Privacy Policy

Last Updated: November 17, 2025

1. Introduction

Welcome to Trupocket, an API-first personal finance platform operated by ForceCore LLC. This Privacy Policy explains how we collect, use, store, and protect your personal information.

By using Trupocket, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

2. Services & Data Collection

Third-Party Services We Use

Trupocket relies on the following third-party services to operate:

Core Services

• AWS Cognito: User authentication and authorization
• AWS SES: Transactional email delivery (password reset, billing notifications)
• AWS RDS: Encrypted database storage (MariaDB)
• AWS ECS: Application hosting and container orchestration
• AWS ElastiCache: Redis caching for rate limiting (24-hour data retention)
• AWS CloudWatch: Error logging and system monitoring
  • Logs: Error messages, request IDs, resource names, webhook event metadata
  • Does NOT log: Financial data, email addresses, passwords, or OAuth tokens
  • Retention: 30 days for error logs
• Stripe: Payment processing and subscription management
• Cloudflare: DNS, CDN, and DDoS protection
• jsDelivr CDN: Content delivery network for UI assets
  • Serves: Material-UI CSS, Swagger UI assets (JavaScript and CSS)
  • Your browser connects directly to cdn.jsdelivr.net when viewing API documentation or legal pages
  • jsDelivr may log: IP addresses, User-Agent strings, HTTP referers per their privacy policy

AWS Infrastructure Services

• AWS Application Load Balancer: HTTPS traffic routing and SSL termination
• AWS Certificate Manager: SSL/TLS certificate management
• AWS S3: Storage for load balancer access logs (90-day retention)
• AWS ECR: Docker container image storage
• AWS SNS: System alarm notifications (sent to Trupocket team, not users)
• AWS VPC: Network isolation and security
• AWS Systems Manager Parameter Store: Secure storage for configuration and credentials

Future Services (Not Yet Implemented)

We plan to integrate the following services in the future:

• Marketing Email Services: MailChimp, SendGrid, or similar (you can opt-out)
• Financial Data Providers: Plaid, Yodlee, or similar (for bank account synchronization)

We will notify you via email when these services are introduced and update this Privacy Policy accordingly.

Data We Collect

• Account Information: Email address, name
• Authentication Data: OAuth tokens (validated per-request via AWS Cognito; tokens are not stored by Trupocket)
• Financial Data: Transactions, accounts, budgets, categories, hashtags, payees you manually enter
• Usage Data: Rate limit counters (24-hour retention in Redis cache), error logs (30-day retention)
• IP Addresses: Temporary collection for rate limiting on unauthenticated endpoints (register, sign-in, verify-email). Stored in Redis cache for 24 hours, then automatically deleted. Not logged or stored permanently.
• Subscription Data: Plan type, billing status, payment history (processed via Stripe)

Cookie Policy

Current Implementation: Trupocket API is completely cookie-free. We use Bearer token authentication via the Authorization header instead of session cookies.

No Cookies Used

• No cookies of any kind are currently set by the Trupocket API
• Authentication: Uses OAuth 2.0 Bearer tokens sent in HTTP headers, not cookies
• No tracking cookies: No advertising, analytics, or behavioral tracking cookies
• Stateless API: Each request is authenticated independently via token validation

Third-Party Cookies

While Trupocket doesn't set cookies, third-party services may:

• Stripe: May set cookies when you visit Stripe-hosted payment pages (e.g., checkout, billing portal)
• jsDelivr CDN: May set cookies when loading UI assets (beyond our control)

Future Web Applications

If we launch web applications in the future:

• We may use cookies for user preferences and session management
• You will be notified 30 days before any cookie usage begins
• This Privacy Policy will be updated with detailed cookie disclosures
• You will have the ability to opt-out of non-essential cookies

Metrics Collection

We collect basic performance metrics to improve our service, including:

• API response times
• Error rates and types
• Feature usage statistics (aggregated and anonymized)

Important: Metrics are aggregated and anonymized. We do not sell or share individual user metrics with third parties.

3. How We Use Your Data

Your data is used only for providing and improving the Trupocket service:

• Core Service Delivery: Managing your financial data, processing transactions, generating reports
• Transactional Emails: Password reset, billing notifications, subscription updates
• Customer Support: Responding to support requests and troubleshooting issues
• Service Improvement: Analyzing aggregated, anonymized usage metrics to improve performance and features
• Security & Fraud Prevention: Detecting and preventing unauthorized access or abuse

Marketing Communications (Future)

In the future, we may send marketing emails about new features, updates, and promotions. You will be able to:

• Opt-out of marketing emails at any time via unsubscribe link
• Continue receiving critical transactional emails (password reset, billing notifications)

What We NEVER Do

• Never sell your data to third parties
• Never share individual user data with advertisers or data brokers
• Never use your financial data for purposes other than providing the service

4. Data Retention & Deletion

Transaction Data Retention

Your transaction data is retained based on your subscription plan:

• Free Plan: 90 days of data accessible (data older than 90 days is not processed or displayed)
• Premium Plan: 2 years of data accessible (data older than 2 years is not processed or displayed)
• Developer Plan: Unlimited data access (all historical data accessible)

Important: Data older than your plan limit is not deleted, it is simply not calculated, processed, or accessible via the API or reports. If you upgrade your plan, historical data becomes accessible again.

Specific Retention Periods by Data Type

Different types of data are retained for different periods:

• Transaction Data: Retained indefinitely (access limited by your plan)
• Account Information: Retained while account is active + 7 years after deletion (for tax and legal compliance)
• Authentication Logs: Managed by AWS Cognito (see AWS Cognito privacy policy)
• Error Logs: 30 days retention in AWS CloudWatch
• Payment Records: 7 years (required by law for tax purposes)
• Marketing Preferences: Until you opt-out or close your account
• Rate Limit Counters: 24 hours (Redis cache with automatic expiration)

Account Deletion

You may request account deletion at any time by contacting support@trupocket.app.

• We will delete all personally identifiable information within 30 days
• Aggregated, anonymized metrics may be retained for service improvement
• Legal and financial records (invoices, payment history) may be retained for compliance purposes (7 years)

Subscription Lapse & Downgrade

• Payment Failure: 7-day grace period before downgrade to Free plan
• Cancellation: Service continues through end of current billing period, then downgrades to Free plan
• Non-Destructive Downgrade: All data is preserved when downgrading to Free plan (older data just becomes inaccessible per plan limits)

5. Your Rights

California Residents (CCPA Compliance)

If you are a California resident, you have the right to:

• Access: Request a copy of all personal data we have collected about you
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Opt-Out: Opt-out of data selling or sharing (we do not sell or share your data)
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Correct Inaccurate Information: Request correction of inaccurate personal data

To exercise these rights, contact us at legal@trupocket.app.

Automated Opt-Out Signals (Global Privacy Control)

Effective January 1, 2026: We honor Global Privacy Control (GPC) browser signals as required by California law.

• When your browser sends a GPC signal, we automatically opt you out of data sharing (if applicable)
• You will receive confirmation when your opt-out request is processed
• GPC applies to the specific browser or device sending the signal
• You can manually configure GPC in supported browsers (Brave, Firefox, DuckDuckGo, etc.)

Note: Currently, we do not sell or share personal data, so GPC primarily serves as a future protection mechanism.

Nevada Residents

Nevada law allows residents to opt-out of the "sale" of personal information:

• We do not sell personal information as defined by Nevada law
• If our practices change, we will provide you with opt-out mechanisms
• Contact legal@trupocket.app to exercise Nevada privacy rights

Data Export Process

You have the right to receive a copy of your personal data in a portable format:

• How to Request: Email support@trupocket.app with subject "Data Export Request"
• Identity Verification: We will verify your identity by confirming your account email
• Format: Data will be provided in JSON format (machine-readable)
• Timeline: Data export will be provided within 45 days (usually within 7 days)
• Contents: Includes all transactions, accounts, budgets, categories, hashtags, payees, and account settings
• Frequency: You may request data export once every 12 months at no charge

Financial Regulation Exemptions (GLBA)

Important disclosure about regulatory exemptions:

• Certain financial data is subject to the Gramm-Leach-Bliley Act (GLBA)
• GLBA-covered data may be exempt from certain CCPA requirements
• You still retain the right to request access and deletion of non-exempt data
• We will clearly indicate if any data is exempt from your privacy request

US-Only Service (No GDPR Compliance at Launch)

Trupocket is currently available only to US residents. We are not GDPR-compliant at launch. International support may be added in the future, at which time we will comply with applicable international privacy laws.

6. Data Ownership

• You Own Your Financial Data: All transactions, accounts, budgets, and financial information you enter belongs to you
• You Can Export Your Data: Request a full data export at any time (see Section 5)
• You Can Delete Your Data: Request account deletion at any time (see Section 4)
• You Grant Trupocket a License: To store and process your data to provide the service
• You Are Responsible for Accuracy: We are not liable for errors in data you enter
• Trupocket Owns: Aggregated, anonymized metrics, system data, platform code, and intellectual property

7. Security & Data Breaches

Security Measures

We implement industry-standard security measures to protect your data:

• Encryption in Transit: All API communication uses HTTPS/TLS 1.3
• Encryption at Rest: Database storage encrypted via AWS RDS AES-256
• Secure Authentication: OAuth 2.0 via AWS Cognito with multi-factor authentication support
• Access Controls: Role-based access control (RBAC) for internal systems
• Regular Security Audits: Ongoing monitoring and vulnerability assessments
• Penetration Testing: Annual third-party security audits (planned)

Important: No system is 100% secure. While we implement industry-standard security practices, we cannot guarantee absolute security. You are responsible for protecting your account credentials.

Data Breach Notification

In the event of a data breach affecting your personal information:

Our Response Procedure

• Immediate Investigation: We will investigate the breach within 24 hours of discovery
• User Notification: We will notify you via email within 72 hours of confirming the breach
• Regulatory Notification: For breaches affecting more than 500 users, we will notify:
  • Appropriate state authorities (including North Carolina Department of Justice)
  • Credit reporting agencies (if applicable)
  • Federal Trade Commission (if required)
• Public Disclosure: We will post a notice on our website if the breach is significant

What We Will Tell You

Our breach notification will include:

• Nature and scope of the breach
• Types of data affected (e.g., email addresses, financial transactions)
• Date(s) of the breach
• Steps we are taking to address the breach and prevent future incidents
• Steps you should take to protect yourself (e.g., change password, monitor accounts)
• Contact information for questions and support

Your Responsibilities

• Monitor Your Account: Regularly review your Trupocket account for suspicious activity
• Strong Passwords: Use unique, strong passwords and enable two-factor authentication
• Report Suspicious Activity: Contact support@trupocket.app immediately

8. Future Integrations

Open Banking & Data Portability (Section 1033 CFPB Rule)

Compliance Date: April 1, 2026 (for covered financial institutions)

Under the Consumer Financial Protection Bureau's Personal Financial Data Rights Rule, you have the right to:

• Access Your Data: Request access to at least 24 months of transaction history
• Transfer Your Data: Transfer your financial data to authorized third parties
• Revoke Access: Revoke third-party access at any time
• No Fees: Access and transfer your data free of charge

How to Exercise These Rights

• Request data export via support@trupocket.app (see Section 5)
• Authorize third-party access through our API (when available)
• Manage third-party authorizations in your account settings (future feature)

Third-Party Access Protections

When you authorize a third party to access your Trupocket data:

• Third parties must be authorized and certified
• Third parties cannot use your data for advertising or cross-selling unless you separately consent
• Third parties must delete your data when you revoke access
• You can view and manage all authorized third parties in your account

Bank Account Synchronization (Planned)

When we introduce bank account synchronization via Plaid, Yodlee, or similar services:

• You will authorize Trupocket to access your bank accounts on your behalf
• Your bank credentials and transaction data will be shared with the third-party financial data provider
• We will update this Privacy Policy and notify you via email 30 days before launching this feature
• Additional terms and consent will be required before connecting bank accounts
• You can disconnect bank accounts at any time

9. Compliance & Legal

Age Restriction

You must be 18 years or older to use Trupocket.

Children's Privacy (COPPA Compliance)

Trupocket is not intended for children under 18 years of age:

• We do not knowingly collect personal information from anyone under 18
• We do not knowingly collect data from children under 13 (COPPA requirement)
• If we discover we have collected data from a child under 13, we will delete it immediately
• Parents: If you believe your child has provided us with personal information, contact legal@trupocket.app immediately

Third-Party Links

Trupocket may contain links to third-party services (Stripe, AWS, Plaid, etc.). We are not responsible for the privacy practices of these external services. Please review their privacy policies before using them.

Policy Updates

We may update this Privacy Policy from time to time. When we make material changes:

• We will notify you via email 30 days before the changes take effect
• The "Last Updated" date at the top of this page will be updated
• Continued use of the service after changes take effect constitutes acceptance
• You may close your account if you do not agree to the changes

Legal Requests & Compliance

We may disclose your information if required by law, court order, or government request, including:

• Compliance with subpoenas, warrants, or legal processes
• Protection of Trupocket's legal rights and property
• Investigation of fraud, security incidents, or violations of our Terms of Service
• Compliance with financial regulations (AML, KYC, etc.)
• Protection of the safety of our users or the public

10. Contact Information

If you have any questions or concerns about this Privacy Policy, please contact us:

• Company: ForceCore LLC
• Mailing Address: 5821 Fairview Road, Suite 218, Charlotte, NC 28209
• General Support: support@trupocket.app
• Privacy & Legal Questions: legal@trupocket.app
• Data Requests: legal@trupocket.app (CCPA, data export, deletion)

Response Time: We will respond to privacy inquiries within 45 days as required by CCPA.