Privacy Policy

Introduction

Lightswap ("we," "our," or "us") is a financial management application that helps users manage their bank accounts, track spending, and access brokerage services — all from a single app. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website, mobile application, and related services (collectively, the "Service").

By using the Service, you consent to the collection and use of your information as described in this policy. If you do not agree with this policy, please do not use the Service.

Information We Collect

Account & Registration Information

When you create an account or join our waitlist, we may collect:

• Email address (stored in hashed form)
• Password (stored in hashed form; we never store your plaintext password)
• IP address (for security, fraud prevention, and rate limiting)
• Browser information and referral source

Device & Technical Information

When you use our mobile app, we collect:

• An anonymous device identifier (randomly generated UUID, not linked to your identity)
• Device platform (iOS/Android), OS version, and app version
• Locale and timezone

Financial Data

When you connect a bank account through our Service, we use third-party financial data providers (currently Plaid and Stripe Financial Connections) to access the following information from your linked financial accounts:

• Account balances: Current and available balances for your linked accounts
• Transaction history: Recent transactions including dates, amounts, merchant names, and categories
• Account details: Account type, currency, and masked account number (e.g., ****1234)
• Account ownership information: Account holder name and mailing address, where required for verification

Important: We never store your full bank account numbers, IBANs, sort codes, routing numbers, or bank login credentials on our servers. Your banking credentials are handled entirely by our financial data providers (Plaid and Stripe) and are never transmitted to or accessible by Lightswap.

Usage Data

We collect information about how you interact with the Service:

• Natural language queries you enter in the app
• Actions performed (e.g., viewing balances, requesting insights)
• Error logs for debugging and service improvement

Feedback & Support

When you submit feedback, we collect:

• Your feedback message
• Your email address (optional, if you choose to provide it)
• App version and device information (for debugging)

How We Use Your Information

We use the information we collect for the following purposes:

Financial Management & Insights

• Display your bank account balances and provide a unified view of your finances
• Generate your daily financial briefing ("Rundown"), which analyses your recent transactions, spending patterns, income, and upcoming bills
• Provide AI-powered financial insights and summaries

Payment Processing

• Facilitate bank payments and transfers on your behalf
• Track payment status and provide confirmation
• Maintain regulatory audit records for completed payments

Service Operation & Improvement

• Operate and maintain the Service
• Improve our product based on usage patterns and feedback
• Communicate updates and respond to support requests

Security & Fraud Prevention

• Detect and prevent unauthorised access, fraud, and abuse
• Rate-limit API requests to protect the Service
• Verify payment consent and maintain audit trails

Legal Basis for Processing

We process your information on the following legal grounds:

• Consent: When you connect a bank account, you explicitly authorise us to access your financial data through our data providers. You can revoke this consent at any time by disconnecting your account.
• Contract performance: Processing necessary to provide the Service you have requested.
• Legitimate interests: Service improvement, security, and fraud prevention, where these interests do not override your rights.
• Legal obligation: Where we are required to retain data to comply with financial regulations.

Data Storage & Regional Processing

We maintain strict regional data separation:

• United States users: Your data is processed and stored on servers located in the United States. Financial data accessed via Stripe Financial Connections is stored exclusively within the United States.
• European Union and United Kingdom users: Your data is processed and stored on servers located within the European Union.

Data belonging to US customers will never be transferred to or stored on EU servers, and data belonging to EU/UK customers will never be transferred to or stored on US servers. These datasets are kept strictly separate.

Data Sharing & Third-Party Processors

We never sell your personal data. We share information only with the following categories of service providers, solely to operate the Service:

Financial Data Providers

• Plaid Inc. — Facilitates bank account connections for EU and UK users. Plaid accesses your bank account data (balances, transactions) on our behalf. Plaid's use of your data is governed by the Plaid End User Privacy Policy.
• Stripe, Inc. (Financial Connections) — Facilitates bank account connections for US users. Stripe accesses your bank account data (balances, transactions, account ownership) on our behalf. Stripe's use of your data is governed by the Stripe Privacy Policy.

AI Processing

• Anthropic PBC — We use Anthropic's Claude AI to process your natural language queries and generate financial insights (such as your daily Rundown). Transaction data and account balances may be sent to Anthropic's API for analysis. Anthropic does not use data sent via their API to train their models. Anthropic's use of data is governed by the Anthropic Privacy Policy.

Infrastructure Providers

• Cloudflare, Inc. — Content delivery and security services.
• Render Services, Inc. — Application hosting.

We do not share your financial data with any third parties beyond the service providers listed above, and only to the extent necessary to operate the Service. We contractually require our service providers to protect your data and use it only for the purposes we specify.

Data Security

We maintain a comprehensive information security programme designed to protect your data. Our security measures include:

Zero-Knowledge Architecture

• Your API keys, private keys, and bank login credentials are never stored on our servers
• Sensitive credentials are encrypted and stored locally on your device using the iOS Keychain
• Brokerage and exchange operations are executed directly from your device — our server never has access to your third-party accounts

Encryption & Access Controls

• All data in transit is encrypted using TLS/HTTPS with HSTS enforcement
• Sensitive data at rest (email addresses, passwords) is cryptographically hashed
• Bank account access tokens from financial data providers are used ephemerally and are not retained on our servers
• Access to data is restricted to authorised personnel with a demonstrated business need

Monitoring & Incident Response

• We monitor our systems for unauthorised access and suspicious activity
• Payment consent records are maintained in append-only audit logs that cannot be altered or deleted
• In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authorities in accordance with applicable law

Data Retention

We retain your data only for as long as necessary for the purposes described in this policy:

• Financial data (balances, transactions): Processed in real time to generate insights and not stored long-term on our servers. Cached temporarily for the duration of your session only.
• Payment records & consent audit logs: Retained for a minimum of 5 years to comply with financial services regulations.
• Feedback data: Retained for 2 years from submission, then automatically deleted.
• Device and usage data: Retained for as long as your account is active, then deleted within 90 days of account closure.
• Waitlist data: Retained until the waitlist programme ends or you request removal.

When data is no longer required, we delete or anonymise it. Where deletion is not immediately possible (e.g., data in backup systems), we isolate and protect the data until deletion is feasible.

Your Rights

All Users

Regardless of where you are located, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete your personal data (subject to legal retention requirements)
• Disconnect your linked bank accounts at any time
• Opt out of marketing communications

EU/UK Users (GDPR)

If you are located in the European Union or United Kingdom, you additionally have the right to:

• Data portability: Receive your data in a structured, machine-readable format
• Restrict processing: Request that we limit how we use your data
• Object to processing: Object to processing based on legitimate interests
• Withdraw consent: Withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal
• Lodge a complaint: File a complaint with your local data protection supervisory authority

California Users (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Delete your personal information
• Non-discrimination: We will not discriminate against you for exercising your rights

We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.

Exercising Your Rights

To exercise any of these rights, contact us at support@lightswap.com. We will respond to your request within 30 days.

Cookies & Tracking

Our website uses only essential cookies required for the site to function. We do not use advertising cookies, tracking pixels, or third-party analytics services that track you across other websites.

Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app or by email before the changes take effect. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at:

support@lightswap.com