Privacy Policy

SnowballPay (“we,” “us,” or “our”) operates the website and web application located at getsnowballpay.com (the “Service”). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have over it.

Please read this policy carefully before using the Service. By creating an account or otherwise using SnowballPay, you acknowledge that you have read and understood this policy.

SnowballPay is a personal finance planning tool that helps individuals organize and pay off debt using the Debt Snowball method. We are not a bank, credit union, financial institution, broker-dealer, investment adviser, or any other type of regulated financial entity. Nothing we provide constitutes financial, investment, tax, or legal advice.

For questions about this Privacy Policy, contact us at: privacy@getsnowballpay.com

2.1 Account and Identity Data

When you sign up through Google (via Auth0), we receive and store:

• Your full name
• Your email address
• Your profile picture URL (hosted by Google)
• An Auth0 user ID that links your account across sessions

We do not receive or store your Google account password.

2.2 Financial Data You Enter

The core purpose of SnowballPay requires you to provide financial information. We collect and store exactly what you enter, including:

• Debt information: debt names, categories (e.g., credit card, student loan), current balances, original balances, interest rates (APR), minimum monthly payments, credit limits, and payment due dates
• Income information: monthly take-home pay, income source type (e.g., W-2, 1099), and pay frequency
• Expense information: recurring expense names, amounts, frequencies, and categories (e.g., utilities, subscriptions, food)
• Payoff plan data: your projected debt-free date, total interest projections, monthly payment amounts, and the sequencing of your debt payoff steps
• Balance snapshots: monthly balance records you save to track actual progress against your plan

2.3 Uploaded Documents

You may optionally upload financial documents — such as bank statements, credit card statements, or pay stubs — in PDF or image format (JPEG, PNG, GIF, WEBP). These files are:

• Sent directly to the Anthropic Claude AI API for data extraction (see Section 4)
• Stored in our database as a record of the upload, along with the extracted data in structured JSON format
• Associated with your user account via your user ID

Important: Before uploading any document, please ensure it does not contain sensitive information beyond what is needed (e.g., full account numbers, Social Security numbers). We recommend using statements that show only the information relevant to your debt payoff planning.

2.4 AI-Generated Recommendations

We generate personalized debt payoff recommendations by sending a summary of your financial data (debt balances, interest rates, income, expenses, and payoff timeline) to the Anthropic Claude API. The AI-generated output is stored in our database as a cached recommendation associated with your account. This cache is refreshed when your underlying financial data changes.

2.5 Automatically Collected Technical Data

When you use the Service, we and our infrastructure providers (Vercel) automatically collect certain technical information, including:

• IP address
• Browser type and version
• Operating system
• Pages visited and actions taken within the Service
• Date and time of requests
• Referring URL

This data is used for security monitoring, performance optimization, and debugging. It is processed by Vercel as part of hosting the application (see Section 4).

2.6 Cookies and Similar Technologies

We use the following types of cookies and session tokens:

• Authentication session cookies: Auth0 sets a session cookie when you log in to keep you authenticated across page loads. This cookie is strictly necessary for the Service to function and cannot be disabled without preventing login.
• Security tokens: We use JSON Web Tokens (JWTs) to verify your identity on API requests. These are stored in browser memory or session storage, not in persistent cookies.

We do not use advertising cookies, third-party tracking cookies, or behavioral analytics cookies. We do not serve advertisements.

We use the information we collect for the following purposes:

We do not sell your personal data. We do not use your financial data to train AI models, build advertising profiles, or share it with data brokers.

We share your data with the following third-party service providers only to the extent necessary to operate the Service. Each provider acts as a data processor on our behalf and is bound by appropriate data processing agreements and security standards.

Important Notes on Anthropic / Claude API

When you upload a financial document or request AI recommendations, your data is transmitted to Anthropic's API. Under Anthropic's API usage policy, when SnowballPay accesses the API as an operator:

• Anthropic acts as a data processor, not a data controller, for the data we send via the API
• Your data submitted via the API is not used by Anthropic to train its AI modelsunder standard API terms (subject to Anthropic's then-current API Data Privacy Addendum)
• API inputs and outputs may be retained by Anthropic for a limited period for safety and abuse monitoring purposes per their policies

You can review Anthropic's privacy practices at anthropic.com/legal/privacy.

International Data Transfers

All of our primary service providers are based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States. We rely on the following transfer mechanisms:

• EU Standard Contractual Clauses (SCCs) with our subprocessors where applicable
• The EU-U.S. Data Privacy Framework where providers are certified

We do not transfer personal data to any country that has not been deemed to provide an adequate level of protection without appropriate safeguards in place.

We retain your data as follows:

• Account and financial data: Retained for as long as your account is active. If you delete your account, all associated data — including debts, income, expenses, payoff plans, balance snapshots, uploaded document records, and AI recommendation caches — is permanently deleted from our production database within 30 days.
• Database backups: Neon maintains automated database backups. Deleted data may persist in backups for up to 30 additional days before being purged from backup storage.
• Server logs: Access and error logs retained by Vercel for up to 30 days for security and debugging purposes.
• Anthropic API logs: Inputs and outputs sent to the Claude API may be retained by Anthropic for a limited period per their policies. We do not control this retention period; please review Anthropic's privacy policy for details.

We implement reasonable technical and organizational measures to protect your personal and financial data, including:

• Encryption in transit: All data transmitted between your browser and our servers uses TLS (HTTPS). All API calls to third-party services use HTTPS.
• Encryption at rest: Your data stored in Neon's PostgreSQL database is encrypted at rest using AES-256 encryption.
• Authentication security: Authentication is handled by Auth0, which provides industry-standard OAuth 2.0 / OpenID Connect flows. We do not store passwords.
• Access controls: Database access is restricted to authenticated API routes. Each API request verifies your identity before accessing or modifying your data. Data is always scoped to your user ID — you cannot access another user's data.
• File validation: Uploaded documents are validated for file type and size before processing. Files are not permanently stored on our servers; they are processed in-memory and only the extracted metadata is persisted to the database.
• Infrastructure security: Neon maintains SOC 2 Type II and ISO 27001 certifications. Vercel operates on enterprise-grade cloud infrastructure.

No security system is perfect. While we take data security seriously, we cannot guarantee absolute security of your data. If you believe your account has been compromised, please contact us immediately at security@getsnowballpay.com.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and we will notify affected users without undue delay where required by law.

7.1 Rights for All Users

Regardless of where you live, you have the right to:

• Access your data: Request a copy of the personal data we hold about you
• Delete your account: Request that we delete your account and all associated data. You can do this at any time by contacting us.
• Correct inaccuracies: Update any inaccurate information through the app interface or by contacting us
• Data portability: Request an export of your financial data in a machine-readable format (JSON)

7.2 Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent law:

• Right to be informed (Art. 13-14): You have the right to be informed about how we use your data — which this policy fulfills.
• Right of access (Art. 15): Request a copy of your personal data and information about how it is processed.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for us to continue processing it.
• Right to restrict processing (Art. 18): Request that we restrict processing of your personal data in certain circumstances.
• Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): Object to processing based on our legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
• Rights related to automated decision-making (Art. 22): While our AI recommendations are generated automatically, they are presented as informational suggestions only and do not produce legal effects or similarly significant effects on you. No binding decisions are made solely by automated means.

To exercise any of these rights, contact us at privacy@getsnowballpay.com. We will respond within 30 days (extendable to 60 days for complex requests, with notice to you). We may need to verify your identity before processing your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you can find your authority at edpb.europa.eu.

7.3 Rights for California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights:

• Right to Know: You have the right to know what categories of personal information we collect, the purposes for which we use it, and whether we sell or share it. This policy provides that information. You may also request the specific pieces of personal information we have collected about you in the past 12 months.
• Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions under California law.
• Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. There is nothing to opt out of.
• Right to Limit Use of Sensitive Personal Information: We collect financial data that may constitute “sensitive personal information” under the CPRA. We use this data solely to provide the debt planning features you request and for no secondary purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights. We will not deny you Service, charge you different prices, or provide a different quality of service because you exercised your privacy rights.

Categories of personal information collected in the past 12 months:

• Identifiers (name, email, IP address)
• Financial information (debt balances, interest rates, income, expenses)
• Internet or other electronic network activity information (usage logs)
• Sensitive personal information (financial account details entered by you)

To submit a verifiable consumer request, contact us at privacy@getsnowballpay.com. We will respond within 45 days (extendable to 90 days with notice). You may make a request on behalf of yourself or, if you are a parent or guardian, on behalf of your minor child.

SnowballPay is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 13 (or under 16 for EEA residents). If you believe a child has provided us with personal information without parental consent, please contact us and we will delete that information promptly.

Some browsers send “Do Not Track” (DNT) signals. Because we do not engage in cross-site tracking or behavioral advertising, there is no material difference in how the Service functions whether or not a DNT signal is received. We do not currently respond to DNT signals in a technically differentiated way.

The Service may contain links to external websites or resources. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any external sites you visit.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the “Last updated” date at the top of this page
• Notify you by email (to the address associated with your account) at least 14 days before the changes take effect
• For changes that materially affect how we process your financial data, we will ask for your renewed consent where required by law

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

For any privacy-related questions, requests, or concerns, please contact us: