Privacy Policy

Last updated: March 2026

Introduction

Less Panic ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our bill tracking service.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (stored securely using bcrypt hashing)
  • Name (optional)
  • Timezone preference

Financial Information

When you use Less Panic, you may provide:

  • Account names and balances
  • Recurring bill and income routines
  • Category selections

When you connect a bank account through Plaid, we receive and store transaction data including transaction descriptions, merchant names, amounts, dates, categories, pending status, and payment channels.

Important: We never store your bank login credentials. If you connect banks through LunchMoney or Plaid, authentication happens directly with your bank, and we only receive secure access tokens. Plaid access tokens are encrypted at rest.

Integration Data

If you connect third-party services:

  • LunchMoney: We receive account balances and transaction data via your API key
  • Plaid: When connected, we receive and store:
    • Account names, types, balances, and last four digits of account numbers
    • Transaction data: descriptions, merchant names, amounts, dates, categories, pending status, and payment channels
    Data is synced automatically via a daily sync and real-time webhooks. Transactions are used for automatic bill matching. Plaid transaction data is stored in our database and retained while your account is active.

Email Forwarding

If you use email forwarding for bill extraction:

  • Emails are received via Cloudflare Email Workers and forwarded to our secure servers
  • We extract: sender address, subject line, and email body (HTML and text)
  • Attachments are discarded and never stored
  • Emails are stored for 90 days then permanently deleted
  • Your unique forwarding address cannot be changed once you receive your first email

Usage Information

We automatically collect:

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Usage patterns (features used, time spent)
  • Analytics data via Google Analytics (pages visited, time on site, referral sources) - marketing site only

How We Use Your Information

We use your information to:

  • Provide and maintain the Less Panic service
  • Process your recurring bills and transfers
  • Sync with connected financial accounts
  • Send service-related notifications
  • Improve our service and develop new features
  • Respond to your requests and support inquiries
  • Protect against fraud and unauthorized access

Information Sharing

We do not sell, rent, or trade your personal information to third parties. We may share information with:

  • Service providers: Companies that help us operate the Service, including:
    • Amazon Web Services (AWS) — cloud hosting and database infrastructure
    • Cloudflare — CDN, DDoS protection, and email routing
    • Stripe — payment processing (we never store your full card details)
    • Plaid — bank account connections and transaction syncing
    • Google — OAuth authentication and Gmail integration
    • Google Gemini — AI-powered bill extraction from forwarded emails. When you use the email forwarding feature, email content (sender, subject, and body text) is sent to Google's Gemini API for processing. Google's use and retention of this data is governed by Google's API Terms of Service. We do not send bank credentials, passwords, or payment card numbers to AI services. You control which emails you forward and should avoid forwarding emails containing sensitive information beyond what is necessary for bill extraction (see our Terms of Service Section 7 for your responsibilities).
  • Analytics: Google Analytics for marketing site usage analysis (app does not use analytics tracking)
  • Legal requirements: When required by law, legal process, or governmental request, or to protect our rights, safety, or property
  • Business transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy

Data Security

We implement industry-standard security measures:

  • Passwords are hashed using bcrypt
  • Third-party integration credentials encrypted at rest with AES-256-GCM
  • Database encrypted at rest (AWS managed AES-256)
  • All data transmitted over HTTPS
  • CSRF protection on all forms
  • Rate limiting on sensitive operations
  • Two-factor authentication available
  • MFA required before connecting bank accounts

While we take commercially reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email and/or through the Service in accordance with applicable law. Where required, we will also notify relevant regulatory authorities within the timeframes mandated by applicable data protection laws.

Data Retention

We retain your data for as long as your account is active. If you delete your account, your data is permanently removed after a 7-day recovery period.

Plaid data: Plaid transaction data is retained while your account is active and deleted when you delete your account. Plaid access tokens are encrypted at rest and retained until you disconnect the integration or delete your account. When you disconnect a Plaid connection, the access token and all associated account data are removed from our systems. Transaction history is retained for your records unless you delete your account. Note that Plaid may independently retain data about your bank connections in accordance with Plaid's End User Privacy Policy. To request deletion of data held by Plaid, contact Plaid directly through their Plaid Portal.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Portability: Request an export of your data in a commonly used format (contact [email protected])
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Delete your account and all associated data through your account settings
  • Disconnect integrations: Remove third-party connections at any time, which deletes stored access tokens
  • Opt out of non-essential emails: Manage notification preferences from your profile settings
  • View your data: Access your synced bank transactions, routines, and account information within the app

To exercise any of these rights, contact us at [email protected]. We will respond to requests within 30 days.

For California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • No Sale of Personal Information: We do not sell your personal information as defined under the CCPA. We do not share your personal information for cross-context behavioral advertising

For Users in the European Economic Area (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal basis: We process your data based on: your consent (e.g., connecting integrations), contract performance (providing the Service), and legitimate interests (improving the Service, security)
  • Right to restrict processing: You may request that we limit how we use your data
  • Right to object: You may object to our processing of your data based on legitimate interests
  • Data transfers: Your data is stored on servers in the United States. By using the Service, you consent to the transfer of your data to the US
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority

Cookies

We use essential cookies for authentication and session management. Our marketing site uses Google Analytics cookies to understand how visitors find and use our website. We do not share data with advertising networks.

You can opt out of Google Analytics by using our cookie preferences banner or by installing the Google Analytics Opt-out Browser Add-on.

Children's Privacy

Less Panic is not intended for users under 18 years of age. We do not knowingly collect information from children.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the revised policy.

Limitation of Liability

To the maximum extent permitted by applicable law, Less Panic shall not be liable for any unauthorized access to, use of, or alteration of your personal data, or for any data breach, security incident, or data loss arising from circumstances beyond our reasonable control, including but not limited to acts of third parties, cyberattacks, or failures of third-party service providers. Our total liability arising out of or related to this Privacy Policy shall be subject to the limitations set forth in our Terms of Service.

Governing Law

This Privacy Policy is governed by the laws of the Commonwealth of Virginia, United States, consistent with our Terms of Service.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

[email protected]