Privacy Policy

Last updated: May 30, 2026 · Effective: May 30, 2026

liway ("we", "our", or "us") provides a personal-finance tool that helps you see how much money is safe to spend before your next paycheck. This Privacy Policy explains what information we collect, how we use it, who we share it with, where it is stored, how long we keep it, and the choices you have. By creating a liway account or using the liway website or mobile apps, you agree to the practices described here.

If you have questions, contact connect@liway.app.

Who we are

liway is operated by Liway LLC, a Colorado limited liability company. We can be reached at connect@liway.app for any privacy questions, data requests, or general support. The product is currently available only in the United States.

Summary

If you want the short version:

• We collect your email, a hashed password, what you tell us about your money (or what your bank tells us via Plaid), and limited operational metadata.
• We use that information to compute your leeway — how much room you have between now and payday — and to keep your account secure.
• We do not sell, rent, or share your data with advertisers or data brokers. We do not run ads. We do not use third-party tracking or analytics SDKs.
• You can edit, export, or delete everything we hold about you at any time. Deletion is immediate and cascades across every system we use.
• All production data lives in the United States with SOC 2 Type II service providers.

Detailed disclosures follow.

Information we collect

We collect only what we need to compute your leeway and operate the service. There are four categories.

1. Account information

• Email address (your login identifier and the address we send transactional emails to)
• A bcrypt hash of your password (we never store the plain-text password)
• Account creation timestamp and email-verification status

2. Financial inputs you enter

• Current account balance
• Paycheck amount and date
• Upcoming bills (name, amount, due date, account)
• Estimated spending until your next paycheck

These values are editable from inside the app at any time.

3. Bank account data (when you connect a bank via Plaid)

If you choose to link a bank account, our integration partner Plaid handles the bank login on our behalf. Plaid returns the following to liway:

• Account names and types (checking, savings, etc.)
• Current account balances (read-only)
• A Plaid-issued access token that lets liway refresh balances later
• Transaction history — see below

We never see, store, or transmit your bank login credentials. Those go directly from your device to Plaid. See Plaid's End User Privacy Policy at plaid.com/legal for how Plaid handles bank credentials.

How liway uses Plaid Transactions

We access your bank-account transaction history through Plaid for the sole purpose of automatically detecting recurring patterns that drive the leeway calculation:

• Recurring paychecks — date, amount, and cadence of incoming deposits, so you don't have to enter your paycheck manually.
• Recurring bills — name, amount, due date, and account of outgoing recurring debits, so you don't have to enter your bills manually.
• Average discretionary spending — a rolling daily average computed from non-bill outflows, used to forecast the runway between now and payday.

Individual transactions are never displayed to you in the app, and they are never used for advertising, profiling, or shared with any third party. The transactions table stores the rows needed to re-run detection if Plaid sends an update; nothing else is done with that data.

You can disconnect your bank at any time (Settings → Disconnect). On disconnect we revoke the Plaid connection at Plaid before removing the local record.

4. Operational metadata

We log a small set of operational events to keep the service secure and observable. None of this is sold or shared for advertising; it stays inside our hosting providers' logs:

• Server-side access logs (from our hosting platform) — request method, path, response status, timestamp; request bodies are not logged.
• Authentication audit logs — sign-in, sign-out, password change, account-deletion attempts (success and failure), with the associated user ID and a coarse timestamp.
• Plaid item-status events — connection created, refreshed, expired, revoked.
• Email-send audit (from our transactional-email provider) — recipient address, template name, delivery status.

We do not collect location data, contacts, photos, advertising identifiers, or any signal from third-party tracking SDKs (we run none). We do not fingerprint your device.

What we do not collect

• Bank login credentials (Plaid handles these securely; we never see them)
• Account numbers or routing numbers (Plaid does not surface these to us under the products we use)
• Location data
• Contacts, photos, microphone, camera, or other on-device data
• Advertising identifiers (IDFA, AAID) — we don't run ads
• Third-party analytics or attribution signals — no Google Analytics, Mixpanel, PostHog, or any equivalent tracker; no hosting-platform analytics modules either
• Cross-site cookies

How we use your information

We use the information described above to:

• Authenticate you when you sign in (email verification at sign-up; password at routine login; multi-factor steps for password reset and account deletion)
• Compute and display your leeway, risk level, and projections
• Detect recurring paychecks, recurring bills, and discretionary-spending averages from Plaid transactions (as described above)
• Refresh balances from connected bank accounts (when you've opted into Plaid)
• Send you transactional emails — email verification, password reset, account-deletion confirmation
• Maintain audit logs of security-sensitive actions for breach-investigation and abuse-prevention purposes
• Respond to your support requests

We do not use your information for advertising, profiling, behavior modeling, or selling to third parties.

Who we share information with

We share information only with the service providers that make liway work. These providers are bound by their own privacy policies and security commitments, and they act as data processors on our behalf. Every provider that handles production user data holds a current SOC 2 Type II report.

We rely on the following categories of providers (and we name the ones you interact with directly, plus the ones the app stores require us to name):

• Bank connection — Plaid. We use Plaid for bank linking and read-only balance + transaction retrieval. You interact with Plaid directly via the Plaid Link UI when you connect a bank. See Plaid’s End User Privacy Policy.
• App distribution — Apple App Store and Google Play. They receive limited install / purchase metadata per platform policies; they do not receive liway-stored user data.
• Cloud hosting — runs the liway API and admin dashboard
• Managed database — stores account, financial, and bank-link data with encryption at rest
• Transactional email — delivers verification, password-reset, and account-deletion emails
• DNS — resolves liway.app and its subdomains; no user data processed at edge
• Source control + CI — hosts the codebase and runs deploy workflows; does not hold production user data

A complete, named list of subprocessors — including provider identity, role, data scope, current certifications, and the U.S. region each one operates in — is maintained internally and made available on request to connect@liway.app. We update the internal list whenever a vendor is added, replaced, or removed; this privacy policy does not need to be re-issued for vendor changes.

We do not sell or rent your information to anyone. We do not share it with advertisers, data brokers, or marketing partners. We do not participate in any data co-op, lookalike-audience program, or attribution exchange. This stance also reflects our obligations under the Plaid Developer Policy, which prohibits the sale of data accessed through Plaid.

Where your data is stored

All production data is stored and processed in the United States. Application servers and the primary database both run in U.S. East regions. Email-delivery and DNS providers use globally distributed networks, but neither processes data-bearing user content beyond what is necessary for delivery. Specific region details for each subprocessor are available on request at connect@liway.app.

If you access liway from outside the United States, your data is still transmitted to and stored in the United States.

How long we keep your data

We keep your data while your account is active. Two events cause deletion.

When you delete your account

You can delete your account from the Settings screen at any time. Deletion is gated by password reauthentication, a one-time email code (six-digit OTP), and a type-to-confirm step. On confirmation, the deletion cascade fires immediately:

• We revoke your Plaid connection at Plaid (/item/remove) before removing the connection record on our side.
• We delete every row that references your user ID across the user, financial, prediction, Plaid, refresh-token, and verification-token tables.
• We log the deletion action to an internal audit log (records the timestamp and the fact that a deletion occurred; does not contain your personal data).

There is no recovery window today. We are evaluating adding a 30-day soft-delete grace period in a future release; if added, this policy will be updated.

Inactive accounts

We do not automatically delete inactive accounts today. If you have not signed in for an extended period and would like your data removed, contact connect@liway.app.

Your rights and choices

You have the following rights for as long as you have an account with us. We honor them for all users, regardless of state of residence:

• Access. Every value liway stores about you is visible inside the app. You can also request a complete export (see "Data portability" below).
• Edit / correct. Financial inputs, bills, paycheck details, and account info are editable from inside the app at any time. For other changes, contact connect@liway.app.
• Disconnect your bank. From Settings, at any time. We revoke the Plaid connection at Plaid on disconnect.
• Delete your account. From Settings; this triggers the immediate cascade described above.
• Opt out of "sale" of personal information. We don't sell personal information, so there is nothing to opt out of. Our practices on this point apply to everyone, not just California residents.
• Withdraw consent. Disconnecting your bank, deleting individual records, or deleting your account are all operationally equivalent to withdrawing consent for the affected data.

Data portability

We do not have a built-in data-export feature today. If you would like a complete export of the data we hold about you, contact connect@liway.app; we will fulfill the request manually within 30 days. The export covers all data described under "Information we collect".

Submitting a privacy request

The fastest way to exercise any of the rights above is connect@liway.app. Please indicate (a) the right you are exercising, and (b) the email address on the account. We may ask you to verify the request by clicking a link sent to that email address.

State privacy notices

California (CCPA / CPRA)

liway does not currently meet the revenue or data-volume thresholds that trigger formal CCPA / CPRA applicability. As a posture choice, we honor the underlying consumer rights described above for all users, regardless of California residency. If liway grows past the thresholds, this policy will be updated to add the formal CCPA-mandated disclosures.

If you are a California resident and would like to exercise any of the rights described above, contact connect@liway.app.

Other states

Several states (Colorado, Connecticut, Virginia, Utah, Texas, others) have enacted comprehensive privacy laws. As above, our user-facing rights and operational posture (no data sale, no targeted advertising, full deletion right) apply to all users regardless of state. We update this section as state-specific obligations crystallize.

International users

liway is available only in the United States. We do not knowingly collect data from users outside the U.S. GDPR is not in scope today. If liway expands to the EU or UK, this section is updated before any non-US launch.

Children's privacy

liway is not intended for children under 13. We do not knowingly collect personal information from anyone under 13. If you become aware that a child under 13 has provided us with personal information, please contact connect@liway.app and we will delete it. We do not target advertising to children — we do not run advertising at all.

Security

We take reasonable measures to protect your information:

• All connections to liway use HTTPS / TLS 1.2 or better; HSTS is enforced on all liway.app subdomains.
• Passwords are stored only as bcrypt hashes; we never store plain-text passwords.
• Authentication uses short-lived signed access tokens and longer-lived signed refresh tokens; refresh tokens on mobile are stored in the device's secure enclave (iOS Keychain / Android Keystore).
• Email verification at sign-up gates access to any authenticated route (including bank linking); the verification link is single-use and time-bounded.
• Account deletion requires password reauthentication PLUS a one-time email code PLUS a type-to-confirm step (anti-hijack protection).
• Production data lives in managed cloud-hosting and database providers that operate SOC 2 Type II controls; volume-level encryption at rest is enforced by the database provider.
• Access to production systems is restricted to authorized personnel with multi-factor authentication enabled on every account.
• Deploys to production are run only by CI workflows (no human runs deploys locally); branch protection on the main branch blocks force pushes and direct deletions.

No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you in accordance with applicable law, with a target customer-notification time of 72 hours from the time the breach is confirmed.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page and, for significant changes, by emailing you at the address on your account before the change takes effect. Older versions are preserved in the project's source-control history.

Contact

For privacy questions, support, or data-rights requests:

connect@liway.app

Liway LLC
Colorado, USA