Privacy Policy

Effective: March 1, 2026

Zoninga ("we," "us," or "our") operates the personal finance dashboard at zoninga.com. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (stored as a one-way cryptographic hash — we never store your actual password)
  • Account preferences (currency, timezone, display settings)

1.2 Financial Data You Provide

You may manually enter financial information including:

  • Bank and investment account names and balances
  • Transactions (amounts, descriptions, dates, categories)
  • Budgets and savings goals
  • Tags and notes attached to financial records

1.3 Financial Data from Plaid

If you choose to link a bank account, we use Plaid Inc. to securely connect to your financial institution. Through Plaid, we may receive:

  • Account names, types, and balances
  • Transaction history (amounts, dates, merchant names, categories)
  • Account and routing numbers (used only for account identification, stored encrypted)

Plaid's use of your data is governed by the Plaid End User Privacy Policy. We encourage you to review it before linking your accounts.

1.4 Billing Data

If you subscribe to a paid plan, payment processing is handled by Stripe Inc.. We do not store your credit card number. We receive from Stripe:

  • Subscription status and plan details
  • Payment history (amounts, dates, last four digits of card)

1.5 Usage and Security Data

We automatically collect:

  • Login timestamps and IP addresses (for security and fraud prevention)
  • Failed login attempts (tracked by django-axes for account protection)
  • Browser type and device information (from standard HTTP headers)

2. How We Use Your Information

We use your information to:

  • Provide and maintain the Zoninga financial dashboard
  • Sync and display your bank account data via Plaid
  • Generate financial reports, charts, and insights
  • Process subscription payments through Stripe
  • Send account notifications (budget alerts, goal milestones, billing receipts)
  • Protect your account through security monitoring and rate limiting
  • Improve the service based on aggregated, anonymized usage patterns

3. How We Share Your Information

3.1 We Do Not Sell Your Data

We will never sell, rent, or trade your non-anonymized personal or financial data to third parties.

3.2 Service Providers

We share data with third-party service providers only as necessary to operate the service:

Provider Purpose Data Shared
Plaid Bank account linking Financial institution credentials (via Plaid Link — never seen by Zoninga)
Stripe Payment processing Email, subscription plan details
Google Cloud Hosting and infrastructure All data (encrypted at rest and in transit)
Sentry Error monitoring Technical error reports (no financial data)

3.3 Anonymized and Aggregated Data

We may use anonymized, aggregated data (which cannot identify any individual) for analytics, research, or service improvement.

3.4 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.5 Business Transfers

If Zoninga is acquired, merged, or sells substantially all of its assets, your data may be transferred to the new owner. We will provide at least 30 days' advance notice via email before any such transfer, giving you the opportunity to delete your account and data beforehand.

4. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption at rest: Sensitive fields (account names, transaction descriptions, bank credentials) are encrypted using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256)
  • Encryption in transit: All connections use TLS 1.2 or higher
  • User data isolation: Every database query is scoped to the authenticated user — you can never access another user's data
  • Rate limiting: All write endpoints are rate-limited to prevent abuse
  • Multi-factor authentication: Optional TOTP-based MFA is available for all accounts
  • Brute-force protection: Accounts are temporarily locked after repeated failed login attempts
  • Automated vulnerability scanning: Dependencies and code are scanned for security issues on every deployment

5. Your Rights

5.1 Right to Know

You may request a copy of the personal information we hold about you. Your financial dashboard already displays all of your stored data. For a formal data export, contact us at support@zoninga.com.

5.2 Right to Delete

You may request deletion of your personal data at any time. You can delete individual records directly within the dashboard, or request full account deletion by contacting support@zoninga.com. Deletion requests are fulfilled within 45 days in accordance with the California Consumer Privacy Act (CCPA). Certain financial records may be retained for up to 7 years as required by tax and regulatory law (see Section 6).

5.3 Right to Opt-Out of Sale

We do not sell your personal information. No opt-out is necessary because we never engage in the sale of non-anonymized user data.

5.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You will receive the same service quality and pricing regardless of whether you exercise these rights.

5.5 Plaid Data Rights

You may disconnect your linked bank accounts at any time through the Zoninga dashboard. When you disconnect, we revoke the Plaid access token immediately. Previously synced transaction data remains in your account unless you explicitly delete it.

6. Data Retention

We retain your data according to the following schedule:

  • Active accounts: Your data is retained for as long as your account remains active.
  • After account cancellation: We retain financial records for 7 years after cancellation to comply with IRS record-keeping requirements (26 USC 6501) and Bank Secrecy Act/Anti-Money Laundering regulations.
  • After the retention period: All personal data is permanently deleted or irreversibly anonymized.
  • Plaid access tokens: Revoked immediately upon account cancellation or bank disconnection.

For complete details, see our internal Data Retention Policy, available upon request.

7. Children's Privacy

Zoninga is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it promptly.

8. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email to the address associated with your account. Your continued use of the service after the effective date of a revised policy constitutes acceptance of the changes.

9. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

Zoninga
Email: support@zoninga.com
Website: zoninga.com