Privacy Policy
Effective: June 1, 2026
Zoninga ("we," "us," or "our") operates the personal finance dashboard at zoninga.com. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service. Zoninga is intended for residents of the United States, and your information is processed and stored in the United States.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Password (stored as a one-way cryptographic hash — we never store your actual password)
- Account preferences (currency, timezone, display settings)
1.2 Financial Data You Provide
You may manually enter financial information including:
- Bank and investment account names and balances
- Transactions (amounts, descriptions, dates, categories)
- Budgets and savings goals
- Tags and notes attached to financial records
1.3 Financial Data from Plaid
If you choose to link a bank account, we use Plaid Inc. to securely connect to your financial institution. Your bank login credentials are entered directly in Plaid's interface and are never seen or stored by Zoninga. However, Plaid does transmit account and transaction data to Zoninga so we can display your financial information. Through Plaid, we may receive:
- Account names, types, and balances
- Transaction history (amounts, dates, merchant names, categories)
- Account and routing numbers (used only for account identification, stored encrypted)
Plaid's use of your data is governed by the Plaid End User Privacy Policy. We encourage you to review it before linking your accounts.
1.4 Billing Data
If you subscribe to a paid plan, payment processing is handled by Stripe Inc.. We do not store your credit card number. We receive from Stripe:
- Subscription status and plan details
- Payment history (amounts, dates, last four digits of card)
1.5 Usage and Security Data
We automatically collect:
- Login timestamps and IP addresses (for security and fraud prevention)
- Failed login attempts (tracked by django-axes for account protection)
- Browser type and device information (from standard HTTP headers)
- Internal feature-usage analytics — which pages you visit, recorded against a one-way hashed session identifier (never the raw session) so we can improve the product. We do not use third-party advertising or cross-site tracking.
We use strictly necessary first-party cookies to keep you logged in and to protect against fraud and cross-site request forgery. We do not use third-party advertising cookies, and we do not sell cookie data.
1.6 AI Assistant
Zoninga includes an optional built-in AI assistant. When you use it, the questions you ask and the financial data needed to answer them are processed by a third-party large-language-model provider (Groq, Inc.) to generate a response. The assistant can only access your own data, and you can choose not to use it. The provider's handling of this data is governed by its own terms; see Section 3.2.
2. How We Use Your Information
We use your information to:
- Provide and maintain the Zoninga financial dashboard
- Sync and display your bank account data via Plaid
- Generate financial reports, charts, and insights
- Process subscription payments through Stripe
- Send account notifications (budget alerts, goal milestones, billing receipts)
- Protect your account through security monitoring and rate limiting
- Improve the service based on aggregated, anonymized usage patterns
3. How We Share Your Information
3.1 We Do Not Sell Your Data
We will never sell, rent, or trade your non-anonymized personal or financial data to third parties.
3.2 Service Providers
We share data with third-party service providers only as necessary to operate the service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Plaid | Bank account linking | Financial institution credentials (via Plaid Link — never seen by Zoninga) |
| Stripe | Payment processing | Email, subscription plan details |
| Google Cloud | Hosting and infrastructure | All data (encrypted at rest and in transit) |
| Sentry | Error monitoring | Technical error reports (no financial data) |
| Groq | AI assistant inference (only when you use the assistant) | Your questions and the financial data needed to answer them |
| Google Workspace | Sending account & notification emails | Email address and message content |
3.3 Anonymized and Aggregated Data
We may use anonymized, aggregated data (which cannot identify any individual) for analytics, research, or service improvement.
3.4 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
3.5 Business Transfers
If Zoninga is acquired, merged, or sells substantially all of its assets, your data may be transferred to the new owner. We will provide at least 30 days' advance notice via email before any such transfer, giving you the opportunity to delete your account and data beforehand.
3.6 AI Assistants You Connect
Zoninga lets you connect third-party AI assistants (for example, Claude or ChatGPT) to your account using a secure authorization flow (OAuth). If you choose to connect one, you direct us to share your financial data with that assistant's provider so it can answer your questions and perform the tasks you request. This sharing happens at your direction and is governed by your own agreement with that provider; we are not responsible for how a third-party assistant you connect uses your data. You can revoke a connected assistant's access at any time from your account settings.
4. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at rest: Sensitive fields (account names, transaction descriptions, bank credentials) are encrypted using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256)
- Encryption in transit: All connections use TLS 1.2 or higher
- User data isolation: Every database query is scoped to the authenticated user — you can never access another user's data
- Rate limiting: All write endpoints are rate-limited to prevent abuse
- Multi-factor authentication: Optional TOTP-based MFA is available for all accounts
- Brute-force protection: Accounts are temporarily locked after repeated failed login attempts
- Automated vulnerability scanning: Dependencies and code are scanned for security issues on every deployment
5. Your Rights
5.1 Right to Know
You may request a copy of the personal information we hold about you. Your financial dashboard already displays all of your stored data. For a formal data export, contact us at support@zoninga.com.
5.2 Right to Delete
You may request deletion of your personal data at any time. You can delete individual records directly within the dashboard, or request full account deletion by contacting support@zoninga.com. Deletion requests are fulfilled within 45 days in accordance with the California Consumer Privacy Act (CCPA). Certain financial records may be retained for up to 7 years as required by tax and regulatory law (see Section 6).
5.3 Right to Opt-Out of Sale
We do not sell your personal information. No opt-out is necessary because we never engage in the sale of non-anonymized user data.
5.4 Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. You will receive the same service quality and pricing regardless of whether you exercise these rights.
5.5 Plaid Data Rights
You may disconnect your linked bank accounts at any time through the Zoninga dashboard. When you disconnect, we revoke the Plaid access token immediately. Previously synced transaction data remains in your account unless you explicitly delete it.
5.6 Sensitive Personal Information
Financial account information is treated as "sensitive personal information" under the California Privacy Rights Act (CPRA). We collect and use it only to provide the financial-dashboard features you request — never to infer characteristics about you, and never for advertising. We do not "sell" or "share" sensitive personal information as those terms are defined under California law.
6. Data Retention
We retain your data according to the following schedule:
- Active accounts: Your data is retained for as long as your account remains active.
- After account cancellation: We retain financial records for 7 years after cancellation to comply with IRS record-keeping requirements (26 USC 6501) and Bank Secrecy Act/Anti-Money Laundering regulations.
- After the retention period: All personal data is permanently deleted or irreversibly anonymized.
- Plaid access tokens: Revoked immediately upon account cancellation or bank disconnection.
For complete details, see our internal Data Retention Policy, available upon request.
7. Children's Privacy
Zoninga requires all users to be at least 18 years old and is not directed at minors. We do not knowingly collect personal information from anyone under 18, and in particular we do not knowingly collect anything from children under 13 within the meaning of the Children's Online Privacy Protection Act (COPPA). If we discover that someone under 18 has provided us with personal information, we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email to the address associated with your account. Your continued use of the service after the effective date of a revised policy constitutes acceptance of the changes.
9. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Zoninga
Email: support@zoninga.com
Website: zoninga.com