Last updated: April 19, 2026
Effective date: April 19, 2026
Contents
1. Introduction
2. Information We Collect
3. How We Use Your Information
4. AI-Powered Features
5. How We Share Your Information
6. Financial Data Aggregation (Plaid)
7. Payment Processing (Stripe)
8. Data Security
9. Data Retention
10. Your Privacy Rights
11. Gramm-Leach-Bliley Act (GLBA)
12. Children’s Privacy
13. Cookies and Tracking Technologies
14. International Users
15. Changes to This Policy
16. Accessibility
17. Contact Us

Anvil Financial LLC, doing business as Anvil (“Anvil,” “we,” “us,” or “our”), operates the Anvil personal finance application and website at anvil-financial.com (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
By creating an account or using Anvil, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
Anvil is a personal finance dashboard and educational AI tool. We are not a financial institution, registered investment advisor, broker-dealer, or credit reporting agency.
When you choose to connect your bank accounts, we receive financial data through Plaid, Inc. (“Plaid”). This includes:
Important: Your bank login credentials are never transmitted to or stored on Anvil’s servers. Authentication is handled entirely by Plaid through their secure OAuth-based connection. See Section 6 for details.
For purposes of the California Consumer Privacy Act (CCPA) and similar state privacy laws, the categories of personal information we collect include: (A) Identifiers (name, email address, IP address); (B) Financial information (account balances, transaction history, debt balances, savings amounts); (C) Commercial information (subscription status, feature usage); (D) Internet or electronic network activity (pages visited, session data, interaction patterns); (E) Inferences drawn from the above (AI-generated financial insights based on your data). We do not collect sensitive personal information as defined under the CCPA, including Social Security numbers, precise geolocation, racial or ethnic origin, health data, sexual orientation, or biometric data.
If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not access your Google contacts, calendar, or other Google services.
We use your information for the following purposes:
| Purpose | Data Used |
|---|---|
| Provide the Service (dashboard, budgets, goals, tracking) | Account info, financial data, manual entries |
| Power AI assistant features (insights, analysis, suggestions) | Financial data, chat messages (see Section 4) |
| Process payments and manage subscriptions | Email, subscription status (Stripe handles payment details) |
| Authenticate your identity and secure your account | Email, password hash, CAPTCHA tokens |
| Send account-related communications | Email address |
| Improve and maintain the Service | Usage data, device info (anonymized/aggregated) |
| Comply with legal obligations | As required by applicable law |
We do not sell, rent, or share your personal information with marketers or any third party for their own marketing purposes. To the extent we maintain and use personal information in a deidentified or aggregated form, we will not attempt to reidentify the information, except for the purpose of determining whether our deidentification processes satisfy our legal obligations.
Anvil uses artificial intelligence to provide financial insights, analysis, and suggestions through our AI assistant feature. Here is how your data is handled:
Our AI assistant is powered by Anthropic’s Claude API. When you interact with the AI assistant, relevant context from your financial data and your messages are transmitted to Anthropic for processing.
Your financial data is not used to train AI models. Anthropic’s API does not use customer inputs or outputs to train their models. Your conversations with the AI assistant are not used to improve the underlying AI system. This reflects Anthropic’s API data usage policy as of the date of this Privacy Policy. We will update this section if Anthropic’s data practices change.
When you enable the optional Cinder Memory feature, our AI assistant may store summaries of your financial preferences, goals, and decisions from conversations. This feature is opt-in only — it is disabled by default and must be explicitly enabled in your Settings.
What Cinder Memory stores: General financial preferences (e.g., “prefers aggressive debt payoff”), goals (e.g., “saving for a house”), decisions made during conversations, and short summaries of past conversations. Cinder Memory does not store exact account numbers, balances, Social Security numbers, or other sensitive identifiers. Exact financial figures are always retrieved from your connected accounts in real time.
Your controls: You may view all stored memories, delete individual memories, delete all memories at once, export your memories as a file, or disable the feature entirely — all from Settings > Memory. You may also use Private Session mode for conversations you do not want remembered. Disabling the feature stops all future memory collection but does not automatically delete existing memories — use the “Forget everything” button for that.
AI-generated responses may contain inaccurate, incomplete, or misleading information due to the probabilistic nature of AI. The AI assistant is an educational tool and does not provide personalized financial, investment, tax, or legal advice. You must independently verify all AI outputs before making financial decisions. See our Terms of Service for complete disclaimers.
We share your information only with the following categories of service providers, and only to the extent necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting, authentication | All account and financial data (encrypted at rest, RLS enforced) |
| Plaid, Inc. | Bank account linking and transaction sync | Authentication tokens (your credentials never touch our servers) |
| Anthropic (Claude API) | AI assistant features | Chat messages, relevant financial context per query |
| Stripe | Payment processing | Email address, subscription status (card data handled by Stripe) |
| Vercel | Web hosting and CDN | Standard web request data (IP, user agent) |
| Upstash | Rate limiting | Anonymized request identifiers |
| Cloudflare (Turnstile) | CAPTCHA / bot protection | Browser interaction signals (no personal data) |
We may also disclose your information if required by law, subpoena, court order, or government request, or to protect the rights, safety, or property of Anvil, our users, or others.
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.
Anvil uses Plaid to securely connect to your financial institutions. When you link a bank account through Plaid:
Plaid is SOC 2 Type II and ISO 27001 certified, registered with the Consumer Financial Protection Bureau (CFPB), and handles GLBA compliance for data in transit. For more information, see Plaid’s Privacy Policy.
You can disconnect your linked accounts at any time through Settings. When you disconnect, we revoke the Plaid access token and stop receiving new data from that institution.
Subscription payments are processed by Stripe, Inc. Your credit card number, expiration date, and CVC are entered directly into Stripe’s PCI DSS Level 1 certified payment form and are never transmitted to or stored on Anvil’s servers.
We store only your Stripe customer ID and subscription status to manage your account tier. For more information, see Stripe’s Privacy Policy.
We implement industry-standard administrative, technical, and physical safeguards to protect your personal information:
Our infrastructure partners — Supabase, Plaid, Stripe, and Vercel — each maintain their own independent security certifications. While no system is 100% secure, we continuously monitor and improve our security practices.
In the event of a security breach affecting your personal information, we will notify you by email and through the Service within 72 hours of discovering the breach, or as otherwise required by applicable state law. The notification will describe the nature of the breach, the types of data affected, steps we are taking in response, and steps you can take to protect yourself. We will also notify applicable regulatory authorities as required by law.
If you discover a security vulnerability in our Service, please report it to security@anvil-financial.com. We follow RFC 9116 for security contact information.
We retain your data according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Account profile and settings | For the life of your account |
| Financial data (transactions, budgets, goals) | For the life of your account |
| AI conversation history | Current session only (not persisted server-side) |
| Data after account deletion | Plaid access tokens revoked immediately. All personal and financial data deleted within 30 days. Data required by law (e.g., billing records) may be retained up to 7 years. |
| Data after subscription expiration (no deletion request) | Up to 12 months, then purged |
| Anonymized analytics data | May be retained indefinitely in aggregate form |
Depending on your state of residence, you may have the following rights regarding your personal information:
If you are a resident of a state with comprehensive privacy legislation, you additionally have the right to:
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
To exercise any of these rights, you may: use the self-service tools in Settings (export, delete account, disconnect accounts), or email us at privacy@anvil-financial.com. We will verify your identity before processing any request and respond within 45 days (or as required by your state law).
If you are a California resident, you may designate an authorized agent to exercise your privacy rights on your behalf. The authorized agent must provide written authorization from you and verify their own identity. We may deny requests from agents that cannot verify authorization.
If we deny a privacy rights request, you may appeal by emailing privacy@anvil-financial.com with “Privacy Appeal” in the subject line. We will respond to appeals within 60 days. If the appeal is denied, we will provide information on how to contact your state attorney general.
California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
Florida residents may exercise the rights described above under the Florida Digital Bill of Rights (FDBR, Fla. Stat. §§ 501.701–501.721) and the Florida Information Protection Act (FIPA, Fla. Stat. § 501.171). In addition, you may request confirmation of whether we process your personal data, obtain a portable copy of such data, and appeal any denial of a privacy rights request to privacy@anvil-financial.com with the subject line “Florida Privacy Appeal.” If we deny your appeal, you may contact the Florida Attorney General at myfloridalegal.com. We do not sell personal data or use it for targeted advertising. We do not knowingly process the personal data of minors for profiling or targeted advertising.
We do not offer financial incentives (such as discounts, free months, or other rewards) in exchange for the collection, retention, or sharing of your personal information. If we introduce such a program in the future — for example, a referral program that rewards you for inviting friends — we will update this Privacy Policy to describe the program’s material terms, including how to participate, how to withdraw, and how the value of the personal information is calculated, as required by applicable state law.
As a service that receives consumer financial information through Plaid, we are subject to the Gramm-Leach-Bliley Act (GLBA). We protect your nonpublic personal information (NPI) through the administrative, technical, and physical safeguards described in Section 8.
We share your NPI only with the service providers listed in Section 5, and solely as necessary to operate the Service. These service providers are contractually required to protect your information and may not use it for their own purposes. We do not disclose your NPI to non-affiliated third parties for marketing or any purpose unrelated to providing the Service. Because we do not share your NPI beyond what is necessary to operate the Service, there are no optional sharing practices from which to opt out. If our sharing practices change in the future, we will update this policy and provide you with opt-out rights as required by law.
Anvil is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@anvil-financial.com.
We use the following cookies and similar technologies:
| Type | Purpose | Duration |
|---|---|---|
| Authentication cookies | Keep you signed in (Supabase auth tokens) | Session / up to 7 days |
| Preference cookies | Remember your settings (theme, sidebar state) | Persistent |
| CAPTCHA cookies | Bot protection via Cloudflare Turnstile | Session |
| localStorage | AI question counter, session state, onboarding progress | Persistent (local to your browser) |
We use PostHog for product analytics (tracks page views, feature usage, and interactions tied to your user ID — data stays in USA) and Sentry for error monitoring (captures JavaScript errors and server exceptions; may include browser context — data stays in USA). Both are listed as processors in Section 5. We do not use third-party advertising cookies or cross-site tracking pixels. Our Service does not respond to Do Not Track (DNT) browser signals. We do not track you across third-party websites.
Anvil is currently designed for use within the United States. Our servers and service providers are located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
If we expand to serve users in the European Economic Area (EEA) or United Kingdom, we will update this policy with GDPR-specific provisions including legal bases for processing, data protection officer contact information, and international transfer safeguards.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
Anvil is committed to making its Service accessible to users with disabilities. We strive to conform to the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA and continuously test and improve the Service to meet that standard. If you experience an accessibility barrier or need an alternative format for any content in this Privacy Policy or the Terms of Service, please contact us at privacy@anvil-financial.com and we will respond within five (5) business days.
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how your data is handled, contact us at:
Anvil — Privacy Inquiries
Email: privacy@anvil-financial.com