Privacy Policy
Last updated: February 17, 2026
1. Introduction
Ribbit (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our personal finance management platform (the “Service”).
“Personal data” means any information that identifies, relates to, or could reasonably be linked to you, including your financial data. By using the Service, you consent to the data practices described in this policy.
2. Information We Collect
We collect the following categories of information:
Account Information
Name, email address, and authentication credentials, collected and managed through Clerk when you create an account.
Financial Data
Bank account details, transaction history, account balances, and institution information retrieved via Plaid when you connect your bank accounts. This includes account names, types, routing numbers (masked), transaction descriptions, amounts, dates, and categories.
Investment Data
Investment holdings, trade history, portfolio positions, cost basis, and account information retrieved from Public.com when you connect your investment account.
AI Interaction Data
Messages you send to our AI chat feature, including financial queries and the context provided to generate responses. AI chat history is session-based and not currently persisted after your session ends.
Device & Technical Data
IP address, browser type and version, operating system, device identifiers, and cookies necessary for authentication and session management.
Usage Data
Information about how you interact with the Service, including features used, pages visited, and actions taken. We may implement analytics in the future to better understand usage patterns and improve the Service.
3. How We Use Your Information
We use your information for the following purposes:
- Service delivery: Synchronizing your bank transactions, tracking investments, generating journal entries, computing balances, projections, and financial reports
- AI analysis: Processing your queries and providing financial insights, charts, and calculations through our AI chat features
- Account management: Authenticating your identity, managing your entities, and maintaining your preferences
- Security: Detecting and preventing fraud, unauthorized access, and other malicious activity through rate limiting and access controls
- Product improvement: Using aggregated, de-identified data to understand usage patterns and improve the Service (we never use your individual financial data for this purpose)
- Communications: Sending service-related notices, security alerts, and (with your consent) product updates
4. Third-Party Services & Data Sharing
We share your data with the following third-party service providers, solely to operate the Service. Each provider processes your data under their own privacy policy:
Plaid
Bank account linking and transaction synchronization. When you connect a bank account, Plaid accesses your financial data on our behalf. See the Plaid Privacy Policy.
Public.com
Investment account data retrieval, including holdings and trade history. See the Public.com Privacy Policy.
Anthropic
AI-powered analysis. When you use the AI chat feature, your messages and relevant financial context are sent to Anthropic's Claude API. Anthropic does not use your data to train their models when accessed via the API. See the Anthropic Privacy Policy.
Clerk
User authentication and identity management. See the Clerk Privacy Policy.
Vercel
Application hosting and serverless compute. See the Vercel Privacy Policy.
Neon
Serverless PostgreSQL database hosting. All financial data is stored in Neon-managed databases. See the Neon Privacy Policy.
Upstash
Redis-based rate limiting. Only request metadata (user identifiers and timestamps) is processed; no financial data is sent to Upstash. See the Upstash Privacy Policy.
E2B
Sandboxed code execution for AI-generated Python scripts (data analysis, chart generation). Code and data are processed in isolated, ephemeral sandboxes that are destroyed after each session. See the E2B Privacy Policy.
5. We Will Never Sell Your Financial Data
Ribbit will never sell, rent, or trade your personal or financial data to third parties for advertising, marketing, or any commercial purpose unrelated to providing the Service.
Your financial data is used exclusively to deliver the Service to you. We do not monetize your data, serve ads based on your financial information, or share your individual data with data brokers.
6. Data Security
We implement technical, organizational, and physical measures to protect your data, including:
- AES-256-GCM encryption for stored Plaid access tokens
- Encrypted database connections (TLS/SSL) for all data in transit
- Role-based access controls and multi-tenant data isolation
- Rate limiting on sensitive endpoints (AI, banking, webhooks)
- JWT verification for webhook authenticity
While we take data security seriously and implement industry-standard protections, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data, but we are committed to promptly addressing any security incidents.
7. Data Retention
We retain your data for the following periods:
| Data Category | Retention Period |
|---|---|
| Account data | Lifetime of your account |
| Financial & investment data | Lifetime of your account + 30 days after deletion |
| AI chat history | Session only (not persisted after session ends) |
| Technical / server logs | 90 days |
When you request account deletion, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory compliance.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct inaccurate or incomplete personal data
- Deletion: Request that we delete your personal data, subject to our retention obligations
- Portability: Request your data in a structured, commonly used, machine-readable format
- Withdraw consent: Where processing is based on consent, you may withdraw that consent at any time
To exercise any of these rights, please contact us at support@ribbit.app. We will respond to your request within 30 days.
9. U.S. State Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, or another U.S. state with comprehensive privacy legislation, you may have additional rights under applicable law, including:
- Right to know: What personal data we collect, use, and disclose about you
- Right to delete: Request deletion of your personal data
- Right to opt out of sale: We do not sell your personal data, so no opt-out is necessary — but we honor the right regardless
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we treat it as a valid opt-out request for any data sharing that would constitute a “sale” under applicable law (though, as noted, we do not sell your data).
California residents (CCPA/CPRA): In the preceding 12 months, we have collected the categories of personal information described in Section 2. We collect this information for the business purposes described in Section 3. We do not sell or share personal information for cross-context behavioral advertising.
11. Children's Privacy
The Service is not designed for or directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from someone under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us at support@ribbit.app.
12. International Users
The Service is hosted and operated in the United States. If you access the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have provided one) or through a prominent notice within the Service before the changes take effect. We will also update the “Last updated” date at the top of this page. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
14. Contact Information
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at support@ribbit.app.