Privacy Policy
Curious Loop · Effective March 1, 2026 · Last updated March 16, 2026
Scope
This privacy policy applies to all users of the Curious Loop payment monitoring service, including California residents. It describes how we collect, use, disclose, and protect your personal information. If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), described in the “Your California Privacy Rights” section below.
Categories of Personal Information Collected
We collect the following categories of personal information as defined by the CCPA:
| Category | Examples | Sold or Shared? |
|---|---|---|
| Identifiers | Name, email address, phone number | No |
| Financial information | Bank account identifiers (via Plaid tokens), transaction data (merchant names, amounts, dates, categories, MCC codes) | No |
| Internet / electronic network activity | Log data, access times, pages viewed | No |
Sources of Personal Information
- Directly from you – information provided during account registration
- Financial institutions – transaction data retrieved via Plaid
- Automatically – usage and log data collected when you interact with the service
Purposes for Collection and Use
- Monitor transactions for prohibited merchant activity
- Send SMS alerts when flagged transactions are detected
- Provide transaction history and reporting through the application
- Communicate service updates and account notifications
Categories of Third Parties and Disclosures
We disclose personal information to the following categories of third parties solely to operate the service:
- Twilio – phone number and alert content for SMS delivery
- Plaid – bank account credentials for secure account linking and transaction retrieval
- Infrastructure providers – hosting and database services necessary to run the application
These providers access only the data necessary to perform their functions and are bound by their own privacy policies and contractual obligations.
Sale or Sharing of Personal Information
We do not sell or share your personal information as defined by the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months.
Sensitive Personal Information
Financial information, including bank account identifiers and transaction data, may be considered sensitive personal information under the CPRA. We use this data solely to provide the transaction monitoring service and do not use it for purposes beyond what is necessary to deliver the service. You have the right to limit the use of your sensitive personal information as described in the rights section below.
Data Retention
- Account information – retained for as long as your account is active, deleted within 30 days of account closure
- Transaction data – retained for as long as your account is active, deleted within 30 days of account closure
- Usage data – retained for up to 12 months, then automatically purged
Data may be retained longer where required by law.
Data Security
We use industry-standard measures to protect your data, including encryption in transit and at rest, secure credential storage, and regular security reviews.
Your California Privacy Rights
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to Know – you may request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we have disclosed it
- Right to Delete – you may request that we delete the personal information we have collected about you, subject to certain legal exceptions
- Right to Correct – you may request that we correct inaccurate personal information we hold about you
- Right to Opt-Out of Sale/Sharing – we do not sell or share your personal information; however, you may exercise this right at any time via our Do Not Sell or Share My Personal Information page
- Right to Limit Use of Sensitive PI – you may request that we limit the use of your sensitive personal information (such as financial data) to what is necessary to provide the service
- Right to Opt Out of SMS – you may opt out of SMS alerts at any time by replying STOP or through your account settings
How to Exercise Your Rights
You may submit a verifiable consumer request through either of the following methods:
- Email us at privacy@curiousloop.io
We will verify your identity before fulfilling any request. We may ask you to confirm your email address or provide additional information. We will respond to verifiable requests within 45 days. If we need additional time, we will notify you of the extension and the reason.
You may also designate an authorized agent to submit a request on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly with us.
Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, a different quality of service, or be denied service for making a privacy request.
Changes to This Policy
We review and update this privacy policy at least annually. We may update it more frequently as needed. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance of the revised policy.
Contact Us
If you have questions about this privacy policy or wish to exercise your rights:
- Email: privacy@curiousloop.io
- General inquiries: contact@curiousloop.io