Privacy Policy

Effective date: 12 June 2026 Last updated: 12 June 2026

This Privacy Policy explains how BMRTECKBUSINESS LLC ("we", "us", "our"), the maker of the Piggy application ("App"), collects, uses, shares, and protects information about you ("you", "user"). By using the App you agree to the practices described here.

If you have questions, contact us at contact@bmrteck.com.

1. Summary (the short version)

We do not store your bank transactions, balances, incomes, or expenses on our servers. When you connect a bank, that financial data is fetched from our data provider and delivered to your device — it is not persisted in our database.
The only sensitive item we keep server-side is an encrypted access credential for your bank connection, protected with AES-256-GCM encryption at rest.
We use trusted third parties to connect to your bank (e.g. Plaid) and to manage subscriptions (RevenueCat) and notifications (Firebase).
You can disconnect a bank or delete your account at any time, which removes the stored credential and revokes access.

2. Information we collect

2.1 Information you provide

Account information: such as your email address or the identifier from your sign-in method when you create an account.
Support communications: messages you send us.

2.2 Information created when you connect a financial account

When you choose to link a bank or financial account, you authenticate directly with our data aggregation provider (such as Plaid) or your bank — we never see or store your online banking username or password. After a successful connection we store:

An encrypted access token / item identifier issued by the provider (encrypted at rest with AES-256-GCM);
The institution name and identifier, and the connection status.

We use that token only to retrieve your account and transaction data on demand and pass it to your device. We do not retain that transaction or balance data on our servers.

2.3 Information collected automatically

Device and push tokens (e.g. a Firebase Cloud Messaging token) to deliver notifications.
Subscription/purchase events from our payments partner (RevenueCat / the app stores) to manage your plan. We receive purchase metadata, not your full card details.
Basic technical/diagnostic data needed to operate and secure the service (e.g. server logs, error reports).

2.4 "Bring Your Own Key" AI features

If you use AI features, you may supply your own third-party AI provider API key. Where applicable, that key and your AI requests are handled to provide the feature you requested. Do not share data with AI features that you do not wish to send to that third-party AI provider, who processes it under their own terms.

3. How we use information

We use information to:

Provide, operate, and maintain the App and its bank-connection features;
Authenticate you and secure your account;
Process and manage subscriptions and entitlements;
Send you notifications you have enabled;
Provide customer support;
Detect, prevent, and address fraud, abuse, and security incidents;
Comply with legal obligations.

We do not sell your personal information, and we do not use your financial data for advertising.

We share information only with:

Financial data providers — to establish and maintain your bank connections and to retrieve data you request. We currently use Plaid.
- When you connect via Plaid, you also agree to Plaid's handling of your data. See the Plaid End User Privacy Policy.
Infrastructure providers — hosting and network delivery (e.g. our server host and Cloudflare).
Payments / subscriptions — RevenueCat and the Apple App Store / Google Play to process and verify purchases.
Messaging — Google Firebase for push notifications.
AI provider you choose — only if you use BYOK AI features, and only with the key you supply.
Legal / safety — when required by law, or to protect our rights, users, or the public.

We do not otherwise sell, rent, or trade your personal information.

5. How we protect information

No persistence of financial data: transactions, balances, incomes, and expenses are streamed to your device and not stored in our database.
Encryption at rest: the bank access credential we store is encrypted with AES-256-GCM.
Encryption in transit: all traffic between the App, our servers, and providers uses TLS 1.2 or higher.
Access controls: role-based access and multi-factor authentication protect our administrative systems.

No method of transmission or storage is 100% secure, but we work to protect your information using industry-standard safeguards.

6. Data retention

We keep personal information only as long as needed to provide the service and meet legal obligations. Because we do not store your financial transactions, there is little financial data to retain. When you disconnect a bank or delete your account, we revoke and delete the associated access credential. See our Data Retention Policy for details.

7. Your rights and choices

Depending on where you live (e.g. under GDPR or CCPA/CPRA), you may have the right to:

Access the personal information we hold about you;
Correct or update inaccurate information;
Delete your information ("right to be forgotten");
Withdraw consent / disconnect a financial account at any time;
Object to or restrict certain processing;
Request a copy of your data (portability);
Lodge a complaint with a data protection authority.

To exercise any right, contact contact@bmrteck.com. You can disconnect a bank or delete your account directly in the App at any time. We will not discriminate against you for exercising these rights.

By connecting a financial account, you explicitly consent to the collection, processing, and storage described in this policy, including the on-demand retrieval of your financial data via our providers. You may withdraw consent at any time by disconnecting the account or deleting your account.