
Privacy Policy

Effective date: April 16, 2026 · Last updated: April 18, 2026

1. Who We Are

Stewardly (“Stewardly,” “we,” “us”) is a personal finance planning tool currently in a private beta. This policy describes what information we collect when you use the Service, how we use it, and the choices you have. It applies to the website at stewardly.app and any related pages.

2. The Short Version

Your financial data is encrypted on your device before it leaves. The key that decrypts it is derived from your password and never touches our servers. That means the operator of Stewardly (that’s us) cannot read your scenarios, account balances, incomes, or expenses — only you can.

We do collect anonymized, noise-added cohort signals so the product can tell you things like “users your age typically save X%.” Those signals are designed so no single contribution can be tied back to you, and cohort queries only return results when at least 20 people qualify. The full mechanism is described below.

3. Information We Collect

Information you provide

  • Waitlist email. When you request access from the homepage, we store the email address you submit.
  • Account information. When you create an account, we store your name, email address, and a salted password hash (managed by our authentication provider). An account is required to use Stewardly.
  • Encrypted planning data. The scenarios, accounts, income, expenses, goals, and other inputs you enter into Stewardly are encrypted on your device using a key derived from your password, then stored on our servers as opaque ciphertext. We cannot decrypt this data. If you forget both your password and your recovery code, your encrypted data is unrecoverable — by us or by anyone.
  • Anonymous cohort contributions. If you opt in, your device computes a small set of bucketed signals (for example: your age bucket paired with your household model) on a debounced schedule. Each signal is passed through a local differential-privacy mechanism (k-ary randomized response) on your device before being sent, so a single row is plausibly a coin flip. Rows are keyed by an HMAC pseudonym derived from your encryption key — the server cannot link rows across different signals or back to your account. You’re asked whether to contribute at signup (default on); you can turn this off at any time under Account → Cohort insights, and your device will stop contributing immediately. Because your preference is stored inside your encrypted config, the server does not know whether you participate.

Information collected automatically

  • Session cookies. Our authentication provider sets cookies required to keep you signed in. These are strictly necessary; the Service does not work without them.
  • IP address (submission only). When you submit the waitlist form, we briefly record the IP address of the request to prevent automated abuse. These records are not tied to your account and are retained for a short window.
  • Server logs. Our hosting and database providers generate standard operational logs (request timestamps, status codes, error traces) as part of running the Service.

We do not use third-party advertising or tracking cookies. We do not run behavioral analytics during the beta.

4. How the Encryption Works

On signup, your browser generates a random 256-bit data key. That data key encrypts everything you enter into Stewardly using AES-256-GCM. The data key itself is protected two ways:

  • Wrapped with a key derived from your password (Argon2id, 64 MiB memory, 3 iterations).
  • Wrapped with a key derived from a one-time recovery code shown to you during signup. This is the only fallback if you forget your password.

Only the two wrapped forms are ever sent to our servers. The data key itself lives in your browser’s memory until you sign out or close the tab. On a fresh visit you’ll be asked to enter your password again so the key can be re-derived locally.

5. How the Cohort Signals Work

Cohort signals are how we can surface “users like you” comparisons without seeing any individual’s data. Three protections compose to make this work:

  • Local differential privacy. Each bucketed answer is passed through k-ary randomized response on your device. With a probability that depends on the metric, the sent value is a uniformly random bucket instead of the true one. Any single row is plausibly noise.
  • Unlinkable pseudonyms. Each metric is keyed by a purpose-bound HMAC of your encryption key. Two rows under different metrics cannot be linked back to the same user without the key — which we don’t have.
  • k-anonymity floor. Cohort queries are served by a database function that returns zero rows if the matching cohort has fewer than 20 contributors. This is enforced in the database, not by application code, so it cannot be bypassed by a query rewrite.

Cohort rows carry no user identifier. They expire automatically after a short window unless refreshed by your device, so abandoned accounts do not leave residue.
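The three protections above, as an added worked example that is not Stewardly's own code: a client-side k-ary randomized response, a purpose-bound HMAC pseudonym, and a server-side estimator that debiases the noisy counts and returns nothing for cohorts under the 20-contributor floor. The bucket count, the truth probability, and the exact HMAC inputs are assumptions; the policy states only that the probability depends on the metric.

```python
import hashlib
import hmac
import random
from collections import Counter

K_MIN = 20        # k-anonymity floor stated in the policy
NUM_BUCKETS = 5   # constructed: five buckets for one metric
P_TRUTH = 0.6     # constructed: probability the true bucket is sent


def randomized_response(true_bucket: int, k: int, p_truth: float,
                        rng: random.Random) -> int:
    """Client side: k-ary randomized response. With probability p_truth the
    true bucket is sent; otherwise a uniformly random bucket (which may equal
    the true one), so any single row is plausibly noise."""
    if rng.random() < p_truth:
        return true_bucket
    return rng.randrange(k)


def pseudonym(data_key: bytes, metric: str) -> str:
    """Client side: purpose-bound HMAC pseudonym (assumed construction: the
    user's data key as HMAC key, the metric name as message). Rows for
    different metrics get different identifiers and cannot be linked
    without the key, which the server never holds."""
    return hmac.new(data_key, metric.encode(), hashlib.sha256).hexdigest()


def debias_histogram(reports: list, k: int, p_truth: float) -> dict:
    """Server side: unbiased estimate of true per-bucket counts. A report
    equals bucket b with probability p_truth*[true == b] + (1 - p_truth)/k,
    so true_b = (observed_b - n*(1 - p_truth)/k) / p_truth."""
    n = len(reports)
    observed = Counter(reports)
    q = (1 - p_truth) / k
    return {b: (observed.get(b, 0) - n * q) / p_truth for b in range(k)}


def cohort_query(reports: list, k: int, p_truth: float):
    """Server side: mirrors the database function's floor. Fewer than K_MIN
    contributors yields no result at all, so small cohorts never leak."""
    if len(reports) < K_MIN:
        return None
    return debias_histogram(reports, k, p_truth)


def simulate_cohort(true_bucket: int, n: int, seed: int) -> list:
    """Constructed cohort of n clients all in true_bucket, each running
    randomized_response with a seeded RNG so results are reproducible."""
    rng = random.Random(seed)
    return [randomized_response(true_bucket, NUM_BUCKETS, P_TRUTH, rng)
            for _ in range(n)]
```

Individual rows are mostly uninformative (any one is a random bucket with probability 1 - P_TRUTH), yet the debiased histogram over a large cohort recovers the true distribution closely.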

6. How We Use Your Information

  • To operate the Service and keep you signed in.
  • To store and return your planning data across sessions.
  • To compute and display the cohort benchmarks described in Section 5 — the “people like you” comparisons that appear inside the Service.
  • To analyze aggregate, de-identified trends for product improvement, and to publish aggregate statistics or insights (which do not identify any individual) in communications such as blog posts, research, or marketing.
  • To contact you about beta access, security matters, or important changes to the Service.
  • To protect the Service from spam, abuse, and unauthorized access.
  • To comply with legal obligations when applicable.

We do not sell your personal information, and we do not share it with third parties for their own marketing. Aggregated and de-identified data derived from the Service is not your personal information; our rights in such data are described in the Terms of Service.

7. Where Your Data Lives

Stewardly uses the following service providers to operate. Each acts as a data processor on our behalf and is bound by its own security and privacy commitments. A current, authoritative list lives on our Subprocessors page.

  • Supabase — authentication and database hosting (United States region). Data is encrypted in transit (TLS) and at rest.
  • Vercel — web application hosting and delivery.

If you access Stewardly from outside the United States, please note that the information we collect will be processed and stored on servers in the U.S.

8. Your Choices

  • Access & export. You can view all the data you’ve entered directly inside the app — your browser decrypts it on demand. A machine-readable export is available on request; we cannot generate one without your participation, because decryption happens on your device.
  • Correction. You can edit any information you entered at any time from within the app.
  • Deletion. You can request deletion of your account by contacting us. Deletion removes your authentication record and the encrypted ciphertext blobs stored against your account. Abandoned cohort contributions expire on their own and are swept by a scheduled cleanup.
  • Waitlist removal. If you’ve joined the waitlist and would like to be removed, contact us with the email you submitted.

9. Data Retention

We retain your account and planning data for as long as your account is active, or as needed to provide the Service. Waitlist emails are retained until access is granted or you request removal. Abuse-prevention records (e.g., recent waitlist IPs) are retained for a short window, typically no longer than a few days. Operational logs are retained according to our providers’ standard retention schedules.

10. Security

In addition to the end-to-end encryption described in Section 4, we rely on the following controls:

  • Transport-layer encryption (TLS) for every connection between your device and our providers.
  • Row-level security on all user-scoped database tables, so one user’s row cannot be read by another user’s session even in the event of a query bug.
  • The cohort-contribution table is inaccessible to direct reads and writes; all access goes through auditable database functions that enforce the k-anonymity floor.
  • Scoped service credentials and no third-party analytics or advertising trackers during the beta.

No system is perfectly secure, and we cannot guarantee that the Service will be free from unauthorized access or other security failures. The design choices above are intended so that even a successful compromise of our servers would not expose any user’s plaintext planning data.

11. Children and Custodial Accounts

Stewardly is not directed to children under 13, we do not knowingly allow children under 13 to create accounts, and we do not knowingly collect personal information directly from children under 13. Account creation is restricted to users 18 and older.

Stewardly does permit account holders to model accounts and goals that relate to minors in their household (for example, 529 plans, Coverdell ESAs, and UTMA/UGMA custodial accounts). If you enter information about a minor, you represent that you are the parent or legal guardian of that minor and that you consent on the minor’s behalf to the collection and processing of that information as described in this policy. Like all other planning inputs, information you enter about a minor is encrypted on your device before it reaches our servers and cannot be read by Stewardly.

If you believe a child under 13 has created an account or provided us with information directly, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above. If changes are material, we will take reasonable steps to notify you (for example, by email or an in-app notice). Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

13. Contact

For privacy questions, requests, or concerns, reach out to us using the contact information provided within the Service.
