Privacy Policy

Last updated: March 5, 2026

1. Overview

Stache, a product of SAS Labs, which is a brand of SAS Ventures, a trade name of SAS Integrators LLC ("we", "our", "us"), respects your privacy. This policy describes what data we collect, how we use it, and your rights regarding that data. Stache is currently available to users in the United States only.

2. Data We Collect

Stache does not sell, rent, or trade your personal financial data. Financial information collected through the service is used solely to provide the features and functionality of the application.

Account Information

When you sign in with Google, we receive your name, email address, and profile photo. We do not receive or store your Google password.

Payment Information (Stripe)

We use Stripe to process subscription payments. When you subscribe, Stripe collects payment-related information including your name, billing address, email address, and payment method details. Stripe may also collect device, network, and fraud prevention data as described in Stripe's Privacy Policy. For Stripe payment processing, Stache acts as the data controller for the personal data you choose to provide, and Stripe acts as a data processor on our behalf. Stache does not store full payment card numbers.

Financial Data You Enter

Transactions, accounts, categories, receipts, statements, and other financial data you enter into Stache. This data is stored securely and is only accessible to you or anyone you choose to share it with.

Bank Account Connection (Plaid)

When you link a financial account through Plaid, Stache collects only the minimum financial data necessary to provide budgeting, reconciliation, and financial reporting features (such as account names, balances, transaction history, and account identifiers). Stache does not receive or store your financial institution login credentials. Authentication is handled entirely by Plaid. This data is accessed only with your explicit consent and is used solely to provide financial tracking features within Stache. Plaid processes data in accordance with its own Privacy Policy. If you disconnect a linked financial account, Stache deletes the Plaid connection credentials and stops retrieving new financial data. Financial records already imported into your account remain available as part of your personal financial history. For more information, see the Account Deletion section in the Terms of Service and the Data Retention section below.

Receipt Images & Documents

Uploaded receipts and statements are stored in secure cloud storage. Receipt images may be processed by AI (Anthropic Claude or Apple Intelligence) for text extraction. Your data is never used to train AI models. See Section 4 below for details on AI processing.

You are solely responsible for the content you upload. We discourage uploading highly sensitive data unrelated to financial record-keeping. We are not responsible for any regulatory obligations related to sensitive data you choose to store in the service.

3. How We Use Your Data

  • Providing and improving the Stache service
  • Authenticating your identity
  • Processing your financial transactions and generating reports
  • Extracting data from uploaded receipts and statements
  • Providing payment-related information with Stripe solely for processing subscription payments and fraud prevention
  • Sharing financial access credentials and related account data with Plaid solely for the purpose of retrieving authorized financial information
  • Communicating service updates or security notices
  • Sending occasional product updates and tips (only if you opt in)

We do not sell, rent, or share your personal or financial data with third parties for marketing purposes. We do not use your data for advertising or profiling.

4. AI Processing & Data Training

When you upload receipts or financial documents, or add transactions through a voice shortcut (e.g., Siri), Stache may use artificial intelligence to extract structured information such as merchant name, date, and transaction amount. Depending on your device, AI processing may occur on-device or through a cloud service.

On-Device Processing

  • Used when Stache is accessed through iOS (iPhone, iPad, Apple Watch) or macOS on a supported device
  • Stache may use on-device machine learning and Apple Intelligence features (when available) to analyze receipts or transactions locally on your device
  • Your data may be processed entirely on your device and no data is transmitted to external AI services

Cloud AI Processing

  • Used when Stache is accessed through the web, or when on-device processing is unavailable
  • Stache may use AI processing services such as Anthropic's Claude API to extract structured data
  • Only the specific receipt image, document, or text you uploaded is transmitted
  • No additional account data or financial history is included
  • AI service providers may retain submitted data for up to 7 days solely for abuse monitoring, after which the data is automatically deleted

Your data is never used to train AI models.Anthropic's commercial API terms explicitly prohibit using customer data for model training. Apple's on-device processing does not transmit data externally.

5. Data Storage & Security

Your data is stored in Supabase (hosted PostgreSQL) with:

  • AES-256 encryption at rest
  • TLS encryption in transit
  • Row-level security (RLS) ensuring users can only access their own data
  • HTTP security headers (HSTS, CSP, X-Frame-Options, etc.)

While we implement industry-standard security measures, no system is 100% secure. We encourage you to maintain your own backups. For additional information about Stache's security practices, please see our Security Overview.

6. Third-Party Services

We use the following third-party services that may process your data:

  • Google — Authentication (OAuth)
  • Supabase — Database storage, file storage, and backend infrastructure
  • Plaid — Financial account connectivity (optional)
  • Stripe — Payment processing
  • Apple — On-device AI processing capabilities
  • Anthropic — AI processing for receipt and document text extraction (when cloud processing is required)
  • Vercel — Application hosting and infrastructure
  • Cloudflare — DNS and content delivery

7. Cookies

Stache uses only essential cookies for authentication session management. We do not use tracking cookies, analytics cookies, or advertising cookies. Because we only use strictly necessary cookies required for the service to function, no cookie consent banner is required. Stripe may set technical cookies or similar identifiers necessary for secure payment processing and fraud prevention. These are not used for advertising or analytics.

8. Your Rights

You have the right to:

  • Access — View all data we store about you (available in-app)
  • Revoke — Disconnect financial accounts setup through Plaid at any time. Upon disconnection, we will cease retrieving new financial data.
  • Export — Download a complete backup of your data at any time via Settings
  • Delete — Delete your account and all associated data from Settings (30-day grace period, then permanent deletion)
  • Correct — Update or correct your information directly in the app, or contact us for assistance
  • Opt-out of sale — We do not sell your personal information. There is nothing to opt out of.
  • Communications — You may opt in or out of product update emails at any time via Settings. Transactional emails (security alerts, account deletion notices) are always sent regardless of this preference.

To exercise these rights, use the in-app Settings page or contact us.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect and how it is used (described in this policy)
  • The right to delete your personal information (available via Settings)
  • The right to opt-out of the sale of personal information — we do not sell your data
  • The right to non-discrimination for exercising your privacy rights

Categories of personal information collected: Identifiers (name, email), financial information (transactions, account data you enter), internet activity (authentication sessions). We collect this information directly from you. We do not collect information from third-party data brokers.

10. Data Retention

We retain your data for as long as your account remains active. When you request account deletion, your account enters a 30-day grace period during which you may cancel the deletion and restore your account. After the grace period expires, personal data, financial records, and uploaded files are removed from active systems. Data is removed from backup systems within 30 days thereafter. We do not retain backup copies of deleted accounts beyond 60 days. Payment transaction records may be retained as required for tax, accounting, or regulatory compliance. When you disconnect a linked financial account through Plaid, Stache removes the connection credentials and stops retrieving new financial data. Financial records that were already imported into your account remain part of your personal financial history until you delete them or delete your account.

11. Data Breach Notification

In the event of a data breach affecting personal information, we will notify affected users in accordance with applicable law. Notification will be provided via the email address associated with your account and, where appropriate, through in-app notice.

12. Children

Stache is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify users of material changes through the application. Continued use after changes constitutes acceptance.

14. Contact

For questions about this privacy policy, your data, or to exercise your privacy rights, contact us at support@stache.finance.