1. Introduction
Categorized (“Company,” “we,” “us”) respects your privacy and is committed to protecting your personal and financial data. This Privacy Policy describes how we collect, use, store, and share your information when you use our Service.
2. Information We Collect
Account Information:
- Email address (required)
- Name (optional)
- Phone number (optional)
- Business name and type (required per entity)
Financial Data (via Plaid):
- Bank account identifiers (encrypted, used for Plaid connection only). You provide your banking login credentials directly to Plaid; we never receive or store them.
- Transaction history (descriptions, amounts, dates, merchant names)
- Account balances
- Institution name and type
Payment Information (via Stripe):
- Stripe processes and stores all payment card information. We do not store credit card numbers, CVVs, or full card details on our servers.
- We receive from Stripe: last 4 digits of card, card type, expiration date, billing address
Usage Data:
- Pages visited, features used, categorization actions taken
- Device type, browser type, operating system
- IP address
- Session duration and frequency
- Error logs and performance data
Categorization Data:
- AI categorization results and confidence scores
- Your corrections to categorizations
- Client rules and preferences derived from your usage
3. How We Use Your Information
To Provide the Service:
- Connect to your financial institutions via Plaid
- Import and categorize your transactions
- Generate financial reports (P&L, general ledger)
- Process your payments via Stripe
To Improve the Service:
- Improve categorization accuracy: merchant-pattern rules learned from your corrections apply only to your account; corrections also contribute to the Service’s shared categorization models, in a form designed not to expose your identifiable information to other customers
- Analyze usage patterns to improve features and user experience
- Monitor and ensure the security and integrity of the Service
- Debug issues and provide customer support
To Communicate with You:
- Service-related notifications (billing, account changes, data exports)
- Security alerts (unauthorized access attempts, payment failures)
- Service updates and changes to these policies
We do NOT:
- Sell, rent, or trade your personal or financial data to any third party
- Use your data for advertising, marketing profiling, or behavioral targeting
- Share your individually identifiable data with anyone other than the service providers listed below
- Use your financial data to make credit, lending, or insurance decisions
4. Third-Party Services
| Service | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Plaid, Inc. | Bank account connection, transaction import | Banking credentials (provided by you directly to Plaid — never seen by us), transaction data | https://plaid.com/legal/ |
| Stripe, Inc. | Payment processing | Email, name, payment method details | https://stripe.com/privacy |
| Resend | Transactional email (magic links, notifications) | Email address | https://resend.com/legal/privacy-policy |
| Hetzner Online GmbH | Infrastructure (production servers — Germany) | All service data (encrypted at rest) | https://www.hetzner.com/legal/privacy-policy |
| Cloudflare, Inc. | Network/CDN, secure tunnel (Cloudflare Tunnel), and encrypted backup storage (R2) | Traffic metadata; age-encrypted database and file backups | https://www.cloudflare.com/privacypolicy/ |
| Anthropic, PBC | AI categorization using Anthropic’s Claude models — money-in classification, AI Autopilot, money-out web-search classification, rule-backfill review, statement-PDF parsing, and reconciliation Pass-2 reasoning. Anthropic does not use our API data to train its models by default. | Per-call disclosures vary by feature. For money-in / AI Autopilot / rule-backfill: transaction date, amount, vendor / bank text, memo, Plaid primary + detailed category; entity name, owner name (if set), business type, schedule type; full chart-of-accounts list (name + type for every account the LLM may pick); recent client corrections (last 90 days — vendor + amount + corrected-to category); revenue, owner-contribution, and refund history (last 90–180 days — date + vendor + amount). For the money-out web-search pass: vendor name + raw bank text + chart-of-accounts list + Brave web-search snippets (title + URL + snippet, up to 5) used as classification grounding. For statement-PDF parsing during reconciliation: the full extracted text of the bank statement PDF, which includes account identifiers (number / mask), holder name and address, statement period, opening / closing balances, total charges / credits / payments, every transaction line, and any boilerplate (customer-service phone numbers, promotional text, footnotes) present on the statement. For reconciliation Pass-2 reasoning: account type, statement type, bank name, attempt number, learned reconciliation strategies (JSON), and the lists of unmatched statement transactions (date + amount + description) plus unmatched book transactions (date + amount + vendor + memo + Plaid category). | https://www.anthropic.com/legal/privacy |
| Brave Software, Inc. (Brave Search) | Merchant lookup for AI categorization — when a money-out transaction cannot be categorized from bank text alone, the merchant name is searched on the web to ground Claude’s category prediction | The normalized merchant name only, sent as a web-search query (derived from the transaction’s bank text). No transaction amounts, dates, account identifiers, or personal identifiers are sent to Brave. | https://search.brave.com/help/privacy-policy |
By using Categorized, you acknowledge and agree that your financial data will be transmitted to and processed by Plaid, Inc. in accordance with Plaid’s End User Privacy Policy at https://plaid.com/legal/#end-user-privacy-policy.
5. Legal Basis for Processing
We process your data based on:
- Contractual necessity: To provide the Service you subscribed to
- Legitimate interest: To improve the Service, ensure security, and prevent fraud
- Consent: Where required by applicable law (you may withdraw consent at any time)
- Legal obligation: To comply with tax, financial, and regulatory requirements
6. Data Storage & Security
- Data is stored on secured servers operated by our hosting provider in the European Union, with encrypted backups stored with Cloudflare; some service providers listed in Section 4 process data in the United States. Categorized is a U.S. service for U.S. customers regardless of server location
- Financial data is encrypted at rest (AES-256) and in transit (TLS 1.3)
- Database access is restricted to authorized systems only
- Production database credentials are rotated regularly
- Access to client data is limited to authorized personnel on a need-to-know basis
- We maintain a written information security program with administrative, technical, and physical safeguards designed to meet the requirements of the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) as applicable to our processing of financial data
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Life of subscription |
| Canceled account financial data (your books and supporting records) | Retained in archival form for up to 7 years after termination for recordkeeping, audit-defense, legal-compliance, and fraud-prevention purposes, then permanently deleted. You may request earlier deletion after exporting (see Section 8 and TOS Sections 6 and 16). |
| Payment/billing records | Per legal/tax requirements (~7 years), managed by Stripe |
| Audit trail / categorization history | Same as the books they document (up to 7 years) |
| Aggregated / de-identified data (processed so it is not designed to identify you or your business) | Indefinitely — used to improve the Service’s categorization models and features and for aggregate service analytics |
| Server logs | 30 days rolling |
8. Your Rights
You have the right to:
- Access your data at any time through the Service
- Exportyour data (profit & loss, Schedule C report, general ledger, and transaction history) at any time, at no cost
- Correct your categorizations and account information at any time
- Delete your account and request deletion of your data (honored after you have had the chance to export, except records we must retain by law, records reasonably needed for disputes, billing, fraud prevention, or audit defense, and aggregated or de-identified data — see Section 7 and TOS Sections 6 and 16)
- Withdraw consent for non-essential data processing
- Opt out of non-essential communications
- Request information about what data we hold about you
For California residents (to the extent the CCPA applies to us):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information held by businesses
- Right to opt out of sale or sharing of personal information (we do not sell or share your data)
- Right to correct inaccurate personal information
- Right to non-discrimination for exercising your CCPA rights
To exercise any of these rights, contact us at [email protected].
9. Data Breach Notification
In the event of a data breach that compromises your personal or financial data:
- We will notify affected users without unreasonable delay after confirming a breach, consistent with applicable law and any legitimate law-enforcement needs — our internal response target is 72 hours from confirmation
- Notification will be sent via email and posted on our website
- We will describe the nature of the breach, data affected, and steps we are taking
- We will comply with all applicable state and federal breach notification laws
10. Children’s Privacy
The Service is intended for individuals 18 years of age or older who are operating a business. We do not knowingly collect data from individuals under 18. If we discover we have collected data from a minor, we will delete it promptly.
11. International Data
The Service is intended for use in the United States. If you access the Service from outside the US, you consent to the transfer and processing of your data in the United States and the European Union (see Section 6).
12. Cookies, Do Not Track & Privacy Signals
- The Service uses only essential first-party cookies: session authentication and interface preferences (such as theme). We do not use third-party advertising or cross-site tracking cookies.
- Usage analytics described in Section 2 are collected first-party to operate and improve the Service.
- The Service does not currently respond to “Do Not Track” browser signals. Because we do not sell or share personal information, opt-out preference signals such as Global Privacy Control do not change how we process your data; we honor the rights in Section 8 regardless.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The “Last Updated” date at the top of this policy indicates when it was last revised.
14. Contact
Categorized LLC
1031 Ives Dairy Road, Suite 228-1053, Miami, FL 33179
[email protected]
Privacy inquiries: [email protected]
Last updated: July 16, 2026