How Carlo handles your data.

Information you provide directly

• Account information— name, email address, and password when you create an account.
• Financial goals and profile— income, savings targets, planned purchases, retirement timeline, and other details you enter to power your simulations.
• Support communications— messages you send us through email or in-app support.

Information from Plaid

When you connect a financial account through Plaid, we receive the following categories of data from your financial institution via Plaid’s API:

• Account information— account name, type (checking, savings, credit, investment), and institution name.
• Balance data— current and available balances for each connected account.
• Transaction data— transaction history including date, amount, merchant name, and category.

We do not receive or store your bank login credentials. Plaid uses OAuth-based connections to securely access your data from your financial institution. For details on how Plaid handles your data, see Plaid’s End User Privacy Policy.

Information collected automatically

• Usage data— pages visited, features used, simulations run, and interaction patterns.
• Device and browser information— browser type, operating system, screen resolution, and language preferences.
• Log data— IP address, access times, referring URLs, and server logs.

Information processed through AI Gateway

When you use Carlo’s natural-language features, the content of your requests — and the parts of your stored data necessary to answer them, which may include account balances, transaction summaries, and the goals and figures in your profile — is sent from Carlo’s servers to Vercel AI Gateway, Carlo’s AI provider layer. AI Gateway routes the request to the selected model with zero data retention enforcement enabled. Under ZDR, Gateway and the routed model infrastructure process prompts and outputs transiently for inference and do not retain them after the request. The copy you see in the product is stored in Carlo-controlled account storage. We log request metadata (model used, latency, token counts, error state) for product reliability, abuse prevention, and unit economics.

See Section 04 for details on AI Gateway, ZDR routing, and what is stored outside Carlo-controlled systems.

• Financial simulation and scenario modeling— your connected account data, goals, and profile power Carlo’s projections and “what if” scenarios. This is the core product.
• Personalized projections— we use your real financial data to make projections specific to your situation rather than generic estimates.
• Product improvement— aggregate, de-identified usage data helps us understand which features matter and where to invest.
• Communications— account-related emails (password resets, security alerts) and, with your consent, product updates.
• Security and fraud prevention— protecting your account and detecting anomalous activity.

We use a small number of third-party services to operate Carlo:

• Plaid— connects your bank accounts and provides financial data. Plaid acts as a data processor on our behalf and is contractually required to protect your data. Plaid processes your data in accordance with its own End User Privacy Policy.
• Vercel— hosts our application infrastructure. Vercel processes data in accordance with its Privacy Policy.
• Vercel AI Gateway— Carlo’s AI provider layer. Carlo does not integrate directly with individual model vendors in product code; all model calls route through AI Gateway with zero data retention enforcement enabled. Vercel documents Gateway ZDR behavior and model-route eligibility in its Zero Data Retention documentation.
• PostHog— provides product analytics and session replay. Carlo records app sessions, including on-screen text and form or chat input, to understand early-user behavior and improve AI workflows. Carlo does not use analytics tools that track you across websites.

Carlo uses AI models only through Vercel AI Gateway. Gateway is the provider layer between Carlo and the selected model. Carlo configures every AI Gateway request with zero data retention enforcement, which we treat as the gold-standard privacy posture for AI inference: prompts, outputs, and sensitive data are processed transiently and are not retained outside Carlo-controlled storage.

What we send

The minimum content needed to answer your request. This may include the natural-language text you type, relevant financial figures from your profile, and selected balance or transaction context from your connected accounts. We do not send your name, email, password, or Plaid access tokens to AI Gateway or the routed model infrastructure.

What happens outside Carlo

• Single provider layer— Carlo sends model requests to Vercel AI Gateway, not directly to individual model vendors. Gateway handles model routing and ZDR enforcement for each selected model.
• Zero data retention routing— Carlo enables AI Gateway’s zero data retention option on model calls. If Vercel does not have a ZDR-compliant route for the requested model, the request fails instead of being sent through a non-ZDR route.
• Gateway deletion— Vercel states that AI Gateway does not retain prompts, outputs, or sensitive data, and deletes user data after requests complete.
• No BYOK exception— Carlo does not route user-selected models through user-supplied provider keys or direct vendor integrations. Requests use Carlo’s Gateway configuration, where Gateway can enforce ZDR eligibility.
• Routed model infrastructure— model infrastructure receives the request only through Gateway for inference. Under ZDR routing, it is not allowed to retain prompts or outputs after the request.

Our AI subprocessors

If we add or replace AI subprocessors or materially change AI Gateway routing, we will update this list and notify you in accordance with Section 11 of this policy.

We do not sell your personal or financial data. Period. We will never sell, rent, or trade your information to third parties for their marketing purposes.

We share data only in these limited circumstances:

• Service providers— with the third-party services listed above, only to the extent necessary for them to perform their function.
• Legal requirements— if required by law, subpoena, or court order.
• Safety— if we believe disclosure is necessary to protect the rights, property, or safety of Carlo, our users, or the public.
• Business transfers— in connection with a merger, acquisition, or sale of assets, your data would transfer to the successor entity under the same privacy commitments.

We retain your data for the duration of your active account. When you delete your account:

• Personal and financial data is deleted within 30 days of your request.
• Backups containing your data are purged within 30 days of the deletion request.
• Prompts and AI-generated responses are sent through AI Gateway with zero data retention enforcement. Gateway and routed model infrastructure do not retain inference payloads; carlo.finance retains the product copy in your account for as long as the conversation, projection, or scenario it belongs to is retained.
• Aggregate, de-identified data that cannot identify you may be retained for product analytics.

For detailed retention periods by data category, see our Data Retention & Disposal Policy.

You have the right to:

• Accessyour data — request a copy of all personal data we hold about you.
• Correctyour data — update inaccurate or incomplete information.
• Deleteyour data — request deletion of your account and all associated data. We process deletion requests within 30 days.
• Portyour data — receive your data in a structured, commonly used, machine-readable format.
• Disconnectfinancial accounts — revoke Plaid’s access to your financial institution at any time, either through Carlo or directly through your bank.

To exercise any of these rights, contact us at privacy@carlo.finance. We will respond within 30 days.

We take the security of your financial data seriously. Our protections include:

• Encryption in transit— all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest— stored data is encrypted using AES-256 or equivalent.
• Access controls— internal access to user data is restricted to authorized personnel on a need-to-know basis using role-based access controls.
• No credential storage— we never see or store your bank login credentials. All financial account connections go through Plaid’s secure OAuth flow.

For a full description of our security practices, see our Security Policy.

Carlo is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@carlo.finance and we will promptly delete it.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to know— you can request the categories and specific pieces of personal information we have collected.
• Right to delete— you can request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale— we do not sell personal information. There is nothing to opt out of.
• Non-discrimination— we will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at privacy@carlo.finance. We will verify your identity and respond within 45 days.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Notify you by email if the changes are significant (for example, a new category of data collection or a new third-party service with access to financial data).
• Post a notice in the application for at least 30 days before material changes take effect.

If you have questions about this Privacy Policy or how we handle your data: