Stitch Money Privacy Policy
Effective Date: March 3, 2026
This Privacy Policy explains how Stitch Money, Inc. (“Stitch Money,” “we,” “us,” or “our”) collects, uses, and shares information when you use our website and mobile application (the “Service”).
Contact: [email protected]
1) What we collect
We collect information in several ways: (a) information you provide, (b) information from connected services you choose to link, (c) Patch/household collaboration data, and (d) information collected automatically.
1.1 Information you provide
Account and profile information (such as name, email address, profile image, country code, and currency code)
Support communications (what you send us if you contact support)
Subscription and billing information (through our payment processor or app store; we typically receive limited billing metadata, not full card details)
App Store purchase metadata and receipt fields required to verify iOS subscriptions (for example, product identifiers, transaction identifiers, original transaction identifiers, and receipt payloads)
Premium feature preferences and delivery metadata (for example, reminder/report opt-in settings, support request records, and report/reminder send audit fields)
Income and planning information you enter (including income profile inputs, tax-related inputs, and manual income entries)
1.2 Information from connected services (only if you connect them)
Bank data (via Plaid or similar providers):
- Account identifiers and metadata (like institution name and account type)
- Transaction data (merchant descriptors, dates, amounts, categories)
- Other financial data you authorize through the connection
Email data (if you connect Gmail):
- Email metadata and/or content needed to detect subscription-related signals (for example, receipts, confirmation emails, and cancellation notices)
- Subscription insights inferred from those signals (for example, “new subscription,” “canceled subscription,” and estimated renewal timing)
- Derived Gmail evidence and event metadata (for example, merchant keys, message/thread identifiers, sender/subject/snippet-derived signals, and cancellation proof records)
- Connection and authorization token metadata needed to maintain connected services
1.3 Patch/household collaboration data
Patch/household membership records (including member names, roles, and invite metadata)
Shared transaction and recurring stream context visible to Patch members, subject to applicable privacy settings
User-set overrides and preferences (for example, transaction categories/types, privacy flags, recurring bill settings, and related rule metadata)
1.4 Information collected automatically
Device and app information (for example, device type, OS version, and app version)
Log and usage data (for example, features used, screens viewed, service error diagnostics, and fraud/security telemetry)
Approximate location inferred from IP address for security and compliance
Cookies, local storage, and similar technologies used for session, preference, and product functionality
2) How we use information
We use information to:
- Provide and improve the Service (including importing, categorizing, and displaying financial insights)
- Maintain security, prevent fraud, troubleshoot, and debug issues
- Provide customer support and communicate with you
- Process subscriptions and manage billing
- Support Patch/household collaboration features and privacy controls
- Send transactional/service email communications related to your account, security, billing, legal notices, and core Service operation
- Deliver opted-in Premium reminders/reports and route Premium support requests
- Send marketing and recommendation emails only when you have explicitly opted in
- Run automated and AI-assisted processing (through service providers) for transaction cleanup/categorization and recurring-signal inference
- Comply with legal obligations and enforce our Terms
3) How we share information
We do not sell your personal information.
We may share information in these situations:
- Patch/household members: if you are in a Patch, invited members may see shared household data based on your membership and in-app privacy settings
- Service providers: vendors that help us operate the Service (for example, hosting, infrastructure, analytics, customer support tools, AI processing providers, email delivery and suppression tooling, and crash reporting). They are required to protect information and use it only to provide services to us
- Connected service providers: when you connect a bank or email account, data flows through providers like Plaid and Google based on your authorization
- Legal and safety: to comply with law, respond to lawful requests, protect rights and safety, investigate fraud, or enforce our Terms
- Business transfers: if we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction (with appropriate protections)
3.1 Third-party SDKs/processors and what they receive
Plaid (bank-link provider): receives connection and account/transaction data needed to establish and maintain linked financial accounts.
Google (OAuth/Gmail integrations): receives OAuth request metadata; if you connect Gmail, Google processes access and API requests needed for the Gmail scope you authorize.
Apple (iOS In-App Purchase): receives purchase events through Apple billing flows; Stitch receives App Store receipt and transaction metadata to validate Premium entitlements.
Stripe (web billing surfaces): receives billing/customer/payment metadata for web or non-iOS billing portal flows.
Infrastructure and delivery vendors (for example, hosting/database/email tooling): receive operational data needed to run the Service.
We do not sell personal information to data brokers. We do not use IDFA for advertising, and we do not use third-party SDKs for cross-app behavioral advertising tracking in this release.
4) Your choices and controls
Disconnect services: You can disconnect bank connections in the app. For Gmail, you can revoke access in your Google account permissions and use in-app Gmail controls where available.
Patch privacy controls: For eligible transactions, owners may hide member-owned transactions from other Patch members and shared analytics.
Email communication categories: We classify emails as either (a) transactional/service or (b) marketing. Recommendation emails are treated as marketing.
Premium reminder and report emails are treated as transactional/service communications when enabled by you in product settings.
Marketing preferences and consent: We use a global strict opt-in model for marketing and recommendation emails. You can opt in during signup or later in Settings. We do not treat acceptance of Terms or Privacy alone as marketing consent.
Unsubscribe and suppression: You can unsubscribe from marketing emails using the link in those emails or by changing your Settings. When you unsubscribe, we may place your email on a suppression list to block future marketing sends unless you opt in again.
Transactional/service notices: Unsubscribing from marketing does not opt you out of essential transactional/service notices (for example, account, billing, security, legal, or operational notices).
SMS preferences: If we send SMS (if enabled), you can opt out by following the instructions in the message (message and data rates may apply).
Delete your account: You can delete your account from Settings, or contact [email protected] for help. We may retain certain information as required by law or for legitimate business purposes (for example, security, dispute resolution, and compliance), then delete or de-identify it.
Consent revocation: You can revoke connected-account permissions (for example, bank or Gmail access) through in-app controls where available and/or provider account permissions (for example, Google account permissions). You can also request deletion by emailing [email protected].
5) Data retention
We retain personal information only as long as reasonably necessary to:
- provide the Service,
- meet legal or regulatory requirements,
- resolve disputes, and
- enforce agreements.
Operational retention windows may apply to specific datasets. For example, Gmail-derived subscription events and cancellation proof records are currently retained for up to approximately 730 days in our current implementation.
Imported financial history and related derived records may remain until account deletion or a valid deletion request, subject to legal retention requirements.
If you disconnect a connected service, previously imported data may remain unless you delete your account or request deletion, subject to legal retention needs.
Communication preference and consent records (including timestamps, source, and policy version) may be retained for compliance, auditing, and dispute resolution.
Email suppression records may be retained as needed to honor unsubscribe requests and maintain compliance.
Account deletion requests initiated in-app are processed as a full account deletion request. In the standard flow, core account records are removed immediately after confirmation, with limited legal/compliance retention exceptions.
6) Security
We use reasonable administrative, technical, and organizational safeguards designed to protect information. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
7) Children’s privacy
The Service is not intended for children under 18, and we do not knowingly collect personal information from children under 18.
8) International users
The Service is intended for users in the United States. If you access the Service from outside the U.S., you understand your information may be processed in the United States.
9) State privacy disclosures (including California)
Depending on where you live, you may have rights to access, correct, delete, or obtain a copy of certain personal information. To exercise these rights, contact [email protected].
California notice (high level):
- We do not sell personal information.
- We do not share personal information for cross-context behavioral advertising in a way intended to be “sharing” under California law.
- We may use service providers and contractors to process information on our behalf.
10) Changes to this Privacy Policy
We may update this Privacy Policy. If changes are material, we will provide notice (for example, by email or in-app). The effective date at the top shows when the latest version applies.
11) Contact us
Email: [email protected]