Privacy Policy – EZBay / PayDown

1. Information We Collect

1.1 Information You Provide Directly

Email address (waitlist): When you sign up for the PayDown waitlist on our website, we collect your email address. This is the only information we collect during the waitlist phase.

Account credentials: When you create a PayDown account, we collect your email address. Passwords are hashed using bcrypt before storage — we never store your password in plain text.

Email address changes: When you request to change your account email, we temporarily store the new email address in a pending state until you verify it via a confirmation link. The pending address is discarded if not verified within 24 hours.

1.2 Financial Data via Plaid

PayDown uses Plaid to connect to your financial institutions. Through this connection we may receive:

Credit card account names, balances, and credit limits
Transaction history (merchant name, amount, date, category)
Statement data (billing cycle dates, minimum payment due, interest charged)
Payment history
Annual Percentage Rates (APRs) as reported by your institution

We never receive or store your bank login credentials. Authentication with your financial institution is handled entirely by Plaid's secure Link flow. Plaid's own privacy policy governs how Plaid processes your data and is available at plaid.com/legal/privacy-policy/.

Financial data is stored in our servers solely to perform PayDown's interest-allocation calculations and to display your account information within the app. It is not used for any other purpose.

Automatic periodic updates: Once you have connected a financial account, PayDown automatically refreshes certain liability data — including credit limits and APRs — on a quarterly basis to keep your calculations accurate. These updates use the same Plaid connection you authorized and do not require additional action from you. You may revoke this access at any time by disconnecting the account in Settings.

1.3 Biometric Authentication Data

PayDown supports Face ID, Touch ID, and fingerprint authentication. Biometric data is processed entirely on your device by the operating system (iOS or Android). We receive only a success or failure result from the device's secure enclave. No biometric data is ever transmitted to or stored on our servers.

For your security, if PayDown has been in the background for more than 15 minutes, the app will require biometric re-authentication (or your device passcode) before restoring access to your data.

1.4 Authentication Tokens

When you log in, we issue short-lived JSON Web Tokens (JWTs) with a 15-minute expiry and long-lived refresh tokens (30 days) that are stored in our database. Refresh tokens are rotated on every use. Tokens are stored on your device in the platform's secure storage (iOS Keychain / Android Keystore).

1.5 Usage Analytics

Our website uses Google Analytics to collect anonymized usage data, including pages visited, time on page, and general geographic region (country/region level). IP addresses are anonymized. Google Analytics data is governed by Google's privacy policy at policies.google.com/privacy. You can opt out of Google Analytics across all websites using the Google Analytics Opt-out Browser Add-on.

1.6 Information We Do Not Collect

PayDown does not collect advertising identifiers, precise location data, contacts, photos, microphone or camera data, or any information unrelated to your use of the app. We do not track you across third-party apps or websites.

1.7 Push Notification Tokens

When you grant notification permission to PayDown, we collect your Expo push notification token. This token identifies your device for push delivery and enables us to send you payment reminders, weekly check-ins, and payoff celebrations. Push notification tokens are retained while your account is active.

1.8 Error Reporting and Crash Diagnostics

PayDown automatically collects crash reports and error diagnostics via Sentry to improve app reliability. Reported data includes device type, OS version, app version, stack traces, and error metadata. No financial data (transactions, balances, card numbers, or personal information) is included in error reports. Sentry's privacy policy is available at sentry.io/privacy/.

1.9 AI-Generated Insights

If you have enabled the AI email preference in your notification settings, PayDown sends a summary of your financial data — including account balances, credit utilization percentages, and spending patterns — to Anthropic, PBC ("Anthropic"), a third-party artificial intelligence provider, to generate a personalized financial health review. If you have an active paydown commitment, the review includes commitment-specific progress updates; otherwise, you receive a general financial health check. Anthropic processes this data solely to produce your review and does not use it to train AI models. No raw transaction details (merchant names, individual purchase amounts) are sent unless required for the summary. Anthropic's privacy policy is available at anthropic.com/privacy.

2. How We Use Your Information

2.1 To Provide and Operate the Service

Financial data retrieved via Plaid is used exclusively to calculate interest allocations, true cost figures, payment progress, and debt-reduction projections within the PayDown app. This data is not used for profiling, advertising, or any secondary purpose.

If you have enabled the AI email preference in your notification settings, a subset of your financial data is also processed by Anthropic's AI service to generate a personalized financial health review delivered to you by email. This content is generated by artificial intelligence and is not financial advice. See Section 1.9 for details on what data is shared.

2.2 Administrative Access and Account Management

Authorized EZBay personnel may access limited account information — such as your name, email address, card nicknames, and sync status — for service operations, troubleshooting, account management, and enforcement of our Terms of Service. Administrative personnel do not have access to your account balances, individual transactions, payment history, or detailed financial records through our internal tools. All administrative actions are logged in an audit trail for security and compliance purposes.

In certain circumstances, authorized administrators may also: (a) disable or re-enable user accounts; (b) revoke all active sessions associated with a user account for security purposes; and (c) trigger data recalculations to correct errors. These actions are taken only when necessary for security, compliance, or service integrity, and each action is recorded in the audit trail.

2.3 To Communicate With You

Your email address collected during waitlist sign-up will be used only to notify you when PayDown launches and, if you consent, to send infrequent product updates. You may opt out at any time by emailing support@ezbay.com with the subject line "Unsubscribe" or by clicking the unsubscribe link in any email we send.

Your account email may also be used to send security-related notifications such as password-reset emails and, in the event of a data breach, breach notification emails. We may also send push notifications (payment reminders, weekly check-ins, and payoff celebrations) if you have enabled notifications on your device. You can disable push notifications via device settings or in-app notification preferences.

2.4 To Authenticate You Securely

JWT tokens are used to authenticate your identity for each API request. Biometric data is used on-device solely to unlock access to your app session.

2.5 To Improve the Service

Anonymized analytics data from our website helps us understand which features users value and how to improve the product. Analytics data is not linked to your account or financial data. Crash reports and error diagnostics via Sentry help us identify and fix reliability issues.

2.6 To Comply With Legal Obligations

We may process your personal information where necessary to comply with applicable law, regulatory requirements, or to respond to legal process.

3. How We Share Your Information

3.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to any third party, ever. This includes your financial data, email address, and any other information described in this policy.

3.2 Service Providers

We share data with a limited number of service providers who help us operate the service:

Plaid Technologies, Inc. — Acts as our data access intermediary to retrieve your financial data from your financial institutions. Plaid is a service provider under applicable law and is contractually prohibited from using your data for purposes beyond providing the service to us.
Expo Application Services (650 Industries, Inc.) — Processes push notification tokens to deliver push notifications to your device. Expo is a service provider and is contractually prohibited from using your data for any purpose beyond push notification delivery.
Sentry (Functional Software, Inc.) — Collects error reports and crash diagnostics to monitor and improve app reliability. Sentry is a service provider and does not use error reports for any purpose beyond service improvement and security monitoring.
Google LLC (Google Analytics) — Receives anonymized, aggregated website usage data for analytics purposes.
Apple Inc. / Google LLC (App Stores) — App distribution platforms that may collect information under their own privacy policies. Their policies govern that data.
Cloud infrastructure providers — Our database and API servers are hosted on cloud infrastructure. Hosting providers have access to server data for operational purposes only and are bound by data processing agreements.
Anthropic, PBC — Processes summarized financial data to generate the optional financial health review email. Anthropic acts as a data processor and is contractually prohibited from using your data to train models or for any purpose other than generating your personalized review.

3.3 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or other legal process. We may also disclose information when we believe disclosure is necessary to protect the rights, property, or safety of EZBay, our users, or the public, or to prevent fraud or other illegal activity.

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you before your personal information is subject to a materially different privacy policy.

3.5 With Your Consent

We may share your information with third parties for any other purpose with your explicit prior consent.

3.6 User-Directed Sharing

PayDown allows you to share read-only access to your credit card data (transactions, payments, statements, and interest calculations) with another PayDown user of your choosing. Sharing is initiated by you via a secure invite link; you control which cards to share and with whom.

How sharing works: You generate a secure invite link and share it with another PayDown user (typically a spouse or financial partner). The recipient must create their own PayDown account and explicitly accept the invite. Once accepted, they can view your shared financial data but cannot modify, delete, sync it with their bank, or perform any other action on your account.

What is not shared: The recipient does NOT receive access to your bank login credentials, Plaid access tokens, account connection details, or any other sensitive information. Shared users only see your financial data.

Revoking access: You can revoke a shared user's access at any time from your account Settings. Revocation takes effect immediately, and the shared user will no longer be able to view your data. Shared users may also remove shared cards from their own view at any time.

Account deletion: If you delete your account, all sharing relationships are automatically removed.

Legal basis: For users subject to GDPR, the legal basis for sharing is Article 6(1)(a) — your explicit consent. You may withdraw this consent at any time by revoking access.

Not a sale of data: User-directed sharing is not a "sale" of personal information under the CCPA/CPRA or similar data privacy laws. The shared user is a consumer of the same service, not a third-party data buyer.

4. Data Security

We implement administrative, technical, and physical safeguards to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Specific measures include:

Encryption in transit: All communication between the app and our servers uses HTTPS/TLS.
Encryption at rest: Sensitive data fields are encrypted at rest in our database.
Password security: Passwords are hashed using bcrypt with a cost factor of 12 before storage. Plain-text passwords are never stored.
Token rotation: Refresh tokens are rotated on every use. A previously used or revoked token cannot be replayed.
Biometric isolation: Biometric templates remain within the device's secure enclave and are never transmitted.
Access controls: Access to production data is restricted to authorized personnel on a need-to-know basis. Administrative actions are logged in an audit trail to ensure accountability and detect unauthorized access.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at support@ezbay.com.

Breach notification: In the event of a data breach that compromises your personal information, we will notify affected users by email and, where required by applicable law, notify the relevant regulatory authorities within the timeframes prescribed by law (e.g., 72 hours under GDPR, "without unreasonable delay" under US state breach notification laws). Breach notifications will describe the nature of the breach, the categories of data affected, and the steps we are taking in response.

5. Data Retention

We retain your personal information for the following periods:

Financial transaction data: Retained while your account is active and for 30 days following a verified account deletion request, after which it is permanently deleted. If your account is suspended or disabled, data is retained according to these retention periods unless you request deletion. If an account remains disabled indefinitely, data is retained per the standard retention periods unless you explicitly request deletion.
Email addresses (waitlist): Retained until you unsubscribe or request deletion. We do not retain waitlist emails after you have been notified of launch and unsubscribed.
Account email address: Retained while your account is active and for up to 30 days after account deletion, except where we are required by law to retain it longer.
Authentication tokens: Refresh tokens are invalidated and deleted upon account deletion or manual session revocation.
Sync operation logs: Sync logs older than 90 days are periodically purged as part of routine data maintenance. These logs contain operational metadata (sync timestamps, success/failure status) and do not contain financial data.
Expired sessions: Expired session records older than 30 days are periodically purged. Active sessions are retained while your account is active.
Administrative audit logs: Audit logs of administrative actions are retained for 2 years or as required by law, whichever is longer.
Analytics data: Google Analytics data is retained per Google's standard retention settings (26 months by default).
AI-processed data: Financial summaries sent to Anthropic for generating your financial health review are processed transiently and are not retained by Anthropic after generating your review, per Anthropic's data processing terms.

After the applicable retention period, data is securely deleted or irreversibly anonymized.

6. Your Rights and Choices

Regardless of where you live, you have the following baseline rights with respect to your personal information:

Access: You may request a copy of the personal information we hold about you.
Correction: You may request that we correct inaccurate personal information.
Deletion: You may request that we delete your account and all associated personal data. To submit a deletion request, email support@ezbay.com with the subject line "Account Deletion Request." We will process your request within 30 days and confirm deletion in writing.
Opt out of email communications: You may unsubscribe from marketing emails at any time by emailing us or clicking the unsubscribe link in any email.
Disable AI spending review emails: You may disable the AI email preference in the app's notification settings at any time. Disabling this preference stops the delivery of AI-generated financial health reviews without affecting other account functionality.
Disable push notifications: You may disable push notifications via your device's notification settings or through the in-app notification preferences.
Disconnect bank account: You may revoke PayDown's access to your financial institution at any time through the app's Settings or by contacting Plaid directly at my.plaid.com.
Disable biometric login: You may disable biometric authentication at any time in the app's Security settings.
Opt out of analytics: You may opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.

Additional rights may be available to you depending on your jurisdiction. See the Regional Supplements below.

We will not discriminate against you for exercising any of your privacy rights.

7. Children's Privacy

PayDown is not directed at children under the age of 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@ezbay.com and we will promptly delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will update the effective date at the top of this page and, where required by law, provide you with notice (for example, by email or in-app notification).

We encourage you to review this policy periodically. Continued use of PayDown after changes are posted constitutes your acceptance of the revised policy.

9. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us:

EZBay
Email: support@ezbay.com

We aim to respond to all privacy-related inquiries within 5 business days.

10. Regional Supplements

The following supplements apply to residents of specific jurisdictions and supplement (but do not replace) the global policy above. In the event of a conflict, the regional supplement controls for residents of that jurisdiction.

United States

Supplement for United States Residents — Gramm-Leach-Bliley Act (GLBA)

Notice Regarding Nonpublic Personal Financial Information

PayDown is subject to the Gramm-Leach-Bliley Act (GLBA), which governs how we handle nonpublic personal financial information (NPI) — information about you that we obtain in connection with providing a financial product or service, including financial account data accessed via Plaid.

Categories of NPI We Collect

Information you provide (email address, account credentials)
Information from Plaid transactions (transaction records, balances, APRs, statement data)
Information from your use of the service (in-app activity related to your financial accounts)

How We Share NPI

We do not share your NPI with non-affiliated third parties for marketing purposes. Plaid is a service provider (not a data sale or non-affiliated sharing) under GLBA, and is contractually bound to use your data only to facilitate PayDown's services.

We may share NPI as permitted or required by law — for example, in response to a subpoena, to prevent fraud, or to protect against liability.

Your Opt-Out Rights

Because we do not share NPI with non-affiliated third parties for marketing, there is nothing to opt out of under GLBA's opt-out requirements. If our practices change, we will provide a new GLBA notice and opt-out opportunity.

Safeguards

We have implemented a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to the size and complexity of our business and the sensitivity of the NPI we maintain. See Section 4 (Data Security) for details.

California

Supplement for California Residents — CCPA / CPRA

This supplement applies to California residents and is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA").

Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following categories of personal information:

Category	Examples	Purpose	Retention
Identifiers	Email address, account ID	Account creation, authentication, service communications	Duration of account + 30 days
Financial account information (Sensitive PI)	Bank account balances, credit card transaction history, APRs, statement data	Core service — interest allocation calculations	Duration of account + 30 days
Biometric identifiers (Sensitive PI)	Face ID / Touch ID authentication templates	On-device app authentication only — never transmitted	Stored on device only; deleted when feature is disabled
Internet or network activity	Anonymized website usage data (pages visited, session duration)	Website analytics (Google Analytics)	Up to 26 months (Google Analytics standard)
Inferences	None — we do not draw inferences about your characteristics or preferences	N/A	N/A

Sensitive Personal Information

We collect the following sensitive personal information (as defined by CPRA):

Financial account data: Credit card account information and transaction history obtained via Plaid. Used solely to provide the core PayDown service.
Biometric identifiers: Face ID / Touch ID templates stored on your device only. Never transmitted. Used only for local app authentication.

We use and disclose sensitive personal information only for purposes permitted under CPRA — specifically, to perform the services you requested. We do not use sensitive personal information for inferring characteristics or for any secondary purpose.

We Do Not Sell or Share Your Personal Information

We do not sell your personal information and we do not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months.

Your California Privacy Rights

Right to Know: You have the right to know what personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Opt Out of Sale/Sharing: You have the right to opt out of the sale or sharing of your personal information. We do not sell or share personal information, so there is nothing to opt out of at this time.
Right to Limit Use of Sensitive PI: You have the right to limit our use and disclosure of sensitive personal information to what is necessary to perform the service. We already limit use in this manner.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to Submit a California Privacy Request

Email support@ezbay.com with the subject line "California Privacy Request" and specify the right you wish to exercise. We will verify your identity before processing your request. We will respond within 45 days; if we need an extension, we will notify you within the initial 45-day period.

Authorized agents may submit requests on your behalf. We may require written authorization or power of attorney.

Shine the Light

California Civil Code Section 1798.83 ("Shine the Light") permits California residents to request information about whether we have disclosed personal information to any third parties for their own direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.

Canada

Supplement for Canadian Residents — PIPEDA

This supplement applies to Canadian residents and is provided pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

Consent

We obtain your consent at account creation for the collection, use, and disclosure of your personal information as described in this policy. Where we collect sensitive personal information — specifically, financial data via Plaid — we obtain your explicit, informed consent through the Plaid authorization flow before any data is accessed. You may withdraw your consent at any time (subject to legal or contractual restrictions) by contacting us, though withdrawal may affect our ability to provide the service.

Identifying Purposes

We identify the purpose for collecting personal information at or before the time of collection. The primary purposes are: providing the PayDown financial analysis service, authenticating users, and notifying waitlist subscribers at launch.

Accountability

EZBay is responsible for all personal information under its control. Privacy inquiries and requests may be directed to our Privacy Officer at: support@ezbay.com.

Cross-Border Data Transfers

Your personal information may be transferred to and processed in the United States, where EZBay's servers are located. By using PayDown, you acknowledge that your information may be subject to access by U.S. law enforcement and regulatory authorities under applicable U.S. laws. We take contractual and technical measures to provide equivalent protection for your personal information in transit and at rest.

Access and Correction

Upon written request, we will provide you with access to your personal information, inform you of how it has been used and to whom it has been disclosed, and correct any inaccuracies. To make a request, contact support@ezbay.com.

Mexico

Aviso de Privacidad — Residentes de México (LFPDPPP)

Este aviso de privacidad se emite en cumplimiento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) y su Reglamento.

Responsable del Tratamiento

EZBay es el responsable del tratamiento de sus datos personales. Para ejercer sus derechos o hacer consultas, puede contactarnos en: support@ezbay.com.

Datos Personales Recabados

Correo electrónico
Datos financieros (mediante la plataforma Plaid, con su autorización expresa)
Datos biométricos: almacenados exclusivamente en su dispositivo, nunca transmitidos a nuestros servidores

Datos Personales Sensibles

Los datos financieros y biométricos tienen el carácter de datos personales sensibles conforme a la LFPDPPP. Su tratamiento requiere su consentimiento expreso, el cual se obtiene mediante el flujo de autorización de Plaid y la configuración de autenticación biométrica en su dispositivo, respectivamente.

Finalidades del Tratamiento

Finalidades necesarias: Prestación del servicio PayDown (cálculo de costos reales de crédito), autenticación de usuarios.
Finalidades secundarias: Notificación de lanzamiento del servicio (solo para suscriptores de la lista de espera, con posibilidad de cancelar la suscripción).

Derechos ARCO

Usted tiene derecho a Acceder, Rectificar, Cancelar u Oponerse al tratamiento de sus datos personales (derechos ARCO). Para ejercer dichos derechos, envíe su solicitud a support@ezbay.com indicando: nombre completo, correo electrónico registrado, derecho que desea ejercer y descripción clara de su solicitud. Responderemos dentro de los plazos establecidos por la ley.

Transferencias de Datos

Sus datos personales podrán ser transferidos a Plaid Technologies, Inc. (prestador de servicios tecnológicos) únicamente para la prestación del servicio. No realizamos transferencias con fines comerciales o de mercadotecnia. Sus datos podrán ser procesados en los Estados Unidos de América.

Modificaciones al Aviso de Privacidad

Cualquier cambio a este aviso será publicado en esta página con la nueva fecha de vigencia.

United Kingdom

Supplement for United Kingdom Residents — UK GDPR

This supplement applies to residents of the United Kingdom and is provided pursuant to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller

EZBay is the data controller for personal information collected through the PayDown app and website. Contact: support@ezbay.com.

Lawful Bases for Processing

Contract performance (Article 6(1)(b)): Processing your financial data, account credentials, and authentication tokens is necessary to perform the PayDown service you have contracted for.
Consent (Article 6(1)(a)): Processing your email address for waitlist notifications and processing analytics data are based on your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legitimate interests (Article 6(1)(f)): We process certain data for fraud prevention, security monitoring, and service improvement where our legitimate interests are not overridden by your rights.

For biometric data (where applicable), we rely on your explicit consent under Article 9(2)(a) UK GDPR, and that data is processed exclusively on your device.

Your Data Subject Rights

Right of access — Request a copy of your personal data (Article 15).
Right to rectification — Request correction of inaccurate data (Article 16).
Right to erasure ("right to be forgotten") — Request deletion (Article 17).
Right to restriction of processing — Request that we limit processing in certain circumstances (Article 18).
Right to data portability — Receive your data in a structured, commonly used, machine-readable format (Article 20).
Right to object — Object to processing based on legitimate interests or for direct marketing (Article 21).

To exercise any of these rights, email support@ezbay.com. We will respond within one calendar month.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113, if you believe we have not handled your personal information in accordance with UK GDPR.

International Data Transfers

Your personal data may be transferred to and processed in the United States. We rely on the UK's International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers, where applicable.

European Union

Supplement for European Union Residents — GDPR

This supplement applies to residents of the European Economic Area (EEA) and is provided pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

Data Controller

EZBay is the data controller within the meaning of Article 4(7) GDPR. Contact: support@ezbay.com.

Lawful Bases for Processing

Processing Purpose	Lawful Basis (GDPR Article 6)
Providing the financial tracking service (account management, calculations)	Article 6(1)(b) — Performance of a contract
Waitlist email notifications	Article 6(1)(a) — Consent
Website analytics (Google Analytics)	Article 6(1)(a) — Consent
Security monitoring, fraud prevention	Article 6(1)(f) — Legitimate interests
Compliance with legal obligations	Article 6(1)(c) — Legal obligation
Processing financial account data (special category via Plaid)	Article 9(2)(a) — Explicit consent (via Plaid authorization)
Processing biometric data (on-device only)	Article 9(2)(a) — Explicit consent; processed solely on device
Generating financial health review via Anthropic AI	Article 6(1)(a) — Consent (enabled via aiEmail preference toggle in notification settings)
Administrative access and audit logging	Article 6(1)(f) — Legitimate interests (service operations, fraud prevention, compliance)

All Eight Data Subject Rights

Right of access (Art. 15): Request confirmation of whether we process your data and obtain a copy. Email support@ezbay.com.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion where data is no longer necessary, consent is withdrawn, or processing was unlawful.
Right to restriction of processing (Art. 18): Request that processing be restricted in certain circumstances.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Art. 21): Object to processing based on legitimate interests at any time. You have an unconditional right to object to direct marketing.
Rights related to automated decision-making (Art. 22): We do not make solely automated decisions with legal or similarly significant effects. This right is therefore not applicable at this time.
Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, email support@ezbay.com. We will respond within one calendar month (extendable by a further two months for complex requests, with notice to you).

Right to Lodge a Complaint

You have the right to lodge a complaint with your lead supervisory authority under Article 77 GDPR. To find your local supervisory authority, visit the European Data Protection Board directory at edpb.europa.eu.

Data Protection Impact Assessment (DPIA)

We have conducted Data Protection Impact Assessments for the processing of biometric data (even though it is processed solely on-device) and for financial account data accessed via Plaid, as these involve special categories of data and large-scale processing potentially posing high risk to individuals' rights and freedoms.

International Transfers

Personal data may be transferred to the United States for processing. We rely on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission as the transfer mechanism for such transfers. Plaid's processing of EU residents' financial data is subject to the EU-US Data Privacy Framework, to which Plaid has certified.

Germany

Ergänzende Hinweise für Nutzer in Deutschland — BDSG + DSGVO

All provisions of the EU GDPR Supplement above apply to residents of Germany. The following additional provisions apply pursuant to the Bundesdatenschutzgesetz (BDSG).

Datenschutzbeauftragter (Data Protection Officer)

EZBay is not currently required to designate a Data Protection Officer as we do not meet the thresholds under Article 37 GDPR or § 38 BDSG (we do not engage in large-scale systematic monitoring or large-scale processing of special categories of data as a core activity). Privacy inquiries may be directed to our privacy team at support@ezbay.com.

Datensparsamkeit (Data Minimization)

In accordance with the principle of Datensparsamkeit under the BDSG and Article 5(1)(c) GDPR, we strictly limit the collection, use, and retention of personal data to what is directly necessary and proportionate to the specified purpose. Financial data retrieved via Plaid is processed only for the direct purpose of providing interest-allocation calculations and is not used for any secondary purpose.

Beschwerderecht

Sie haben das Recht, eine Beschwerde bei der zuständigen Datenschutz-Aufsichtsbehörde einzureichen. Die Bundesdatenschutzbeauftragte (BfDI) erreichen Sie unter bfdi.bund.de. Je nach Ihrem Wohnsitz ist möglicherweise die jeweilige Landesbehörde zuständig.

Japan

Supplement for Residents of Japan — Act on the Protection of Personal Information (APPI)

This supplement applies to residents of Japan and is provided pursuant to the Act on the Protection of Personal Information (個人情報の保護に関する法律, "APPI") as amended effective 2022.

Business Operator

EZBay (handling personal information as a Personal Information Handling Business Operator under the APPI). Contact: support@ezbay.com.

Purposes of Use

We use personal information for the following specific purposes:

Providing and operating the PayDown financial analysis service
User authentication and account management
Notifying waitlist registrants of the PayDown service launch
Responding to user inquiries and support requests
Improving the service based on anonymized usage data
Complying with applicable legal obligations

We will not use personal information beyond these purposes without obtaining separate consent.

Sensitive Personal Information (要配慮個人情報)

Biometric data (Face ID / Touch ID templates) constitutes sensitive personal information under the APPI. Such data is collected only with your explicit consent and is stored exclusively on your local device. It is never transmitted to our servers. We process this information only for the purpose of local app authentication.

Financial account data retrieved via Plaid may also constitute sensitive personal information. It is collected only through Plaid's explicit authorization flow, which constitutes your consent under the APPI.

Third-Party Provision

We do not provide personal information to third parties without separate consent, except where:

Required or permitted by law
Necessary to protect human life, body, or property, and consent cannot be obtained
The third party is a consigned processor acting on our instructions (e.g., Plaid as our data access provider; cloud infrastructure operators)

Cross-border transfer of personal information to processors in the United States is conducted with appropriate safeguards consistent with APPI requirements.

Data Subject Rights

You have the following rights under the APPI. To exercise them, contact support@ezbay.com:

Disclosure (開示): Request disclosure of the retained personal information we hold about you.
Correction (訂正): Request correction of inaccurate personal information.
Deletion (削除): Request deletion of your personal information where the purpose of use has been achieved or exceeded.
Cessation of use (利用停止): Request that we stop using or providing your personal information in certain circumstances.

Supervisory Authority

The Personal Information Protection Commission (個人情報保護委員会, PPC) supervises compliance with the APPI. You may consult the PPC at ppc.go.jp.

App Store Compliance

App Store Compliance Notice

Apple App Store

PayDown complies with Apple App Store Review Guidelines Section 5.1 (Privacy). Our collection and use of personal information, including data types accessible via Plaid and on-device biometric authentication, are disclosed in this policy and in Apple's App Store privacy nutrition label for the PayDown app. We request only the permissions necessary to provide the service.

Google Play

PayDown complies with the Google Play Developer Program Policies regarding user data, including the requirement to provide a prominent disclosure of data collection practices. Sensitive permissions are used only for the purposes disclosed in this policy.

Account Deletion

In accordance with Apple App Store and Google Play requirements for apps that support account creation, users may request account deletion in either of the following ways:

By email: Send a request to support@ezbay.com with the subject line "Account Deletion Request." We will process your request within 30 days and confirm deletion in writing.
In-app (coming in a future update): Settings → Account → Delete Account. This in-app deletion flow is planned for a future release and will initiate immediate deletion of your account and associated data.

Account deletion removes all personal data including your email address, financial transaction data, and authentication tokens from our servers within 30 days.