Last updated: June 7, 2026
Privacy Policy
Last Updated: February 15, 2026
Blue Bonsai ("we," "us," or "our") operates the Blue Bonsai personal finance application (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.
By creating an account or using Blue Bonsai, you agree to the collection and use of information as described in this policy.
---
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Your name (first and last)
- Email address
- Password (securely hashed — we never store or have access to your plaintext password)
1.2 Financial Profile Information
During onboarding, our AI assistant collects information you voluntarily provide to personalize your budgeting experience, including:
- Income source, amount, and pay frequency
- Housing situation and monthly housing costs
- Family and dependent information
- Monthly expense estimates (utilities, transportation, food, healthcare, subscriptions, etc.)
- Existing financial products (credit cards, loans, insurance coverage)
- Emergency fund and retirement contribution status
1.3 Financial Data via Plaid
When you connect a bank account, we use Plaid Inc. ("Plaid") to access your financial data. We receive:
- Account names, types, and last four digits of account numbers
- Account balances (available and current)
- Transaction history (amounts, dates, merchant names, categories, pending status)
- Transaction location data (merchant address, city, state, postal code) when available from your financial institution
- Institution names and identifiers
1.4 User-Generated Content
As you use the Service, we store content you create:
- Transaction notes and annotations
- Receipt attachments (images and PDFs, up to 5 MB each)
- Budget envelope configurations and categorization rules
- Conversations with our AI assistant
1.5 AI Interaction Data
When you interact with our AI assistant ("Miyagi"), we collect:
- Messages you send and responses you receive
- Feedback you provide on AI responses (e.g., thumbs up/down ratings)
- Financial questions and topics you discuss
1.6 Technical Information
We automatically collect limited technical data necessary to operate the Service:
- Browser type and user agent (recorded with consent actions for audit purposes)
- Session data stored temporarily in your browser (cleared when you close the tab)
We do not use third-party analytics, tracking pixels, advertising cookies, or behavioral tracking tools.
---
2. How We Use Your Information
We use your information solely to provide and improve the Service:
- Deliver core features: Connect bank accounts, sync transactions, track budgets, and manage envelopes
- Personalize your experience: Tailor budget suggestions, spending insights, and AI assistant responses based on your financial profile
- AI-powered analysis: Analyze your transactions to detect income patterns, categorize spending, and generate financial insights
- Communications: Send transactional emails only (account verification, password resets) — we do not send marketing emails or newsletters
- Maintain security: Verify your identity, protect against fraud, and enforce our terms
- Improve the Service: Use aggregated, de-identified usage patterns and AI feedback to improve our features and AI assistant quality
We do not use your data for advertising, marketing profiling, or credit decisions.
---
3. AI Processing and Your Data
Blue Bonsai uses Google Vertex AI (Gemini models) to power our AI assistant and financial analysis features. When the AI processes your data:
- Your first name is shared for personalized conversation
- Summarized transaction data (amounts, merchants, categories, dates) is sent for financial analysis
- Your conversation history is sent to maintain context within a session
- Financial profile responses are shared during onboarding to personalize your setup
All AI processing occurs through Google Vertex AI on Google Cloud Platform infrastructure. Your data is processed in accordance with Google Cloud's Data Processing Terms. Google does not use your data to train its general AI models.
---
4. How We Store and Protect Your Data
4.1 Data Storage
- All data is stored on Google Cloud Platform (Firestore database, region: us-central1)
- Receipt attachments are stored in Firebase Cloud Storage with owner-only access controls
- Data is encrypted in transit (TLS) and at rest (AES-256)
- All data is stored and processed within the United States
4.2 Security Measures
- Plaid access tokens are encrypted before storage in our database
- Firestore security rules enforce strict user-ownership — you can only access your own data
- Rate limiting is applied to AI chat, email sending, and API endpoints
- Plaid webhook requests are verified using cryptographic signature validation
- Administrative access is restricted and authenticated
4.3 Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain certain records (e.g., for tax, legal, or regulatory purposes). Anonymized, aggregated data that cannot be used to identify you may be retained indefinitely to improve the Service.
---
5. How We Share Your Data
We do not sell, rent, or trade your personal or financial data to third parties.
We share data only with the following service providers, solely to operate the Service:
| Service Provider | Data Shared | Purpose |
|---|---|---|
| Plaid Inc. | Bank account connection data | Secure bank connectivity and transaction syncing |
| Google Cloud Platform / Firebase | All application data | Infrastructure, database, authentication, file storage |
| Google Vertex AI | First name, transaction summaries, conversation history | AI assistant and financial analysis |
| Brevo (Sendinblue) | Email addresses only | Transactional email delivery (verification, password resets) |
Each service provider processes data on our behalf and is contractually obligated to protect your data and use it only for the purposes we specify.
We may also disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to:
- Comply with a legal obligation, court order, or subpoena
- Protect the safety of our users or the public
- Protect our rights or property
- Prevent fraud or enforce our Terms & Conditions
---
6. Cookies and Tracking Technologies
Blue Bonsai uses minimal tracking technologies:
- Session storage: We use browser session storage (not cookies) to maintain your state during onboarding. This data is automatically cleared when you close the browser tab.
- Authentication: Firebase Authentication manages secure session tokens to keep you logged in.
- No third-party tracking: We do not use Google Analytics, advertising pixels, social media trackers, or any other third-party analytics or tracking services.
- No advertising: We do not display ads or share data with advertising networks.
---
7. Your Rights and Choices
You have the following rights regarding your data:
- Access: View your financial data, transaction history, and profile information within the app at any time.
- Correction: Update your profile information through the app settings.
- Deletion: Delete individual transactions, notes, and receipt attachments. You may also request deletion of your entire account and all associated data by contacting us at privacy@bluebons.ai.
- Disconnect accounts: Disconnect any linked bank account at any time through the app settings.
- Data portability: Request an export of your data by contacting us at privacy@bluebons.ai.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: You may request details about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain legal exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
- No sale or sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use your data for cross-context behavioral advertising.
To exercise any of these rights, contact us at privacy@bluebons.ai. We will respond to verifiable requests within 45 days.
---
8. Financial Data and the Gramm-Leach-Bliley Act (GLBA)
As a service that accesses consumer financial data, we are committed to the principles of the Gramm-Leach-Bliley Act:
- We collect financial data only for the purpose of providing our budgeting and financial tracking services
- We do not disclose your nonpublic personal financial information to non-affiliated third parties except as described in this policy
- We maintain administrative, technical, and physical safeguards to protect the security and confidentiality of your financial information
- We limit access to your financial information to those who need it to provide services to you
---
9. Children's Privacy
Blue Bonsai is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@bluebons.ai.
---
10. International Users
The Service is operated from, and data is stored in, the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction.
---
11. Third-Party Links and Services
Our Service may contain links to third-party websites or services (such as Plaid's interface for bank connections). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information. Key third-party privacy policies:
---
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email or through the Service
- Where required, obtain your consent to the updated policy
Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and request account deletion.
---
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@bluebons.ai
- Website: https://bluebons.ai
We aim to respond to all privacy-related inquiries within 30 days.
---
Blue Bonsai is a personal finance management tool. We are not a bank, financial institution, or licensed financial advisor. Our AI assistant provides informational guidance only and should not be considered professional financial, tax, or legal advice.