Privacy Policy

Version 1.3 — Last updated: March 14, 2026

This Privacy Policy describes how BAGHOLDER ("we," "us," or "our") collects, uses, and protects your information when you use our mobile application.

---

Information Stored on Your Device

BAGHOLDER stores the following data locally on your device using encrypted storage (iOS Keychain / Android Keystore for secrets, an encrypted local database for structured data):

• Your bags and token allocations
• Round-up ledger (per-bag spare change tracking)
• DCA schedules
• Purchase history and pending orders
• Portfolio snapshots
• Monthly activity summaries
• Diagnostic logs
• State of residence
• Date of birth verification status
• Wallet address
• Bank account connection ID
• App settings and preferences
• Disclosure and terms acceptance records

This data is NOT transmitted to our servers and remains exclusively on your device.

---

Information Stored on Our Server

Our server stores the following data in a secured database:

• Payment profile (wallet address, payment method type, transaction volume)
• Payment charge records (payment reference ID, charge amount, fee amount, wallet address, status, timestamp)
• Gas funding records (wallet address, transaction hash, gas amount, timestamp)
• Fee sweep records (chain, amount, transaction hash, timestamp)
• Anonymized usage events (e.g., app opens, feature usage, purchase outcomes) for service improvement. Events are associated with your wallet address only and are automatically deleted after 1 year.
• Shared bag configurations (token allocations only, no personal data) if you choose to share a bag via the sharing feature. Unused shared bags are automatically deleted after 1 year.

These records are necessary for payment processing, service improvement, and feature functionality. They do not include your name, email, phone number, or any personally identifiable information (PII).

---

Information We Do NOT Collect

BAGHOLDER does not collect or store on any server:

• Private keys or wallet seed phrases
• Your name, email address, or phone number
• Biometric data (device authentication returns a boolean only)
• Bank account credentials or login information
• Social Security numbers or government IDs
• Location data or IP addresses

---

Third-Party Services

BAGHOLDER integrates with third-party services that process your data under their own privacy policies:

Stripe Financial Connections (bank account linking)

Stripe Financial Connections accesses your bank transaction data (read-only) to calculate round-ups. Stripe may access your bank account information and transaction history. We receive only transaction amounts and merchant names — we do not receive your account numbers or login credentials.
See: stripe.com/privacy

Coinbase (payments and market data)

Coinbase processes USD-to-USDC conversion via their hosted onramp and provides public price chart data. Coinbase may collect payment information and identity data under their own privacy policy. We receive only confirmation of successful USDC delivery. No user data is shared for market data requests.
See: coinbase.com/legal/privacy

Privy (wallet creation)

Privy creates and manages your non-custodial embedded wallet using advanced cryptographic techniques. Privy may collect your email address or social login credentials for authentication. We do not receive or store these credentials.
See: privy.io/privacy

Firebase (crash reporting)

We use Firebase Crashlytics for crash reporting. Crash reports may include device model and OS version but no PII.
See: firebase.google.com/support/privacy

Blockchain infrastructure providers (RPC)

Third-party providers relay blockchain data between your wallet and the network. They may see your wallet address in transaction requests. No personal data is shared beyond the wallet address.

CoinGecko (market data)

We fetch public cryptocurrency market data from CoinGecko. No user data is shared with CoinGecko.

---

Data Retention

• Local data: stored until you delete your account or uninstall the app.
• Server payment records, gas funding records, and fee sweep records: retained for 7 years for tax and accounting purposes.
• Payment profiles: retained while your wallet is active.
• Anonymized usage events: retained for 1 year, then automatically deleted.
• Shared bag configurations: automatically deleted after 1 year of inactivity.
• Bank connections: automatically disconnected after 30 days of inactivity to protect your privacy and reduce unnecessary data access.

---

Your Rights

You have the right to:

• Export your data at any time from Settings.
• Delete all local data by using the Delete Account feature in Settings. Upon deletion, all local data is permanently erased, bank connection is disconnected, and your wallet session is disconnected.
• View your transaction history and monthly summaries at any time within the app.
• Request deletion of server-stored data by contacting us at [email protected].

---

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to know what personal information we collect and how it is used.
• Right to delete your personal information.
• Right to opt out of the sale of your personal information. We do NOT sell your personal information.
• Right to non-discrimination for exercising your rights.
• Right to correct inaccurate personal information.
• Right to limit use of sensitive personal information. We do not collect sensitive personal information.

To exercise these rights, contact us at [email protected].

---

Geographic Availability

BAGHOLDER is available in 46 U.S. states and the District of Columbia. BAGHOLDER is not available in New York, Connecticut, Louisiana, or Vermont due to state-specific regulatory requirements.

---

Children's Privacy

BAGHOLDER is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information.

---

Security

We use industry-standard security measures to protect your data, including:

• Encrypted local storage (iOS Keychain / Android Keystore)
• HTTPS for all server communication
• Advanced cryptographic key management via our wallet provider
• API keys stored server-side only, never on your device

No system is 100% secure. You are responsible for securing access to your device.

---

Changes to This Policy

We may update this privacy policy from time to time. The current version is always available in the app under Settings. If we make material changes, you will be asked to review and accept the updated policy.

---

Contact Us

If you have questions about this privacy policy, contact us at:
[email protected]
getbagholder.com