The TL;DR
I don't sell your data. I don't use it to train AI models. I don't share it with advertisers. Your transactions, notes, photos, and reflections are encrypted on your phone before they reach my servers, with a key only you control.
I don't connect to your bank, so there's no financial data flowing through third parties like Plaid. You can export everything I have about you anytime, or delete your account and everything goes with it. If you live in California or the EU, you have additional rights described below.
If you have questions, email alex@carlo.money.
The full version below covers the details required by law.
1. Who I am
Carlo is operated by Integral Organization Development, LLC, a New York limited liability company that I solely own and operate. Carlo is a one-person company by design, and the personal voice throughout this document reflects that.
Throughout this Privacy Policy, "I," "me," "my," and "Carlo" refer to Integral Organization Development, LLC. All commitments in this Policy are made by and enforceable against the LLC, not against me personally. The LLC is the contracting party for all purposes.
You can reach me at alex@carlo.money or by mail at:
Integral Organization Development, LLC
418 Broadway # 11611
Albany, NY 12207
2. What information I collect
Account information. When you sign up, I collect your name, email address, and authentication identifier from Apple Sign-In or Google Sign-In. I don't collect your password — authentication is handled by Apple or Google.
Encrypted application data. When you use Carlo, you create data: transactions, payee names, notes, photos, voice recordings, charitable giving records, reflections, budgets, and bills. This data is encrypted on your device using AES-256-GCM with a per-user encryption key before it leaves your device. I see only ciphertext on my servers.
Voice transcripts. When you use voice entry, your audio is sent to Groq for transcription under their Zero Data Retention policy, meaning Groq does not retain your audio after transcription. The transcript is then encrypted on your device before being stored.
AI-parsed data. Voice transcripts and receipt photos are sent to Anthropic's Claude API for parsing into structured transaction fields. Anthropic processes this data under their commercial terms; they do not use it to train models.
Subscription information. If you subscribe, RevenueCat processes your subscription status. I see your subscription state (active, expired, etc.) but not your payment details, which are handled by Apple or Google.
Device and usage information. I collect technical information necessary to operate the app: device type, OS version, app version, crash reports, and basic usage analytics. I don't track your behavior across other apps or websites.
3. How I use this information
I use your information only to:
- Provide the Carlo service to you
- Process subscriptions and respond to your support requests
- Improve Carlo (debug crashes, fix bugs, plan features)
- Comply with legal obligations
I don't:
- Sell your data
- Share your data with advertisers
- Use your data to train AI models
- Use your data to build profiles for any third party
- Track your activity across other apps or websites
4. How your data is protected
Encryption. Your transactions, notes, payees, photos, reflections, and other sensitive data are encrypted on your device with AES-256-GCM using a per-user data encryption key (DEK) before they are sent to my servers. The key that unlocks your data is wrapped with a master key stored in your iCloud Drive (iOS) or Google Drive (Android), in a file my servers do not have access to.
What this means in plain terms: My servers contain ciphertext that I cannot decrypt without your master key. Your master key lives in your cloud account, not mine.
Recovery. You also have a 12-word recovery phrase that can derive the master key independently. I don't have access to this phrase.
No bank connections. I don't connect to your bank accounts. I don't use Plaid, MX, Yodlee, or any other financial aggregator. Your bank does not share information with Carlo, because there is no connection to share through.
Founder access disclosure. As Carlo's operator, I technically have administrative access to my infrastructure (Supabase, Cloud storage, etc.) just as every app's operator does. I commit to never accessing your data outside of essential support situations, and only with your explicit permission. My long-term goal is an architecture where this is structurally impossible — that work is on the roadmap.
Subpoena exception. If I'm compelled by a valid legal process, I may be required to provide the encrypted data I hold. I can't provide your master key (I don't have it) and therefore cannot provide plaintext.
5. Where your data is stored
Your encrypted data is stored on servers operated by Supabase, located in US West (Oregon). Your photos are stored in Supabase Storage. Your encryption master key is stored in your iCloud Drive or Google Drive — Apple's or Google's infrastructure, not mine.
6. Who I share data with
I share data only with third parties that help me operate Carlo, each under contracts that limit their use of the data:
- Supabase — encrypted database and storage hosting
- Cloudflare — DNS and CDN for carlo.money
- Groq — voice transcription (Zero Data Retention)
- Anthropic — AI parsing of transcripts and receipts (no training)
- OpenAI — voice transcription fallback (where applicable)
- RevenueCat — subscription management
- Apple and Google — authentication and platform services
- Postmark — transactional email (account-related notifications)
I don't share data with advertisers, data brokers, analytics companies, or any third party for marketing purposes.
7. Data retention
I retain your encrypted data for as long as your account is active. When you delete your account, I delete all data associated with you from my database, storage, and the encryption key registry within 30 days. Backups containing your data may persist for up to 90 days before they expire from rotation, after which all traces are removed.
Anonymous, aggregated metrics (such as total app installs) may be retained indefinitely.
8. Your rights
You can, at any time:
- Export your data. Tap Settings → System Backup. You receive a ZIP file containing all your data in plaintext (decrypted on your device for export).
- Delete your account. Tap Settings → Delete Account. This permanently removes all your data within 30 days.
- Correct your data. Edit any transaction, payee, note, or other information directly in the app.
If you are in the European Union or United Kingdom (GDPR)
In addition to the rights above, you have the right to:
- Access the personal data I hold about you (use System Backup, or email me)
- Rectification (correct inaccurate data)
- Erasure ("right to be forgotten" — use Delete Account, or email me)
- Restriction of processing
- Data portability (use System Backup for a machine-readable export)
- Object to processing
- Lodge a complaint with your supervisory authority
My legal basis for processing your data is the performance of a contract (providing you with the Carlo service you subscribed to). For processing that goes beyond what's necessary for the service, I rely on your consent.
International data transfers from the EU/UK to the United States are governed by Standard Contractual Clauses approved by the European Commission. See Supabase's Data Processing Addendum for the specific contractual terms.
To exercise any of these rights, email alex@carlo.money. I'll respond within 30 days.
If you are in California (CCPA/CPRA)
You have the right to:
- Know what personal information I collect about you (this policy)
- Delete your personal information (use Delete Account, or email me)
- Correct inaccurate personal information
- Opt out of sale or sharing of your personal information (I don't sell or share — this is a non-issue for Carlo)
- Limit the use of sensitive personal information
- Non-discrimination for exercising your rights
To exercise these rights, email alex@carlo.money.
9. Children
Carlo is not intended for users under the age of 13. I don't knowingly collect data from children under 13. If you believe a child under 13 has created a Carlo account, please contact me and I'll delete the account.
For users under 18, I recommend involving a parent or guardian in financial app usage.
10. International data transfers
If you are outside the United States, your data may be transferred to and processed in the United States, where Supabase's infrastructure is located. I rely on Standard Contractual Clauses approved by the European Commission to provide appropriate safeguards for international transfers from the EU/UK. See Supabase's Data Processing Addendum for the specific contractual terms.
11. Changes to this policy
I may update this policy from time to time. If I make material changes, I'll notify you in the app and update the "Effective Date" at the top. Continued use of Carlo after changes constitutes acceptance of the updated policy.
12. Contact
Email alex@carlo.money with any questions, requests, or complaints.
Integral Organization Development, LLC
418 Broadway # 11611
Albany, NY 12207