Privacy Policy
Effective date: February 24, 2025
1. Introduction
Thales ("Thales," "we," "us," or "our") operates a personal finance management platform that provides users with personalized financial insights, analytics, and recommendations. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our services (the "Services").
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access the Services.
Our core principle is simple: your financial data belongs to you and is used only to deliver the functionality you explicitly request. We do not sell your data, use it for advertising, or share it with any third party for commercial purposes.
2. Information We Collect
a. Information You Provide Directly
When you create an account, we collect information such as your name, email address, and any preferences you configure within the Services (e.g., financial goals, budget categories).
b. Financial Data Accessed Through Plaid
To provide financial insights, we integrate with Plaid Technologies, Inc. ("Plaid"), a leading financial data infrastructure provider. Through Plaid, we may receive the following categories of financial data from your connected accounts:
- Account balances and account identifiers (e.g., last four digits of account numbers)
- Transaction history, including amount, date, and merchant
- Account type and institution name
- Income and payroll data (only if you explicitly enable such features)
c. Usage and Technical Data
We may automatically collect certain technical information when you interact with the Services, including:
- IP address and approximate geographic location
- Browser type, operating system, and device identifiers
- Pages visited, features used, and interaction timestamps
- Error logs and crash reports to improve Service reliability
3. How We Use Your Information
We use the information we collect solely to provide, maintain, and improve the Services you have requested. Specifically, we use your information to:
- Generate personalized financial insights, spending summaries, and budget analytics
- Deliver AI-driven recommendations relevant to your stated financial goals
- Send account-related notifications and alerts (e.g., unusual spending, low balances)
- Authenticate your identity and manage your account security
- Diagnose technical issues and improve Service performance
- Comply with applicable laws and legal obligations
We process your financial data only to the minimum extent necessary to provide the features you use.
4. What We Do Not Do With Your Data
We want to be unambiguous about the limits on how your data is used. Thales expressly commits to the following:
- We do not sell your personal or financial data to any third party under any circumstances.
- We do not share your data with advertisers or data brokers.
- We do not use your financial data for targeted advertising, behavioral profiling, or any commercial purpose other than delivering the Services.
- We do not train general-purpose AI models on your personal financial data without your explicit, informed consent.
- We do not access your full account numbers, routing numbers, or login credentials. This information is never transmitted to Thales systems.
5. Plaid and Financial Data Access
Thales uses Plaid to establish a read-only connection to your financial accounts. "Read-only" means that Thales and Plaid can retrieve account information and transaction data on your behalf, but cannot initiate transactions, move funds, or modify your accounts in any way.
When you connect a financial account through Thales, you are subject to Plaid's End User Privacy Policy, available at plaid.com/legal. Plaid maintains independent security certifications and operates under its own privacy framework.
6. Data Security
We implement and maintain industry-standard technical and organizational measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256 or equivalent standards
- Role-based access controls limiting data access to authorized personnel with a documented business need
- Regular security assessments and vulnerability management practices
- Audit logging of data access to detect and investigate anomalous activity
No method of electronic storage or transmission over the internet is 100% secure. While we employ commercially reasonable security practices, we cannot guarantee absolute security. In the event of a data breach that affects your rights, we will notify you as required by applicable law.
7. Data Retention
We retain your personal and financial data for as long as your account remains active or as necessary to provide the Services. Upon account deletion:
- We will delete or anonymize your personal information within 30 days of your deletion request, except where retention is required by law.
- Aggregated, non-identifiable analytics data may be retained for internal product analysis.
- Backup copies may persist for up to 90 days in encrypted storage before permanent deletion.
To request deletion of your account and associated data, contact us at privacy@mythales.co.
8. Your Rights and Choices
Depending on your state of residence, you may have certain rights with respect to your personal information under applicable US privacy laws (including the California Consumer Privacy Act, as amended by the CPRA). These rights may include:
- Right to Access: The right to request a copy of the personal information we hold about you.
- Right to Deletion: The right to request that we delete your personal information, subject to certain legal exceptions.
- Right to Correction: The right to request that we correct inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell your personal information. This right is therefore inapplicable, but we honor it categorically.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of the above rights, please contact us at privacy@mythales.co. We will respond within 45 days as required by applicable law.
9. Children's Privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected information from a minor, we will take prompt steps to delete such information. If you believe a minor has provided us with personal information, please contact us at privacy@mythales.co.
10. Third-Party Links and Services
The Services may contain links to third-party websites or integrate with services other than Plaid (e.g., authentication providers). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Services.
We are not responsible for the privacy practices of third-party services and do not control how those services collect or use your information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will provide notice of material changes by updating the "Effective date" at the top of this page and, where required by law, by sending you an email notification.
Your continued use of the Services after any modification to this Privacy Policy constitutes your acceptance of the updated terms.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: