Hoza

Privacy Policy

Effective date: April 22, 2026

Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. How We Share Your Information
  5. Our Relationship with Plaid
  6. AI-Generated Insights (Anthropic Claude)
  7. How We Protect Your Information
  8. Data Retention & Deletion
  9. Your Rights & Choices
  10. California Privacy Rights
  11. Children’s Privacy
  12. Changes to This Policy
  13. Contact Us

1. Introduction

Hoza (“Hoza,” “we,” “us,” or “our”) helps you save and invest more of what you earn by showing you where you actually spend it and making it easy to take action. We do this by securely connecting to your bank, credit card, and investment accounts — read-only — and surfacing the insights and next steps that turn awareness into outcomes. Hoza is operated by its founder as a sole proprietor based in Arizona, United States.

This Privacy Policy explains what information we collect when you use our mobile application and related services (collectively, the “Service”), how we use it, who we share it with, and the rights you have over it. By using the Service, you agree to the practices described in this Policy.

We do not sell your personal information. We do not share your financial data with advertisers, data brokers, or marketers, and we never will. Full stop.

2. Information We Collect

We collect information in three ways:

2.1 Information you give us directly

  • Account information: your email address and a password when you sign up. Passwords are hashed by our authentication provider (Supabase) and are never visible to us.
  • Profile & preferences: any spending limits, savings goals, notification preferences, or debts you choose to enter.
  • Support communications: if you email us, we keep the message and your reply address so we can respond and improve the Service.

2.2 Information we receive when you link a financial account

When you connect a bank, credit card, or investment account, our data aggregator Plaid collects information on our behalf under your explicit authorization. Plaid provides us with:

  • Account names, types (checking, savings, credit, brokerage), and current balances.
  • Transaction history, including amount, date, merchant name, and category.
  • A long-lived access token that lets us refresh the above data. We store this token encrypted; we never see your bank username, password, MFA codes, or account/routing numbers.

See Section 5 for more about how Plaid handles your data.

2.3 Information we collect automatically

  • Device tokens for push notifications — so we can send alerts you’ve opted into (e.g. spending limits, proactive nudges). Stored in our device_tokens table.
  • Technical & diagnostic data — IP address, device type, OS version, and crash reports. We use Sentry for crash reporting when enabled.
  • Usage activity — which screens you visit and which features you use, so we can fix bugs and improve the app. We do not track you across other apps or websites.

3. How We Use Your Information

We use your information to:

  • Provide the Service — show your balances, transactions, reports, and dashboards.
  • Generate personalized financial insights, including AI-generated suggestions from Anthropic’s Claude (see Section 6).
  • Send you push notifications and alerts you’ve opted into.
  • Authenticate you and keep your account secure.
  • Detect, prevent, and investigate fraud or abuse of the Service.
  • Comply with legal obligations and enforce our Terms of Service.
  • Communicate with you about updates, security issues, and support requests.

We do not use your information to serve ads, and we do not sell or rent it to third parties.

4. How We Share Your Information

We share information only with service providers who help us operate the Service, and only to the extent necessary. Each of the companies below is contractually bound to protect your information and use it only for the purpose we’ve engaged them for.

| Provider | Purpose | What they receive |
|---|---|---|
| Plaid | Bank account connection & transaction data | Your bank credentials (held by Plaid, never us) and account/transaction data |
| Supabase | Database hosting & authentication | Your email, hashed password, and all application data |
| Anthropic | AI-generated insights (Claude API) | Anonymized transactions (amounts, categories, dates) — no name, email, or account numbers |
| Railway | API server hosting | All data passes through their infrastructure in transit |
| Expo | Push notification delivery | Your device push token and notification payload |
| Sentry | Crash & error reporting | Error stack traces and device metadata |

We may also disclose information:

  • To comply with a valid subpoena, court order, or other legal process.
  • To protect the rights, safety, or property of Hoza, our users, or the public.
  • In connection with a merger, acquisition, or sale of assets — in which case we will notify you and give you the opportunity to delete your account before the transfer.

5. Our Relationship with Plaid

To connect your bank, credit card, or investment accounts, Hoza uses Plaid Inc. (“Plaid”). When you link an account, you enter your credentials directly into Plaid’s interface inside our app — Hoza never sees or stores them.

Plaid acts as our service provider for this purpose. Your use of Plaid within Hoza is subject to Plaid’s own End User Privacy Policy. You can review and revoke Plaid’s access at any time at my.plaid.com. Revoking access in Plaid will also stop Hoza from refreshing your data.

6. AI-Generated Insights (Anthropic Claude)

Hoza’s chat and proactive insights are powered by Anthropic’s Claude large language model. Before we send anything to Claude, we anonymize the data: we remove your name, email, and any account or routing numbers. Claude receives only aggregated financial context — amounts, categories, merchant names, and dates — so it can answer questions grounded in your actual spending without knowing who you are.

Anthropic processes this data on our behalf under a commercial API agreement that prohibits training their models on our API data. AI output may occasionally be inaccurate and should not be treated as financial, tax, or legal advice.

7. How We Protect Your Information

  • Encryption at rest: Plaid access tokens and sensitive transaction fields are encrypted at the column level in our database using PostgreSQL’s pgcrypto symmetric encryption.
  • Encryption in transit: all traffic between the app, our servers, and our providers uses TLS.
  • Row-level security: our database enforces per-user isolation at the row level, so one user’s data cannot be accessed under another user’s identity.
  • No credential storage: we never store your bank username, password, or multi-factor codes. Only Plaid handles those.
  • Screenshot protection: the app hides balance screens from your device’s app-switcher thumbnail.

No system is 100% secure. If we ever learn of a breach affecting your information, we will notify you as required by law.

8. Data Retention & Deletion

We keep your information for as long as your account is active, or as needed to provide the Service. You can delete your account at any time from Settings → Account → Delete account.

When you delete your account, we will:

  • Revoke all Plaid item connections immediately.
  • Purge your transactions, spending limits, debts, device tokens, and related records from our production database within 30 days.
  • Delete your authentication record from Supabase Auth.

Some information may persist in encrypted backups for up to 90 days before rotating out, and we may retain limited records required by law (for example, to demonstrate compliance with a subpoena or resolve a dispute).

9. Your Rights & Choices

Regardless of where you live, you can:

  • Access and export your data — email support@gethoza.com and we’ll send you a copy.
  • Correct inaccurate information — edit directly in the app, or ask us.
  • Delete your account and all associated data in Settings → Account → Delete account.
  • Disconnect a linked bank account at any time in the app or via my.plaid.com.
  • Opt out of push notifications in the app or your device settings.

10. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you additional rights. In the past 12 months, we have collected the following categories of personal information:

| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Email, IP address, device ID | Yes |
| Financial information | Balances, transactions, account type (via Plaid) | Yes |
| Internet activity | App usage, crash logs | Yes |
| Inferences | Spending categories, financial journey stage | Yes |
| Sensitive personal information | Account login credentials — held by Plaid only, not us | No (not held by Hoza) |
| Biometric, geolocation, health, children’s data | — | No |

Your California rights include:

  • Right to know what personal information we’ve collected about you.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate information.
  • Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.
  • Right to non-discrimination for exercising these rights.

To exercise any of these rights, email support@gethoza.com. We will verify your request by confirming ownership of the email address associated with your account. You may designate an authorized agent to make a request on your behalf.

11. Children’s Privacy

Hoza is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a child under 18 has provided us with personal information, please contact us at support@gethoza.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we’ll notify you in-app and update the effective date at the top of this page. Continued use of the Service after an update constitutes acceptance of the revised Policy.

13. Contact Us

Questions, requests, or concerns? Reach us at:

Email: support@gethoza.com
Mailing address: available on request — email us and we’ll provide it.

© 2026 Hoza. All rights reserved.