Privacy Policy

Effective: April 25, 2026 · Last updated: June 7, 2026

This Privacy Policy explains what data Cilantro collects, how we use it, and what choices you have. Cilantro is a personal-finance iOS and Android app operated by Highloop LLC ("we", "us"). If you have any question about this policy, email support@highloop.co.

1. What we collect

Information you provide

• Account credentials: your email address and password (the password is stored only as a salted bcrypt hash).
• Your first and last name, captured at signup. Your first name is shown to your household partner inside the app.
• Settings you choose inside the app: base currency, privacy preferences, pinned questions, manual category overrides, account nicknames, and notes.
• In-app feedback messages and any screenshots you attach to them, used solely to respond to your support request.

Financial data we read on your behalf, with your consent

• Connected institution and account metadata (institution name, account name, type, account-number mask, balance).
• Transaction history (date, amount, merchant, category, pending status, and the city / region of the charge when provided by your bank). We never collect precise GPS coordinates.
• Account-holder identity returned by Plaid Identity (name and contact email of the people on the account), used to detect joint accounts so a partner's joint card is auto-detected as shared. Only retrieved when Plaid returns more than one name on an account.
• Auto-detected travel: when your spending pattern indicates a trip (lodging anchor + away-from-home transactions), Cilantro records the trip's destination city and region so the recap card can label it. Trip detection runs only on data already collected above.
• For accounts you connect, the access token issued to Cilantro by Plaid. Access tokens are stored encrypted at rest using AES-256-GCM with a server-held key. Cilantro never sees your bank credentials — Plaid collects them directly and exchanges them for an access token (see §3).

Information generated by your use of Cilantro

• Questions you ask the AI assistant inside the Ask tab.
• App diagnostics (errors, response times, crash reports) collected to improve the product. Includes the app version and OS version reported by your device at sign-in. We do not collect device-identifying advertising IDs.
• Push notification tokens (Apple Push Notification service on iOS, Firebase Cloud Messaging on Android) used solely to deliver Cilantro notifications you've opted into. Tokens are not shared with any other service.

Information about household sharing

Cilantro lets you invite a partner to form a Cilantro household. When you and your partner are both in a household:

• Your partner can see metadata for any account you've marked shared (institution, account type, balance, transactions on that account), and you see the same for theirs. Each of you controls which accounts to share via Settings → Linked Banks.
• Charges either partner flags become visible to the other inside the transaction detail, including any note you typed when flagging.
• Auto-detected trips that fall within the shared period are visible to both partners.
• A single Cilantro Plus subscription covers your household: if one of you subscribes, the other automatically receives Plus access. If either partner leaves the household or the subscriber cancels, this share grant ends at the same time the subscription does. See Terms §6a.
• Leaving the household flips every shared account back to private and ends the partner's visibility immediately.

2. How we use your data

We use your data only to:

• Authenticate you and operate your Cilantro account.
• Power the features inside the Cilantro app: dashboard, search, anomaly detection, subscriptions, forecast, money flow, year-in-review, trip recaps, household sharing, and natural-language Q&A.
• Power Cilantro's AI features — the Ask question-and-answer feature, your weekly spending recap, and plain-language explanations of individual transactions and subscriptions — through Anthropic's API (the maker of Claude). These features are off until you turn them on. Only after you grant explicit in-app consent ("AI insights") do we send the data needed to generate them — your transactions, account balances, and account names. Anthropic acts solely as a data processor on our behalf: it does not use your data to train its models, and retains it only briefly to process your request. You can turn AI insights off at any time in Settings, which immediately stops any further data being sent. See Anthropic's Privacy Policy and Commercial Terms.
• Send transactional and notification email (account verification, password reset, weekly digest if enabled) through our email provider, SendGrid.
• Send push notifications you have opted into via APNs (iOS) and FCM (Android).
• Detect and prevent abuse (sign-up rate limiting, anomaly investigation).
• Comply with legal obligations and respond to valid legal process.

We do not sell, rent, share, or otherwise disclose your personal information to advertisers, data brokers, or marketers. We do not use your transaction data to build advertising audiences. We do not train external machine-learning models on your transaction history. We do not sell, share, or disclose data collected via Plaid.

3. Third-party services and sub-processors

• Plaid Inc. — our financial-data provider. Plaid connects your bank accounts and provides account + transaction data. Plaid collects your bank credentials directly; Cilantro never sees them. Plaid's collection and use of data is governed by the Plaid End User Privacy Policy. We do not sell or share data sourced from Plaid.
• Anthropic, PBC — our third-party AI provider; powers the Ask feature, the weekly recap, and transaction/subscription explanations. We send your transactions, account balances, and account names only after you grant explicit in-app consent, and never before. Anthropic acts solely as a data processor under our commercial agreement: it does not use your data to train its models and retains it only as long as needed to return a response — protections equivalent to those in this policy. Inputs and outputs are subject to Anthropic's Privacy Policy and Commercial Terms.
• Google Cloud (Google LLC) — hosts Cilantro's backend and database in the United States.
• SendGrid (Twilio Inc.) — delivers transactional email (account verification, password reset, subscription receipts, optional digests). See Twilio's Privacy Notice.
• Sentry (Functional Software, Inc.) — collects application error and crash reports to help us diagnose bugs. We configure Sentry to strip request bodies and personal identifiers before they reach Sentry. See Sentry's Privacy Policy.
• Apple Inc. (APNs, StoreKit, App Store) and Google LLC (FCM, Play Billing, Google Play) — handle push delivery and subscription billing on their respective platforms. Cilantro never receives or stores payment card information; all subscription billing flows through Apple's or Google's systems.

4. Data security

• All connections to Cilantro use TLS in transit.
• Plaid access tokens are encrypted at rest with AES-256-GCM using a server-held key.
• User passwords are stored as bcrypt hashes; we never see your plaintext password.
• Access to production data is limited to authorized engineering staff and is logged.
• The Cilantro app requires device-level biometric or passcode confirmation before initiating a new bank connection.

5. Data retention

We retain your data while your account is active. You can disconnect any linked institution at any time from Settings → Linked Banks; doing so deletes the corresponding access token, accounts, and transaction history from Cilantro and revokes the token at Plaid. To delete your entire account and all associated data, see Delete your account for the full process; deletion completes within 30 days, and a 30-day soft-delete window lets you restore the account before purge if you change your mind.

5a. Cookies and tracking

This website does not set tracking cookies, run analytics pixels, or embed third-party advertising tags. The Cilantro app does not include third-party SDKs that send data to advertisers or data brokers. The only cookie set anywhere is a session cookie for staying signed in, served on a same-origin first-party basis.

6. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data ("right to erasure" / CCPA "right to delete").
• Port your data to another service.
• Object to or restrict certain processing.

To exercise any of these rights, email support@highloop.co. We may request information to verify your identity before fulfilling the request, and we will respond within 45 days. We do not discriminate against users who exercise these rights.

6a. Your California privacy rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA") gives you the rights below. The same or similar rights apply if you live in Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Virginia (VCDPA), or Texas (TDPSA); we honor them in the same way.

Categories of personal information we collect (in CCPA terms):

• Identifiers — name, email, account ID, IP address.
• Customer records — your linked-bank metadata (institution, account type, balances).
• Commercial information — your transactions, detected subscriptions, trip records.
• Internet or network activity — app diagnostics, error logs, push tokens.
• Geolocation data — coarse city / region from transaction metadata. We do not collect precise geolocation.
• Sensory information — screenshots you attach to a feedback message.
• Inferences — anomaly classifications, "this looks like income vs. an expense" categorizations, household-share state.
• Sensitive personal information (under CPRA) — your account login credentials (bcrypt hash + email) and your financial information (account balances + transactions).

Sources: directly from you, from Plaid when you connect a bank, from your device.

Purposes: operating the Cilantro service, authentication, billing through Apple / Google, support, fraud prevention, legal compliance.

Recipients: the sub-processors named in §3. We do not disclose personal information to any other party.

"No sale or share" statement: we do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA / CPRA. We have not done so in the preceding 12 months.

Right to limit use of sensitive personal information: we use sensitive personal information (account credentials, financial information) only for the purposes listed above, all of which are necessary to operate the service you signed up for. We do not infer characteristics about you from sensitive PI.

You may submit a verifiable consumer request to know, delete, or correct by emailing support@highloop.co. You may designate an authorized agent to submit a request on your behalf; we will require written proof of the agent's authority. We will respond within 45 days as required by law.

7. Children and age

Cilantro is not directed to anyone under 18 years of age and we do not knowingly collect personal information from anyone under 18. Our Terms of Service §2 require users to be 18 or older. If we learn we have collected personal information from a person under 18, we will delete it.

8. International users

Cilantro is operated from and offered only to residents of the United States. If you are located outside the U.S., please do not create an account. By using the app you understand that your data is processed in the U.S.

9. Changes to this policy

We will post any changes to this policy at this URL and update the "Last updated" date above. Material changes will also be notified in-app or by email.

10. Contact

Highloop LLC · support@highloop.co