Legal
Privacy Policy
Effective Date: February 27, 2026 · Company: LYDRA Inc. · Product: LYDRA Finance
At LYDRA Inc., your privacy is not a compliance checkbox — it is a foundational design principle. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have over your information. Please read it carefully.
Section 01
Who We Are
LYDRA Finance is a product of LYDRA Inc., a corporation incorporated under the laws of Canada. We operate the LYDRA Finance web application, iOS application, and Android application — collectively referred to as the "Service" or "Platform."
For privacy inquiries, you may contact us at [email protected].
Section 02
Scope and Application
This Privacy Policy applies to all users of LYDRA Finance, including users of the web application at lydrafinance.com, the iOS mobile application, and the Android mobile application, regardless of the country from which you access the Service.
This policy applies to data collected from the time you create an Account or begin using the Service and continues until your Account and all associated data are permanently deleted.
Section 03
Information We Collect
Information You Provide Directly
- Account Information: When you register, we collect your email address and password (stored as a secure hash — never in plain text).
- Financial Data: Transactions you log including merchant names, amounts, dates, categories, tags, currency, and notes.
- Uploaded Files: Receipt images (JPEG, PNG, etc.) and PDF documents you submit for AI processing. These files are stored securely and are accessible only to your authenticated session. They are never publicly accessible.
- Voice Input: Audio recordings submitted through the voice input feature for AI transcription and data extraction.
- Chat Input: Text messages submitted through the chat input feature for AI data extraction or AI Financial Assistant interactions.
- Budget and Category Settings: Budget amounts, custom categories, and preferences you configure within the Service.
Information Collected Automatically
- Session Data: Login timestamps, session tokens, and authentication state used to maintain your logged-in session securely.
- Platform Analytics: General usage metrics collected by our own first-party analytics system, including pages visited, features used, and interaction patterns. This data does not identify you personally and is not shared with any third party.
- Device and Technical Data: Browser type, operating system, device type, and IP address, collected to ensure compatibility and security.
- Cookies and Local Storage: We use cookies and browser local storage for session management, user preferences, and functionality. See Section 8 for full details.
Information We Do Not Collect
- Payment card numbers, bank account credentials, or any financial credentials used at checkout — these are handled exclusively by Stripe, Google Pay, or Apple Pay and never transmitted to our servers.
- Bank account login credentials — we do not connect to your bank or financial institution.
- Social media profiles or third-party login data — we do not support social login.
- Precise real-time geolocation data.
Section 04
How We Collect Information
We collect information through the following methods:
- Direct submission: When you register, log transactions, upload receipts, use voice input, or interact with the AI Financial Assistant.
- Automatic collection: Through cookies, session tokens, and our first-party analytics system as you navigate and use the Service.
- AI processing: When you submit data through any input method, that data is sent for AI extraction and processing before being presented back to you for confirmation.
Section 05
How We Use Your Information
| Purpose | Data Used | Legal Basis (where applicable) |
|---|
| Providing and maintaining the Service | Account info, financial data, uploaded files | Contract performance |
| AI-powered data extraction and categorization | Receipts, PDFs, voice recordings, chat input | Contract performance / Consent |
| Displaying dashboards, charts, and insights | Financial data, categories, budgets | Contract performance |
| Session authentication and security | Email, session tokens, IP address | Legitimate interests |
| Communicating with you (service emails, plan notifications, policy updates) | Email address | Contract performance / Legal obligation |
| Improving the Service (platform analytics) | Anonymized usage data | Legitimate interests |
| Compliance with legal obligations | As required by applicable law | Legal obligation |
We do not use your data for advertising, do not sell your data to any third party, and do not use your financial data to train AI models.
Section 06
How We Share Your Information
We do not sell, rent, or trade your personal information. We share your data only in the following limited circumstances:
Service Providers
- AI Processing Provider: Your submitted input data (images, PDFs, voice, chat text) is transmitted to our AI processing provider for extraction. Processed results are returned to you for confirmation before being stored. Raw input files are not retained after processing.
- Secure File Storage Provider: Receipt images and PDF files you upload are stored with a third-party cloud storage provider. The provider stores raw files but has no access to your account, your extracted transaction data, or any other personal information. Files are never publicly accessible and are permanently deleted when you delete your account.
- Stripe, Inc.: Processes web payment transactions. Stripe receives your payment method details directly. We receive only a transaction confirmation and subscription status.
- Google LLC (Google Pay): Processes Android app payments.
- Apple Inc. (Apple Pay / In-App Purchase): Processes iOS app payments.
Legal Disclosure
We may disclose your information if required to do so by applicable law, court order, or at the request of a competent governmental authority. We will endeavor to notify you of such requests where legally permitted to do so.
Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of LYDRA Inc.'s assets, your data may be transferred to the acquiring entity. We will notify you via email prior to your data being transferred and will provide you with the option to delete your Account before the transfer takes effect.
We do not use Google Analytics, Facebook Pixel, or any other third-party advertising or analytics SDK. We use self-hosted Plausible Analytics — cookieless, privacy-first, and running entirely on our own servers. No data is shared with any external entity.
Section 07
AI Processing
LYDRA Finance uses AI to power its intelligent input features. When you use any AI input method (image/photo upload, PDF upload, voice recording, or chat input), the content of your submission is processed by our AI provider to extract and structure your financial data.
What the AI Receives
- The content of your uploaded receipt image or PDF
- Transcribed or raw voice input
- Text submitted through the chat input field
The Confirmation Step
After the AI processes your submission, the extracted data (merchant name, amount, date, category, and other relevant fields) is returned and displayed to you for review. You may edit any field before confirming. The transaction is only written to your database after your explicit confirmation. This design ensures you always have full control over what is stored.
AI Data Retention
LYDRA Inc. does not retain raw AI input files or processing logs after the extraction result is returned to you. We do not use your submitted data to train or fine-tune any AI model.
AI Feature Availability
AI features (receipt scanning, voice input, PDF parsing, chat input, batch scan, and the AI Financial Assistant) are available on the Pro Plan only. Users on the Free Plan can track income and expenses manually and retain full access to their transaction history, dashboard, and filters — but cannot submit data through AI input methods until upgrading to Pro.
Section 08
Analytics and Cookies
Our Analytics System
We use Plausible Analytics, a self-hosted, open-source, cookieless analytics tool running entirely on our own servers. It collects fully anonymized data such as page views, referral sources, and general platform interaction. No personal data is collected, no cookies are set, no data is shared with any external party, and no consent banner is required.
Cookies We Use
| Cookie Type | Purpose | Duration |
|---|
| Session Cookie (Authentication) | Maintains your logged-in session securely | Session / Configurable expiry |
| Preference Cookie | Stores your UI preferences such as currency selection and theme | Up to 12 months |
We do not use third-party advertising cookies, tracking pixels, or analytics cookies from external providers such as Google Analytics.
Local Storage
We use browser local storage for certain preference persistence (such as newsletter dismissal state). This data is stored locally on your device and is not transmitted to our servers.
Section 09
Data Retention and Deletion
Active Accounts
We retain your data for as long as your Account is active or as necessary to provide the Service. If your account is inactive for an extended period, we will notify you before taking any action.
Deleted Accounts — Zero Retention Policy
When you delete your Account, all of your data is permanently and immediately destroyed. This includes all transactions, uploaded receipts, budget settings, categories, tags, analytics history, and any other information associated with your Account. All stored files are also permanently deleted as part of this process. There are no backups retained anywhere. The deletion is irreversible. LYDRA Inc. cannot recover your data after deletion under any circumstances.
You may delete your Account at any time using the Kill Switch in your account settings. This action takes effect immediately with no delay and no support ticket required.
Retained Data After Deletion
The only information that may be retained after Account deletion is:
- Aggregated, fully anonymized analytics data collected via Plausible Analytics (self-hosted, cookieless, no personal data collected) that cannot be linked back to any individual
- Records required by applicable Canadian law (e.g., transaction records for tax or legal compliance purposes, retained only to the extent legally required)
Section 10
Security Measures
We implement and maintain the following technical security measures to protect your data:
- Database Isolation: Each user's data is stored in a strictly isolated manner. Your financial data is never co-mingled with another user's data.
- Password Security: Passwords are never stored in plain text. All credentials are protected using industry-standard hashing before storage.
- Secure File Storage: Uploaded receipt files are stored securely and are never publicly accessible. Files are only accessible to your authenticated session and are permanently deleted when you delete your account.
- Secure Session Management: Sessions are managed with expiry and rotation on re-authentication to prevent session hijacking.
- No Payment Data Storage: We never receive, store, or process your card number or banking credentials. All payment data is handled by Stripe, Google Pay, or Apple Pay.
- Kill Switch: A single action in your account settings permanently destroys all of your data immediately, with no delay.
While we take reasonable steps to protect your data, no system is completely immune to security threats. In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authority as required by Canadian law.
Section 11
Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may correct inaccurate or incomplete personal data through your account settings at any time.
- Right to Erasure: You may delete your Account and all associated data at any time using the Kill Switch. This is immediate and permanent.
- Right to Restrict Processing: You may request that we limit how we process your data in certain circumstances.
- Right to Data Portability: You may export your transaction data at any time as a formatted .xlsx file using the Export feature available on the Pro Plan.
- Right to Object: You may object to certain processing of your data based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond to verifiable requests within the timeframes required by applicable Canadian privacy law (PIPEDA and applicable provincial legislation).
If you are a resident of the European Economic Area or the United Kingdom, additional rights under the GDPR or UK GDPR may apply to you. If you are a California resident, additional rights under the CCPA may apply. Please contact us to make a rights request specific to your jurisdiction.
Section 12
Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, please contact us immediately at [email protected] and we will take prompt steps to delete the information and terminate the associated account.
Section 13
International Data Transfers
LYDRA Inc. is incorporated in Canada. By using the Service, you acknowledge that your data may be processed and stored in Canada and, in the case of AI processing, may be transmitted to servers located in multiple jurisdictions globally.
When your data is transferred outside of Canada or your home jurisdiction, we rely on applicable legal mechanisms such as standard contractual clauses or equivalency decisions to ensure your data receives an adequate level of protection.
Section 14
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Email you at the address associated with your Account at least 14 days before the changes take effect
- Display a notice within the Service
- Update the Effective Date at the top of this page
Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the updated policy. If you do not agree, you may delete your Account at any time.