Privacy Policy
Last updated: May 30, 2026
This Privacy Policy explains how Hallows Group LLC ("WorthSync," "we," "us," or "our") collects, uses, discloses, and safeguards your information when you visit worthsync.com, use the WorthSync application at app.worthsync.com, or use our iOS and Android apps (together, the "Services"). WorthSync is a personal net-worth tracking tool. Because the Services handle financial information, we treat that data as sensitive and apply heightened protections.
1. Who we are (data controller)
Hallows Group LLC is the controller responsible for your personal data. For any privacy question or to exercise your rights, contact us at support@worthsync.com or by mail at [Hallows Group LLC registered mailing address].
2. Information we collect
Information you provide
- Account & identity data — name and email address, managed through our authentication provider (Clerk) when you create an account.
- Financial data you enter — institutions, accounts, balances, dated snapshots, debts and liabilities, categories, goals, and planning inputs (for example, retirement and FIRE assumptions). This is sensitive financial information and is the core of the Services.
- Household data — when you create or join a household, your membership, role, invitations, and the account visibility settings you choose (private, shared read-only, or shared full access).
- Billing data — subscription and payment information processed by Stripe. We do not store full card numbers; Stripe handles payment details directly.
- Communications — messages you send to support and your email and notification preferences.
Information collected automatically
- Technical & device data — IP address, browser/device type, and similar data needed to deliver and secure the Services.
- Cookies — see our Cookie Policy. We currently use only essential/functional cookies (for example, your theme preference) and do not run third-party advertising or analytics trackers.
- Push tokens — if you enable notifications in our mobile apps, we collect a device push token (via Firebase Cloud Messaging) so we can deliver reminders and recaps.
Children. The Services are not directed to children. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, contact support@worthsync.com and we will delete it.
3. How we use your information
- Provide, maintain, and secure the Services and your account.
- Calculate net-worth views, analytics, goals, and planning projections from the data you enter.
- Enable household sharing according to the visibility settings you select.
- Process subscriptions, payments, and billing through Stripe.
- Send service messages, snapshot reminders, household invitations, and (for eligible plans) the monthly recap email.
- Respond to support requests and detect, prevent, and address fraud, abuse, or security issues.
- Comply with legal obligations and enforce our Terms of Service.
4. Legal bases for processing (EEA/UK)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract — to provide the Services you sign up for, including storing and analyzing the data you enter and processing your subscription.
- Legitimate interests — to secure the Services, prevent fraud, and communicate about your account, balanced against your rights.
- Consent — for optional communications and any non-essential cookies; you can withdraw consent at any time.
- Legal obligation — to meet tax, accounting, and other legal requirements.
5. How we share information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose data only to:
- Service providers (sub-processors) who process data on our behalf under contract — see the list in Section 6.
- Other household members, but only for accounts you have explicitly set to a shared visibility level.
- Legal & safety — where required by law, to respond to lawful requests, or to protect the rights, safety, and property of WorthSync, our users, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy.
6. Sub-processors
We use the following providers to operate the Services:
| Provider | Purpose |
|---|---|
| Clerk | Authentication and account/identity management |
| Stripe | Subscription billing and payment processing |
| Supabase (PostgreSQL) | Primary encrypted database hosting your data |
| Vercel | Application hosting (app.worthsync.com) |
| Cloudflare | Marketing site hosting and content delivery (worthsync.com) |
| Resend | Transactional and recap email delivery |
| Firebase Cloud Messaging (Google) | Mobile push notifications |
| Apple / Google | App distribution for the iOS and Android apps |
We sign data processing agreements with our sub-processors and require them to protect your data consistent with this Policy.
7. International data transfers
We are based in the United States and our providers may process data in the U.S. and other countries. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or an applicable adequacy decision. Contact us for more information about these safeguards.
8. Data retention
We keep your personal data for as long as your account is active and as needed to provide the Services. When you delete your account, we delete or de-identify your personal and financial data within [30–90 days], except where we must retain limited records to meet legal, tax, accounting, or fraud-prevention obligations. Backups are purged on a rolling schedule.
9. Your rights and choices
Depending on where you live, you may have the right to:
- Access a copy of your personal data and learn how we use it.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Export your data in a portable, machine-readable format.
- Restrict or object to certain processing, and withdraw consent.
- For California residents (CCPA/CPRA): know, delete, correct, and limit use of sensitive personal information, and not be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under California law.
To exercise any right, email support@worthsync.com. We will verify your request and respond within the time required by applicable law (generally 30 days under GDPR/UK GDPR; 45 days under CCPA/CPRA, each extendable where permitted). You may also lodge a complaint with your local data protection authority.
10. Security
We use technical and organizational measures to protect your data, including encryption in transit, encryption of the database volume at rest, field-level encryption of sensitive financial values, and database-enforced access controls (Row-Level Security). No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
11. Changes to this Policy
We may update this Policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes, provide additional notice.
12. Contact us
Hallows Group LLC — support@worthsync.com — [registered mailing address].