Privacy Policy

Last Updated: February 17, 2026

Introduction

Karrat (“we,” “our,” or “the App”) is a personal finance application that helps you track your net worth, monitor account balances, view transactions, and manage your financial picture in one place. We take your privacy seriously — especially because we handle sensitive financial data.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. By using Karrat, you agree to the practices described in this policy.

1. Information We Collect

1.1 Account Information

When you create a Karrat account, we collect:

  • Email address — used for authentication and account recovery
  • Display name — shown to group members you choose to share with
  • Authentication credentials — managed securely through our authentication provider (passwords are hashed and never stored in plain text)

1.2 Financial Data (via Plaid)

When you connect a financial institution through Karrat, we use Plaid, Inc. to securely retrieve your financial data. Depending on the type of account you connect, this may include:

  • Account information — account name, type (checking, savings, credit card, loan, mortgage, investment), and last four digits of the account number
  • Balance information — current, available, and credit limit balances
  • Transaction history — transaction descriptions, amounts, dates, categories, and merchant information
  • Investment holdings — security names, quantities, values, and cost basis
  • Liability details — minimum payments, due dates, interest rates, and outstanding balances for credit cards, loans, and mortgages
  • Institution information — the name and identifier of your financial institution

Important: We never receive or store your bank login credentials. Plaid handles authentication directly with your financial institution. Your bank username and password are never transmitted to or through Karrat.

1.3 Subscription Information

If you subscribe to Karrat Premium, we store:

  • Apple transaction identifiers — used to verify your subscription status and process renewals/cancellations
  • Product identifier — which subscription plan you purchased
  • Subscription environment — whether you are in a production or testing environment

All payment processing is handled by Apple through the App Store. We never receive or store your credit card number, billing address, or other payment details.

1.4 Group and Sharing Data

If you create or join a group (e.g., a household), we store:

  • Group membership — which users belong to which groups
  • Invite tokens — temporary codes used to invite others to your group
  • Your role — whether you are an owner, admin, or viewer in a group

Financial data you connect is visible to other members of your group. You control which groups you join and can leave at any time.

1.5 Device and Usage Information

We may collect:

  • Push notification tokens — if you enable push notifications, to deliver alerts about your accounts
  • Basic usage data — to understand how the App is used and to diagnose issues (e.g., crash reports)

We do not collect precise location data, contacts, photos, or any data unrelated to the App's financial tracking functionality.

2. How We Use Your Information

We use your information solely to provide, maintain, and improve Karrat:

  • Display your net worth and account balances
  • Show transaction history and cash flow
  • Track your investment portfolio
  • Share finances with household members
  • Process subscription status
  • Send account alerts and notifications
  • Detect and fix errors
  • Prevent fraud and abuse

We do not:

  • Sell your personal or financial data to anyone
  • Use your financial data for advertising or marketing purposes
  • Share your data with data brokers
  • Build advertising profiles based on your financial information
  • Use your data for any purpose other than providing the Karrat service

3. Third-Party Services

Karrat relies on the following third-party services to function:

3.1 Plaid, Inc.

We use Plaid to connect to your financial institutions and retrieve account data. When you connect an account, you are also subject to Plaid's Privacy Policy and Plaid's End User Services Agreement. Plaid acts as an intermediary between Karrat and your bank. Your bank credentials are provided directly to Plaid and are never accessible to Karrat.

3.2 Supabase

We use Supabase as our backend infrastructure provider for authentication, database storage, and serverless functions. Your data is stored on Supabase's infrastructure with encryption at rest, encryption in transit (TLS), row-level security policies, and column-level security that restricts access to sensitive fields.

3.3 Apple

Subscription purchases and payment processing are handled entirely by Apple through the App Store. Apple sends us subscription event notifications so we can update your premium status. We verify the authenticity of these notifications using cryptographic signature verification.

3.4 Anthropic

Certain AI-powered features in the App use Anthropic's API to generate insights or assist with financial analysis. When these features are used, relevant financial context may be sent to Anthropic for processing. Anthropic does not use this data to train its models.

4. Data Security

We implement multiple layers of security to protect your financial data:

  • Encryption in transit — all data transmitted between your device, our servers, and third-party services is encrypted using TLS (HTTPS)
  • Encryption at rest — your data is encrypted on our database provider's infrastructure
  • Row-level security — database policies ensure you can only access data within your own groups
  • Column-level security — sensitive credentials are restricted at the database column level and are never exposed to client applications
  • Webhook verification — incoming notifications from Plaid and Apple are cryptographically verified
  • Server-side credential handling — all communication with financial institutions occurs on our secure backend
  • Authentication — your account is protected by industry-standard authentication with secure session management

No system is 100% secure. While we take reasonable and appropriate measures to protect your data, we cannot guarantee absolute security. If we become aware of a security breach that affects your personal data, we will notify you in accordance with applicable law.

5. Data Retention

  • Financial data — retained as long as your account is active and your financial institutions are connected
  • Transaction history — retained as long as the associated financial account is connected
  • Account information — retained as long as you maintain a Karrat account
  • Subscription records — retained for the duration of your subscription and a reasonable period afterward
  • Webhook processing records — automatically deleted after 7 days

When you delete your Karrat account, we delete your profile, group memberships, and associated data. Financial institution connections (Plaid Items) are disconnected, which revokes our access to your financial data at the source.

6. Data Sharing

We do not sell, rent, or trade your personal or financial data.

We share data only in the following limited circumstances:

  • Plaid — account connection requests to retrieve your financial data
  • Apple — subscription identifiers to process payments
  • Supabase — all stored data (infrastructure provider/data processor)
  • Anthropic — financial context for AI features when you use them
  • Your group members — accounts and balances you have connected within the group
  • Law enforcement — only in response to valid legal process

7. Your Rights and Choices

7.1 Access and Portability

You can view all of your financial data within the App at any time. If you would like a copy of your data in a portable format, contact us at the email address below.

7.2 Deletion

You can:

  • Disconnect individual accounts
  • Delete individual accounts and their data
  • Delete your entire account — removes your profile, all financial data, and disconnects all Plaid connections

7.3 California Residents (CCPA)

If you are a California resident, you have additional rights under the CCPA including the Right to Know, Right to Delete, Right to Non-Discrimination, and Right to Opt-Out of Sale (we do not sell personal information).

7.4 European Residents (GDPR)

If you are located in the EEA, you have rights under the GDPR including the Right of Access, Rectification, Erasure, Restriction of Processing, Data Portability, and the Right to Object.

8. Children's Privacy

Karrat is not intended for use by children under the age of 18. We do not knowingly collect personal information from children.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by other appropriate means before the changes take effect.

10. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, contact us at:

Email: privacy@karrat.ai

We will respond to all privacy-related inquiries within 30 days.

This Privacy Policy is effective as of February 17, 2026.