Mt. Money — Privacy Policy
Effective date: 2026-06-01
Last updated: 2026-05-14
Status: Draft. To be reviewed by counsel and published at https://mount.money/privacy before MVP launch.
1. Overview
This Privacy Policy describes how Mt. Money ("Mt. Money," "we," "us," "our") collects, uses, shares, and protects information when you use our website, applications, and related services (collectively, the "Service"). The Service is a multi-entity financial management platform that lets you connect bank accounts, view transactions, and use an AI assistant to answer questions about your own financial data across the businesses you operate.
We handle non-public personal information (NPI) and operate under the principles of the Gramm-Leach-Bliley Act (GLBA), even where the Service is used in a non-commercial or personal-use context. This policy explains, in plain English, what we collect, why, and what your rights are.
2. Who we are
| Entity | Mt. Money — a venture currently operated by the founder under an existing consulting LLC; a successor entity will be formed prior to taking outside investment. The current operator of record is identified in our public contact information. |
| Domain | https://mount.money |
| Privacy contact | privacy@mount.money |
| Security contact | security@mount.money |
| Postal address | To be added prior to launch |
If you have questions, requests, or complaints about how we handle your information, the privacy contact above is the canonical channel.
3. Information we collect
3.1 Information you provide directly
- Account information — your email address, your name (if provided), authentication credentials (we never see your password in plaintext — see Section 9), and multi-factor authentication factors you enroll.
- Workspace information — the names you give the businesses or entities you set up inside Mt. Money, the role you assign each member, and any tags, notes, or categorizations you create.
- Bank-connection consent — when you connect a bank account, you authorize us (through Plaid) to access account and transaction data for that account.
- Support communications — anything you write to us via email or in-app messaging.
3.2 Financial information collected via Plaid
When you connect a bank account, our service provider Plaid Inc. retrieves information from your financial institution on your behalf and provides it to us. This includes:
- Account information — account name, type (checking, savings, etc.), institution name, currency, mask (last 4 digits), and current and available balances.
- Transaction information — for each transaction in the connected account: date, amount, merchant name, description, Plaid-assigned category, payment channel, and pending status.
- Connection metadata — a Plaid item identifier and an encrypted access token that allows continued retrieval of data from the linked account until you disconnect.
We do not, through Plaid or otherwise, gather: account or routing numbers (we do not request the Auth product), identity attributes on file with the institution (we do not request the Identity product), liabilities data, investments data, or income data.
3.3 Information collected automatically
- Usage information — pages viewed, features used, approximate timing of sessions. We use this to operate and improve the Service.
- Device and connection information — IP address, browser type and version, operating system, time zone, and similar technical attributes.
- Cookies and similar technologies — session cookies needed to keep you logged in, and a minimal set of first-party cookies described in Section 11.
3.4 Information we do not collect
- We do not collect your bank or financial-institution password. Plaid handles credential exchange; the credentials are never visible to Mt. Money.
- We do not buy data about you from data brokers.
- We do not track you across other websites or services.
- We do not collect biometric data.
4. How we use information
We use the information described above to:
- Operate the Service — display your accounts, balances, and transactions to you; group them by workspace; let you tag, annotate, and search them.
- Power the AI assistant — answer your natural-language questions about your own financial data. See Section 5.2 for how this works and what we do (and do not) share with the AI provider.
- Authenticate you — verify identity at login, enforce multi-factor authentication, prevent unauthorized access.
- Maintain the Service — debug errors, monitor performance, detect abuse, run security investigations.
- Communicate with you — service notifications (e.g., a bank connection has expired and needs re-authentication), security notices, responses to your support inquiries.
- Comply with law — meet our regulatory, audit, and legal obligations, including responding to lawful requests from authorities with appropriate process.
We do not use your financial information to:
- Sell to third parties for advertising, marketing, or any other purpose.
- Train machine-learning models, including the AI provider's models. See Section 5.2.
- Build profiles about you for any party outside the operation of the Service itself.
- Send you marketing for unrelated products.
5. How we share information
We share information only as described in this section. We do not sell or rent your personal information.
5.1 Service providers
We share information with the following service providers, each engaged under written terms that restrict use to providing services to Mt. Money:
| Provider | Role | Data shared | Provider's privacy policy |
|---|---|---|---|
| Supabase | Database, authentication, file storage (US region) | All application data at rest, including account, workspace, transaction, and tag data | https://supabase.com/privacy |
| Vercel | Application hosting and request processing | All data passing through the application in transit; no persistent data storage | https://vercel.com/legal/privacy-policy |
| Plaid | Bank account connection and transaction retrieval | Bank credentials (handled by Plaid, not seen by us), institution identifiers, transaction and balance data | https://plaid.com/legal |
| Anthropic | AI assistant model provider (Claude API) | Scoped, per-query data only — see Section 5.2 | https://www.anthropic.com/legal/privacy |
| Resend | Transactional email delivery (sign-in links, security notices, invitations) | Recipient email address and message content | https://resend.com/legal/privacy-policy |
| Cloudflare | DNS and email routing | DNS query metadata, email routing metadata | https://www.cloudflare.com/privacypolicy/ |
| GitHub | Source-code hosting | No customer data; codebase and infrastructure configuration only | https://docs.github.com/en/site-policy/privacy-policies |
| Sentry (when enabled) | Error monitoring | Stack traces and request metadata with PII scrubbed before transmission | https://sentry.io/privacy/ |
All listed providers are SOC 2 Type II audited.
5.2 AI provider — what is and is not shared
The AI assistant is powered by Anthropic's Claude API. When you ask the AI a question, we send to Anthropic only:
- Your question text.
- A scoped subset of your transaction or account data needed to answer that specific question (for example, "transactions from June 2026 in the Acme Properties LLC workspace"), retrieved via internal tool calls.
- A system prompt describing the AI's role.
We do not send Anthropic:
- Bulk exports of your data.
- Data from workspaces other than the one you are currently using (unless you have explicitly switched to a "consolidated view" context that you have selected).
- Your authentication credentials or session tokens.
- Other users' data, even if you share a workspace with them — your queries draw only on the data you yourself can access under Section 5.3.
Our agreement with Anthropic is configured for zero data retention for training purposes: Anthropic does not retain your queries or our scoped data exports to train its models.
5.3 Other workspace members
If you share a workspace with other people (for example, a bookkeeper or accountant you have invited), members of that workspace can see workspace data according to the role you have assigned them. Mt. Money enforces these access boundaries at the database level using Postgres row-level security, in addition to application-level checks.
5.4 Legal, safety, and transfers
We may share information when we believe in good faith that doing so is necessary to:
- Comply with applicable law, court orders, subpoenas, or other valid legal process.
- Enforce our terms of service and investigate violations.
- Protect the rights, property, or safety of Mt. Money, our users, or others.
- Effectuate a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets. In such cases we will notify affected users where legally required, and any successor will be bound by commitments at least as protective as this policy.
6. Plaid-specific disclosure
By using the Service to connect a bank or financial account, you grant Mt. Money and our service provider Plaid Inc. the right, power, and authority to access and transmit your financial information from the relevant financial institution. You acknowledge and agree that your financial information will be transferred, stored, and processed by Plaid in accordance with the Plaid End User Privacy Policy.
You can disconnect a financial institution from Mt. Money at any time via your account settings. Disconnecting revokes Mt. Money's and Plaid's authorization to retrieve new data from that institution going forward; previously retrieved data is handled per Section 7 (Data Retention).
7. Data retention
We retain information for as long as your account is active and as long as needed to provide the Service.
- Active accounts: Account, workspace, and transaction data is retained while the account is active.
- Disconnected bank accounts: Transactions previously retrieved from a disconnected institution remain visible to you for historical reference unless you delete the workspace or your account.
- Closed accounts: When you close your account, we delete or de-identify your personal information within 30 days, except where we are required to retain specific records to comply with legal, financial-reporting, or audit obligations (in which case we retain only those records, only for the period required, and only in limited-access archival storage).
- Backups: Encrypted database backups may persist for up to 90 days after deletion, after which they are overwritten.
- AI assistant logs: Conversation logs are retained per Section 5.2; they are scoped to the workspace and accessible only to you and others you have authorized.
You can request earlier deletion via the process in Section 8.
8. Your rights and choices
Regardless of where you live, you have the following rights:
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct inaccurate information.
- Deletion — request that we delete your account and associated personal information, subject to legal retention requirements (see Section 7).
- Portability — receive your transaction and workspace data in a structured, machine-readable format.
- Disconnect — disconnect a linked financial institution at any time via account settings.
- Marketing opt-out — Mt. Money does not currently send marketing email. If we begin to, every marketing email will include an unsubscribe link.
To exercise any of these rights, email privacy@mount.money. We will respond within 30 days (or sooner where required by applicable law). We may need to verify your identity before fulfilling a request involving access or deletion.
8.1 California residents (CCPA / CPRA)
If you reside in California, you have additional rights under the California Consumer Privacy Act as amended by the CPRA, including the right to know what categories of personal information we have collected, the sources, the business or commercial purpose, the categories of third parties with whom we share information, and the right to request deletion. We do not sell or share personal information for cross-context behavioral advertising. To exercise California-specific rights, use the contact above and reference "California request."
8.2 Other US states
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have rights substantially similar to those above. We honor them through the same request process.
8.3 Outside the United States
Mt. Money is operated from the United States and the Service is intended for U.S. residents and U.S.-incorporated businesses. We do not currently serve users outside the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S.
9. Security
We take reasonable and appropriate technical and organizational measures to protect your information:
- Encryption in transit — all connections to the Service use TLS 1.2 or higher.
- Encryption at rest — all data is encrypted at rest by our database provider (AES-256). Highly sensitive fields, including Plaid access tokens, are additionally encrypted at the column level.
- Access controls — multi-tenant data isolation is enforced by Postgres row-level security, in addition to application-layer checks.
- Administrative access — administrative access to production infrastructure requires multi-factor authentication; current configuration uses WebAuthn passkeys (phishing-resistant) across critical systems.
- Secrets management — production credentials are stored in environment variables, never in source control, and are scoped to the specific service that needs them.
- Vendor selection — all subprocessors are SOC 2 Type II audited.
- Logging — personal information is not logged at informational levels; error reports are scrubbed of PII before transmission to our monitoring provider.
- Vulnerability management — see our internal vulnerability patching SLA for severity tiers and remediation timelines.
No security program is perfect. If you believe your account has been compromised, contact security@mount.money immediately.
10. Children's privacy
Mt. Money is not directed to children under 18 and we do not knowingly collect personal information from individuals under 18. If you believe a child has provided us personal information, please contact privacy@mount.money and we will delete it.
11. Cookies and similar technologies
We use a minimal set of first-party cookies:
- Authentication cookies — keep you signed in across page loads. Strictly necessary; without them the Service does not function.
- Preference cookies — remember workspace selection, layout choices, and similar UI state.
We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers.
12. Review and changes to this policy
Review cadence. Mt. Money reviews this Privacy Policy at minimum annually, and additionally whenever any of the following occurs:
- A change in applicable privacy or financial-information law (federal, state, or otherwise) affecting our processing activities;
- A material change in our processing activities, subprocessor list, retention practices, or security controls;
- A privacy or security incident that warrants reassessment of these practices;
- Onboarding of a new category of users (e.g., expansion beyond U.S. residents, addition of minors, addition of commercial customers under a B2B agreement).
Annual reviews are recorded in our internal compliance log along with any resulting amendments.
Changes. When we update this policy, we will revise the "Last updated" date at the top. For material changes, we will provide additional notice — for example, a banner in the Service or an email to your account address — before the change takes effect.
13. Contact
Questions, requests, or complaints:
Email: privacy@mount.money
Security disclosures: security@mount.money
Postal address: To be added prior to launch
This document is a draft prepared in advance of MVP launch and is intended for review by qualified counsel before publication. It is committed to the project repository as part of Mt. Money's evidence of substantive privacy planning, not as a substitute for legal review.