Privacy Policy

Apexa Web App LLC · Effective April 6, 2026 · Version 2026-04

    Short version: We collect only what we need to run the service. We don't sell your data. You can export or delete everything at any time. Your biometric data never leaves your device.
  

1. Who We Are

Apexa Web App LLC ("Apexa", "we", "us") operates the Apexa financial platform accessible at apexa.com. We are incorporated in Puerto Rico, EIN 41-5230947.

For privacy questions: privacy@apexa.com

2. What Data We Collect

Category	What exactly	Why
Account data	Full name, email address, account type (creator/agency)	To create and identify your account
Authentication	Bcrypt password hash, WebAuthn public key (not biometric data), session JWTs	To securely verify your identity
Financial preferences	Tax %, invest %, spend % split settings, risk profile	To automate your income splitting
Subscription	Plan tier, Stripe customer ID, subscription status	To manage your billing
Consent records	Checkbox state, timestamp, IP address at signup	Legal compliance (CCPA, GLBA)
Access logs	Login timestamps, IP addresses, device user-agent	Security — detect unauthorised access
Usage data	Screen views, feature usage (anonymised)	Product improvement

3. What We Do NOT Collect

Biometric data — Face ID / fingerprint data never leaves your device. We only store the cryptographic public key.
Bank credentials — Handled entirely by Plaid (SOC 2 Type II certified). We store only the access token they provide.
Card numbers — Handled entirely by Stripe (PCI DSS Level 1). We never see your full card number.
Social Security Numbers — Not collected or stored at any point.
Passwords in plaintext — Passwords are one-way hashed with bcrypt before storage.

4. How We Use Your Data

Provide and improve the Apexa service
Automate your income splitting (tax, invest, spend)
Process subscription billing via Stripe
Send transactional emails (account changes, payment receipts)
Send product updates if you opted in (you can opt out anytime)
Detect fraud, abuse, and unauthorised access
Comply with legal obligations (tax reporting, GLBA)

5. Third Parties We Share Data With

Service	What they receive	Their privacy policy
Stripe	Name, email, payment method for billing	stripe.com/privacy
Plaid	Bank connection initiation (credentials handled entirely by Plaid)	plaid.com/legal
DriveWealth	Name, DOB, SSN for brokerage account opening only	drivewealth.com/privacy
Anthropic	Chat messages you send to Apexa AI (no PII injected)	anthropic.com/privacy
Airtable	Name, email at signup for CRM (optional, can opt out)	airtable.com/privacy

We do not sell, rent, or trade your personal data to any third party for advertising or marketing purposes.

6. Your Rights

Regardless of where you live, you have the following rights:

Right to access — Download everything we hold on you via Account → Privacy → Download My Data
Right to deletion — Delete your account and all data via Account → Privacy → Delete Account
Right to portability — Your export is in standard JSON format, machine-readable
Right to correction — Update your name and email in Account settings
Right to restrict processing — Contact privacy@apexa.com
Opt out of marketing — Uncheck marketing emails in Account settings or click Unsubscribe in any email

7. California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information
Right to opt-out of sale of personal information (we do not sell personal information)
Right to non-discrimination for exercising CCPA rights

To exercise your CCPA rights, use the in-app controls or contact privacy@apexa.com. We will respond within 45 days.

8. Financial Privacy (GLBA)

As a financial technology company, we are subject to the Gramm-Leach-Bliley Act (GLBA). We collect and use nonpublic personal financial information only to provide the Apexa service. We do not share your financial information with unaffiliated third parties for marketing. Our security program includes encryption at rest and in transit, access controls, and audit logging.

9. Data Retention

Active account data — retained while your account is open
Deleted account data — purged immediately on deletion, except audit logs retained 90 days for legal compliance, then permanently deleted
Access logs — retained 12 months, then purged
Consent records — retained 7 years (legal requirement)
Stripe / Plaid tokens — deactivated and deleted within 30 days of account deletion

10. Security

All data in transit encrypted with TLS 1.2+
Passwords hashed with bcrypt (cost factor 12)
Sensitive fields encrypted at rest with AES-128 (Fernet)
WebAuthn / Passkey authentication — private keys never leave your device
Rate limiting on all authentication endpoints (10 attempts/min per IP)
CORS restricted to apexa.com — cross-origin requests blocked
PII filtered from server logs
All data access audited with timestamp and IP

11. Cookies & Tracking

Apexa uses only functional cookies required to keep you logged in (JWT stored in localStorage). We do not use advertising cookies, tracking pixels, or third-party analytics that profile you.

12. Children's Privacy

Apexa is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us data, contact privacy@apexa.com and we will delete it promptly.

13. Changes to This Policy

We will notify you of material changes via email and in-app notice at least 14 days before they take effect. The current version date is always shown at the top of this page.

14. Contact

For privacy questions, data requests, or concerns:

Email: privacy@apexa.com
Mail: Apexa Web App LLC, Puerto Rico, USA