Privacy Policy
Last updated: April 12, 2026
1. Introduction
This Privacy Policy describes how CyriLiNa.IT LLC ("we," "our," or "us") collects, uses, stores, and protects your personal and financial information when you use SharkFinEnhance™, whether self-hosted or through our hosted service.
By using SharkFinEnhance™, you agree to the collection and use of information in accordance with this policy.
2. Information we collect
2.1 Account information
- Email address
- Password (stored as a bcrypt hash — we cannot see your password)
- Two-factor authentication secrets (encrypted)
- Profile information: name, address, phone (optional)
2.2 Financial data via Plaid®
When you connect bank accounts through Plaid, we collect:
- Account names, types, and balances
- Transaction history (date, amount, merchant, category)
- Account and routing numbers (masked)
- Institution information
- Investment holdings and positions (if Plaid Investments is enabled)
- Liability details: credit cards, mortgages, student loans (if Plaid Liabilities is enabled)
2.3 Financial data via SimpleFIN®
When you connect accounts through SimpleFIN, we collect:
- Account names, types, and balances
- Transaction history (date, amount, description, payee, memo)
SimpleFIN access is read-only. You maintain your own SimpleFIN subscription and control which institutions are shared.
2.4 Financial data via SnapTrade™
When you connect brokerage accounts through SnapTrade, we collect:
- Brokerage account details and balances
- Investment holdings (positions, quantities, market values)
- Investment transactions (buys, sells, dividends)
- Order history
2.5 Manual data
- Manually created accounts and assets
- Custom categories, tags, and budgets
- Bills and savings goals
- Transaction notes and categorizations
2.6 Technical data
- IP addresses (for security and rate limiting)
- Login timestamps and user agent
- Failed login attempts
3. How we use your information
- Provide services: Display accounts, transactions, budgets, portfolio, and financial insights
- AI features: Analyze spending patterns for budget suggestions and transaction categorization (see Section 6)
- Security: Authenticate users, detect fraud, prevent unauthorized access
- Communications: Send household invitations and security alerts
4. Data storage and security
We implement industry-standard security measures:
- Encryption at rest: Sensitive data encrypted with AES-256-GCM
- Encryption in transit: All communications over HTTPS/TLS
- Password security: Bcrypt hashing with salt
- Access controls: JWT tokens with 2-hour expiration, refresh token rotation
- Rate limiting: Protection against brute force attacks
- Account lockout: Automatic lockout after 5 failed login attempts
- IP banning: Automatic ban after 10 failed attempts
- Two-factor authentication: TOTP-based MFA available for all accounts
- Audit logging: All data access is logged with timestamps and IP addresses
5. Self-hosted vs. hosted
5.1 Self-hosted installations
When you run SharkFinEnhance™ on your own infrastructure, your data never touches our servers. We have no access to your financial data, login credentials, or any information stored in your installation. You are fully responsible for the security and backup of your data.
5.2 Hosted service
When you use our hosted service at sharkfinenhance.xyz:
- Your data is stored on our infrastructure, encrypted at rest
- CyriLiNa.IT LLC staff have technical access to the database but are bound by this privacy policy not to access individual user data without authorization
- All data access is audit-logged
- We will never sell, share, or monetize your financial data
6. AI data processing
6.1 Self-hosted with own Ollama
When you run your own Ollama server, AI processing is fully local. No financial data leaves your network.
6.2 CyriLiNa Private AI™ add-on
If you use the CyriLiNa Private AI™ add-on, your transaction descriptions, amounts, and categories are sent to our Ollama server for processing. This data is:
- Processed in memory only — never logged or stored on the AI server
- Never sent to third-party AI providers (OpenAI, Google, Anthropic, etc.)
- Discarded immediately after processing
6.3 Third-party AI (bring your own key)
If you choose to connect OpenAI, Anthropic, or other third-party AI providers using your own API keys, your financial data is sent to those providers for processing. Their privacy policies apply. This is your choice and responsibility — we do not send data to third-party AI providers unless you explicitly configure it.
7. Data retention
| Data type | Retention | Deletion trigger |
| --- | --- | --- |
| Account credentials | Until account deletion | User request |
| User profile | Until account deletion | User request |
| Bank connections | Until disconnected | User disconnects or deletes account |
| Transaction history | Until account deletion | Account deletion |
| Categories & budgets | Until account deletion | Account deletion |
| Login history | 90 days | Automatic expiration |
| Failed login attempts | 24 hours | Automatic reset |
| IP ban records | 1 hour | Automatic expiration |
| Refresh tokens | 7 days | Expiration or logout |
| Audit logs | 1 year | Automatic expiration |
8. Third-party services
8.1 Plaid®
We use Plaid Inc. to connect to financial institutions. Plaid's privacy policy applies to data they collect. View Plaid's End User Privacy Policy. To manage your Plaid data directly, visit my.plaid.com.
8.2 SimpleFIN®
SimpleFIN provides read-only access to your financial data. You maintain your own SimpleFIN subscription. View SimpleFIN's Security Policy.
8.3 SnapTrade™
We use SnapTrade to connect to brokerage accounts. SnapTrade's privacy policy applies to data they process. View SnapTrade's Privacy Policy.
8.4 Email services
We use SMTP email services for household invitations and security notifications. Only your email address is shared with our email provider for delivery purposes.
9. Your rights
You have the right to:
- Access: Request a copy of all data we store about you
- Correction: Update or correct your personal information
- Deletion: Request deletion of your account and all associated data
- Disconnect: Remove bank/brokerage connections at any time
- Export: Download your data in a portable format
- Withdraw consent: Revoke access to financial data at any time
To exercise these rights, visit your Profile settings or contact us directly.
10. Data sharing
We do not sell your personal or financial data. We do not use analytics trackers or telemetry.
We may share data only in these circumstances:
- Household members: Accounts/transactions you explicitly share
- Service providers: Plaid, SimpleFIN, SnapTrade for connectivity; email provider for notifications
- CyriLiNa Private AI™: If you use this add-on, transaction data is processed on our AI servers (see Section 6.2)
- Legal requirements: When required by law or to protect our legal rights
11. Children's privacy
SharkFinEnhance™ is not intended for users under 18 years of age. We do not knowingly collect personal information from children.
12. Changes to this policy
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy and changing the "Last updated" date.
13. Contact us
If you have questions about this Privacy Policy or your data:
Email: privacy@sharkfinenhance.xyz
Company: CyriLiNa.IT LLC