Privacy Policy.
Version 3.1 · Effective Date: May 27, 2026 · Last Updated: June 25, 2026
This policy lays out, in plain English first and full legal detail below, exactly what CostMe collects, why, who can see it, and how to see, export, or delete any of it.
Plain-English summary
The short version.
CostMe is built to be honest about what it collects and why. Here is the full list, in plain English:
- What you type into the app - prices, categories, vault decisions, chat messages with Amy. We store these so the app works.
- How you use the app - anonymized session patterns, decision velocity, time-of-day buckets. We use these to make Amy more helpful and to find product bugs.
- Your account - email, encrypted password or Apple ID, subscription tier. Standard stuff.
We do not sell your individual data or personal information. We do not run advertising trackers. We never share your name, email, conversations with Amy, item names, merchant names, or your money amounts with anyone other than the service providers strictly required to run CostMe - a large language model provider generates Amy's replies, an encrypted database service stores your account and chat data, a cloud hosting provider runs the app, and Apple/Stripe handle billing. Your data is stored on our servers, and your Amy messages are processed by a third-party LLM; CostMe is not a “stays only on your device” app. For the full list of providers, see our sub-processors page and Section 14.
We may license anonymized aggregate data (bucketed, hashed, and de-identified) - e.g., “users in the 25-34 age bracket resisted 38% of $100+ impulses in Q2” - for academic behavioral-economics research, partner trend reports, and the public Impulse Index. Aggregate data is de-identified to the point that it cannot reasonably be linked back to you. You can opt out from Settings → Data Sharing at any time. See §15.
You can see, export, and delete everything we hold from the in-app Settings. The detail below explains the exact technical mechanics for users, regulators, and lawyers who need them.
1. Introduction
This Privacy Policy (“Policy”) describes how CostMe (the “Service,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information when you access or use the CostMe mobile application, this website, the progressive web app (“PWA”), and any related services or features (collectively, the “Service”). By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy.
This Policy applies to information collected through the Service and does not apply to information collected by third parties through other applications, websites, or services that may be linked to or from the Service.
2. Information We Collect
We collect the following categories of information:
2.1 Information You Provide
Account credentials (email, hashed password, Apple ID opaque token); profile inputs (age band, income band, country); financial inputs (prices, categories, vault decisions, savings activity); chat messages and uploaded documents submitted to Amy; profile probe responses (Section 4); referral codes; support correspondence.
2.2 Automatically Collected Information
Device identifiers (Apple IDFV; we do not use IDFA), operating system version, app version, session timestamps, screen views, feature engagement counts, error codes, and aggregated behavioral signals derived from your interaction patterns (Section 4).
2.3 Information From Third Parties
Sign-in identity from Apple (when you use Sign in with Apple, we receive the opaque user ID and, if you elect to share it, your email); subscription status from Apple StoreKit and, on the PWA, our web payment processor; crash diagnostic data from our crash-reporting provider (Section 9); and, if you enable push notifications, a device push token from Apple Push Notification service (iOS) or Google Firebase Cloud Messaging (Android and PWA) (Section 10A).
3. Amy (AI Assistant) Data Path
What is collected.
When you send a message to Amy, the message text and any attached document (e.g., a bank statement or receipt you choose to upload) are transmitted to our backend infrastructure and forwarded to our large-language-model (“LLM”) provider for the sole purpose of generating a response. Amy supports any natural language the underlying LLM supports; we do not restrict input language.
Why.
To generate Amy's responses; to maintain conversational context within a session; to enable the memory retrieval features described in Section 5.
Who has access.
(a) Our LLM inference provider - generates responses from your prompts and attachments. Bound by a data processing addendum that prohibits the provider from using your prompts, attachments, or generated responses to train their underlying models. (b) Our cloud hosting provider - hosts the backend that proxies messages. (c) Our database provider - stores chat history. No other party. Specific vendor identities are available on request to support@costme.io for users who need them for GDPR Article 13 / CCPA disclosures.
Retention.
You can delete any individual conversation (Settings → Amy → Delete Conversation), any uploaded document, or your entire account at any time, and doing so removes that content from your account and from the Service you see. We also keep our own server-side copy of chat content to operate, secure, and improve the Service - and we may retain that copy indefinitely, including after you delete a conversation or close your account, except where the law requires us to erase it. Where you exercise a verifiable right to erasure under GDPR or CCPA, we action it within thirty (30) days, subject to the legal exceptions described in “Your rights” below.
Your controls.
You can avoid all LLM processing by not using Amy. The rest of the Service (calculator, vault, insights, manual entry, badges) functions without sending any data to our LLM provider. You can delete individual conversations or your full chat history at any time.
AI accuracy disclaimer.
Amy's responses are generated by an AI system and may be inaccurate, incomplete, or out of date (“hallucinations”). Amy is not a substitute for professional financial, medical, tax, legal, insurance, or investment advice. See the CostMe Terms of Service for full AI-limitations disclosure.
4. Behavioral Profile & Profile Probe
What is collected.
CostMe builds a behavioral profile derived from how you interact with the app: response style signals (e.g., terse vs. expansive), timing patterns (time-of-day and day-of-week buckets you tend to open the app), decision velocity (how long you typically spend on a vault decision), and category-level engagement. All signals are stored as bucketed, categorical values - not raw timestamps, not raw keystroke streams.
The profile probe is a library of up to fifteen (15) optional questions that you may answer in-app (e.g., “what triggers your impulse spending?”). Your answers are stored on our backend and used as additional context for Amy.
Why.
To let Amy adapt her communication style, surface the right research at the right time, and personalize nudges. To improve the product over time.
Who has access.
CostMe engineering (operations only); our LLM provider receives a derived prompt context (bucketed labels only - never raw data, never PII) when generating Amy responses.
Retention.
Stored for the life of your account; deleted within thirty (30) days of account deletion.
Your controls.
The profile is user-viewable and user-editable from Settings → Behavioral Profile. You may edit any bucket, decline to answer any probe question, or reset the profile entirely. You may also disable behavioral profiling (the app will fall back to a generic Amy without personalization).
5. Memory Retrieval (RAG) & Embeddings
What is collected.
To let Amy remember context from previous conversations, we generate vector embeddings of selected past messages and store them in a server-side vector database. When you send a new message, we run a similarity search to retrieve relevant prior context and include that context in the prompt sent to the LLM. This is known as retrieval-augmented generation (RAG).
Why.
So Amy can recall what you told her last week without you having to repeat yourself.
Who has access.
Stored server-side by our database provider. Embeddings are scoped to your account and never shared cross-user. Retrieved context is passed to our LLM provider as part of the generation prompt (under the same data processing addendum cited in Section 3).
Retention.
Embeddings are deleted when the underlying message is deleted, when you clear Amy's memory (Settings → Amy → Clear Memory), or when you delete your account.
Your controls.
Clear individual memories or all memories at any time. Memory retrieval can be disabled entirely; Amy will then operate session-only.
6. Research Library Access Logs
What is collected.
CostMe ships an in-app research library of approximately one hundred (100) peer-reviewed behavioral-finance studies. When you open a study or when Amy cites a study, we log the study identifier, timestamp (bucketed), and the subscription tier on which access occurred.
Why.
To enforce tier gating; to understand which studies are most useful so we can prioritize editorial updates.
Who has access.
CostMe engineering, internal only.
Retention.
Aggregated indefinitely (no identifying information retained); per-user logs purged within ninety (90) days.
Your controls.
Reading studies does not trigger any external transmission. Logs are part of standard usage data.
7. Country & Locale Inference
What is collected.
Your device locale (e.g., en-US, fr-CA) and country code, read from the operating system. We use these to infer the appropriate currency symbol, decimal separator, tax-agency context for Amy (e.g., IRS vs. CRA vs. HMRC), and crisis-resource hotline (Section 8 of Terms).
Why.
So Amy speaks the right currency and references the right agencies and emergency lines for your jurisdiction.
Who has access.
The locale string is sent to the LLM as part of the system prompt. We do not collect or infer your precise location (no GPS, no IP geolocation beyond country-level).
Retention.
Refreshed on each launch; no separate persistence.
Your controls.
Change your device locale in iOS Settings to change CostMe's behavior.
8. Safety Classifier
What is collected.
Messages you send to Amy are passed through an in-house safety classifier that scores them for crisis signals (e.g., expressions of self-harm intent, severe financial distress). The classifier outputs a bucketed risk label (e.g., none, elevated, crisis). Raw message content is not exposed to any third-party safety service.
Why.
To surface appropriate crisis resources (988, Samaritans, Lifeline, IASP - see Terms § Crisis & Safety), to refuse harmful requests, and to log aggregate trend data to improve safety responses.
Who has access.
Classifier runs server-side on our infrastructure. Bucketed labels (never raw content) are written to our internal metrics store. No safety data is shared with third parties other than the LLM provider that already processes the message under Section 3.
Retention.
Bucketed risk labels retained for up to thirteen (13) months for safety trend analysis; deleted with your account.
Your controls.
The safety classifier cannot be disabled (it is a core safety feature). If you prefer that Amy not analyze your messages at all, do not use Amy.
9. Crash & Error Reporting
What is collected.
When the app crashes or encounters an unhandled error, a diagnostic report is sent to our crash-reporting provider. Before upload, the report is PII-stripped client-side: the user identifier, request body, server-name, device name, and locale-specific identifiers are redacted or replaced with opaque hashes. The report retains the stack trace, OS version, app version, and a deterministic crash fingerprint.
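The client-side stripping step described above, as an added example and not CostMe's own code: the report field names, the allow-list approach, the salted SHA-256 pseudonymisation and the fingerprint rule (symbol plus offset, absolute addresses dropped) are all assumptions made for the illustration, and the two reports are constructed sample data.

```python
import hashlib
import json
import re

# Allow-list of what survives upload. Anything not listed here (request body,
# free-text notes, whatever the client later adds) is dropped, so a new field
# cannot leak by default. Key names are assumptions for this example.
KEEP_FIELDS = ("stack_trace", "os_version", "app_version")
HASH_FIELDS = ("user_id", "server_name", "device_name", "locale_id")


def opaque_hash(value: str, salt: bytes) -> str:
    """Salted, truncated SHA-256: engineers can tell 'same install crashed
    again' without the raw identifier ever leaving the device."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:16]


def crash_fingerprint(stack_trace: list[str], app_version: str) -> str:
    """Deterministic fingerprint: same crash site in the same build gives the
    same id for every user. Absolute addresses vary per process (ASLR), so
    only the symbol + offset part of each frame is kept."""
    frames = [re.sub(r"\s*\(0x[0-9a-fA-F]+\)", "", f) for f in stack_trace]
    material = "\n".join(frames) + "|" + app_version
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:12]


def strip_pii(report: dict, salt: bytes) -> dict:
    """Build the upload payload: keep diagnostics, hash identifiers, drop the rest."""
    out = {k: report[k] for k in KEEP_FIELDS if k in report}
    for k in HASH_FIELDS:
        if k in report:
            out[k] = opaque_hash(str(report[k]), salt)
    out["fingerprint"] = crash_fingerprint(
        report.get("stack_trace", []), report.get("app_version", ""))
    return out


def leaks_raw(sanitized: dict, original: dict) -> bool:
    """Pre-upload self-check: no hashed or dropped raw value may appear anywhere
    in the serialized payload (including inside kept fields)."""
    blob = json.dumps(sanitized)
    sensitive = [str(original[k]) for k in HASH_FIELDS + ("request_body",)
                 if k in original]
    return any(v in blob for v in sensitive)


# Constructed sample reports: two different users hitting the same crash site
# in the same build, with different ASLR addresses and an unlisted free-text field.
SAMPLE_REPORT = {
    "user_id": "usr_8f3a",
    "device_name": "Alice's iPhone",
    "server_name": "api-ca-1.example.invalid",
    "locale_id": "en-CA",
    "request_body": '{"message": "should I buy the $400 jacket?"}',
    "user_notes": "typed while on the vault screen",
    "os_version": "iOS 19.1",
    "app_version": "3.1.0",
    "stack_trace": ["VaultDecisionView.commit + 0x1a4 (0x104c2f3a4)",
                    "UIKitCore + 0x9f (0x1b3d009f)"],
}
SECOND_REPORT = {
    "user_id": "usr_c0de",
    "device_name": "Bob's iPhone",
    "server_name": "api-ca-2.example.invalid",
    "locale_id": "fr-CA",
    "request_body": '{"message": "bonjour"}',
    "os_version": "iOS 19.0",
    "app_version": "3.1.0",
    "stack_trace": ["VaultDecisionView.commit + 0x1a4 (0x10200f3a4)",
                    "UIKitCore + 0x9f (0x1b3f129f)"],
}

if __name__ == "__main__":
    a = strip_pii(SAMPLE_REPORT, b"per-install-salt-a")
    b = strip_pii(SECOND_REPORT, b"per-install-salt-b")
    print(json.dumps(a, indent=2))
    print("same fingerprint:", a["fingerprint"] == b["fingerprint"])
    print("leaks raw values:", leaks_raw(a, SAMPLE_REPORT))
```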
Why.
To find and fix bugs.
Who has access.
CostMe engineering and our crash-reporting provider, bound by that provider's published data processing terms.
Retention.
Ninety (90) days, then purged from the provider.
Your controls.
Crash reporting can be disabled in Settings → Privacy → Crash Reports (default: on).
10. Product Analytics
What is collected.
A first-party event stream records aggregate behavioral signals - screen views, feature engagement, vault decisions, paywall interactions, retention markers. Events are written using bucketing and de-identification techniques so individual users cannot be identified from the data. No item names, merchant strings, or raw amounts are stored - only categorical labels and bucketed bands.
Why.
To measure product health, find drop-off points, and decide what to build next.
Who has access.
CostMe engineering and product team. No third-party analytics data is collected or transmitted. The product analytics layer is first-party only; any third-party integration would require updating this policy before activation.
Retention.
Aggregated indefinitely; per-event detail purged after thirteen (13) months.
Your controls.
Analytics can be disabled in Settings → Privacy → Analytics (default: on). Existing aggregate counters are not unwound, but no new events will be recorded for your session.
10A. Push Notifications
What is collected.
If you enable push notifications, your device generates a push token, an anonymous identifier assigned by your operating system. On iOS, the token is issued by Apple Push Notification service (APNs). On Android and the PWA, the token is issued by Google Firebase Cloud Messaging (“FCM”). We store the token server-side to deliver alerts to your device.
What we send.
Push notifications are used only for factual, user-requested alerts: upcoming subscription renewal reminders (for example, “Your monthly subscription renews in 4 days”) and account security alerts. We never send engagement nudges, streak warnings, promotional offers, or pattern-shift notifications via push.
Who has access.
The notification payload and your device push token are transmitted to Apple APNs (iOS) or Google Firebase Cloud Messaging (Android and PWA) as required to route the notification to your device. Google's handling of FCM data is governed by Google's Privacy Policy.
Data location.
Push tokens are processed on Google's global infrastructure (FCM) and Apple's infrastructure (APNs). CostMe does not retain push tokens beyond the period needed to deliver notifications. Google manages FCM token retention per their own privacy policy.
Legal basis.
Legitimate interest for subscription renewal reminders; user request for security alerts. Push notifications require explicit opt-in consent from your device operating system before any token is generated or shared.
Your controls.
Push notifications are off by default. Enable or disable them at any time from your device notification settings. Disabling notifications removes our ability to deliver push alerts; it does not affect any other part of the Service.
11. Billing & Subscription Data
What is collected.
On iOS, subscription purchases are processed through Apple StoreKit; CostMe receives the subscription identifier, transaction status, expiry date, and tier (Jade / Opal / Flint). On the PWA (when shipped), purchases are processed through Stripe; CostMe receives the Stripe customer ID, subscription ID, status, and tier. We do not store full card numbers, CVVs, or banking credentials - those are held by Apple or Stripe.
Why.
To activate premium features and honor your subscription tier across devices.
Who has access.
Apple Inc. (iOS purchases); Stripe Inc. (PWA purchases); CostMe engineering for entitlement validation.
Retention.
Retained for the life of the subscription plus the retention period required by tax and accounting law (up to seven (7) years).
Your controls.
Cancel or manage your subscription through the App Store (iOS) or the Stripe customer portal (PWA). See the Terms of Service for refund policy.
12. Couples Mode (V1.6+, Opt-In)
What is collected.
In V1.6 and later, an optional Couples mode allows two consenting accounts to share selected financial context (e.g., shared vault decisions, joint savings goals). Sharing is opt-in by both parties; each user must independently accept a pairing invitation.
Why.
So partners can coordinate on shared spending decisions.
Who has access.
You and your paired partner. CostMe engineering for operations.
Retention.
Shared data is retained for the life of the pairing. Either party may dissolve the pairing at any time, after which the shared dataset is split: each party retains a copy of the data they personally contributed.
Your controls.
Couples mode is off by default. You can dissolve the pairing, revoke specific permissions, or pause sharing from Settings → Couples.
13. How We Use Information
We use information to (a) provide, maintain, operate, and improve the Service; (b) personalize Amy and in-app content; (c) communicate with you (service notices, security alerts, opt-in marketing); (d) process transactions and manage subscriptions; (e) detect, investigate, and prevent fraud, abuse, and crisis situations; (f) comply with law; and (g) for any other purpose disclosed at collection.
We do not use your personal information to train our own AI models, and we do not permit our LLM provider to do so under the Data Processing Addendum cited in Section 3.
14. Sharing of Information
14.1 Service Providers.
We share information only with the categories of providers strictly necessary to run the Service: our AI inference provider (Amy responses), cloud hosting provider (backend), database provider (account, chat history, memory), payment processors (in-app and web billing), crash-reporting provider (debug telemetry), and push notification delivery providers (Apple Push Notification service for iOS; Google Firebase Cloud Messaging for Android and PWA) when you enable push alerts. Each is bound by its published data-processing terms. The current list of sub-processors is published on our sub-processors page for users who require it for GDPR Article 13 / CCPA disclosures, and is also available on request to support@costme.io.
14.2 Legal Requirements.
We may disclose information where required by law or to protect rights, safety, or the integrity of the Service.
14.3 Business Transfers.
In a merger, acquisition, reorganization, or asset sale, information may transfer as part of the transaction, subject to this Policy.
14.4 With Your Consent.
We share information you direct us to share (e.g., Couples mode pairing).
14.5 What We Never Share or Sell.
We never share, sell, license, or otherwise transfer:
- Your name, email, phone number, or any identifier that could be tied back to you
- Your individual purchase amounts, item names, or merchant strings
- Your individual conversations with Amy or memory embeddings
- Anything that could reasonably identify you personally
We do not engage in cross-context behavioral advertising. We do not load third-party ad pixels, marketing-attribution SDKs, or data-broker integrations. We do not sell “personal information” as defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140) or analogous statutes - see Section 18.2 for the CCPA-specific treatment.
14.6 What We May Share or License (Anonymized Aggregate Data).
We may share or license anonymized aggregate data with:
- Academic researchers studying behavioral economics, household finance, or impulse-control interventions
- Partner brands, retailers, and financial institutions in the form of aggregate trend reports (e.g., “users in the 25-34 age bracket resisted 38% of $100+ impulses in Q2”)
- The press, marketing, and the public CostMe Impulse Index - aggregate statistics about how CostMe's user base behaves in aggregate
“Aggregate” means all of the following apply before any data leaves CostMe:
- Bucketed - amount brackets, age bands, time-of-day windows; never exact dollar figures, exact ages, or precise timestamps
- Hashed - no reversible user identifiers are included
- Cohort suppression - no row, bucket, or statistic represents an individually identifiable user; small cohorts are suppressed
- Time-truncated - to the hour or day, never the second; long-tail timestamps are stripped
Once data has been processed through these steps it is irreversibly de-identified and no longer constitutes “personal information” under CCPA, “personal data” under GDPR Art. 4(1) and Recital 26 (which excludes truly anonymous information from scope), or equivalent definitions elsewhere. We treat de-identified data as outside the rights described in Section 17, but we will not attempt to re-identify it and we contractually require recipients to do the same.
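The four steps above (bucketing, hashing, cohort suppression, time truncation) carried through on constructed sample events, as an added illustration that is not CostMe's pipeline: the band and bracket boundaries, the suppression threshold of 10 distinct users (the policy states only that small cohorts are suppressed) and the keyed SHA-256 pseudonym used for distinct-user counting are assumptions, and the output row mirrors the “25-34 / $100+ / Q2” statistic quoted above.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Bucket boundaries and threshold are assumptions for this example.
AGE_BANDS = [(18, 24, "18-24"), (25, 34, "25-34"), (35, 44, "35-44"), (45, 200, "45+")]
AMOUNT_BRACKETS = [(0, 25, "<$25"), (25, 100, "$25-99"), (100, float("inf"), "$100+")]
MIN_COHORT = 10  # cells with fewer distinct users than this are dropped entirely


def age_band(age: int) -> str:
    for lo, hi, label in AGE_BANDS:
        if lo <= age <= hi:
            return label
    return "unknown"


def amount_bracket(amount: float) -> str:
    """Exact dollar figure never reaches the output, only the bracket label."""
    for lo, hi, label in AMOUNT_BRACKETS:
        if lo <= amount < hi:
            return label
    return "unknown"


def period(ts: datetime) -> str:
    """Time truncation: drop to the day first, then report by calendar quarter."""
    day = ts.date()
    return f"{day.year}-Q{(day.month - 1) // 3 + 1}"


def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed hash used only to count distinct users inside a cell; the hash is
    discarded with the cell and never written to the output rows."""
    return hashlib.sha256(key + user_id.encode("utf-8")).hexdigest()


def aggregate(events: list[dict], key: bytes, min_cohort: int = MIN_COHORT) -> list[dict]:
    """Group vault decisions into (age band, amount bracket, quarter) cells and
    emit a resisted-rate per cell, suppressing any cell below the cohort floor.
    Item names, merchant strings and raw amounts are never read into a cell."""
    cells = defaultdict(lambda: {"users": set(), "decisions": 0, "resisted": 0})
    for e in events:
        cell = cells[(age_band(e["age"]), amount_bracket(e["amount"]), period(e["ts"]))]
        cell["users"].add(pseudonym(e["user_id"], key))
        cell["decisions"] += 1
        cell["resisted"] += int(e["resisted"])
    rows = []
    for (band, bracket, quarter), c in sorted(cells.items()):
        n_users = len(c["users"])
        if n_users < min_cohort:
            continue  # cohort suppression: the cell is omitted, not zeroed or flagged
        rows.append({"age_band": band, "amount_bracket": bracket, "period": quarter,
                     "users": n_users,
                     "resisted_pct": round(100 * c["resisted"] / c["decisions"])})
    return rows


# Constructed sample: 12 distinct users aged 25-34 deciding on $100+ items in
# Q2 2026 (above the floor), plus two small cohorts that must be suppressed.
SAMPLE_EVENTS = [
    {"user_id": f"u{i}", "age": 25 + i % 10, "amount": 120.0 + i,
     "item": "jacket", "merchant": "Example Store",          # never used by aggregate()
     "ts": datetime(2026, 5, 1 + i, 14, 7, 33), "resisted": i % 3 == 0}
    for i in range(12)
] + [
    {"user_id": f"s{i}", "age": 52, "amount": 150.0, "item": "bike", "merchant": "Shop",
     "ts": datetime(2026, 6, 2, 9, 0, 0), "resisted": True}
    for i in range(3)
] + [
    {"user_id": "u1", "age": 26, "amount": 9.5, "item": "coffee", "merchant": "Cafe",
     "ts": datetime(2026, 4, 9, 8, 15, 0), "resisted": False}
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS, b"rotating-report-key"):
        print(row)
```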
14.7 Your Right to Opt Out of Aggregate Sharing.
You can exclude your bucketed contributions from any aggregate dataset that we share or license externally at any time from Settings → Data Sharing → “Include my anonymized data in research”. Opting out reduces the coverage of our shared datasets but does not affect your in-app experience, your subscription, or any other feature. Opt-out is forward-looking; data already incorporated into a published aggregate cannot be unwound, but no further contributions will be made.
15. Retention
Per-feature retention is described in the relevant section above. In general: account data persists until you delete your account; you can delete chat history from your account at any time, while the server-side copy we keep may be retained indefinitely (see “Retention” under the Amy section); behavioral profile until account deletion; embeddings until you clear memory; safety bucketed labels for thirteen (13) months; crash reports for ninety (90) days; per-user analytics detail for thirteen (13) months. Aggregated, de-identified statistics may be retained indefinitely.
16. Security
We maintain administrative, technical, and physical safeguards including TLS 1.2+ in transit, AES-256 encryption at rest for stored chat content, hashed credentials, scoped row-level security in the database, and Apple App Check / device attestation for API requests. No system is perfectly secure; we will notify affected users of any breach in accordance with applicable law.
17. Your Rights & Controls
17.1 In-App Controls.
From Settings you can: view and edit your behavioral profile; delete individual chat conversations or all conversations; clear Amy's memory; disable crash reporting; disable analytics; disable behavioral profiling; opt out of having your bucketed data included in shared aggregate datasets (Settings → Data Sharing - see § 14.7); export your data; delete your account.
17.2 Statutory Rights.
Depending on your jurisdiction you may have the following rights, subject to verification and lawful exceptions: access, rectification, deletion, portability, restriction of processing, objection to processing, withdrawal of consent, the right to lodge a complaint with a supervisory authority, and the right not to be subject to a decision based solely on automated processing that produces legal effects. See Section 18 for region-specific detail.
17.3 How to Exercise Rights.
Submit a request from in-app Settings, or email support@costme.io. We will verify your identity and respond within thirty (30) days where applicable law does not prescribe a shorter period.
17.4 Automated Decision-Making.
Amy's outputs, behavioral profiling, and nudges are decision-support - they do not produce legal effects concerning you. You may opt out of behavioral profiling at any time (Section 4).
18. Regional Riders
18.1 GDPR (European Economic Area + EEA-adjacent).
Under the EU General Data Protection Regulation you have the rights of access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, and the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you. Our lawful bases for processing are: contract (account, subscriptions), consent (optional features including Couples mode and opt-in marketing), legitimate interest (security, fraud prevention, de-identified product analytics), and legal obligation (tax retention). You may lodge a complaint with your national supervisory authority.
18.2 CCPA / CPRA (California).
California residents have the right to know what personal information is collected, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising any of the above.
CostMe does not sell “personal information” as defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(ad)) and we do not “share” personal information for cross-context behavioral advertising as defined under CPRA § 1798.140(ah). We may share or license de-identified, aggregated data with research partners, brands, and the public Impulse Index as described in Section 14.6; under CCPA § 1798.140(m) and § 1798.145(a)(5) such transfers are not “sales” or “sharing” because the data has been irreversibly de-identified, we have implemented technical safeguards (bucketing, hashing, aggregation thresholds, time-truncation) to prohibit re-identification, we contractually prohibit recipients from attempting to re-identify the data, and we publicly commit to maintain and use the data only in de-identified form. To exercise your rights, see Section 17.3; to opt out of having your bucketed data included in aggregate datasets we share externally, see Section 14.7.
18.3 UK DPA 2018 / UK GDPR.
The rights described in Section 18.1 apply, enforced by the UK Information Commissioner's Office (ICO).
18.4 Australian Privacy Principles (APP).
We comply with the thirteen Australian Privacy Principles under the Privacy Act 1988. The Office of the Australian Information Commissioner (OAIC) is the supervisory authority. You may request access and correction of your personal information per APP 12 and APP 13.
18.5 PIPEDA (Canada).
We comply with the Personal Information Protection and Electronic Documents Act and applicable provincial equivalents (Québec Law 25, Alberta PIPA, BC PIPA). You may file a complaint with the Office of the Privacy Commissioner of Canada or the relevant provincial commissioner.
18.6 Other U.S. State Laws.
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other U.S. states with comprehensive privacy laws have rights substantially similar to those described above. We honour valid requests in accordance with each applicable statute.
19. Children
The Service is intended for users aged 18 years and older. We do not knowingly collect personal information from children under the age of 13 (or the applicable digital age of consent in your jurisdiction). If we become aware that we have collected such information without verifiable parental consent, we will delete it. Parents/guardians are responsible for ensuring minors do not access the Service notwithstanding the launch-gate age verification.
20. International Data Transfers
The Service is operated from Canada and processed on infrastructure located in Canada, the United States, and the European Union (depending on the provider and region). Where we transfer personal information from the EEA, UK, or Switzerland to a jurisdiction not subject to an adequacy decision, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
21. Cookies & Tracking (Web/PWA)
The CostMe website and PWA use only the following cookies:
- Strictly necessary - authentication session, CSRF protection. Cannot be disabled.
- Functional - UI preferences (e.g., dark mode, locale). May be cleared from your browser.
- First-party analytics - aggregate page view counts, bucketed and de-identified. No third-party trackers.
We do not set advertising cookies. We do not load third-party tracking pixels.
22. Data Processing Agreements (B2B / Institutional)
For business, employer, university, or institutional deployments of CostMe (anticipated future offering), CostMe will execute a Data Processing Agreement (“DPA”) with the customer, including Standard Contractual Clauses where applicable. Contact support@costme.io to request a DPA.
23. Changes to This Policy
We may update this Policy. The “Last Updated” date above reflects the most recent revision. Material changes will be notified within the Service before they take effect. Continued use after the effective date of a change constitutes acceptance.
24. Contact
For questions, requests, or to exercise your rights, contact us at support@costme.io.