Wilco Simple Plan — Privacy Policy
Effective date: 2026-04-29 Version: 1.0 Operator: Wilco Financial, LLC ("Wilco", "we", "us", "our") Contact: jgillett@wilcofin.com
This policy describes how Wilco collects, uses, shares, and protects information when you use the Wilco Simple Plan application — accessible on the web at wilcosimpleplan.com and as the Wilco Simple Plan iOS application distributed through the Apple App Store.
We treat the privacy of your personal and financial information as a foundational responsibility, not a compliance afterthought.
1. Information we collect
1.1 Information you provide directly
When you create an account or use the application, you provide:
- Account credentials: email address, name, and a password (which we store as a one-way bcrypt hash; the cleartext password is never persisted).
- Optional two-factor authentication: if you enable it, an encrypted authenticator-app secret. Recovery codes are stored as one-way bcrypt hashes.
- Plan data: financial assumptions, projections, goals, notes, and other content you create inside the application. Any plan-data we store is encrypted at rest with AES-256-GCM using a key derived per-tenant; we cannot read it without your tenant identifier.
- Account, income, expense, asset, and liability records you enter manually.
1.2 Information from connected financial institutions (via Plaid)
If you choose to link a bank account using Plaid, Wilco receives from Plaid:
- Institution metadata: the name and type of the institution you linked, and the linkage identifier issued by Plaid.
- Account information: account name, account type (checking, savings, credit card, etc.), the masked last digits of the account, and balance.
- Transactions: transaction date, description, merchant name (when available), amount, currency, and Plaid-assigned category.
We do not receive nor store your bank login credentials. Plaid manages the credential exchange directly with your financial institution; we receive only the data you authorized Plaid to share with us.
1.3 Information collected automatically
- Application logs: timestamps, IP address, user-agent string, and the URL path of requests you make to our servers. Used for security monitoring and operational diagnostics.
- Audit log entries: authentication events (login successes/failures, password changes, two-factor events, password resets), Plaid linking and removal events, and data-export events. Retained per § 7.
1.4 We do not knowingly collect
- Your bank login credentials (Plaid handles those, not us).
- Social Security numbers, government-issued ID numbers, or biometric identifiers.
- Information from children under 13. The application is not directed to children, and we do not knowingly collect children's data. If you believe a child has registered, contact us at the email above and we will delete the account.
2. How we use your information
We use the information described in § 1 for the following purposes only:
- To provide the service: authenticate you, render your plan, project your finances, and display data you choose to view.
- To process Plaid-derived data on your behalf: sync new transactions, update balances, categorize activity, and maintain the linkage you established.
- To communicate with you: send transactional emails for password resets and security notifications. We do not send marketing emails.
- For security and fraud prevention: rate-limit abusive activity, detect compromised accounts, audit access events.
- To meet legal obligations: respond to lawful requests from authorities; comply with applicable regulations.
We do not:
- Sell your information to third parties.
- Share your information with advertisers.
- Use your data to train machine-learning models.
- Use your data for purposes other than those listed above.
3. Who we share information with
We share your information only with the service providers we use to operate the application, and only the minimum necessary for them to perform their function. These providers are:
| Provider | Purpose | Data shared |
|---|---|---|
| Vercel | Application hosting and serverless runtime | All application traffic (encrypted at rest at Vercel) |
| Neon | Managed PostgreSQL database | All persisted application data (encrypted at rest by Neon) |
| Upstash | Managed Redis (rate-limit counters) | Hashed identifiers used for rate limiting (no plan or financial data) |
| Resend | Transactional email delivery | Email address and message body of transactional emails (e.g., password reset) |
| Plaid | Bank account aggregation and transaction sync | Account-link consent metadata and identifiers for accounts you choose to link; no other personal data |
| Apple | iOS application distribution | Whatever Apple collects from App Store users (subject to Apple's published privacy practices) |
Each of these providers is bound by an agreement that restricts their use of your data to performing the contracted service. They do not own, sell, or independently use your data.
We may also disclose information when legally compelled (subpoena, court order, regulatory request). We will, where lawful, give you advance notice if your data is the subject of such a request.
4. How we protect your information
Detailed technical practices are documented in our Information Security Policy (available on request). Highlights:
- Encryption in transit: all traffic between your browser/app and our servers uses TLS 1.2 or better. HTTP requests are redirected to HTTPS.
- Encryption at rest: all data is stored in databases and storage that are encrypted at rest by our hosting providers using AES-256. The most sensitive items (your plan data, your two-factor secret, your linked-bank access tokens) are additionally encrypted at the application layer with per-tenant or per-user keys.
- Authentication: passwords are hashed with bcrypt at a high work factor; two-factor authentication is available; new account creation is gated by an admin approval step.
- Access control: every database query is scoped to the tenant of the authenticated user; cross-tenant access is structurally prevented.
- Audit logging: authentication and significant data events are logged and retained.
- Rate limiting: automated abuse is throttled at multiple layers.
No system can guarantee absolute security. If we ever experience an incident affecting your data, we will notify affected users via email within 72 hours of confirmation, with a description of what occurred, what data was involved, and what you should do.
5. Your rights
You may at any time:
- Access the personal information we hold about you. The application surfaces most of it directly. For a complete export in machine-readable form, email us.
- Correct information that is inaccurate. Most fields are editable directly in the application; for those that are not, email us.
- Delete your account and all data associated with it. Email us; we honor verified deletion requests within 30 days. Some records (e.g., audit log entries pertaining to authentication) may be retained for the period required by applicable law and security practice.
- Export your data in a portable format. Email us; we will deliver a JSON archive of your records.
- Disconnect a linked bank at any time, removing the linkage and revoking Plaid's authorization. Use the Remove button on the Accounts page in the application; the connection is also automatically severed if no transactions sync for 60 consecutive days.
- Withdraw consent at any time. Cancellation is processed by deleting your account.
To exercise any of these rights, email jgillett@wilcofin.com with a description of your request. We will verify your identity (typically by sending a confirmation email to the address on file) before acting on the request.
5.1 California residents (CCPA / CPRA)
If you are a California resident, the rights described above satisfy California's "Right to Know," "Right to Delete," "Right to Correct," "Right to Opt Out of Sale," and "Right to Limit Use of Sensitive Information." We do not sell your information to anyone, so the "opt out of sale" right is satisfied by default.
5.2 Residents of other jurisdictions
If you reside in a jurisdiction with comprehensive privacy law (e.g., GDPR for the EU/EEA/UK; PIPEDA for Canada; LGPD for Brazil), the rights described above are intended to satisfy applicable equivalents. If you require an article-by-article mapping for compliance purposes, contact us.
6. Geographic scope
The application is currently offered to users in the United States. Data is processed in the United States by our service providers. If you access the application from outside the United States, you consent to your information being transferred to and processed in the United States.
7. Retention
| Category | Retention |
|---|---|
| Account record (user, email, password hash) | Retained while your account is active; deleted within 30 days of a verified deletion request. |
| Plan data, accounts, transactions | Retained while your account is active; deleted within 30 days of a verified deletion request. |
| Audit log entries pertaining to authentication | Retained indefinitely by default; subject to deletion on a verified user request. |
| Backup snapshots (database) | Retained for the rolling window provided by our database vendor (currently 7 days). After deletion, residual data in backups expires within that window. |
8. Cookies and similar technologies
The web application uses a single first-party session cookie to maintain your signed-in state. This cookie is httpOnly, Secure, and SameSite=Lax — it cannot be read by JavaScript and is not transmitted on cross-site requests. We do not set advertising or tracking cookies, and we do not use third-party analytics that track you across sites.
The iOS application stores its session token in iOS Keychain (expo-secure-store) and re-prompts for biometric authentication on cold start.
9. Children's privacy
The application is not directed to, and we do not knowingly collect information from, children under 13. If you are a parent or guardian and believe your child has provided information to us, contact jgillett@wilcofin.com and we will delete the account and its data.
10. Changes to this policy
We may update this policy as the application or applicable law evolves. Material changes will be communicated to active users by email at least 30 days before the change takes effect, and the Effective date at the top of this policy will be updated. The previous version will remain accessible on request.
11. How to contact us
For any privacy-related question, request, or concern:
Wilco Financial, LLC Attn: Jon Gillett, Founder jgillett@wilcofin.com
We will acknowledge your message within one business day and substantively respond within 30 days for most requests, sooner where possible.