Privacy Policy
Last Updated: February 2025
Introduction
Ten to Twenty ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and application (the "Service").
Information We Collect
Information You Provide
- Account Information: Name, email address, and password when you create an account
- Profile Information: Your giving percentage preference (10-20%)
- Custom Charities: Names and details of charities you add manually
- Donation Records: Information about donations you record, including amounts, dates, and notes
Information from Third Parties
When you connect your bank through Plaid, we receive:
- Account names and types (e.g., "Checking", "Savings")
- Account masks (last 4 digits)
- Transaction history (date, amount, description, merchant name)
We do not receive or store your bank login credentials. These are handled securely by Plaid.
Information Collected Automatically
- Usage Data: Pages visited, features used, and interactions with the Service
- Device Information: Browser type, operating system, and device identifiers
- Log Data: IP address, access times, and referring URLs
How We Use Your Information
We use the information we collect to:
- Provide the Service: Detect income, calculate giving suggestions, and track donations
- Personalize Your Experience: Remember your preferences and settings
- Communicate with You: Send account-related notifications and respond to inquiries
- Improve the Service: Analyze usage patterns and fix issues
- Ensure Security: Detect and prevent fraud, abuse, and security incidents
How We Share Your Information
We do not sell your personal information.
We may share your information with:
- Service Providers: Plaid (bank connectivity), Supabase (data storage), and Vercel (hosting)
- Legal Requirements: When required by law, court order, or governmental request
- Business Transfers: In connection with a merger, acquisition, or sale of assets
Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Data encrypted in transit (TLS) and at rest
- Bank access tokens encrypted using AES-256-GCM
- Role-based access controls
- Multi-factor authentication support
Data Retention
- Account Data: Retained while your account is active; deleted within 30 days of account deletion
- Financial Records: Retained for 7 years for tax and legal compliance
- Logs: Retained for up to 90 days
Your Rights
You have the right to:
- Access your data through the Service or by contacting us
- Correct your information through the Settings page
- Delete your account and data through the Settings page
- Disconnect your bank accounts at any time
Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect information from children under 18.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the "Last Updated" date.
Contact Us
If you have questions about this Privacy Policy, please contact us at:
Ten to Twenty
Email: privacy@tentotwenty.com