Privacy Policy
Your financial data is sensitive. We treat it that way.
Effective Date: January 1, 2026 • Last Updated: January 23, 2026
The Quick Version
Here's what you need to know in 30 seconds.
🚫
We never sell your data
Not to advertisers, not to anyone. Period.
🔐
Bank-level encryption
AES-256 at rest, TLS 1.3 in transit.
🤖
Your data stays private for AI
AI processing happens on our secure servers.
🗑️
Delete anytime
Export or delete your data whenever you want.
NestDuck, LLC ("NestDuck," "we," "us," or "our") operates the NestDuck personal finance application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. By using NestDuck, you consent to the practices described in this Privacy Policy.
1 Information We Collect
Information You Provide Directly
- Account Information: Name, email address, password (encrypted), phone number (optional), and profile preferences.
- Financial Data: Income amounts, expense transactions, bill details, debt information, savings goals, budget categories, and other financial data you manually enter.
- Uploaded Documents: Paystubs, bills, mortgage statements, and other financial documents you choose to upload for AI-powered parsing.
- Household Information: Information about household members you invite to collaborate, including their names and email addresses.
- Communications: Messages you send to our AI assistant (Ducky) via SMS, email, or in-app chat, and any support inquiries you submit.
Information Collected Automatically
- Usage Data: Features used, pages visited, time spent in app, and interaction patterns.
- Device Information: Device type, operating system, browser type, IP address, and unique device identifiers.
- Log Data: Access times, error logs, and referring URLs.
Important: NestDuck does not connect to your bank accounts or access your bank login credentials. All financial data in NestDuck is manually entered by you or extracted from documents you upload.
2 How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and manage your account, display your financial data, and enable household collaboration features.
- Power AI Features: Generate personalized financial insights, answer your questions via the Ducky AI assistant, and parse uploaded documents.
- Improve the Service: Analyze usage patterns to enhance features, fix bugs, and develop new functionality.
- Communicate With You: Send important account notifications, security alerts, and (with your consent) product updates.
- Ensure Security: Detect and prevent fraud, abuse, and unauthorized access.
- Legal Compliance: Comply with applicable laws and respond to legal requests.
3 AI & Your Data
🤖 How AI Works in NestDuck
NestDuck uses AI to provide personalized financial insights and assistance. We want to be completely transparent about how this works.
What You Should Know
- AI Processing Location: Your financial data is processed on our secure, private servers. We use third-party AI providers (such as Anthropic and OpenAI) for certain AI features, but we only send anonymized or minimal context necessary to generate responses.
- No Training on Your Data: Your personal financial data is never used to train third-party AI models. Our AI providers have contractual obligations not to use your data for model training.
- AI-Generated Content: Insights, suggestions, and responses from Ducky are AI-generated and should not be considered professional financial, legal, or tax advice.
- SMS/Email AI: When you communicate with Ducky via SMS or email, your messages are processed by our AI system. Message content is encrypted and retained only as long as necessary to provide the service.
4 Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties for marketing purposes. Ever.
We may share your information only in the following limited circumstances:
Service Providers
We work with trusted service providers who help us operate NestDuck. These include cloud hosting (AWS), email delivery, error monitoring, and AI processing services. All service providers are bound by strict confidentiality agreements and are only permitted to use your data to provide services to us.
Household Members
If you use NestDuck's collaboration features, financial data within your household is shared with other household members you invite. You control who has access to your household.
Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request. We may also disclose information when we believe disclosure is necessary to protect our rights, your safety, or the safety of others; investigate fraud; or respond to a government request.
Business Transfers
If NestDuck is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5 Data Security
We implement industry-standard security measures to protect your data:
Encryption at Rest
AES-256 encryption for all stored data
Encryption in Transit
TLS 1.3 for all data transmission
Secure Infrastructure
SOC 2 compliant cloud infrastructure (AWS)
Access Controls
Role-based access with audit logging
Authentication
Secure password hashing, MFA, and passkeys supported
Regular Audits
Ongoing security assessments and vulnerability scanning
While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
6 Data Retention
- Account Data: Retained as long as your account is active. Upon account deletion, we delete or anonymize your data within 30 days, except as required by law.
- Financial Data: Retained as long as your account is active to provide the Service.
- Uploaded Documents: Processed documents are retained only as long as necessary to provide parsing services. Original documents may be deleted immediately after processing upon your request.
- AI Conversation History: SMS and email conversations with Ducky are retained for 90 days to provide context for ongoing assistance, then automatically deleted.
- Backup Data: Backups are retained for up to 30 days for disaster recovery purposes.
7 Your Privacy Rights
You have the following rights regarding your personal data:
Right to Access
Request a copy of the personal data we hold about you.
Right to Correction
Request correction of inaccurate or incomplete personal data.
Right to Deletion
Request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability
Export your data in a machine-readable format (CSV, JSON).
Right to Opt-Out
Opt out of marketing communications at any time.
To exercise these rights, contact us through our contact page or email privacy@nestduck.com. We will respond within 30 days.
8 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You can request disclosure of the categories and specific pieces of personal information we collect, the sources of collection, our business purposes, and categories of third parties with whom we share data.
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information, so this right does not apply.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Limit Use of Sensitive Information: You can limit how we use sensitive personal information.
To make a request, contact us at privacy@nestduck.com or call 1-800-XXX-XXXX. You may designate an authorized agent to make requests on your behalf.
9 European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on: (a) your consent, (b) performance of a contract, (c) our legitimate interests, or (d) legal compliance.
- Right to Restrict Processing: You can request restriction of processing in certain circumstances.
- Right to Object: You can object to processing based on legitimate interests.
- Right to Lodge Complaint: You have the right to lodge a complaint with your local supervisory authority.
Data Controller: NestDuck, LLC is the data controller for your personal data.
11 Children's Privacy
NestDuck is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@nestduck.com. If we discover we have collected information from a child under 18, we will promptly delete that information.
12 International Data Transfers
NestDuck is based in the United States. If you are accessing our Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate.
For transfers from the EEA/UK, we rely on Standard Contractual Clauses approved by the European Commission to ensure adequate protection for your data.
13 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email (for significant changes)
- Post a prominent notice in the Service
Your continued use of NestDuck after changes become effective constitutes acceptance of the updated policy.
14 Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
NestDuck, LLC
- Privacy Inquiries: privacy@nestduck.com
- General Contact: Contact Form
- Mailing Address: [Address to be added]
Your privacy is our priority.
Have questions about how we handle your data? We're happy to explain.