share only as permitted by law with service providers (hosting, analytics, support), direct/open-bank providers and your banks (at your direction), professional advisors, and legal/regulatory recipients. We do not sell your identifiable personal information.
TO LIMIT SHARING: Use in-app privacy settings or email [email protected].
QUESTIONS? [email protected].

APPENDIX A — ILLUSTRATIVE VENDOR/SUBPROCESSOR LIST (UPDATE AS IMPLEMENTED)

  • Database & Backend: Supabase (PostgreSQL database, authentication, real-time subscriptions, edge functions); AWS (compute, storage, logging; AWS KMS for key management).
  • Web Infrastructure: Cloudflare (CDN, DDoS protection, WAF, DNS, SSL/TLS termination, edge caching, bot mitigation).
  • Cloud Functions: Google Cloud Functions (serverless compute for API endpoints, data processing, scheduled tasks).
  • Data Connectivity: Direct/open-bank APIs and/or bank partners (no credential scraping).
  • Analytics & Monitoring: Product analytics platform (e.g., Amplitude/Mixpanel); crash/error monitoring (e.g., Sentry); performance telemetry.
  • AI: Third-party AI provider(s) for inference and fine-tuning on de-identified/aggregated data.
  • Communications: Email/SMS/push provider(s) (e.g., SendGrid/Postmark; Firebase/APNs; Twilio).
  • Support: In-app messaging/email ticketing (e.g., Intercom/Zendesk).

All service providers are contractually limited to our documented purposes and must implement security appropriate to their roles.

APPENDIX B — CALIFORNIA "NOTICE AT COLLECTION" (WEB/MOBILE)

Categories Collected: identifiers (e.g., email, device IDs), internet/activity data (analytics), geolocation (coarse/IP-derived), financial data you authorize (balances, transactions, holdings), inferences (non-sensitive), communications (support).

Purposes: provide Services; security; analytics; personalization; ads (if enabled); legal compliance.

Retention: as in §13 (as long as legally permitted/necessary).

Sale/Share: no sale of identifiable personal info; targeted advertising may constitute "sharing"—opt out in Settings; GPC honored.

Right to Know/Delete/Correct/Opt Out: see §12 and §17.

Contacts: [email protected] | 701 Brazos St, Austin, Texas USA 🇺🇸.

APPENDIX C — COOKIE/SDK DISCLOSURE (WEB; PREP FOR LAUNCH)

  • Strictly Necessary: session/auth, load balancing, WAF/DDoS.
  • Functional: preferences, theming, locale.
  • Analytics: usage metrics, crash diagnostics.
  • Advertising (if enabled): retargeting/ad measurement.

Controls: Cookie banner + Preferences; browser/OS controls; in-app "Do Not Sell or Share" toggle; GPC honored where required.