Privacy & Security Policy

Most budgeting apps connect to your bank through a service called Plaid. It's convenient — transactions appear automatically without any manual entry. But Plaid sees every transaction you make across every connected account. In 2022, Plaid paid $58 million to settle a class-action lawsuit over collecting and selling user financial data without meaningful consent. I decided the convenience of Plaid or any other bank connection service wasn't worth the risk to Carlo users.

Carlo has no bank sync. You enter transactions yourself. This is a deliberate choice, not a missing feature — the research is clear that manually recording what you spend creates a level of awareness that automatic sync quietly removes.

There are no ads in Carlo. No ad network, no tracking pixel, no data broker. No exceptions.

The thing most developers won't say

Your data is protected by Row Level Security — a Postgres feature that enforces ownership at the database engine level, not just in app code. Even a raw database query only returns rows belonging to the authenticated user.

That said: Carlo runs on Supabase, a hosted database. Your transactions, budgets, accounts, and bills live on that server. I am the database administrator. Technically, I could access your data.

I don't. But you deserve to know that capability exists. Any developer who doesn't tell you this is leaving something important out.

That said — it won't always be this way. Full end-to-end encryption is on the roadmap for version 2. When that ships, email/password users will have data that is mathematically impossible for anyone — including me — to read. Google sign-in users will have strong encryption at rest. This section will be updated when that ships.

Security

Carlo has completed a comprehensive internal security assessment — seven audit passes covering every line of code, every database policy, and every server-side function. Here's what that means for you.

Your sensitive information is encrypted on your device. Your auth session, email address, and income data are stored in your device's encrypted keychain — the same secure storage used by banking apps. Not in plain device storage.

Your account can be deleted completely. Tapping "Delete Account" triggers a server-side process that verifies your identity and removes all of your data — transactions, categories, budgets, everything — before removing your account. Your data is actually gone, not just hidden.

We never see your financial data in our logs. Voice entry transcriptions and parsed transactions are processed server-side but never written to any log. Your spoken words don't persist anywhere beyond the moment of processing.

No known security vulnerabilities in any of the software Carlo is built on.

The result of our assessment: zero critical, high, or medium findings. Every issue identified was resolved before this section was written.

Carlo is a solo-built app, not a bank. We don't claim SOC 2 certification or formal third-party accreditation. What we do claim is that we take this seriously, we audit our own work, and we fix what we find.

Your voice data

When you use voice entry, your recording is used once to convert your words to text, then deleted immediately. The text — not the audio — is briefly used to parse your transaction, then gone. Carlo never stores your voice recordings. It doesn't know what you sound like. It just heard what you spent.

Questions

If you have a question about your data, email directly: [email protected]. I'll actually respond.

Alex Marcus
New York, NY