Privacy Policy

1. Overview

Stache, a product of SAS Labs operated by SAS Ventures LLC ("we", "our", "us"), respects your privacy. This policy describes what data we collect, how we use it, and your rights regarding that data. Stache is currently available to users in the United States only.

2. Data We Collect

Account Information

When you sign in with Google, we receive your name, email address, and profile photo. We do not receive or store your Google password.

Financial Data You Enter

Transactions, accounts, categories, receipts, and other financial data you enter into Stache. This data is stored securely and is only accessible to you.

Bank Connection Data

If you connect bank accounts via Plaid, we receive account names, balances, and transaction history. We do not receive or store your bank login credentials — those are handled entirely by Plaid. See Plaid's privacy policy for details.

Receipt Images & Documents

Uploaded receipts and statements are stored in secure cloud storage. Receipt images may be processed by AI (Anthropic Claude) for text extraction. Your data is never used to train AI models — see Section 4 below.

You are solely responsible for the content you upload. We discourage uploading highly sensitive data unrelated to financial record-keeping. We are not responsible for any regulatory obligations related to sensitive data you choose to store in the service.

Payment Information

Subscription payments are processed by Stripe. We do not store credit card numbers or payment details — these are handled entirely by Stripe. See Stripe's privacy policy.

3. How We Use Your Data

• Providing and improving the Stache service
• Authenticating your identity
• Processing your financial transactions and generating reports
• Extracting data from uploaded receipts and statements
• Processing subscription payments
• Communicating service updates or security notices

We do not sell, rent, or share your personal or financial data with third parties for marketing purposes. We do not use your data for advertising or profiling.

4. AI Processing & Data Training

When you upload receipts or statements, they may be processed by Anthropic's Claude AI via their commercial API to extract structured data (merchant name, date, amount, etc.).

• Your data is never used to train AI models.Anthropic's commercial API terms explicitly prohibit using customer data for model training.
• API data is retained by Anthropic for up to 7 days for abuse monitoring, then automatically deleted.
• Only the specific receipt image or statement PDF is sent — no other account data is transmitted.

5. Data Storage & Security

Your data is stored in Supabase (hosted PostgreSQL) with:

• AES-256 encryption at rest
• TLS encryption in transit
• Row-level security (RLS) ensuring users can only access their own data
• HTTP security headers (HSTS, CSP, X-Frame-Options, etc.)

While we implement industry-standard security measures, no system is 100% secure. We encourage you to maintain your own backups.

6. Third-Party Services

We use the following third-party services that may process your data:

• Google — Authentication (OAuth)
• Supabase — Database and file storage
• Plaid — Bank account connections (optional)
• Stripe — Payment processing
• Anthropic — AI receipt/statement processing (data not used for training)
• Cloudflare — Application hosting and CDN

7. Cookies

Stache uses only essential cookies for authentication session management. We do not use tracking cookies, analytics cookies, or advertising cookies. Because we only use strictly necessary cookies required for the service to function, no cookie consent banner is required.

8. Your Rights

You have the right to:

• Access — View all data we store about you (available in-app)
• Export — Download a complete backup of your data at any time via Settings
• Delete — Delete your account and all associated data from Settings (30-day grace period, then permanent deletion)
• Correct — Update or correct your information directly in the app, or contact us for assistance
• Opt-out of sale — We do not sell your personal information. There is nothing to opt out of.

To exercise these rights, use the in-app Settings page or contact us at support@stache.finance.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• The right to know what personal information we collect and how it is used (described in this policy)
• The right to delete your personal information (available via Settings)
• The right to opt-out of the sale of personal information — we do not sell your data
• The right to non-discrimination for exercising your privacy rights

Categories of personal information collected: Identifiers (name, email), financial information (transactions, account data you enter), internet activity (authentication sessions). We collect this information directly from you. We do not collect information from third-party data brokers.

10. Data Retention

We retain your data for as long as your account is active. When you request account deletion, your account enters a 30-day grace period. After 30 days, all personal data, financial records, and uploaded files are permanently and irreversibly deleted from our systems. We do not keep backup copies of deleted accounts.

11. Data Breach Notification

In the event of a data breach affecting personal information, we will notify affected users in accordance with applicable law. Notification will be provided via the email address associated with your account and, where appropriate, through in-app notice.

12. Children

Stache is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify users of material changes through the application. Continued use after changes constitutes acceptance.

14. Contact

For questions about this privacy policy, your data, or to exercise your privacy rights, contact us at support@stache.finance.