Privacy Policy

Effective Date: April 25, 2026  ·  Last Updated: April 28, 2026

ZhanPlan LLC · Tampa, Florida · support@zhanplan.com

ZhanPlan LLC (“ZhanPlan,” “we,” “us,” or “our”) is a Florida limited liability company headquartered in Tampa, Florida. We operate the ZhanPlan personal finance platform available at zhanplan.com and through our mobile applications (collectively, the “Services”). This Privacy Policy describes what personal information we collect, how we use and share it, how we protect it, and the rights available to you. By creating an account or using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

Because you entrust us with sensitive financial information, we have designed this policy to be comprehensive and transparent. We encourage you to read it fully.

1. Information We Collect

We collect information you provide directly, information generated automatically when you use the Services, and in limited cases information from third parties.

1.1 Account and Registration Information

  • Name and email address
  • Password (stored as a secure hash — we never see your plain-text password)
  • Country, time zone, and language preference
  • Household size and other optional profile details you choose to provide

1.2 Financial Data You Enter Manually

ZhanPlan is a manual-entry financial tool. The financial data in your account exists because you typed it in or imported it. This includes:

  • Monthly budget amounts and actual spending by category
  • Expense and income log entries (date, merchant, amount, category, notes)
  • Net worth items (asset and liability names, types, and values)
  • Cash flow entries (recurring income and expense items)
  • Debt accounts (name, balance, interest rate, minimum payment)
  • Savings goals and progress
  • Financial health scores and self-assessments
  • Retirement and forecast planning inputs

This data is stored in your account and is not shared with financial institutions or third parties except as described in this Policy.

1.3 Uploaded Documents and Images

  • CSV files exported from your bank (parsed client-side and stored as individual transaction records)
  • PDF bank statements (uploaded to our servers, text extracted by AI, then the original PDF is discarded — we store only the extracted transactions you approve)
  • Receipt photos (uploaded via the receipt scanner feature, analyzed by AI, then discarded — we store only the transaction data you save)

1.4 Payment Information

Subscription payments are processed by Stripe, Inc. (PCI DSS Level 1 Certified). ZhanPlan does not store, transmit, or have access to your full payment card number, CVV, or full bank account number. We receive only a tokenized reference, the last four digits of your card, and the card brand from Stripe. Your billing address is stored by Stripe for fraud prevention purposes.

1.5 Device and Usage Data

  • Device type, operating system, browser type and version
  • Screen resolution and language settings
  • IP address and approximate geographic location derived from IP
  • Pages and features accessed, time spent, and interaction patterns
  • Referring URL and in-app navigation paths
  • Crash reports and diagnostic data

Usage analytics are collected by Vercel Analytics, which is cookieless and does not track you across websites. See Section 7 and our Cookie Policy for details.

1.6 Support and Communications

  • Messages, emails, and attachments you send to support@zhanplan.com
  • In-app feedback or bug reports
  • Survey responses

1.7 Third-Party Sign-In

If you sign in using Apple or Google, we receive your name and email address from that provider. We do not receive your password or payment information from these providers.

1.8 Bank Account Connection via Plaid (Optional)

If you choose to use the Auto Sync feature, ZhanPlan uses Plaid Financial LLC (“Plaid”) to securely connect to your financial institution. This is entirely optional — ZhanPlan works fully without it.

When you connect a bank account through Plaid:

  • Plaid receives your bank login credentials directly and securely — ZhanPlan never sees or stores your bank username or password
  • Plaid retrieves your account information (account name, type, last-four digits) and recent transaction history on your behalf
  • ZhanPlan stores only the transactions Plaid returns to us — we store them in a pending review queue where you approve, categorize, and edit them before they are added to your spending log
  • ZhanPlan stores a Plaid access token (an encrypted reference, not your credentials) to enable future transaction syncs
  • You can revoke bank access at any time from the Auto Sync page, which permanently deletes the access token

Plaid’s Privacy Policy

By connecting your bank account through Plaid, you agree to Plaid’s End User Privacy Policy, available at plaid.com/legal/privacy-statement/. Plaid is an independent data processor and their data practices are governed by their own policy, not ours.

What We Do NOT Collect

  • We do not store your bank login credentials or passwords — when using Auto Sync, credentials go directly to Plaid and are never transmitted to or stored by ZhanPlan
  • We do not collect Social Security numbers, Tax Identification Numbers, or government-issued ID numbers
  • Bank account linking is entirely optional — ZhanPlan is fully functional as a manual-entry tool without it
  • We do not collect full payment card numbers or CVV codes
  • We do not collect medical or health information
  • We do not knowingly collect data from children under 13

2. Sensitive Personal Information

Under the California Privacy Rights Act (CPRA) and similar laws, certain categories of personal information are classified as “Sensitive Personal Information” (Sensitive PI) and receive heightened protection. The financial data you enter into ZhanPlan — including your income, expenses, account balances, debts, net worth, and financial goals — constitutes Sensitive Personal Information.

How we use Sensitive PI: We use your financial data exclusively to provide the Services to you — to display, analyze, and help you manage your personal finances. We do not use your financial data for cross-context behavioral advertising, to build advertising profiles, or to sell to data brokers.

Your right to limit: You have the right to direct ZhanPlan to limit the use of your Sensitive Personal Information to what is strictly necessary to provide the Services. To exercise this right, email support@zhanplan.com with the subject “Limit Use of Sensitive PI.” Note that limiting such use will significantly restrict or prevent functionality of the Services.

3. AI-Powered Features and Data Processing

ZhanPlan offers optional AI-powered features built on OpenAI’s API. These features are entirely optional — the core budgeting, tracking, and planning features of ZhanPlan work without them. When you use AI features, the following data is sent to OpenAI, LLC:

AI Financial Coach (Pro plan, /dashboard chat): A structured summary of your financial data — including budget totals, spending categories, net worth snapshot, and goals — is sent to OpenAI’s GPT-4o model to generate coaching responses. We do not send raw transaction lists or exact account numbers.

Smart Categorization (Bank Import): Unrecognized merchant names from your imported bank CSV or PDF are sent to GPT-4o-mini for category suggestions. Merchants are sent in batches without your name or account identifiers.

Receipt Scanner (Pro plan): When you use the photo receipt import feature, your receipt image is sent to OpenAI’s Vision API for text extraction. The image is processed in real-time and is not stored by ZhanPlan after processing.

PDF Bank Statement Import: The extracted text from your uploaded bank statement PDF is sent to GPT-4o-mini for transaction parsing. The original PDF is discarded after text extraction.

Important: OpenAI Data Practices

Per OpenAI’s API usage policy, OpenAI does not use data submitted through its API to train or improve its AI models. Data sent via API is subject to OpenAI’s Privacy Policy available at openai.com/privacy. You can avoid sending data to OpenAI entirely by not using the AI features listed above.

4. How We Use Your Information

  • Provide, operate, secure, and maintain the Services
  • Create, manage, and authenticate your account
  • Display and analyze the financial data you enter
  • Process subscriptions, billing, and renewals via Stripe
  • Deliver AI-powered features when you choose to use them
  • Send transactional and account-related email (password reset, payment receipts, subscription reminders)
  • Send marketing and promotional communications (you may opt out at any time)
  • Respond to support requests and provide customer service
  • Detect, prevent, and investigate fraud, security incidents, and abuse
  • Measure, analyze, and improve the Services and develop new features
  • Comply with legal obligations and enforce our Terms of Service
  • Protect the rights, property, and safety of ZhanPlan, our users, and the public
  • Fulfill any purpose for which you provide information or to which you explicitly consent

5. Our Service Providers

We share personal information with the following categories of service providers who perform services on our behalf. Each provider is contractually required to protect your information and use it only for the specified purpose.

| Provider | Purpose | Data Involved | Location |
|---|---|---|---|
| Supabase, Inc. | Database & Authentication (SOC 2 Type II, ISO 27001) | All account & financial data | United States |
| Plaid Financial LLC | Bank Account Connection — Auto Sync feature (optional, see Section 1.8) | Bank credentials (processed by Plaid only, never stored by ZhanPlan), account info, transaction history | United States |
| Cloudflare, Inc. | Network Security & DDoS Protection (SOC 2 Type II, ISO 27001) | IP address, traffic metadata (not financial data) | United States |
| Stripe, Inc. | Payment Processing (PCI DSS Level 1) | Billing address, payment token, subscription status | United States |
| OpenAI, LLC | AI Features (optional — see Section 3) | Financial summaries, merchant names, receipt images, statement text | United States |
| Resend, Inc. | Transactional Email Delivery | Email address, email content | United States |
| Vercel, Inc. | Web Hosting & Privacy-First Analytics | Device data, pages visited (no PII, no cookies) | United States |

6. How We Share Your Information

We do not sell your personal financial data. We do not share your financial data for cross-context behavioral advertising.

6.1 Service Providers. We share information with the providers listed in Section 5 and other vendors who perform services on our behalf (security monitoring, fraud prevention, customer support tools). These providers access only the information needed to perform their function and are prohibited from using it for other purposes.

6.2 Legal and Safety Disclosures. We may disclose information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or government request; (b) enforce our Terms of Service or other agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of ZhanPlan, our users, or the public.

6.3 Business Transfers. If ZhanPlan is involved in a merger, acquisition, asset sale, bankruptcy, or corporate reorganization, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a materially different privacy policy.

6.4 With Your Consent. We may share information for any other purpose with your explicit consent or at your direction.

6.5 Aggregate and De-Identified Data. We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, or reporting purposes. We will not attempt to re-identify de-identified data.

7. Cookies and Tracking Technologies

We have designed ZhanPlan to minimize tracking. Here is exactly what we use:

Strictly Necessary (Session Cookies): Supabase sets an authentication session cookie (“sb-[project]-auth-token”) to keep you logged in. This cookie contains only your encrypted session token. It is required for the Services to function and cannot be disabled without logging out.

Functional (Local Storage): We store your cookie consent choice and UI preferences in your browser’s local storage. This data never leaves your device.

Analytics (Vercel Analytics — Cookieless): We use Vercel Analytics for aggregated usage statistics. Vercel Analytics does not use cookies, does not collect personally identifiable information, does not track you across websites, and does not build advertising profiles. Data is aggregated and anonymized at collection.

What We Do NOT Use: We do not use advertising cookies, social media tracking pixels (Meta, TikTok, Pinterest, etc.), Google Analytics, or any cross-site behavioral tracking technology.

We honor the Global Privacy Control (GPC) signal. For full details, see our Cookie Policy.

8. Data Security

We implement administrative, technical, and physical safeguards to protect your information, including:

  • All data transmitted between your device and our servers is encrypted using TLS 1.3
  • All data stored in Supabase is encrypted at rest using AES-256
  • Row-Level Security (RLS) in our database ensures your data can only be accessed by authenticated sessions tied to your account
  • Your password is never stored in plain text — it is hashed by Supabase Auth using bcrypt
  • Payment card data is never stored on our servers — Stripe handles all card data under PCI DSS Level 1 certification
  • Access to production systems by ZhanPlan personnel is logged, limited, and subject to internal access controls
  • Security dependencies are monitored and critical patches are applied promptly

Who Is Responsible for Infrastructure Security

Your data is protected by a stack of enterprise-certified platforms, each independently audited and responsible for their own infrastructure security:

  • Supabase (SOC 2 Type II, ISO 27001) — database encryption, backups, authentication security
  • Cloudflare (SOC 2 Type II, ISO 27001, PCI DSS) — network security, DDoS protection, SSL/TLS enforcement
  • Vercel (SOC 2 Type II, ISO 27001) — application hosting and server infrastructure
  • Stripe (PCI DSS Level 1, SOC 2 Type II) — all payment card data; ZhanPlan never sees your card number

In the event of a security incident originating from the infrastructure of these certified providers — events outside ZhanPlan LLC's direct control — the security responsibility and liability lies primarily with the relevant certified platform under its own certifications and service agreements. ZhanPlan LLC's liability for such third-party infrastructure incidents is limited to the maximum extent permitted by law and as described in our Terms of Service.

No security system is impenetrable. Despite our safeguards and those of our certified platform partners, we cannot guarantee the absolute security of your information. You are responsible for keeping your account credentials confidential and for notifying us promptly at support@zhanplan.com of any suspected unauthorized access. For our full security practices, see our Security Policy.

9. Data Breach Notification

In the event of a security breach that is reasonably likely to result in harm to you, we will:

  • Notify affected users within 30 days of discovering the breach (as required by California and Florida law)
  • Notify the relevant EU/UK supervisory authority within 72 hours where required by GDPR or UK GDPR
  • Send breach notifications to the email address associated with your account
  • Describe in the notice: the type of information affected, the approximate date of the incident, the steps we are taking to address it, and what you can do to protect yourself
  • Work with law enforcement and cybersecurity professionals to investigate and remediate the breach

To report a security vulnerability, email support@zhanplan.com with the subject “Security Vulnerability.” We will acknowledge your report within 48 hours.

10. Data Retention

We retain personal information for as long as your account is active and as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements.

| Data Category | Retention Period | Basis |
|---|---|---|
| Account profile & preferences | Duration of account + 30 days after deletion | Service provision |
| Financial data you enter | Duration of account + 30 days after deletion | Service provision |
| Payment & billing records | 7 years | Tax & legal compliance |
| Support communications | 3 years from resolution | Business records |
| Receipt images (AI scanner) | Discarded after processing (not stored) | Privacy by design |
| PDF uploads (bank import) | Discarded after text extraction | Privacy by design |
| Usage analytics | Aggregated only, no personal data retained | Service improvement |
| Backup archives | 30 days rolling | Disaster recovery |

11. Account Deletion and Data Portability

How to delete your account:

  1. In the app: go to Dashboard → Profile → Account Settings → Delete Account, or
  2. By email: send “Account Deletion Request” to support@zhanplan.com

What happens: We will complete the deletion within 30 days of your request. Your profile, financial data, preferences, and account records will be permanently deleted from active systems.

What we retain after deletion: Payment records required by law (up to 7 years for tax compliance), records we are legally required to retain, and de-identified aggregate data that cannot be linked back to you.

Data portability: You may request an export of your financial data at any time by emailing support@zhanplan.com. We will provide a copy in a portable format within 30 days.

App Store in-app purchases: If you subscribed via the Apple App Store or Google Play, you must also cancel your subscription through that store. Account deletion does not automatically cancel app store subscriptions.

12. International Data Transfers

ZhanPlan is based in the United States. Our service providers (Supabase, Stripe, OpenAI, Resend, Vercel) are also primarily located in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws that differ from those in your jurisdiction. For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards approved under applicable law. To obtain a copy of the applicable transfer safeguards, contact support@zhanplan.com.

13. Your Privacy Rights — All Users

Regardless of where you live, you may request:

  • Access: a summary of the personal information we hold about you
  • Correction: correction of inaccurate or incomplete information
  • Deletion: deletion of your personal information, subject to legal retention requirements
  • Portability: a copy of your data in a portable, machine-readable format
  • Opt-out of marketing: unsubscribe from marketing communications at any time
  • Appeal: if we decline your request, you may appeal by replying to our decision or emailing support@zhanplan.com

To submit a request, email support@zhanplan.com with your request and sufficient information to verify your identity. We respond within the timeframe required by applicable law (generally 30–45 days). We will not discriminate against you for exercising your privacy rights.

14. California Privacy Rights (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Privacy Policy. References to “CPRA” include both the original California Consumer Privacy Act and the California Privacy Rights Act amendments effective January 1, 2023.

14.1 Categories of Personal Information Collected (Last 12 Months)

  • Identifiers: name, email address, account ID, IP address, device ID
  • Customer Records: billing address, payment token
  • Sensitive Personal Information: financial data you enter (income, expenses, balances, debts, net worth, goals)
  • Commercial Information: subscription plan, purchase history
  • Internet / Electronic Activity: pages visited, features used, session data, click patterns
  • Geolocation Data: approximate city/region derived from IP address
  • Inferences: financial health inferences derived from the data you enter
  • Audio / Electronic Communications: support emails and messages

14.2 Sensitive Personal Information We Collect

Under CPRA, the following data we collect qualifies as Sensitive Personal Information: your personal financial account contents — specifically, the income, expense, budget, net worth, debt, and savings data you enter into ZhanPlan. We use this Sensitive PI solely to provide the Services. We do not use it to infer characteristics unrelated to the Services, for advertising, or for sale to third parties. You have the right to limit our use of your Sensitive PI (see Section 2).

14.3 Sources of Personal Information

  • Directly from you (account registration, financial data entry, support messages)
  • Automatically from your device (usage data, device information)
  • From third-party sign-in providers (Apple, Google) if you use SSO
  • From Stripe (subscription and payment status updates)

14.4 Business Purposes for Collection

Providing and improving the Services, payment processing, fraud prevention, customer support, analytics, sending service-related communications, legal compliance, and enforcing our Terms of Service.

14.5 Third Parties That Receive Personal Information

See Section 5 (Service Providers) and Section 6 (How We Share). We share with service providers under written contracts that restrict their use to the specified purpose.

14.6 Sale and Sharing of Personal Information

We do not sell your personal financial data. We do not share your financial data for cross-context behavioral advertising. However, to the extent Vercel Analytics uses IP-derived data to produce aggregated analytics reports, this may technically constitute “sharing” of online identifiers under CPRA. You may opt out at any time by: (a) enabling the Global Privacy Control (GPC) signal in your browser; or (b) emailing support@zhanplan.com with the subject “Do Not Sell or Share.”

14.7 Your CPRA Rights

  • Right to Know: what personal information we collect, use, share, and sell
  • Right to Delete: deletion of your personal information (with limited exceptions)
  • Right to Correct: correction of inaccurate personal information
  • Right to Portability: obtain a copy of your data in a usable format
  • Right to Opt-Out of Sale/Sharing: opt out of the sale or sharing of your personal information
  • Right to Limit Use of Sensitive PI: restrict use of your financial data to what is needed to provide Services
  • Right to Non-Discrimination: we will not penalize you for exercising any CPRA right
  • Right to Appeal: if we deny your request, you may appeal by replying to our response email

Response time: 45 days from verification, extendable by an additional 45 days with notice.

14.8 Shine the Light (California Civil Code § 1798.83)

California residents may request information once per year about personal information we disclosed to third parties for their direct marketing purposes during the preceding calendar year. To make such a request, email support@zhanplan.com with the subject “California Shine the Light.” We do not currently share personal information with third parties for their direct marketing purposes.

14.9 California Minors (California Business & Professions Code § 22581)

Registered users who are California residents under age 18 may request removal of content or information publicly posted on the Services. Contact support@zhanplan.com. Note that ZhanPlan requires users to be 18 or older to create an account.

15. Florida Digital Bill of Rights (FDBR)

ZhanPlan LLC is headquartered in Florida. Under the Florida Digital Bill of Rights (SB 262, effective July 1, 2023), Florida residents have the following rights:

  • Right to Access: confirm whether we process your personal data and obtain a copy
  • Right to Correct: correct inaccuracies in your personal data
  • Right to Delete: delete personal data you have provided or we have obtained about you
  • Right to Portability: obtain a portable copy of your data in a machine-readable format
  • Right to Opt-Out of Targeted Advertising: opt out of the processing of personal data for targeted advertising (ZhanPlan does not engage in targeted advertising of users' personal data)
  • Right to Opt-Out of Sale: opt out of the sale of your personal data (ZhanPlan does not sell personal data)
  • Right to Opt-Out of Profiling: opt out of profiling that produces legal or similarly significant effects (ZhanPlan does not engage in such profiling for external purposes)

To exercise Florida FDBR rights, email support@zhanplan.com. We will respond within 45 days, extendable by 45 days with notice. If we decline your request, you may appeal by responding to our decision email, and we will provide a final determination within 60 days.

16. EEA, UK, and Switzerland — GDPR / UK GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following applies in addition to the rest of this Privacy Policy.

Legal Bases. We process your personal data based on: (a) performance of a contract with you (operating your account and providing the Services); (b) compliance with legal obligations; (c) our legitimate interests (securing the Services, improving features, direct marketing of ZhanPlan to you), where not overridden by your fundamental rights; and (d) your consent where specifically required (e.g., marketing emails, optional cookies).

Data Subject Rights. In addition to the rights in Section 13, you have the right to object to processing based on legitimate interests, the right to restriction of processing, and the right to withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority (for example, the ICO in the UK or your national DPA in the EU).

International Transfers. Transfers of EEA/UK personal data to the United States and our US-based service providers rely on Standard Contractual Clauses. Contact support@zhanplan.com to obtain a copy.

17. Apple App Store and Google Play — Data Disclosure

The following is a summary of ZhanPlan’s data practices as required for Apple App Store App Privacy disclosures and Google Play Data Safety disclosures.

Data Used to Track You

None. ZhanPlan does not track users across third-party apps or websites for advertising purposes. We do not use advertising SDKs or cross-app tracking identifiers.

Data Linked to You

  • Contact Info: Email address, name
  • Identifiers: Account ID, device identifier (for session security)
  • Financial Info: Financial data you manually enter (budgets, expenses, income, net worth, goals, debts)
  • Purchases: Subscription plan, transaction history
  • Usage Data: Features accessed, session activity
  • Diagnostics: Crash reports

Data Not Linked to You

  • Performance Data: Aggregated, de-identified analytics via Vercel Analytics (no personal data, no cookies)

This disclosure is provided for informational purposes per Apple’s App Privacy guidelines (App Store Review Guidelines §5.1.1) and Google Play’s Data Safety guidelines.

18. Children's Privacy

The Services are not intended for individuals under 18 years of age, and we do not knowingly collect personal information from anyone under 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you believe a child has provided us personal information, contact us at support@zhanplan.com. Parents or guardians may contact us to request review or deletion of a minor’s information.

19. Third-Party Sites and Services

The Services may contain links to third-party websites, services, or applications (such as payment providers, app stores, or sign-in providers). When you click those links or use those services, their own privacy policies apply — not this one. We are not responsible for the privacy practices or content of third-party services. We encourage you to review the privacy policies of any third-party services you use in connection with ZhanPlan.

20. Marketing Communications

We may send you promotional emails about ZhanPlan features, new plans, financial tips, or other news. You may opt out of marketing emails at any time by: (a) clicking the “unsubscribe” link at the bottom of any marketing email; or (b) emailing support@zhanplan.com. Opting out of marketing does not opt you out of transactional and account-related messages, which we are entitled to send as part of providing the Services.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes — such as new types of data collection, new sharing practices, or changes that significantly affect your rights — we will notify you in advance (at least 30 days where practicable) via email and/or a prominent notice within the Services. The “Last Updated” date at the top of this page reflects the most recent revision. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Services and may request deletion of your account.

22. Contact Us — Privacy Requests

ZhanPlan LLC — Privacy Officer

Tampa, Florida, United States

Email: support@zhanplan.com

Web: zhanplan.com/privacy

Response times: California (CPRA) — 45 days; Florida (FDBR) — 45 days; GDPR — 30 days; General requests — 30 days. When you submit a request, we will verify your identity before processing it. Verification may require you to confirm your registered email address and provide additional information to prevent unauthorized requests.