GLBA Privacy Notice

Gramm-Leach-Bliley Act Privacy Notice

Last updated: January 3, 2026

Why We Provide This Notice

The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.

AB Foundry LLC, doing business as OneBudget ("OneBudget," "we," "us," or "our"), is committed to protecting your financial privacy. This notice describes how we collect, use, share, and protect your personal financial information in compliance with GLBA.

Information We Collect

We collect nonpublic personal information about you from the following sources:

Information You Provide

  • Phone number for account authentication
  • Budget preferences and category assignments
  • Income sources and bill information you manually enter

Information from Your Financial Institutions (via Plaid)

  • Bank account information (account numbers, institution names)
  • Transaction history and descriptions
  • Account balances and available funds
  • Account holder names
  • Merchant and vendor information

Information About Your Transactions

  • Spending patterns and category allocations
  • Recurring payment schedules
  • Income patterns and paycheck schedules

How We Use Your Information

We use your personal financial information to provide and improve our budgeting services:

  • Provide Core Services: Categorize transactions, calculate budgets, detect recurring bills and income, and compute safe-to-spend amounts
  • Authentication: Verify your identity and secure your account
  • Insights and Analysis: Generate spending reports, trend analysis, and budget recommendations
  • Notifications: Send budget alerts, bill reminders, and spending notifications
  • Customer Support: Respond to your inquiries and resolve issues
  • Service Improvement: Analyze usage patterns to improve our features and user experience

Information Sharing

We share your information only with service providers necessary to operate OneBudget. We do not sell your information to third parties.

Service Providers We Share With:

  • Plaid: Financial data aggregation to securely connect your bank accounts (read-only access)
  • Amazon Web Services (AWS): Cloud infrastructure for secure data storage and processing
  • Anthropic: AI categorization services (receives only merchant names, descriptions, and amounts—no account numbers or credentials)
  • Twilio: SMS verification for authentication (receives only phone numbers)
  • RevenueCat/Stripe: Payment processing for Premium subscriptions (payment data goes directly to Stripe, not through our servers)
  • Cloudflare: Security and content delivery (does not access financial data)

Legal Disclosures:

We may disclose your information when required by law, such as in response to a court order, subpoena, or other legal process, or to protect our rights and property.

We never sell, rent, or trade your personal financial information to third parties for marketing purposes.

How We Protect Your Information

We maintain physical, electronic, and procedural safeguards to protect your nonpublic personal information:

Encryption

  • AES-256 encryption for all data at rest in our DynamoDB database
  • TLS 1.3 encryption for all data in transit
  • Bank-grade encryption standards throughout our infrastructure

Access Controls

  • Limited employee access to customer data (only when necessary for support or legal compliance)
  • All data access is logged and monitored
  • Multi-factor authentication for administrative access

Credential Protection

  • We NEVER store your bank login credentials—Plaid uses secure OAuth tokens
  • Passwords are salted and hashed using PBKDF2 key derivation (never stored in plain text)
  • Brute force attack prevention on login attempts

Infrastructure Security

  • AWS infrastructure with ISO 27001, SOC 2, and PCI Level 1 certifications
  • Regular security monitoring and incident response
  • Terraform-managed infrastructure for consistency and security
  • Cloudflare DDoS protection and web application firewall

For complete security details, see our Security page.

Your Rights and Choices

You have the following rights regarding your personal financial information:

  • Access: Request a copy of the information we have about you
  • Correction: Request correction of inaccurate information
  • Deletion: Delete your account and all associated data at any time from Settings
  • Export: Download your transaction data in CSV format
  • Disconnect Accounts: Remove bank connections via Plaid at any time
  • Opt-Out of Communications: Manage notification preferences in Settings

Opt-Out Rights

Under GLBA, you have the right to opt out of certain information sharing. However, because we do not share your information with third parties for marketing purposes and only share with service providers necessary to operate our service, there are no information-sharing practices from which you can opt out at this time.

If our information-sharing practices change, we will update this notice and provide you with opt-out options as required by law.

Data Retention

We retain your financial information as follows:

  • Active Accounts: Transaction data retained for up to 2 years to provide historical analysis
  • Expired Accounts: Limited retention period to allow account reactivation
  • Deleted Accounts: All data completely and irreversibly destroyed (not just marked inactive)
  • Legal Requirements: Some data may be retained longer if required by law

Former Customers

If you are a former customer (that is, you have closed your account), we continue to protect any of your information that remains in our systems before final deletion, in accordance with the practices described in this notice.

Changes to This Notice

We reserve the right to modify this GLBA Privacy Notice at any time. We will notify you of material changes by email or through a prominent notice in the Service at least 30 days before the changes take effect.

We will provide you with a new notice annually if our information-sharing practices change in a way that requires additional opt-out opportunities.

Questions or Concerns

If you have questions about this GLBA Privacy Notice or how we handle your financial information, please contact us:

AB Foundry LLC (d/b/a OneBudget)

1021 E Lincolnway Suite 9643

Cheyenne, WY 82001

Privacy: privacy@onebudget.ai

Security: security@onebudget.ai

© 2026 AB Foundry LLC (d/b/a OneBudget). All rights reserved.