Privacy Policy

Last updated: April 3, 2026

1. Introduction

Statify.me ("we," "us," or "our") is operated by Springrock Ventures LLC. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our website at statify.me and related services (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided via OAuth or profile settings)
  • Profile image (from your OAuth provider)
  • Username (if you set one)

2.2 Financial Data (Business Product)

When you connect financial services through our business product, we collect and process:

  • Via Plaid: Bank account balances, transaction history (amounts, dates, merchant names, categories), and account metadata (account name, institution name, account type). We access this data through Plaid's secure API. We never receive or store your bank login credentials — authentication is handled entirely within Plaid's secure widget.
  • Via Stripe Connect: Revenue metrics, subscription data, customer counts, refund data, and product performance data from your Stripe account. Access is read-only.
  • Via Shopify: Order data, revenue, product performance, and customer metrics from your Shopify store. You provide your own Admin API token with read-only scopes.
  • Via Google Analytics / Plausible: Website traffic metrics including sessions, pageviews, conversion rates, traffic sources, and top pages.
  • Via Beehiiv / ConvertKit: Newsletter subscriber counts, email open rates, click rates, and broadcast performance.
  • Via QuickBooks: Profit and loss data, expense categories, revenue, and account balances.

2.3 Personal Stats Data (Consumer Product)

When you connect personal services, we collect:

  • Spotify: Top tracks, artists, genres, and recently played history
  • GitHub: Repository data, contribution activity, and programming languages
  • Strava: Activity data including runs, rides, distances, and times
  • Last.fm: Scrobble history, top artists, and top tracks
  • Steam: Game library, playtime, and achievements
  • Chess.com: Ratings, win/loss records, and puzzle scores
  • Garmin: Golf, running, cycling, swimming, and hiking activity data

2.4 Payment Information

Payment processing is handled entirely by Stripe. We do not receive, process, or store credit card numbers or bank account details for payment purposes. Stripe's privacy policy governs payment data.

2.5 Automatically Collected Information

We use only essential cookies for authentication (session token and CSRF protection). We do not use tracking cookies, analytics cookies, or advertising cookies.

3. How We Use Your Information

We use collected information solely to:

  • Authenticate your identity and maintain your account
  • Generate dashboards, stat cards, and wrapped reports that you request
  • Display your public profile (if you choose to set a username)
  • Send transactional emails (magic links, weekly digests if subscribed)
  • Process subscription payments via Stripe
  • Improve the Service (aggregate, anonymized usage patterns only)

We do NOT:

  • Sell your data to any third party
  • Use your financial data for advertising, profiling, or credit decisions
  • Share your data with third parties for their marketing purposes
  • Initiate financial transactions or move money on your behalf
  • Use your data for any purpose other than providing the Service to you

4. How We Protect Your Information

  • Encryption in transit: All connections use TLS 1.2 or higher. HSTS is enforced across all endpoints.
  • Encryption at rest: Our database (PostgreSQL) and cache (Redis) use AES-256 encryption at rest. OAuth tokens and Plaid access tokens are stored in encrypted database columns.
  • Access controls: Production infrastructure requires multi-factor authentication. The production database is not directly accessible by humans — only by the application service account within a private network.
  • Data isolation: Every database query is scoped to your user ID. No customer can access another customer's data through the application.
  • Read-only access: All third-party integrations use read-only permissions. We never modify your data on any connected service.
  • Credential security: We never receive your bank login credentials. Plaid Link handles bank authentication in a secure, sandboxed widget. We never see or store your bank username or password.

5. Third-Party Services

We use the following third-party service providers to operate the Service:

Provider | Purpose | Data Shared
Plaid Inc. | Financial data aggregation | Bank credentials handled by Plaid (we never see them)
Stripe Inc. | Payment processing | Payment details handled by Stripe (we never see card numbers)
Render Inc. | Application hosting | All application data (encrypted)
Upstash Inc. | Redis caching | Temporary session and cache data (encrypted)
Resend Inc. | Email delivery | Email addresses for transactional emails

Each provider maintains their own privacy policy and security certifications. Our hosting providers (Render, Upstash) are SOC 2 certified. Plaid is SOC 2 Type II and ISO 27001 certified.

6. Data Retention

  • Account data: Retained while your account is active.
  • Financial data (Plaid): Transaction detail is retained as rolling 90-day windows. Monthly aggregate snapshots are retained while your account is active.
  • Integration data: Stats from connected services are refreshed hourly and retained while the integration is connected.
  • OAuth tokens: Retained while the integration is connected. Deleted immediately upon disconnection.
  • Upon account deletion: All personal data, financial data, tokens, reports, and snapshots are permanently deleted within 30 days. Database backups containing your data are purged within 7 days.

7. Your Rights

You can exercise the following rights directly from your Settings page:

  • Access & export: Download a complete copy of all your data as a JSON file from Settings.
  • Deletion: Permanently delete your account and all associated data from Settings.
  • Disconnect: Revoke access to any individual integration at any time. Disconnecting immediately deletes the access token and all synced data for that service.
  • Portability: Your data export is provided in machine-readable JSON format.
  • Correction: You can update your profile information at any time through Settings.
  • Opt-out: Unsubscribe from email digests via the link in any email or the toggle in Settings.

8. California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Delete your personal information — use the "Delete account" button in Settings
  • Download a copy of your data — use the "Download my data" button in Settings
  • Opt out of the sale or sharing of personal information — we do not sell or share your data (see our Do Not Sell or Share page)
  • Non-discrimination for exercising your privacy rights

You can exercise most of these rights directly from your Settings page. For additional requests, contact privacy@statify.me. We will respond to verifiable requests within 45 days as required by law.

9. European Residents (GDPR)

If you are in the European Economic Area, our legal bases for processing are:

  • Consent: You consent to data collection when you connect each integration
  • Contract performance: Processing necessary to provide the Service
  • Legitimate interest: Transactional emails and service improvements

Data is processed and stored in the United States. Transfer is governed by standard contractual clauses or your consent at signup. You may contact your local supervisory authority if you have concerns.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it immediately. If you believe a child under 16 has provided us with personal information, contact us at privacy@statify.me.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email and, where required by law, notify applicable regulatory authorities within the required timeframe.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact Us

For privacy-related inquiries: