Sprout Privacy Policy
Last updated: May 1, 2025
1. Who we are
Sprout ("we," "us," or "our") is a budgeting app for U.S. college students and young adults. We are preparing to incorporate in the State of Maryland. You can reach us at [email protected].
2. Who can use Sprout
Sprout is intended for U.S. residents 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has provided us personal information, please email us so we can delete it.
3. Information we collect
Category | Examples | How we collect |
---|---|---|
Account info | Name, email, hashed password (if you create one), subscription status | Directly from you during sign‑up or upgrade |
Financial‑account tokens | Secure Stripe access tokens that let us retrieve your balances & transactions | Via your explicit consent when you link a bank, credit‑card, or loan account |
Budget chat data | Messages you type to Sprout, category labels, goal amounts | From your in‑app activity |
Device & usage data | IP address, device type, crash logs, feature clicks | Via Google Analytics (GA4), PostHog, and Sentry |
Payment data | Last 4 digits of card, billing ZIP code, Stripe customer ID | Collected and stored by Stripe; Sprout only sees limited tokenized details |
We never store your full bank credentials or raw transaction history on our servers. All sensitive financial data lives in encrypted third‑party vaults (Plaid & Stripe). Sprout's database holds only the anonymized or tokenized references needed to power your budget.
4. How we use your information
- Provide the service – display budgets, goals, and spending insights.
- Maintain security and debug – monitor crashes or suspicious logins with Sentry.
- Product analytics – understand which features students love (Google Analytics & PostHog).
- Payment processing – manage subscriptions and billing via Stripe.
- Communications – send wait‑list updates, onboarding tips, and (optional) product news.
You can opt out of marketing emails anytime via the "unsubscribe" link.
5. Legal bases & disclosures
Purpose | Legal basis (U.S.) | Disclosures |
---|---|---|
Core budgeting service | Contractual necessity (your Terms of Service) | None beyond processors listed below |
Analytics & crash logs | Legitimate interest (service improvement) | Google Analytics, PostHog (self‑hosted), Sentry |
Payments | Contractual necessity | Stripe Payments LLC |
Legal compliance | Legal obligation | Government agencies if required (e.g., subpoenas) |
We do not sell or share your personal information with advertisers.
6. Third‑party processors
- Stripe – payments & subscription management
- Plaid (or equivalent aggregator) – secure bank connectivity
- Google Analytics (GA4) – website and app usage stats
- PostHog – in‑app product analytics (self‑hosted on GCP)
- Sentry – error monitoring
Each provider is vetted for SOC 2 or ISO 27001 compliance where available.
7. Data retention
Data type | Retention period | Deletion trigger |
---|---|---|
Financial‑account tokens & derived budget data | Deleted 14 days after you disconnect all accounts or delete your profile | User‑initiated disconnect or deletion |
Analytics events | 26 months (GA4 default) | Automatic roll‑off |
Payment records (Stripe) | 7 years (tax & accounting) | End of statutory period |
You may delete your account at any time from Settings or by emailing [email protected]. We'll confirm within 7 business days.
8. Security
- All traffic is encrypted in transit (TLS 1.2+).
- Secrets are stored in Google Secret Manager; data at rest is encrypted with AES‑256.
- Internal dashboards require MFA and role‑based access.
- We plan to pursue SOC 2 Type II certification in 2026.
9. Your privacy rights (U.S.)
Because Sprout serves only U.S. residents, federal GLBA rules apply to your financial data. Depending on your state (e.g., California's CCPA/CPRA), you may have rights to:
- Know what personal data we hold
- Request deletion or correction
- Opt out of data "sales" (we do none)
- Receive a copy of your data
Email [email protected] with the subject "Privacy Request" and we'll respond within 30 days.
10. Cookies
Our public website uses a single first‑party cookie to remember wait‑list form submissions. We do not use advertising cookies or cross‑site tracking pixels.
11. Changes to this policy
We'll post any updates here and change the "Last updated" date. Material changes will be emailed to registered users at least 10 days before they take effect.
12. Contact us
Questions? Email [email protected] or write to us (postal address coming after incorporation).
Plain‑English summary: we collect just enough data to power your budget, keep it encrypted, never sell it, and delete it shortly after you leave. If you need anything, we're one email away.