Privacy Policy

Through your consented use of Plaid Link, Kai Financial may collect:

• Account identifiers, account names, and account types from linked financial institutions.
• Current and available account balances.
• Transaction history, including date, amount, merchant, category, and pending status.
• Plaid access tokens used to maintain the connection to linked institutions.

We do not collect or store your bank login credentials. Those are handled exclusively by Plaid and your financial institution.

• Calculate cash position and surface upcoming financial obligations.
• Detect unusual spending patterns or cash-flow events.
• Deliver private notifications and financial summaries through operator-controlled channels.
• Provide trend analysis and budgeting intelligence.

We do not sell your data. We do not share your data with third-party advertisers or marketing platforms.

Your data is shared only with:

• Plaid, Inc. — to retrieve and update financial data from your linked institutions under their End User Privacy Policy.
• Infrastructure providers required to operate Kai Financial: Vercel (SOC 2 Type II) for application hosting and Supabase (SOC 2 Type II) for encrypted database storage. These providers process data on our behalf under their respective data processing agreements and do not use your data for their own purposes.
• Legal authorities, only when legally compelled by valid subpoena, court order, or regulatory request.

We apply industry-standard security controls:

• All data in transit is encrypted with TLS 1.3.
• Plaid access tokens are encrypted at rest using AES-256-CBC with a dedicated encryption key, on top of the platform-level AES-256 disk encryption provided by Supabase.
• Access to systems that store or process your data is restricted to the founder and protected by phishing-resistant multi-factor authentication (biometrics, passkeys, hardware keys).
• All webhook integrations are authenticated with HMAC-SHA256 signatures.
• Credentials and secrets are stored outside cloud-synced directories and are never committed to source control.

• Plaid access tokens are retained only while your connection is active and are deleted upon disconnection or request.
• Account balances and transaction data are retained for up to 24 months to support trend analysis, then purged automatically.
• Aggregated, non-identifiable insights may be retained indefinitely for internal analytics.
• Operational logs are retained for 90 days; security audit logs for 12 months.
• Operational backups are retained for 30 days and rotated out automatically.

You may request deletion of your data at any time by emailing hello@7avenue.com. Requests are acknowledged within 48 hours and fully processed within 30 days. A written confirmation of deletion is provided upon completion.

Depending on your jurisdiction, you may have rights to:

• Access a copy of the data we hold about you.
• Correct inaccurate data.
• Request deletion of your data.
• Withdraw consent and disconnect linked institutions.
• Object to processing or request restriction of processing.

To exercise any of these rights, email hello@7avenue.com.

This policy is designed to comply with:

• The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
• The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
• The Fair Credit Reporting Act (FCRA), where applicable.
• Plaid's End User Privacy Policy and Data Protection Addendum.

Questions, requests, or concerns:

7AVENUE LLC
Connecticut, United States
hello@7avenue.com