Privacy Policy
Effective April 6, 2026
This Privacy Policy explains how 993 Cooper LLC ("we," "us," "our") collects, uses, stores, and protects your information when you use the Scylla platform at app.scylla.finance (the "Service"). We take your privacy seriously and are committed to being transparent about our data practices.
We collect only what we need to provide the Service. We do not sell your data. We do not use tracking cookies. We do not serve ads. Your financial data is encrypted at rest, transmitted over TLS, and accessible only to you.
1. Information We Collect
Information you provide
- Account information: Name, email address, and password when you register.
- Multi-factor authentication: TOTP enrollment data for your authenticator app.
- Support communications: Any messages you send to us via email.
Information from connected accounts
- Bank account data: Account names, types, balances, and institution information retrieved through Plaid.
- Transaction data: Transaction descriptions, amounts, dates, categories, and merchant information retrieved through Plaid.
Information collected automatically
- Usage data: Pages visited, features used, and timestamps of activity within the Service.
- Device data: Browser type, operating system, screen resolution, and IP address.
- Error data: Application errors and performance metrics sent to our error tracking service (Sentry) to help us fix bugs.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Display your financial data, generate dashboards, track budgets, and manage goals.
- Secure your account: Authenticate logins, detect unauthorized access, and enforce multi-factor authentication.
- Improve the Service: Understand usage patterns, diagnose errors, and develop new features.
- Communicate with you: Send transactional emails (invitations, password resets, security alerts) and notify you of material changes to the Service or these policies.
We do not use your data to serve advertisements or build advertising profiles, and we do not sell it to data brokers. We do not share your personally identifiable financial data with any third party except as described in Section 5.
3. Plaid & Bank Connections
Scylla uses Plaid to connect your bank accounts. When you link an account, you interact directly with Plaid's interface (Plaid Link) and authorize Plaid to retrieve your financial data from your institution.
What Plaid accesses on your behalf:
- Account and routing numbers (for account identification only)
- Account balances
- Transaction history
- Account holder name and institution information
Plaid's handling of your data is governed by Plaid's End User Privacy Policy. We encourage you to review it. Once Plaid transmits your data to Scylla, it is stored and protected according to the practices described in this policy.
You can disconnect any linked bank account at any time from within the Service. When you disconnect an account, we stop retrieving new data from that institution. Previously retrieved transaction data is retained until you request deletion.
4. Data Storage & Security
We implement multiple layers of security to protect your data:
| Layer | Implementation |
|---|---|
| Encryption in transit | All connections use TLS 1.2+ (HTTPS). HTTP requests are redirected to HTTPS. |
| Encryption at rest | Personally identifiable information (PII) is encrypted in the database using pgcrypto. |
| Authentication | Username/password with mandatory TOTP multi-factor authentication. Passwords are hashed with bcrypt. |
| Access control | Entity-level access controls ensure users can only view data for entities they are authorized to access. |
| Infrastructure | PostgreSQL database hosted on Hetzner Cloud in Ashburn, Virginia (United States). Cloudflare provides CDN, DDoS protection, and WAF. |
| Session management | Secure, HttpOnly, SameSite=Strict session cookies. Sessions expire after inactivity. |
While we implement industry-standard security measures, no system is perfectly secure. We cannot guarantee absolute security and encourage you to use a strong, unique password and keep your TOTP authenticator device secure.
5. Third-Party Services
We use the following third-party services to operate Scylla:
| Service | Purpose | Data shared |
|---|---|---|
| Plaid | Bank account connections and transaction retrieval | You authenticate directly with Plaid. Plaid accesses your bank data per its own policy. |
| Cloudflare | CDN, DNS, DDoS protection, WAF | IP addresses, request metadata (standard for web traffic proxied through Cloudflare). |
| Hetzner | Cloud server hosting (VPS) | All application data resides on Hetzner infrastructure. Hetzner provides the physical/virtual server; they do not access application-level data. |
| Sentry | Error tracking and performance monitoring | Error stack traces, browser/OS info, IP addresses. We configure Sentry to not capture PII or financial data in error reports. |
We do not share, sell, rent, or trade your personal information or financial data with any other third parties. We may disclose information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Data Retention
We retain your data as follows:
- Active account: Your data is retained for as long as your account is active and you continue to use the Service.
- Account deletion: When you request account deletion, we will remove your personal data and financial data within 30 calendar days.
- Backups: Encrypted backups may retain your data for up to 30 additional days after deletion before being overwritten by the backup rotation cycle.
- Aggregated data: We may retain anonymized, aggregated data (e.g., total number of users, feature usage counts) that cannot be used to identify you.
7. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correct: Request correction of inaccurate data in your account.
- Delete: Request deletion of your account and associated personal data.
- Export: Download your financial data in a standard format through the Service's export features.
- Disconnect: Unlink any connected bank account at any time.
To exercise any of these rights, contact us at support@scylla.finance. We will respond to your request within 30 days.
8. Children's Privacy
Scylla is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete that information promptly. If you believe a minor has provided us with personal information, please contact us at support@scylla.finance.
9. Cookies
Scylla uses a single session cookie to keep you logged in. This cookie is:
- HttpOnly — not accessible to JavaScript (keeps the session cookie from being read by injected script in an XSS attack).
- Secure — transmitted only over HTTPS.
- SameSite=Strict — not sent with cross-site requests (protects against CSRF attacks).
We do not use:
- Tracking cookies
- Analytics cookies (e.g., Google Analytics)
- Advertising cookies
- Third-party cookies of any kind
Because we use only a strictly necessary session cookie, no cookie consent banner is required.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the email address associated with your account at least 14 days before the changes take effect. We will also update the "Effective" date at the top of this page.
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy or our data practices, contact us at: