1. Introduction

Tonic Works LLC ("Company", "we", "us", or "our") operates the Felt mobile application ("App", "Service"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.

By using Felt, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the App.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you provide directly to us when you:

Account Information:

• Email address
• Display name
• Password (stored securely using industry-standard encryption)
• Apple ID information (when using Sign In with Apple)

Financial Data:

• Transaction amounts
• Transaction categories
• Transaction dates
• Satisfaction ratings (1-5 scale)
• Notes and descriptions
• Custom categories you create
• Bank and card transaction data imported via Plaid (when you connect an account)

Preferences:

• Default currency settings
• Notification preferences
• Summary settings (weekly/monthly summaries)

2.2 Information Collected Automatically

When you use the App, we automatically collect certain information:

Usage Data:

• App features you access
• Time and date of your activities
• Interaction patterns
• Error logs and crash reports

Device Information:

• Device type and model
• Operating system version
• Unique device identifiers
• Mobile network information

Analytics Data:

• Transaction creation events
• Feature usage statistics
• Performance metrics
• User engagement data

2.3 Information from Third-Party Services

Firebase Services:

• Authentication data (managed by Firebase Authentication)
• Analytics data (managed by Firebase Analytics)

App Stores:

• Subscription purchase information
• Payment transaction data (processed by Apple/Google)

Sign In with Apple:

• When you use Sign In with Apple, Apple may provide us with your name and email address (or a private relay email address if you choose to hide your email)
• We use this information solely for account creation and authentication purposes
• Apple's collection and use of your information is governed by Apple's Privacy Policy
• You can manage your Apple ID and revoke access through your Apple account settings

Plaid (Bank and Card Linking):

• When you connect a bank or card account via Plaid Link, Plaid securely connects to your financial institution on your behalf
• We receive and store: transaction data (amounts, dates, merchant names, categories), institution name, and account identifiers (account type, last 4 digits)
• We never receive or store your bank credentials; authentication is handled entirely by Plaid
• Plaid's collection and use of your information is governed by Plaid's End User Privacy Policy: https://plaid.com/legal/#end-user-privacy-policy

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision

• To create and manage your account
• To process and store your financial transactions (including those you manually enter and those imported from linked bank or card accounts)
• To import and sync transactions from your connected bank and card accounts via Plaid
• To provide analytics and insights (joy per dollar calculations, category statistics)
• To provide premium subscription features
• To generate data exports (CSV and PDF formats) for premium users
• To generate AI-powered spending analysis reports using Google Gemini AI

3.2 Service Improvement

• To analyze usage patterns and improve App functionality
• To develop new features and services
• To fix bugs and technical issues
• To optimize App performance

3.3 Communication

• To send you technical notices and updates
• To respond to your support requests
• To send you important information about your account
• To notify you about changes to our services or policies

3.4 Legal Compliance

• To comply with applicable laws and regulations
• To respond to legal requests and court orders
• To protect our rights and prevent fraud
• To enforce our Terms and Conditions

4. Data Storage and Security

4.1 Data Storage

Your data is stored using Firebase services:

• Firebase Authentication: Stores your account credentials securely
• Cloud Firestore: Stores your transactions, categories, and user preferences
• Firebase Cloud Storage: Stores exported data files (CSV/PDF) temporarily (deleted after 2 days)
• Firebase Analytics: Stores anonymized usage analytics

All data is stored in secure, encrypted databases with access controls.

4.2 Security Measures

We implement appropriate technical and organizational measures to protect your personal information:

• Encryption: Data in transit is encrypted using TLS/SSL
• Access Controls: Access to your data is restricted to authorized personnel only
• Authentication: Secure password hashing and authentication protocols
• Regular Audits: We regularly review our security practices
• Data Backup: Regular backups to prevent data loss

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

4.3 Data Retention

We retain your information for as long as:

• Your account is active
• Necessary to provide you services
• Required by law or to resolve disputes
• Necessary to enforce our agreements

You may request deletion of your data at any time (see Section 8: Your Rights).

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5.2 Service Providers

We may share your information with trusted third-party service providers who assist us in operating the App:

Firebase (Google):

• Authentication, database, storage, and analytics services
• Subject to Google's Privacy Policy: https://policies.google.com/privacy

Google Gemini AI (Google):

• AI-powered analysis of your spending data for PDF export reports
• Transaction data (amounts, categories, satisfaction ratings, notes) is sent to Gemini API for analysis
• Subject to Google's Privacy Policy: https://policies.google.com/privacy
• Data is processed according to Google's Generative AI Privacy Notice: https://ai.google.dev/gemini-api/docs/safety-privacy

RevenueCat (when applicable):

• Subscription management and payment processing
• Subject to RevenueCat's Privacy Policy: https://www.revenuecat.com/privacy

Apple (Sign In with Apple):

• Authentication services when you choose to use Sign In with Apple
• Apple may provide us with your name and email address (or a private relay email address)
• Subject to Apple's Privacy Policy: https://www.apple.com/privacy/
• You can manage your Apple ID and revoke access through your Apple account settings

Plaid:

• Bank and card account linking and transaction import services
• When you connect an account, we share your user ID with Plaid to establish the connection; Plaid retrieves transaction data from your financial institution and provides it to us
• We store Plaid access tokens and transaction data on our servers; we do not share your Plaid data with other third parties
• Subject to Plaid's End User Privacy Policy: https://plaid.com/legal/#end-user-privacy-policy
• You can disconnect linked accounts at any time through the App; upon disconnect or account deletion, we revoke access with Plaid and delete stored connection data

These service providers are contractually obligated to:

• Use your information only to provide services to us
• Maintain the confidentiality and security of your information
• Comply with applicable privacy laws

5.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Court orders or legal processes
• Government requests or investigations
• Enforcement of our Terms and Conditions
• Protection of our rights, property, or safety
• Protection of the rights, property, or safety of our users

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

5.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for:

• Research and analytics purposes
• Service improvement
• Industry reports

6. Third-Party Services

6.1 Firebase Services

Felt uses Firebase services provided by Google. Your use of Firebase services is subject to Google's Privacy Policy. We use Firebase for:

• Authentication: Secure user authentication
• Firestore: Database storage
• Cloud Storage: Temporary storage of exported data files (CSV/PDF)
• Analytics: Usage analytics and crash reporting

6.2 Google Gemini AI

Felt uses Google Gemini AI (Gemini 2.5 Flash-Lite model) to generate AI-powered spending analysis reports for premium users who request PDF exports. When you request a PDF export:

• Your transaction data (amounts, categories, satisfaction ratings, notes, dates) is sent to Google's Gemini API
• Gemini AI analyzes your spending patterns and generates personalized insights
• The analysis is included in your PDF export report
• Transaction data is processed according to Google's Generative AI Privacy Notice
• Data sent to Gemini is not used to train Google's models (as per Google's API terms)
• For more information, see: https://ai.google.dev/gemini-api/docs/safety-privacy

6.3 Sign In with Apple

Felt uses Sign In with Apple for authentication when you choose to use this feature:

• Your authentication is handled by Apple
• Apple may provide us with your name and email address (or a private relay email address if you choose to hide your email)
• We use this information solely for account creation and authentication purposes
• Apple's collection and use of your information is governed by Apple's Privacy Policy: https://www.apple.com/privacy/
• You can manage your Apple ID and revoke access through your Apple account settings
• If you revoke access to Sign In with Apple, you may lose access to your account unless you have set up an alternative authentication method

6.4 App Store Providers

When you purchase premium subscriptions:

• Apple App Store or Google Play Store processes payments
• Payment information is handled by the app store, not by us
• Subscription management is handled through your device's app store settings

6.5 Bank and Card Linking (Plaid)

Felt uses Plaid to allow you to connect your bank and card accounts for transaction import. Bank linking is available in the United States and Canada.

How it works:

• When you tap "Add account" in Connected Accounts, you are directed to Plaid Link, a secure interface where you select your financial institution and authenticate with your credentials
• Plaid connects to your institution on your behalf and retrieves transaction data
• We never receive or store your bank login credentials; authentication is handled entirely by Plaid
• We receive and store: transaction amounts, dates, merchant names, categories, institution name, and account identifiers (e.g., account type, last 4 digits)

What we store:

• Transaction data imported from linked accounts (stored with your other transactions)
• Connection metadata (institution name, account identifiers) so you can identify and manage connected accounts

Your control:

• You can connect up to 1 account (free users) or 3 accounts (premium users)
• You can disconnect any linked account at any time through Settings → Connected Accounts
• Upon disconnect, we revoke the connection with Plaid and stop syncing; your already-imported transactions remain unless you delete your account
• Upon account deletion, we revoke all Plaid connections and delete all associated data

Plaid's role:

• Plaid acts as an intermediary between you and your financial institution
• Plaid's collection and use of your information is governed by Plaid's End User Privacy Policy: https://plaid.com/legal/#end-user-privacy-policy

6.6 Data Export Feature

Premium users can export their transaction data in CSV or PDF format:

• CSV Exports: Raw transaction data in comma-separated format
• PDF Exports: Formatted reports with AI-generated spending insights
• Exported files are stored temporarily in Cloud Storage
• Files are automatically deleted after 2 days
• Signed download URLs expire after 2 days
• Rate limits apply: 1 CSV export and 1 PDF export per day

6.7 Links to Other Services

The App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

7. Children's Privacy

Felt is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

8. Your Rights and Choices

You have the following rights regarding your personal information:

8.1 Access and Correction

• Access: You can access your data through the App at any time
• Correction: You can update or correct your account information and transaction data through the App
• Data Export: Premium users can export their transaction data in CSV or PDF format through the App settings

8.2 Deletion

• Account Deletion: You can delete your account through the App settings
• Data Deletion: Upon account deletion, we will delete your personal information, including:
  • All transaction data (manual and imported from linked accounts)
  • All Plaid connection data; we revoke access with Plaid so they stop accessing your accounts
  • Subject to: legal retention requirements, backup systems (data may persist for a limited time), and anonymized analytics data (which cannot be deleted as it cannot identify you)
• Disconnecting Linked Accounts: You can disconnect a bank or card account at any time through Settings → Connected Accounts. This revokes the connection with Plaid; your already-imported transactions remain until you delete them or delete your account

8.3 Opt-Out Options

• Analytics: You can opt out of analytics tracking through your device settings
• Notifications: You can manage notification preferences in the App settings
• Marketing: We do not send marketing communications, but if we do in the future, you can opt out

8.4 California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect
• Right to delete your personal information
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights

To exercise these rights, please contact us using the information in Section 11.

8.5 European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

To exercise these rights, please contact us using the information in Section 11.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. By using the App, you consent to the transfer of your information to these countries.

We ensure appropriate safeguards are in place for international data transfers, including:

• Standard contractual clauses
• Adequacy decisions by relevant authorities
• Other legally recognized transfer mechanisms

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Changes in applicable laws
• New features or services
• Feedback from users

We will notify you of material changes by:

• Posting the updated Privacy Policy in the App
• Updating the "Last Updated" date
• Providing notice through the App or via email (if applicable)

Your continued use of the App after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the App and delete your account.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Tonic Works LLC
Email: tonicworksllc@gmail.com
Website: https://www.tonicworks.dev/felt/privacy.html

For privacy-related requests, please include:

• Your name and email address
• A description of your request
• Any relevant account information

We will respond to your request within a reasonable timeframe, typically within 30 days.

12. Data Protection Officer

If you are located in the EEA and wish to contact our Data Protection Officer, please use the contact information provided in Section 11.