Legal

Legal Documents

Our terms, privacy practices, and data processing commitments.

Last updated: February 1, 2026

Privacy Policy

1. What We Collect

We collect information to provide, improve, and personalize the Service. Here is what we collect and why:

Information you provide directly:
• Account information: name, email address, password (hashed, never stored in plaintext)
• Profile information: phone number, timezone, household composition
• Entity data: the services, accounts, policies, and subscriptions you track, including provider names, costs, frequencies, renewal dates, and account identifiers you choose to enter
• Documents: files you upload such as policy documents, bills, contracts, and receipts
• Communications: messages you send through the AI assistant and support requests

Information collected automatically:
• Usage data: pages visited, features used, actions taken within the Service
• Device information: browser type, operating system, screen resolution
• Log data: IP address, access times, referring URLs
• Cookies: essential cookies for authentication and session management

Information from third parties:
• Authentication providers: if you sign in with Google, we receive your name and email
• Financial data providers: if you connect accounts through Plaid, we receive account balances and transaction categories (we never receive your banking credentials)

We do not collect:
• Social Security numbers
• Banking credentials (login/password)
• Credit card numbers (payment processing is handled by Stripe)
• Biometric data
• Location data beyond IP-based approximation

2. How We Use Your Data

We use your data exclusively to provide and improve the Service. Specifically:

Core Service delivery:
• Displaying your tracked entities, costs, and upcoming payments
• Generating dashboard summaries, reports, and financial forecasts
• Powering the AI assistant with context about your financial situation
• Sending payment reminders, renewal alerts, and action notifications
• Enabling household sharing between family members you invite

Service improvement:
• Analyzing aggregate, anonymized usage patterns to improve features
• Identifying and fixing bugs and performance issues
• Developing new features based on how the Service is used

Communications:
• Sending transactional emails (password resets, security alerts, billing receipts)
• Sending product updates and feature announcements (you can opt out)

We never use your data to:
• Display advertisements
• Build advertising profiles
• Train machine learning models on your personal data without consent
• Sell to third parties
• Influence provider recommendations (see our MFN Guarantee)

3. Data Sharing & Third Parties

We share your data only in the following limited circumstances:

With your explicit consent:
• When you request a provider comparison or quote through our Brokerage Services, we share relevant information (coverage needs, property details, etc.) with the providers you choose to receive quotes from. You must approve each sharing event.

Service providers (processors):
• Neon (PostgreSQL database hosting) — stores your encrypted data
• Vercel (application hosting) — serves the web application
• Stripe (payment processing) — processes subscription payments
• Postmark (email delivery) — sends transactional emails
• Anthropic (AI services) — processes AI assistant queries (your data is sent per-query and is not retained by Anthropic for training)
• Plaid (financial data) — facilitates bank account connections

All service providers are bound by data processing agreements that limit their use of your data to providing services to 1Plan.

Legal requirements:
• We may disclose data if required by law, subpoena, court order, or government regulation
• We may disclose data to protect the rights, safety, or property of 1Plan or its users

We never share your data with:
• Advertisers or ad networks
• Data brokers
• Marketing partners
• Any party for purposes unrelated to providing the Service

4. Provider Marketplace & Brokerage

When you use our provider comparison and switching features:

What we share with providers:
• Only the information necessary to generate an accurate quote (e.g., property value, coverage needs, vehicle information)
• Your contact information, only when you choose to proceed with a quote
• We never share your complete 1Plan profile, financial overview, or data from other domains

How providers may use your data:
• Provider use of your data is governed by their own privacy policies
• We require partner providers to agree to data handling standards
• You can review each provider's privacy policy before sharing data

MFN Guarantee impact on privacy:
• Our Most Favored Nation commitment means providers cannot pay for preferential data access
• All providers receive the same data inputs for quote generation
• No provider receives additional data as an incentive for partnership

5. Financial Data (Plaid)

If you choose to connect bank or financial accounts through Plaid:
• 1Plan never receives your bank login credentials — Plaid handles authentication directly
• We receive only the data categories you authorize: account names, balances, and transaction categories
• We do not receive full account numbers, routing numbers, or individual transaction details unless specifically authorized
• You can disconnect your financial accounts at any time from your 1Plan settings
• Disconnecting revokes our access to your financial data through Plaid
• Plaid's use of your data is governed by Plaid's own privacy policy (https://plaid.com/legal)

We use Plaid data exclusively to:
• Display account balances in your financial dashboard
• Detect recurring charges and subscription patterns
• Provide more accurate financial forecasting

6. Data Security

We implement comprehensive security measures to protect your data:

Encryption:
• All data is encrypted in transit using TLS 1.3 (HTTPS)
• All data is encrypted at rest using AES-256 encryption provided by our database and storage infrastructure
• Passwords are hashed using bcrypt with a cost factor of 12 — we never store plaintext passwords

Infrastructure security:
• Our database is hosted on Neon, which provides automated backups, point-in-time recovery, and infrastructure-level encryption
• Our application is deployed on Vercel with enterprise-grade security, DDoS protection, and automatic failover
• All API endpoints require authentication via secure session tokens
• File uploads are validated for type and size, stored in isolated user-scoped directories

Application security:
• Authentication powered by NextAuth.js with JWT session strategy
• Password reset tokens expire after 1 hour and are single-use
• Cross-Site Request Forgery (CSRF) protection on all authenticated endpoints
• Input validation on all API endpoints using schema validation
• Document access is restricted to the owning user with ownership verification on every request

Monitoring:
• We log authentication events and monitor for suspicious activity
• Failed login attempts are tracked
• We will notify you of any data breach within 72 hours of discovery

Certifications:
• We are pursuing SOC 2 Type II certification
• We conduct regular security assessments and code reviews

7. Your Rights

You have the following rights regarding your personal data:

Access: You may request a copy of all data we hold about you.

Export: You may export your complete 1Plan data (entities, documents, settings, audit responses) in JSON or CSV format at any time from your account settings.

Correction: You may update or correct any information in your account at any time.

Deletion: You may permanently delete your account and all associated data. Upon deletion request, we will:
• Immediately remove your data from active systems
• Remove your data from backups within 30 days
• Provide confirmation of deletion

Portability: You may transfer your data to another service using our export feature.

Opt-out: You may opt out of non-essential communications from your notification settings. You cannot opt out of transactional emails (security alerts, billing receipts) while your account is active.

California residents (CCPA): You have additional rights including the right to know what personal information we collect, the right to delete, the right to opt-out of data sales (we never sell your data), and the right to non-discrimination for exercising your rights.

European residents (GDPR): If applicable, you have the right to access, rectification, erasure, restriction of processing, data portability, and objection. Our legal basis for processing is contractual necessity and legitimate interest.

To exercise any of these rights, contact privacy@1plan.com.

8. Data Retention

We retain your data only as long as necessary to provide the Service:

Active accounts: Your data is retained for the duration of your account. We do not delete data from active accounts unless you request it.

Deleted accounts: When you delete your account, we permanently remove your data within 30 days. This includes entities, documents, audit data, settings, and conversation history.

Backups: Automated database backups may contain your data for up to 30 days after deletion. Backups are encrypted and access-restricted.

Legal requirements: We may retain certain data longer if required by law (e.g., financial transaction records for tax reporting purposes), but only the minimum data necessary.

Anonymized data: Aggregate, anonymized usage statistics (which cannot identify you) may be retained indefinitely for service improvement.

Inactive accounts: Free tier accounts that have been inactive for 12 consecutive months will receive a notification email. If no activity occurs within 30 days of the notification, the account and associated data may be deleted.

9. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us at privacy@1plan.com and we will delete it promptly.

Household members under 18 may be listed as dependents within a parent or guardian's account for the purpose of tracking family-related services (such as health insurance dependents or education savings). This information is entered and controlled by the parent or guardian, not the minor.

10. Cookies & Tracking

We use cookies and similar technologies as follows:

Essential cookies (required):
• Authentication session cookies — keep you signed in
• CSRF tokens — prevent cross-site request forgery
• Theme preference — stores your selected visual theme

Analytics cookies (optional):
• We use privacy-focused analytics to understand how the Service is used
• Analytics data is aggregated and does not identify individual users
• You can opt out of analytics cookies from your privacy settings

We do not use:
• Advertising cookies or tracking pixels
• Third-party marketing cookies
• Cross-site tracking technologies
• Fingerprinting or device identification beyond standard cookies

Your browser settings may allow you to block or delete cookies. Blocking essential cookies may prevent the Service from functioning correctly.

11. Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: privacy@1plan.com
Legal inquiries: legal@1plan.com
Security issues: security@1plan.com

1Plan, LLC
Southern California, United States

We aim to respond to all privacy inquiries within 5 business days.