Privacy Policy
Effective date: May 25, 2026
Contents
TechForest LLC ("we", "us", "RetireQuest") operates this privacy-first retirement planning platform. This policy explains what data we collect, why we collect it, and your rights as a user.
1. Data We Collect
We collect only what is necessary to provide the service:
- Account data: Email address (via Google OAuth or password registration) and an optional hero/character name. We do not collect your full legal name, street address, SSN, or account numbers.
- Financial planning data: Loan amounts and APRs, monthly expense categories and amounts, investment fund types and amounts, and savings balances. All financial data is anonymous — no bank account numbers or policy numbers are collected or stored.
- Location: City and state only, used solely for cost-of-living comparisons. No street address is collected.
- Usage data: IP address and session information for security and fraud prevention. We do not use third-party analytics that track cross-site behavior.
- Cookies: One essential authentication cookie (httpOnly, secure) that maintains your login session. See our Cookie Policy for details.
2. How We Use Your Data
- Providing and improving the retirement planning service
- Authenticating your account and maintaining session security
- Calculating cost-of-living comparisons using BLS CPI data
- Detecting and preventing fraudulent or abusive activity
We do not sell, rent, or trade your data to third parties.
3. Third-Party Services
We use the following service providers to operate RetireQuest. Each receives only the data necessary to provide their specific function.
- Google OAuth: Used for sign-in. Governed by Google's Privacy Policy.
- Stripe: Payment processing. Stripe receives your email address and payment card details (handled under PCI-DSS compliance) to process Pro subscriptions. Stripe also stores subscription state tied to your account. Governed by Stripe's Privacy Policy.
- Mastercard Open Banking (Finicity): Used to connect brokerage accounts when you opt in to account linking. Finicity receives OAuth authorization tokens and may access account balance and transaction data you explicitly authorize. Finicity is only engaged if you choose to link a brokerage account. Governed by Mastercard's Privacy Policy.
- Cloudflare: CDN, API proxy, and web analytics. Cloudflare serves the frontend and proxies all API traffic. It may log request metadata (IP address, user agent, URLs) for performance and security purposes. The Cloudflare Web Analytics beacon collects anonymized page-view data without using cookies or cross-site tracking. Governed by Cloudflare's Privacy Policy.
- Supabase: PostgreSQL database hosting. Your data is stored in a Supabase-managed database. Governed by Supabase's Privacy Policy.
- Vercel: Frontend hosting. Vercel may log request metadata (IP, user-agent) for CDN and security purposes. Governed by Vercel's Privacy Policy.
- Google Cloud Platform: Backend hosting via Cloud Run. Governed by Google Cloud's Privacy Notice.
4. Data Retention
Your account data is retained for as long as your account is active. If you request account deletion, all personal data will be permanently deleted within 30 days. Financial planning data (expenses, loans, investments) is deleted immediately upon account deletion.
5. Your Rights
You have the right to:
- Access: Request a copy of all data we hold about you.
- Correction: Update inaccurate data through your account settings.
- Deletion: Request permanent deletion of your account and all associated data.
- Portability: Export your financial planning data in JSON or CSV format.
6. California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt out of the sale of personal information
We do not sell personal information to any third party. The third-party service providers listed in Section 3 are engaged as "service providers" under CCPA — they receive data only to perform specific functions on our behalf and are contractually prohibited from using it for other purposes. To exercise your rights, contact us at [email protected].
7. European Users (GDPR)
If you are located in the European Economic Area, our lawful basis for processing your data is:
- Contract: Processing necessary to provide the service you signed up for.
- Legitimate interest: Security monitoring and fraud prevention.
The third-party service providers listed in Section 3 act as "data processors" under GDPR — they process data solely on our documented instructions and are bound by data processing agreements.
In the event of a data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay.
8. Children
RetireQuest is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn we have done so, we will delete that information immediately.
9. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by posting a notice in the app or by email. Your continued use of RetireQuest after the effective date constitutes acceptance of the updated policy.
10. Contact
For privacy requests, data access, or deletion requests:
- Email: [email protected]
See also: Terms of Service · Cookie Policy