Pocket Watch Financial

Privacy Policy

Effective May 18, 2026

Pocket Watch Financial (“Pocket Watch”, “we”, “us”) is a personal-finance application that projects your cash runway and tracks your spending. This Privacy Policy describes what information we collect, how we use it, who we share it with, and the choices you have. It applies to all users of the service.

We're a small, individually-operated project — not a large corporation — and we've written this policy in plain language because we want you to actually be able to read it.

1. Information we collect

Account information

  • Your email address (required to sign in).
  • If you use Google / Microsoft / Facebook sign-in, the basic profile data those providers return (name, email, profile photo URL). We do not receive your password from any social provider.
  • A display name you choose, your timezone, and a “safety buffer” dollar amount — all entered by you.

Financial data (via Plaid)

When you connect a bank account, we use Plaid Inc. to securely retrieve information from your financial institution. Specifically, we receive and store:

  • Account names, types, last-four digits, and institution names.
  • Current and available balances.
  • Credit limits, APR, and statement day (where applicable).
  • Minimum payment amount and next payment due date (for credit cards and loans, when provided by your bank).
  • Transaction history (date, amount, description, merchant, pending status).

We do not receive your bank username, password, or any other login credentials. Those go directly from you to Plaid, which handles authentication on your behalf.

Information you create in the app

  • Recurring bills, paychecks, installment plans, and category budgets you enter.
  • Manual transactions you add (for cash spend, etc.) and any re-categorizations you apply.
  • Manual accounts (for store credit cards, cash, etc.).

Technical data

  • Session cookies set by Supabase to keep you signed in. These are strictly necessary; without them, you cannot use the service.
  • A theme preference cookie (light/dark/auto) so the visual theme persists across visits.
  • Standard server logs (request IP, timestamp, user-agent) retained for security and debugging purposes only.

We do not use third-party analytics, advertising, tracking pixels, or behavioral profiling tools. We do not currently run any marketing or remarketing pixels.

2. How we use your information

  • To project your cash runway and surface spending insights.
  • To automatically categorize your transactions and recurring bills.
  • To detect overspending against the budgets you set.
  • To authenticate you and keep your session valid across requests.
  • To send transactional emails (sign-in magic links, account changes).
  • To investigate bugs and security incidents.

We do not sell, rent, or trade your personal information. We do not use your data to train any general-purpose AI model. We do not show you ads.

3. AI-assisted categorization (optional)

If the deployment you're using has Anthropic Claude integration enabled (controlled by an environment variable, not by you), we may send transaction descriptions — and only descriptions, never account numbers, balances, or amounts beyond what's in the merchant string — to Anthropic to classify them into a category (Groceries, Dining Out, etc.). Anthropic does not retain the data for training and operates under its own privacy policy. If AI categorization isn't configured, no data is sent.

4. Use of Plaid

We use Plaid Inc. (“Plaid”) to gather your data from financial institutions. By using our service, you grant Pocket Watch and Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution. You agree to your personal and financial information being transferred, stored, and processed by Plaid in accordance with the Plaid End User Privacy Policy.

You can disconnect a linked account at any time from the Manage accounts screen. Disconnecting deletes the account and all transactions associated with it from our database.

5. Who we share data with

We share data only with service providers we need to operate:

  • Supabase — hosts our Postgres database and handles authentication. Data is encrypted in transit (TLS) and at rest. Supabase Privacy Policy.
  • Plaid Inc. — bank-data aggregator (see Section 4).
  • Anthropic PBC — only when AI categorization is configured (see Section 3).
  • Identity providers (Google / Microsoft / Facebook) — only if you choose to sign in through one of them, and only for authentication.

We may also disclose information when required by law (subpoena, court order) or to protect against fraud, abuse, or imminent harm. We will notify you of any legal request unless legally prohibited from doing so.

6. How we protect your data

  • All traffic to and from our service is encrypted with HTTPS / TLS.
  • Data at rest in our Postgres database is encrypted by Supabase.
  • Plaid access tokens are additionally encrypted using Supabase Vault — even with database access, the raw tokens are not directly readable.
  • Row-Level Security policies in Postgres ensure each household's data is isolated from other users at the database layer.
  • We follow least-privilege principles: client-side code uses a publishable key with limited scope; the secret key that bypasses RLS is used only server-side and is never exposed to your browser.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you and applicable regulators within the timeframes required by law.

7. Data retention & deletion

We keep your data as long as your account is active. You can:

  • Disconnect individual accounts from the Manage accounts screen — this deletes the account and its transactions from our database immediately.
  • Delete your entire account by emailing us at chicagoarkouda@gmail.com. We will purge your household's data — accounts, transactions, bills, categories, rules — within 30 days. Server log entries may persist up to 90 days for security purposes, then are also destroyed.

8. Your rights

Depending on where you live, you may have rights under laws like the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), or similar regulations. These include:

  • The right to know what personal information we have about you.
  • The right to a portable copy of that information.
  • The right to correct inaccurate information.
  • The right to delete your information.
  • The right to opt out of any sale or sharing of personal information (we do not sell or share for advertising purposes).
  • The right not to receive discriminatory treatment for exercising these rights.

To exercise any of these rights, email chicagoarkouda@gmail.com. We will verify your identity before fulfilling the request and respond within 30 days (or sooner if required by your jurisdiction).

9. Children

Pocket Watch is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, please email us and we will delete it.

10. International transfers

Our service and the data it processes are hosted in the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. By using the service, you consent to this transfer.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the “Effective” date at the top and, for substantive changes, notify you by email or via a banner in the app before the change takes effect. Continued use of the service after a change constitutes acceptance of the updated policy.

12. Contact

Questions, requests, or complaints about this policy or your data should be sent to chicagoarkouda@gmail.com.