Carlo Finance (“Carlo,” “we,” “us,” or “our”) operates the website carlo.finance and the Carlo financial decision simulator. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data.
We believe in being direct: we collect only what we need to run your simulations, we never sell your data, and we give you full control over deleting it. If anything in this policy is unclear, reach out to us at privacy@carlo.finance.
01
Information we collect
Information you provide directly
- Account information — name, email address, and password when you create an account.
- Financial goals and profile — income, savings targets, planned purchases, retirement timeline, and other details you enter to power your simulations.
- Support communications — messages you send us through email or in-app support.
Information from Plaid
When you connect a financial account through Plaid, we receive the following categories of data from your financial institution via Plaid’s API:
- Account information — account name, type (checking, savings, credit, investment), and institution name.
- Balance data — current and available balances for each connected account.
- Transaction data — transaction history including date, amount, merchant name, and category.
We do not receive or store your bank login credentials. Plaid uses OAuth-based connections to securely access your data from your financial institution. For details on how Plaid handles your data, see Plaid’s End User Privacy Policy.
Information collected automatically
- Usage data — pages visited, features used, simulations run, and interaction patterns.
- Device and browser information — browser type, operating system, screen resolution, and language preferences.
- Log data — IP address, access times, referring URLs, and server logs.
02
How we use your information
- Financial simulation and scenario modeling — your connected account data, goals, and profile power Carlo’s projections and “what if” scenarios. This is the core product.
- Personalized projections — we use your real financial data to make projections specific to your situation rather than generic estimates.
- Product improvement — aggregate, de-identified usage data helps us understand which features matter and where to invest.
- Communications — account-related emails (password resets, security alerts) and, with your consent, product updates.
- Security and fraud prevention — protecting your account and detecting anomalous activity.
03
Third-party services
We use a small number of third-party services to operate Carlo:
- Plaid — connects your bank accounts and provides financial data. Plaid acts as a data processor on our behalf and is contractually required to protect your data. Plaid processes your data in accordance with its own End User Privacy Policy.
- Vercel — hosts our application infrastructure. Vercel processes data in accordance with its Privacy Policy.
- Analytics — we use privacy-respecting analytics to understand product usage. We do not use analytics tools that track you across websites.
04
Data sharing
We do not sell your personal or financial data. Period. We will never sell, rent, or trade your information to third parties for their marketing purposes.
We share data only in these limited circumstances:
- Service providers — with the third-party services listed above, only to the extent necessary for them to perform their function.
- Legal requirements — if required by law, subpoena, or court order.
- Safety — if we believe disclosure is necessary to protect the rights, property, or safety of Carlo, our users, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, your data would transfer to the successor entity under the same privacy commitments.
05
Data retention
We retain your data for the duration of your active account. When you delete your account:
- Personal and financial data is deleted within 30 days of your request.
- Backups containing your data are purged within 30 days of the deletion request.
- Aggregate, de-identified data that cannot identify you may be retained for product analytics.
For detailed retention periods by data category, see our Data Retention & Disposal Policy.
06
Your rights
You have the right to:
- Access your data — request a copy of all personal data we hold about you.
- Correct your data — update inaccurate or incomplete information.
- Delete your data — request deletion of your account and all associated data. We process deletion requests within 30 days.
- Port your data — receive your data in a structured, commonly used, machine-readable format.
- Disconnect financial accounts — revoke Plaid’s access to your financial institution at any time, either through Carlo or directly through your bank.
To exercise any of these rights, contact us at privacy@carlo.finance. We will respond within 30 days.
07
Security measures
We take the security of your financial data seriously. Our protections include:
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest — stored data is encrypted using AES-256 or equivalent.
- Access controls — internal access to user data is restricted to authorized personnel on a need-to-know basis using role-based access controls.
- No credential storage — we never see or store your bank login credentials. All financial account connections go through Plaid’s secure OAuth flow.
For a full description of our security practices, see our Security Policy.
08
Children’s privacy
Carlo is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@carlo.finance and we will promptly delete it.
09
California residents
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know — you can request the categories and specific pieces of personal information we have collected.
- Right to delete — you can request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale — we do not sell personal information. There is nothing to opt out of.
- Non-discrimination — we will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at privacy@carlo.finance. We will verify your identity and respond within 45 days.
10
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top of this page.
- Notify you by email if the changes are significant (for example, a new category of data collection or a new third-party service with access to financial data).
- Post a notice in the application for at least 30 days before material changes take effect.
11
Contact us
If you have questions about this Privacy Policy or how we handle your data: