Legal

Privacy Policy

Operated by Iron Vector Labs LLC

Effective Date: February 28, 2026

Privacy at a glance

We do not sell your personal information.
We use no advertising or tracking technologies. The marketing website uses Vercel Analytics — cookieless, no personal data collected.
The app uses one strictly necessary session cookie for login.
IP addresses are used only in-memory for rate limiting and are never persisted.

1. Introduction

CardTotal (“we,” “us,” or “our”) is a personal credit card spending dashboard that helps you track balances, plan expenses, and manage household budgets.

Iron Vector Labs LLC is the data controller responsible for personal data collected through CardTotal.

This Privacy Policy explains what information we collect, how we use it, how long we retain it, and your rights regarding your data.

By using CardTotal, you agree to the practices described in this policy.

2. Information We Collect

2.1 Account Information

Email address: used to identify your account and send verification codes
Password: stored only as a one-way cryptographic hash using bcrypt (cost factor 10); we never store plaintext passwords
Timezone preference

2.2 Financial Data (via Plaid)

CardTotal connects to financial institutions through Plaid Technologies, Inc.

We receive and store:

Credit card account names
Last four digits of account numbers (“masks”)
Account types
Current balances
Available credit
Credit limits
Pending transactions
Statement data
Plaid access token (encrypted at rest using AES-256-GCM)

We do not store:

Full account numbers
Full card numbers
Bank login credentials
Social Security numbers

Your use of Plaid Link is also subject to Plaid’s Privacy Policy.

2.3 User-Generated Data

Spending goals
Planned expenses
Pending payment records
Card nicknames
Family plan configuration (roles, members, card visibility settings)

2.4 Authentication & Security Data

Session tokens
Temporary two-factor authentication (2FA) codes
WebAuthn / passkey public key credentials (public key and counter only)

Biometric data never leaves your device.

2.5 Technical & Security Data — IP Addresses

IP addresses are used solely for rate limiting and abuse prevention.

IP addresses:

Exist only in the in-memory rate limiter inside serverless functions
Are stored temporarily in a Map keyed by IP with a {count, resetAt} record
Have a maximum lifetime of 1 hour
Are never written to disk or stored in any database
Are cleared automatically when the serverless instance is recycled
Are isolated per function instance

In practice, IP address data is typically retained for only a few minutes to one hour and is never persisted.

3. Cookies and Tracking Technologies

Application (Logged-In App)

CardTotal uses one strictly necessary cookie:

Secure session cookie

Required for authentication and maintaining login state.

This cookie:

Is essential for the app to function
Does not track users across websites
Is not used for advertising
Is not shared with third parties

No analytics cookies, advertising cookies, tracking cookies, or third-party tracking scripts are used.

Marketing Website

The CardTotal marketing website uses Vercel Analytics for privacy-friendly page view tracking. Vercel Analytics:

Sets no cookies
Does not collect personal data or IP addresses
Does not track users across websites
Is not used for advertising or remarketing

The marketing website does not embed advertising pixels or third-party tracking scripts.

4. How We Use Your Information

We process your data to:

Authenticate your identity
Maintain secure sessions
Display credit card balances and spending data
Calculate budgeting metrics
Enable Family Plan visibility settings
Prevent abuse and unauthorized access
Send transactional emails (verification, invitations)
Maintain internal operational metrics using aggregated, non-identifiable statistics

We do not sell personal information.

We do not use financial data for advertising or marketing.

6. Data Security

We implement reasonable safeguards including:

AES-256-GCM encryption of Plaid tokens
bcrypt password hashing
TLS encryption (HTTPS)
Short-lived session tokens
In-memory IP-based rate limiting
WebAuthn / passkey support

No system is completely secure.

7. Data Retention

Account data: Until account deletion
Plaid data and balance history: Until deletion or disconnect
User-generated goals: Until deleted by user
Session tokens: 30 days or logout
2FA tokens: 10 minutes
IP addresses: Minutes to 1 hour maximum (never persisted)
Encrypted backups: Up to 30 days before permanent deletion

When you delete your account, all associated data is deleted within 30 days, including encrypted backups.

8. Your Privacy Rights

Colorado and certain other U.S. residents may have the right to:

Access their personal data
Correct inaccurate data
Delete personal data
Obtain a portable copy of personal data
Opt out of targeted advertising (CardTotal does not engage in targeted advertising)

How to exercise rights

Email support@ironvectorlabs.com with your request from the email associated with your account.

Appeals (Colorado requirement)

If we deny your request, you may appeal the decision by replying to our response within 45 days.
We will respond to appeals within 45 days.
If your appeal is denied, you may contact the Colorado Attorney General at coag.gov/resources/colorado-privacy-act.

9. Children’s Privacy

CardTotal is not directed to children under 13 and does not knowingly collect personal data from children under 13.

The “child” role in the Family Plan is a visibility feature under supervision of the primary account holder.

10. Data Breach Notification

If we discover a breach affecting personal information, we will notify affected users in accordance with applicable law.

11. Changes to This Policy

We may update this policy periodically. Material changes will be reflected by updating the effective date.

12. Contact Us

Iron Vector Labs LLC

Email: support@ironvectorlabs.com

Website: cardtotal.net