Privacy Policy

1. Introduction

LazeeFish ("we," "us," or "our") operates the personal finance tracking application available at lazeefish.com. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

By creating an account and using LazeeFish, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account information. When you register, we collect your email address and, if you use password authentication, a one-way cryptographic hash of your password (we never store your password in plain text). If you sign in with Google, we receive your email address and a Google-issued identifier.

Bank connection data. When you connect a bank account through Plaid, Plaid provides us with an access token representing your connection. We store this token securely to retrieve your transactions. We do not store your bank login credentials.

Transaction data. We import and store transaction records from your connected bank accounts, including merchant names, amounts, and dates. You may also add manual transactions. All transaction data is stored exclusively in association with your account.

Usage and log data. We record authentication events (sign-in, sign-out, registration) and data-import events (Plaid syncs) along with your IP address and browser user-agent. This data is used for security monitoring and debugging.

Registration attribution data. When you create an account, we may collect the page you registered from, the URL you arrived from (referrer), and any marketing attribution parameters present in the URL (such as UTM source, medium, and campaign). We also collect the Google Analytics client identifier (_ga cookie) if Google Analytics is active in your browser. This information is used solely to understand which marketing channels bring users to LazeeFish and to improve our acquisition efforts. It is never sold or used for third-party advertising.

Website analytics data. We use Google Analytics 4 on our public-facing website (lazeefish.com). Google Analytics collects information such as pages visited, time spent on pages, approximate geographic location (country/region), browser type, and device type. This data is aggregated and is not linked to your LazeeFish account. It is collected when you visit our marketing pages, not inside the signed-in application. You can opt out using Google's opt-out browser add-on or a standard ad-blocker.

3. How We Use Your Information

• To provide and operate the LazeeFish service, including importing and displaying your transactions.
• To authenticate you and secure your account.
• To detect and investigate unauthorized access or misuse.
• To improve the reliability and performance of the application.
• To understand which marketing channels bring users to LazeeFish (using attribution data collected at registration).

Automated transaction categorization. LazeeFish uses machine learning to automatically categorize imported bank transactions. The system analyzes your transaction history — merchant names, amounts, dates, and the envelopes you have previously used — to predict how new transactions should be categorized and post them automatically to your budget envelopes. This automated processing does not produce legal or similarly significant decisions about you; its purpose is to reduce the manual effort required to maintain your budget. You can review, correct, or override any automated categorization at any time through the application.

We do not sell, rent, or share your personal or financial data with third parties for advertising or marketing purposes.

4. Third-Party Services

Plaid. Bank account connectivity is provided by Plaid Inc. When you link a bank account, you interact directly with Plaid's interface and agree to Plaid's End User Privacy Policy (plaid.com/legal). Plaid transmits transaction data to us on your behalf; we do not share your data back to Plaid beyond what is required to maintain the connection.

Google OAuth. If you choose to sign in with Google, your authentication is handled by Google's OAuth 2.0 service. We receive only your email address and a stable identifier from Google. Google's Privacy Policy applies to that interaction (policies.google.com/privacy).

Google Analytics. We use Google Analytics 4 on our public marketing website to understand visitor behavior and measure the effectiveness of our marketing. Google Analytics may set cookies and collect data about your visit. This service is governed by Google's Privacy Policy. Analytics data is not connected to your LazeeFish account or your financial information.

Cloudflare Turnstile. Our contact form uses Cloudflare Turnstile for spam and bot prevention. When you submit the contact form, Turnstile verifies your submission by transmitting a token to Cloudflare's verification servers. Cloudflare processes this data in accordance with its Privacy Policy (cloudflare.com/privacypolicy). No personal data from your LazeeFish account is shared with Cloudflare during this process.

5. Cookies and Authentication

LazeeFish uses a single HttpOnly cookie (lf_auth) to store a signed JSON Web Token (JWT) that authenticates your session. This cookie is not accessible to JavaScript and is not used for advertising or tracking. It expires when your session ends or the token's validity period lapses.

6. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on servers located in the United States. We use industry-standard practices including encrypted connections (TLS), hashed passwords (bcrypt), and access controls to protect your information.

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your account and financial data for as long as your account is active. If you request deletion of your account, we will remove your personal information and financial records within 30 days, except where retention is required by applicable law or for legitimate security purposes (e.g., fraud investigation logs).

8. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us at the address below. You may also disconnect a bank account at any time through the Bank Connections settings in the application, which will revoke Plaid's access token for that institution.

9. Children's Privacy

LazeeFish is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with their information, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of LazeeFish after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions or requests regarding this Privacy Policy, please contact us at privacy@lazeefish.com.