Privacy Policy

Cerebral Wealth Inc. · Last updated: May 1, 2026 · Effective: May 1, 2026

    The short version: Cerebral connects to your bank accounts with read-only access to show you a clear picture of your finances. We never move your money, never sell your data, and never share your financial information with advertisers. This policy explains exactly what we collect, why, and how you can control it.
  

1. Who We Are

Cerebral Wealth Inc. ("Cerebral," "we," "us," or "our") is a Canadian company that provides an AI-powered financial awareness platform. Our registered address is in Canada. For privacy inquiries, contact us at contact@cerebralwealth.app.

This Privacy Policy applies to our mobile application, web application, and website at cerebralwealth.app (collectively, the "Service").

2. Information We Collect

Information you provide directly

Account information: Your name and email address when you create an account.
Financial goals and preferences: Your stated financial goals, interests, and preferences during onboarding.
Communications: Messages you send to our AI assistant or support team.

Financial information collected through Plaid

When you connect your bank accounts, we use Plaid, an open banking provider, to securely retrieve:

Account balances and account names
Transaction history (descriptions, amounts, dates, categories)
Institution names and account types

This access is read-only. Cerebral cannot initiate transfers, make payments, or move money in any way. Your banking credentials are never stored by Cerebral — they are handled entirely by Plaid under their own security standards.

Cross-border data transfer: Plaid is a U.S.-based company, so the financial data Plaid retrieves on our behalf is processed and stored in the United States. By connecting your bank accounts through Cerebral, you consent to this cross-border transfer of your financial information. U.S. privacy laws may differ from Canadian law and U.S. authorities may, in limited circumstances, be able to access information held by U.S. service providers. See Plaid's End User Privacy Policy for details.

Information collected automatically

Usage data: Features you use, screens you view, actions you take within the app.
Device information: Device type, operating system, and app version.
Log data: Error logs and performance data to help us fix bugs and improve reliability.
Push notification token: If you enable push notifications, we store a device token to send you alerts.

Location information

We may ask for your general location (city or region) during onboarding to surface relevant financial insights (e.g., TFSA contribution room, local HYSA rates). We do not track your real-time or precise GPS location.

3. How We Use Your Information

Provide the Service: Display your accounts, balances, transactions, and net worth.
Generate AI insights: Analyze your spending patterns and surface personalized financial observations.
Power the AI assistant: Your financial data is included in prompts sent to OpenAI's API so the assistant can answer questions about your specific finances. See Section 5 for details.
Send notifications: Push and email alerts about spending changes, new insights, or account activity (only if you opt in).
Process payments: Manage your subscription through Stripe.
Improve the Service: Analyze aggregated, de-identified usage patterns to improve features.
Legal compliance: Comply with applicable Canadian laws and regulations.

    We do not: sell your data to third parties, share your financial information with advertisers, use your data to make automated decisions that have legal or similarly significant effects on you, or build advertising profiles.
  

4. Legal Basis for Processing

We process your personal information on the following grounds under applicable Canadian privacy law (PIPEDA and provincial equivalents):

Consent: You consent to data collection when you create an account and connect your bank accounts.
Contractual necessity: Processing required to provide the Service you signed up for.
Legitimate interests: Improving our Service, preventing fraud, and maintaining security — where these interests don't override your privacy rights.
Legal obligation: Where required by Canadian law.

5. Third-Party Service Providers

We share limited data with trusted providers who help us deliver the Service. All providers are bound by data processing agreements.

Plaid (Open Banking)

Used to connect to your bank accounts with read-only access. Plaid handles your banking credentials and retrieves account and transaction data on our behalf. Plaid is a U.S.-based company; financial data retrieved through Plaid is processed and stored in the United States and is therefore subject to U.S. law. Plaid maintains SOC 2 Type II, ISO 27001, and ISO 27701 certifications. Plaid End User Privacy Policy →

OpenAI

Your financial data (account balances, transaction summaries, goals) is included in prompts sent to OpenAI's API to power the AI assistant and generate insights. OpenAI may process this data on servers outside Canada. We do not send your name, email, or banking credentials to OpenAI — only anonymized financial context. OpenAI Privacy Policy →

Stripe

Used to process subscription payments. Stripe collects and stores your payment card details — Cerebral never sees or stores your full card number. Stripe Privacy Policy →

Resend

Used to send transactional emails (waitlist confirmations, account notifications). Your email address is shared with Resend for this purpose only. Resend Privacy Policy →

PostHog

Used for product analytics — understanding how users interact with the app so we can improve it. Data is de-identified and aggregated. PostHog Privacy Policy →

Railway & Vercel

Our backend runs on Railway and our web app is hosted on Vercel. Your data is stored on servers within these platforms. We configure these services to encrypt data at rest and in transit.

6. Data Storage and Security

Your data is stored on servers in Canada and the United States. We implement the following security measures:

AES-256-GCM encryption for sensitive personal data at rest
TLS 1.2+ encryption for all data in transit
Access controls limiting which team members can access production data
Regular dependency updates and vulnerability monitoring

No method of electronic storage or transmission is 100% secure. While we use commercially reasonable measures, we cannot guarantee absolute security.

7. Data Retention

Account data: Retained while your account is active and for 90 days after deletion, then permanently deleted.
Financial data: Transaction and account data is deleted within 30 days of account deletion.
Anonymized analytics: May be retained indefinitely in aggregated, de-identified form.
Legal holds: We may retain data longer if required by law or to resolve disputes.

8. Your Rights

Under PIPEDA and applicable provincial privacy laws (including Quebec's Law 25), you have the right to:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate information.
Deletion: Request deletion of your account and personal data.
Portability: Request your data in a portable format (Quebec residents: this right applies under Law 25).
Withdraw consent: Withdraw consent at any time by deleting your account or contacting us. Note that withdrawing consent may prevent us from providing the Service.
Complaint: File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with Quebec's Commission d'accès à l'information if you are a Quebec resident.

To exercise any of these rights, email us at contact@cerebralwealth.app. We will respond within 30 days.

9. Children's Privacy

Cerebral is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.

10. International Data Transfers

Some of our service providers (including OpenAI and Stripe) process data in the United States. By using Cerebral, you consent to your information being transferred to and processed in the United States, where privacy laws may differ from those in Canada. We ensure appropriate safeguards are in place through contractual agreements with these providers.

11. Data Breach Notification

In the event of a breach involving your personal information that poses a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA. Quebec residents will also be notified in accordance with Law 25 requirements.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the app at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For any privacy questions, requests, or concerns:

Email: contact@cerebralwealth.app
Privacy Officer: Cerebral Wealth Inc.
Website: cerebralwealth.app

We are committed to resolving privacy concerns promptly and transparently.