Paidly.to

Privacy Policy

Effective date: May 22, 2026  ·  Last updated: May 22, 2026

Short version: Paidly.to stores your bill data on your device only. We use Plaid to read your bank data with your permission. We never sell your data, and you can delete everything at any time from inside the app.

1. Who We Are

Paidly.to ("Paidly.to," "we," "us," or "our") is an independent iOS application that helps individuals track recurring bills and payment due dates. We are not affiliated with any bank, financial institution, or financial services provider.

If you have questions about this Privacy Policy, contact us at privacy@paidly.to.

2. Information We Collect

2a. Bill and Payment Data (On-Device)

When you add bills manually or import them from your bank, Paidly.to stores the following information locally on your device only, encrypted using SQLCipher (AES-256):

  • Biller names, amounts, and due dates
  • Payment history and notes
  • Account numbers (stored separately in the iOS Keychain)
  • Notification preferences

This data is never transmitted to our servers and is not accessible to us.

2b. Bank Data via Plaid

If you choose to link a bank account, Paidly.to uses Plaid, a trusted financial data network, to access your bank information on your behalf. When you connect a bank, Plaid may access:

  • Transaction history (to detect recurring bills and subscriptions)
  • Account balances and account details
  • Credit card minimum payment amounts and due dates
  • Loan and mortgage payment information

Bank linking is entirely optional. You may use Paidly.to without connecting any bank account.

Plaid's handling of your data is governed by Plaid's End User Privacy Policy. We encourage you to review it.

2c. Server-Side Data (Plaid Connection Tokens)

Paidly.to requires a small backend server exclusively because of how Plaid's API works — not by choice. Plaid's security model requires that your bank connection credentials (called access tokens) be held on a server, never inside a mobile app. Every call to retrieve your bank data must be made server-side using both your connection token and Paidly.to's own Plaid credentials. There is no architecture where a mobile app can fetch data directly from Plaid without a server in the middle.

Because of this requirement, our server stores only:

  • Plaid item IDs and encrypted access tokens (required to retrieve your data from Plaid)
  • Institution name and connection date

These tokens are stored in an encrypted PostgreSQL database (AES-256-GCM) on Render (our hosting provider). We do not store your actual bank account numbers, full transaction history, or any personally identifiable information on our servers. If you do not link a bank account, nothing is stored on our server at all.

2d. Information We Do Not Collect

Paidly.to does not collect:

  • Your name, email address, or phone number
  • Device identifiers or advertising IDs
  • Location data
  • Usage analytics or crash reports (beyond what Apple provides)
  • Any data for advertising or marketing purposes
  • Payment card numbers or billing information (all subscription billing is handled directly by Apple)

3. How We Use Your Information

We use the information described above solely to provide the Paidly.to service, specifically to:

  • Display your bills, due dates, and payment history within the app
  • Send local push notifications before bill due dates
  • Connect to Plaid to retrieve bank and transaction data on your request
  • Enable end-to-end encrypted multi-device sync (if you choose to use it)
  • Process your subscription through Apple's In-App Purchase system (Apple handles all payment data; we receive only a confirmation of your subscription status)

We do not use your financial data for credit scoring, underwriting, employment screening, tenant screening, advertising, or any other purpose beyond the bill-tracking service you requested.

4. How We Share Your Information

We do not sell, rent, or share your personal or financial data with any third party, except as follows:

Plaid

When you link a bank account, we share your request with Plaid so that Plaid can retrieve the relevant bank data. Plaid acts as an independent data processor and is governed by its own privacy policy.

Infrastructure Providers

Our server runs on Render (render.com). Render hosts our API server and PostgreSQL database. Render may have incidental access to server data in the course of providing hosting services. Render's privacy policy governs its data handling.

Legal Requirements

We may disclose information if required by law, regulation, court order, or government authority, or to protect the rights, property, or safety of Paidly.to, our users, or the public.

5. Data Retention

  • On-device bill data — retained until you delete it from the app or uninstall Paidly.to.
  • Plaid access tokens — retained on our server until you disconnect the bank account from within the app, at which point they are permanently deleted.
  • Delete All My Data — using Settings → Delete All My Data in the app will permanently delete all bill data from your device and all Plaid connection tokens from our server.

6. Data Security

We take the security of your data seriously:

  • On-device bill data is encrypted at rest using SQLCipher (AES-256). The encryption key is stored in the iOS Keychain and never leaves your device.
  • Account numbers are stored separately in the iOS Keychain, protected by the Secure Enclave.
  • Communications between the app and our server use TLS (HTTPS) encryption in transit.
  • Plaid access tokens are stored encrypted (AES-256-GCM) in our database with access controls restricting access to authorized systems only.
  • Plaid access tokens are automatically rotated when Plaid detects a security event. Our server listens for Plaid's signed rotation webhooks and immediately replaces any rotated token — the old token is invalidated on Plaid's side at the same time.
  • We do not have access to your bank login credentials. These are handled directly by Plaid.

No method of transmission or storage is 100% secure. If you believe there has been a security incident involving your Paidly.to data, please contact us immediately at privacy@paidly.to.

7. Your Rights and Choices

Disconnecting Your Bank

You can disconnect any linked bank account at any time from Settings → Connected Banks → Remove. This deletes the Plaid access token from our server and removes all bills associated with that account from your device.

To also remove your connection from Plaid's systems, visit my.plaid.com.

Deleting All Your Data

You can permanently delete all bill data and bank connections at once from Settings → Delete All My Data. This action cannot be undone.

California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know — the categories and specific pieces of personal information we have collected about you.
  • Right to Delete — request deletion of your personal information (use the in-app Delete All My Data feature or contact us at privacy@paidly.to).
  • Right to Opt-Out of Sale — we do not sell personal information, so there is nothing to opt out of.
  • Right to Non-Discrimination — we will not discriminate against you for exercising any CCPA rights.

To exercise any of these rights, contact us at privacy@paidly.to. We will respond within 45 days.

8. Children's Privacy

Paidly.to is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided information to us, please contact us at privacy@paidly.to and we will promptly delete it.

9. Third-Party Links and Services

The app may display links to biller payment websites or allow you to open your bank's app. These third-party services have their own privacy policies, and we are not responsible for their data practices.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If changes are material, we will provide notice through the app. Your continued use of Paidly.to after any changes constitutes acceptance of the updated policy.

11. Contact Us

For any privacy-related questions, data requests, or concerns, please contact:

Paidly.to
Email: privacy@paidly.to
Response time: within 10 business days

© 2026 Paidly.to. All rights reserved.