This Policy provides information about data Commander Finance, LLC (“Commander,” “our,” “us,” “we”) collects, uses, and shares with third parties about you which is gathered through, during, and about your usage of the Product and Service and other Commander sites (the “App”), and our commitment to using and protecting the personal data we collect in a respectful fashion. We are deeply concerned with and focused on securing our customers’ data while still providing a valuable and stable service for those same customers long into the future. When you access and use the App, you acknowledge that you have read, understand, and agree to this Policy. Your use of the App and any dispute regarding privacy is subject to this Policy and the Terms of Service.

As the App is still under active development during the beta period, we reserve the right until General Release to the public to update this Policy at any time of our choosing in accordance with our Privacy Core Values. If you wish to receive notices for changes to the Policy during this time, you must notify Commander in writing at [email protected] in order to register to receive notices. After General Release, we will notify you of any changes via email, in-App message, or through any other written means we deem appropriate at our sole discretion.

This Policy applies to all users of the App. Please note that as described in our Terms of Service, the App is not currently available to residents of the European Economic Area (EEA). Some users may have additional rights depending on where they are located, which are detailed within this Policy under the section titled “Your State Privacy Rights.”

Our Privacy Core Values

Throughout the development and operation of the App, we seek to protect user privacy and security through the application of the following core values:
  1. All user financial data belongs to the user, not Commander.
  2. All user data shall be protected and secure at all times.
  3. Any usage data we collect should be anonymized as much as possible, and that usage data should be geared exclusively towards improving the app.
  4. User data should not be stored alongside Personally Identifiable Information (such as usernames, email addresses, or payment information).
As described in the “How We Use De-Identified and Aggregated Data” section below, Commander may derive aggregated, de-identified insights from user data for limited purposes such as research and marketing (such as for writing blog posts or generating statistics for our website). These derived insights do not constitute “user financial data” within the meaning of Core Value #1 because they cannot be used to identify any individual user or gain knowledge about any individual user’s finances. The raw, identifiable financial data from which these insights are derived always belongs to the user.

How We Protect Your Data

We use technical measures to protect your data at rest and in transit, and we use organizational and administrative safeguards to protect your data against internal misuse and abuse.

Our Lawful Bases for Processing Your Data

We process your personal information under the following lawful bases:
  • Contractual Necessity. We process data necessary to provide the App and its features to you, as described in our Terms of Service. This includes your contact information, payment information, and the financial data you provide to use the App.
  • Legitimate Interest. We process data to maintain the security, stability, and performance of the App, including error reports, server logs, anonymized usage data, and performance metrics. We balance these interests against your privacy rights and do not use this basis where those rights override our interests.
  • Legal Obligation. We process data where required to comply with applicable laws, regulations, or enforceable governmental requests.
  • Consent. Where required by applicable law, we obtain your consent before processing your data for specific purposes, such as sending non-essential communications. You may withdraw your consent at any time by contacting us at [email protected].

Types of Information We Collect

In order to provide the App to you we collect information directly from you, indirectly through the App, and from third-party platforms and services. In this Policy, Personal Information (also “user data” and “information”) refers to data that can be used by itself or in combination with other data we possess to identify you or gain knowledge about your finances.

Information Collected Directly from You to Administer the App

We collect information you give us to provide the App to you. This includes:
  • Contact Information
    • Information provided when you create or update an account
    • Information provided to receive written updates from us about the App
  • Payment Information
    • Information provided when signing up for a subscription
We may also collect other information which you directly and knowingly provide us, such as account avatars, names, or references to third-party authentication providers like Google or Microsoft.

Information Collected Directly from You for Your Use in the App

We collect information you give us to make the app work for you. This includes:
  • Financial Transactions and associated data you provide, such as merchant name, payment method, physical transaction location, etc.
  • Financial Accounts and associated data you provide, such as account name, institution, etc.
  • Links to financial accounts through third-parties (such as Plaid) to provide you with automatic account update and synchronization functionality, as well as the Financial Transactions and Accounts imported through those links.
  • Budgeting and financial planning data you provide, such as budgets, goals, and other financial plans.
We may also collect other information from you, either financial or otherwise, to enrich other information we collect and store on your behalf, such as transaction notes, financial plans, or other miscellaneous personal or financial information. This information is used to provide the app to you and is not used to identify you or sold to any third party.

Information Collected Indirectly from You

Through your usage of the App, we collect various data in an effort to find and correct issues in the App, as well as metrics to inform us when developing and tweaking new and updated features within the app. This data includes:
  • App error reports
  • Server log data generated while handling requests your App usage generates
  • App performance data
  • Masked and anonymized public IP addresses
  • Anonymized usage data for features in the App
  • Other anonymized data used for troubleshooting, performance, and app-wide usage tracking

Cookies and Tracking Technologies

The App uses the following categories of cookies and similar technologies:
  • Strictly Necessary Cookies. These are required for the App to function, such as authentication tokens and session identifiers. These cannot be disabled.
  • Performance and Analytics. We use analytics tools to collect anonymized usage and performance data. This data is used solely to improve the App and is not shared with third parties for advertising purposes.
  • Local Storage. The App may use browser local storage or similar device-level storage to maintain your preferences and improve App performance.
We do not use advertising cookies or tracking pixels. We do not engage in cross-site tracking or behavioral advertising. You may manage cookie preferences through your browser or device settings. Disabling strictly necessary cookies may impair App functionality.

Information Collected from Third Parties about You

We collect information from third parties in order to provide the App to you as well as instrument the app for performance and usage data. In most if not all cases, these services are directly integrated within the app. The data we gather, such as updates to financial accounts, authentication provider records, and error/performance data, is then combined with information you directly provide us to better provide the App to you.

How We Use De-Identified and Aggregated Data

What De-Identified and Aggregated Data Means

“De-Identified Data” is data that has been processed so that it cannot reasonably be used to identify, relate to, describe, or be linked to any individual user. “Aggregated Data” is data that has been combined across multiple users and summarized so that no individual user’s information is distinguishable. We maintain the following safeguards when creating and using De-Identified and Aggregated Data:
  • Technical Safeguards. We use industry-standard de-identification techniques and apply minimum aggregation thresholds to ensure that insights cannot be used to identify individuals. We do not produce or publish aggregated insights derived from cohorts of fewer than 50 users.
  • Administrative Safeguards. We maintain internal policies and processes designed to prevent the re-identification of De-Identified Data.
  • No Re-Identification. We do not attempt to, and we contractually prohibit any recipients of De-Identified Data from attempting to, re-identify individuals from De-Identified or Aggregated Data.

How We Use This Data

We may create and use De-Identified and Aggregated Data derived from information collected through the App for the following purposes:
  • Product Improvement. Analyzing usage patterns and trends to improve existing features and develop new ones.
  • Research and Publications. Publishing blog posts, reports, white papers, and other content that includes aggregated statistics, trends, and insights about personal finance behavior and patterns (for example, “Commander users who set monthly budgets saved an average of 12% more than those who did not”).
  • Marketing. Using aggregated statistics and insights in Commander’s own marketing materials to describe the value and impact of the App.
  • Industry Benchmarking. Creating anonymized benchmarks and financial trend data for informational purposes.

What We Do Not Do

De-Identified and Aggregated Data is not Personal Information as defined by this Policy or by applicable law. However, we want to be clear about the boundaries of how we use this data:
  • We do not sell De-Identified or Aggregated Data to third parties.
  • We do not use De-Identified or Aggregated Data to advertise third-party products or services to you.
  • We do not provide De-Identified or Aggregated Data to third parties for the purpose of targeting, profiling, or making decisions about individual consumers.
  • We do not share De-Identified or Aggregated Data with third parties except as described in the “Who We Share Personal Information With” section of this Policy.
Any use of De-Identified and Aggregated Data is subject to the Privacy Core Values set forth in this Policy.

Email Communications

We may send you emails for the following purposes:
  • Administrative messages about your account
  • Updates about the App and new features
  • Surveys and feedback requests to improve our services
  • Legal notices and policy updates

Managing Your Email Preferences

You may opt out of non-essential communications (surveys, feature updates) while still receiving important administrative and legal notices. Contact [email protected] to manage your email preferences.

Third-Party Advertising

We do not sell, share, or otherwise make available your Personal Information to third parties for advertising purposes. We do not use user data to advertise to you or to prospective customers. Advertisements are not shown on the App or on any Commander site.

Who We Share Personal Information With

In order to operate the App, we share access to your data in the following ways:
  • With current and future members of our family of companies for the purposes described in this Policy
  • With service providers who provide services to us (as outlined in our List of Subprocessors)
  • To legal, governmental, or judicial authorities as instructed or required by those authorities and applicable laws, or in relation to a legal activity, such as in response to a subpoena or investigation of suspected illicit or illegal activities, or where we believe in good faith that users may be engaged in illegal activities, or where we are bound by contract or law to enable a customer or business partner to comply with applicable laws
    • We have not received any requests for data to date.
  • In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where Personal Data is transferred or shared as part of the business assets (provided that such party agrees to use or disclose such Personal Data in a manner consistent with this Policy or gains your consent for other uses or disclosures)
  • With your consent or at your direction, such as when you choose to share information or publicly post content and reviews (for example, social media posts)
  • With persons of your choosing and at your discretion, should the product you are subscribed to allow that functionality
  • With business partners, third parties, or the general public we may also share De-Identified and Aggregated Data (as defined in the “How We Use De-Identified and Aggregated Data” section above) that does not and cannot identify you, subject to the limitations described in that section

Sale and Sharing of Personal Information

We do not sell your Personal Information to any third party, as “sell” is defined under applicable state privacy laws including the California Consumer Privacy Act (CCPA). We do not share your Personal Information for cross-context behavioral advertising purposes.

Choices You Can Make Regarding Your Data

In accordance with applicable law, you may have the right to:
  1. Request confirmation of whether we are processing your data
  2. Obtain access to or a copy of your Personal Data
  3. Receive a portable copy of your Personal Data, or ask us to send that information to another organization (the “right of data portability”)
  4. Seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed Personal Data
  5. Restrict our processing of your Personal Data
  6. Object to our processing of your Personal Data
  7. Request erasure of Personal Data held about you by us, subject to certain exceptions prescribed by law
  8. Opt out of the sale or sharing of your Personal Data (though we do not sell or share Personal Data as defined by applicable law)
  9. Opt out of certain non-essential communications from us while continuing to receive administrative and legal notices
  10. Not be discriminated against for exercising any of these rights
To exercise any of these rights, please contact us at [email protected]. We will respond to verifiable requests within the time frames required by applicable law (generally within 45 days, with one 45-day extension if reasonably necessary). We may ask you to verify your identity before fulfilling a request. If you believe we have not adequately addressed your request, you have the right to lodge a complaint with your state’s attorney general or applicable regulatory authority.

Your State Privacy Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”). The following disclosures supplement the information above.

Categories of Personal Information Collected. In the preceding twelve (12) months, we have collected the following categories of Personal Information, as defined by the CCPA:
Category | Examples | Collected
Identifiers | Name, email address, account name, IP address | Yes
Financial Information | Bank account details, transaction history, budget data | Yes
Commercial Information | Subscription and purchase history | Yes
Internet or Network Activity | App usage data, server logs, performance data | Yes
Geolocation Data | Masked and anonymized IP-based location | Yes
Inferences | Spending categories and trends derived from your financial data | Yes
Categories of Personal Information Sold or Shared. We have not sold or shared (as those terms are defined by the CCPA) any Personal Information in the preceding twelve (12) months, and we have no plans to do so.

Categories of Personal Information Disclosed for a Business Purpose. We disclose Personal Information to our service providers and subprocessors as described in the “Who We Share Personal Information With” section above and in our List of Subprocessors.

Your California Privacy Rights. As a California resident, you have the right to: know what Personal Information we collect, use, and disclose; request deletion of your Personal Information; opt out of the sale or sharing of your Personal Information (we do not sell or share); correct inaccurate Personal Information; and not be discriminated against for exercising your rights. You may exercise these rights by contacting us at [email protected].

Authorized Agents. You may designate an authorized agent to make requests on your behalf. The authorized agent must provide proof of written authorization and we may verify your identity directly.

Shine the Light. California Civil Code Section 1798.83 permits California residents to request information about disclosure of Personal Information to third parties for direct marketing. We do not disclose Personal Information to third parties for direct marketing purposes.

Other State Privacy Rights

Residents of Colorado, Connecticut, Virginia, Texas, and other states with comprehensive privacy legislation may have additional rights similar to those described above, including the right to access, correct, delete, and obtain a copy of their Personal Information, as well as the right to opt out of targeted advertising, profiling, and sale of Personal Information. To exercise these rights, contact us at [email protected]. We will process requests in accordance with the applicable state law. If your request is denied, you may appeal the decision by contacting us at [email protected] with the subject line “Privacy Rights Appeal.”

Children’s Privacy

The App is not intended for use by children. As described in our Terms of Service, no one under 13 years of age may create an account or use the App. Users between 13 and 18 years of age may only use the App with verified parental or guardian consent. We do not knowingly collect Personal Information from children under 13. If we become aware that we have collected Personal Information from a child under 13, we will take steps to delete such information as quickly as possible in compliance with the Children’s Online Privacy Protection Act (COPPA) and other applicable laws. If you are a parent or guardian and believe your child under 18 has provided us with Personal Information without your consent, please contact us immediately at [email protected].

Our Retention Policies

We retain your Personal Data for the following periods:
  • Account and Financial Data. For as long as you maintain an active account, and for 90 days following account deletion or termination, after which it is permanently deleted or de-identified. During this 90-day period, you may request reactivation of your account and restoration of your data.
  • Payment and Billing Records. For the duration of your subscription plus 3 years following termination, as required for tax, accounting, and legal compliance purposes.
  • Server Logs and Error Reports. For up to 12 months from the date of collection, after which they are permanently deleted.
  • Anonymized, De-Identified, and Aggregated Data. This data, because it cannot identify you, may be retained indefinitely for product improvement, research, marketing, and other purposes described in the “How We Use De-Identified and Aggregated Data” section of this Policy.
  • Communications Records. Records of communications between you and Commander (such as support requests) are retained for 3 years following your last interaction.
  • Legal Hold. Notwithstanding the above, we may retain data for longer periods where required by law, regulation, or legal proceedings, or where retention is necessary in connection with lawful purposes such as active legal claims.
Once the applicable retention periods have concluded, we will permanently delete, destroy, or de-identify the relevant Personal Data so that it can no longer reasonably be tied to you.

Data Protection Officer

Our designated privacy contact for all matters related to this Policy and your Personal Data is:
Privacy Officer
Commander Finance, LLC
1606 Headway Circle, Suite 9239
Austin, TX 78754
[email protected]

Data Transfers

Our company is headquartered in the United States and has operations, entities, and service providers worldwide. As a result, your Personal Data may be transferred to, stored in, or accessed from jurisdictions outside your home jurisdiction, including places that may not provide equivalent levels of data protection. We will take steps to ensure that your Personal Data receives an adequate level of protection wherever we process it.

We may have links in the App that direct you to third-party sites and services not controlled by us. These sites may have their own privacy policies that would apply to your use of those sites and services. We are not responsible for and have no control over privacy policies, content, or use of any sites we do not control.

Governing Laws

This Policy and all disputes, claims, actions, suits, or other proceedings arising out of this Policy or relating in any way to it shall be governed by the laws of the State of Indiana and the United States of America, without regard to conflict of law principles.

Contact Us

To contact us regarding this Privacy Policy, please email [email protected]. To contact us regarding legal matters, please email [email protected].