Privacy policy · last updated 2026
Privacy, in plain English.
What I don’t collect
No bank logins. No Account Aggregator pulls. No payslip OCR. No screen scraping. No SMS reading for transaction parsing. None of it. Privacy-by-design isn’t a tagline — it’s the architecture.
What I do collect
What you tell me, manually: your income or allowance, your essentials (rent, mess, transport), your deductions (only if you ask Splex about tax), and the goals you set. Plus a hashed email + token for sign-in.
Where it lives
Encrypted at rest in my Postgres database hosted by Railway in the EU/US (depending on region routing). Refresh tokens are stored as bcrypt hashes. I never see them again after issue.
Who I share it with
No one. I don’t sell user data. I don’t share it with brokers, marketers, lenders, or insurers. The only third-party processors that touch it are: OpenAI/Anthropic (for Splex coaching responses, anonymized prompt context), Pinecone (RAG search, no PII), and Firebase (auth + push, Google’s standard data terms apply).
Your controls
Export your data at any time from Profile → Settings → Export. Delete your account from Profile → Settings → Delete. Deletion wipes your profile, goals, plans, and chat history within 7 days.
Children
Splexo is for users 18 and over. I don’t knowingly collect data from anyone younger. If you believe a minor created an account, email hello@splexo.in and I’ll delete it.