I see your spending,
not your identity.

The promise, in one minute

What Centiv sends to me is bounded. What Centiv doesn't send is even more important — and it's why using me is fundamentally different from typing your spending into a general AI chatbot.

Before any prompt reaches me, every personal identifier is stripped out. I literally cannot tie the financial activity I'm looking at back to a real-world person, because none of these fields are ever in the message I receive:

• ✕Your full name
• ✕Your email address
• ✕Your phone number
• ✕Your full bank account number (only the last-4 mask appears, the same way it does on a paper statement)
• ✕Your bank routing number
• ✕Your date of birth
• ✕Your physical or mailing address
• ✕Your postal/ZIP code
• ✕Your Social Security number or tax ID (we don’t collect these in the first place)
• ✕Bank-link access tokens, bank login credentials, or any authentication secret
• ✕Your Centiv user ID, IP address, or device identifiers

The result: even if someone could read every prompt I've ever received, there would be no way to know whose data they were looking at.

For me to answer questions like "can I afford this?" or "where did my paycheck go?", I have to see your actual financial behavior. When you ask me a question, Centiv sends me a scoped snapshot that contains:

• ✓Your bank-reported merchant names (for example "Starbucks", "Whole Foods Market")
• ✓Transaction dates and amounts
• ✓Your account types and current balances (e.g. "Checking · $2,431", "Credit Card ··4521 · $1,890")
• ✓Recurring subscriptions and their estimated monthly cost
• ✓Your ¢Score and any recent dimension changes
• ✓Your stated focus (e.g. "build savings") and life stage if you’ve set them

None of those items, individually or in combination, identify you. Without a name, email, or account number, that activity is just a stream of money movement — useful for me to reason about, useless for tying back to a person.

About ¢Score

¢Score is Centiv's own measure of your financial health — a 0–100 number calculated inside the app from your real money movement across six dimensions: cash flow, debt, savings, spending, stability, and growth. It's the number Ace uses to tell you where to focus next.

• ✕Not a credit score — it has no relationship to FICO, VantageScore, or any other industry credit rating
• ✕Not reported externally — never shared with banks, lenders, credit bureaus, employers, landlords, or any other party
• ✕Not regulated — it is not designed for lending, rental, employment, or legal decisions

Use it to spot patterns in your own money and track your progress over time. That's what it's for, and the only thing it's for.

No model training

Centiv has a Data Processing Agreement (DPA) with our AI provider. Under that agreement, anything we send to the AI on your behalf is processed for the specific request you made and is not used to train any public model. This is a contractual guarantee, not a setting that can be silently changed.

By contrast, when you type your finances into a general consumer chatbot, your conversation is governed by that product's consumer terms — which often include training defaults that change over time, sometimes with opt-outs you have to find and toggle yourself.

Read-only by design

We connect to your bank through a trusted bank-link partner — the same trust layer used by most major US fintech apps. Centiv requests readscopes only: Transactions, Liabilities, Investments. We do not request, hold, or use:

• ✕Any capability that would let an app initiate ACH transfers from your bank
• ✕Any capability that would let an app move money on your behalf
• ✕Any other write-scoped capability

This is a structural limit, not a policy. Even if Centiv had a catastrophic security failure, an attacker could not use our bank connection to drain your account — because the integration was never granted that capability in the first place.

Your bank login password is never seen by Centiv. The bank-link partner handles authentication in its own iframe; the credentials go directly from you to your bank, and we receive only an opaque access token in exchange.

Six focused agents, not one open chatbot

I'm one of six purpose-built agents inside Centiv. Each of us has a focused job and an audited prompt — meet the team:

Each of us gets only the data our job requires, in the shape our prompt expects. None of us are general-purpose assistants that retain a long-term, cross-user memory of who you are. When you start a new question, the prior conversation is summarized into a few sentences of financial context — never your name, never your email — and then even that context can be deleted on demand.

How we protect your data

• ◆AES-256 encryption at rest for all financial data in our database
• ◆TLS 1.2+ for all data in transit (web, mobile app, server-to-server)
• ◆Bank-link access tokens stored in encrypted form, never logged in plaintext
• ◆Zero-trust architecture between services — every internal call is authenticated
• ◆Row-level security in our database so one user can never read another’s data
• ◆Regular automated backups, encrypted, with a documented restore procedure
• ◆No advertising trackers, no data sales, no behavioral profiles for marketers

Who can see my data?

This is the question we get most often, and it deserves a layered, honest answer instead of a single absolute claim. Here's the truth, in order:

• →The app itself, the advisors, and your ¢Score do their work entirely on the server, without anyone at Centiv reviewing your transactions personally. That’s the default state for every user, every day.
• →Internal trends and product analytics use a separate database schema that strips your identity. User IDs are replaced with an HMAC hash (unreversible without a secret stored separately), and only aggregates and bucketed statistics are exposed. The schema, the hashing function, and the rule that internal dashboards must query that schema are all in the codebase under centiv/supabase/migrations/121_analytics_schema.sql and centiv/server/utils/analyticsClient.ts. Looking at "how is the product performing" never touches your individual transactions.
• →When a Centiv employee opens an admin tool that touches your specific account — for support you asked for, troubleshooting an issue you reported, or investigating a security flag on your account — the read is logged with a reason. You can see every one of these events on your phone in Settings → Privacy → "Who’s accessed my data."
• →For everything else (legal subpoenas, formal data requests), the read is logged with the same mechanism and surfaces in the same screen.

That last bullet is the part most fintech companies don't expose to users. We do, because the only way to trust a privacy promise is to verify it — and the only way to verify it is to see the log yourself.

Founder’s pledge

Centiv is run by a small team. The founder has the same technical ability to read user data as any database administrator at any startup. So this pledge is in the open, signed, and falsifiable:

This pledge applies to every current and future employee of Centiv. We will publish an annual transparency note covering the count of access events by category and any legal data requests we received.

Your control — export, delete, disconnect

You own your data and you can take it back at any time, in three ways:

• ✓Disconnect any bank from Settings → Connected Banks. The bank-link token is revoked immediately and we stop receiving updates from that institution.
• ✓Export everything you’ve given us — accounts, transactions, ¢Score history, subscriptions, goals — as a JSON or CSV file from Settings → Data Export.
• ✓Delete your account from Settings → Account → Delete. We remove your records from our active systems within 7 days; backups roll off within 30 days. Bank-link tokens are revoked the moment the request is filed.

Centiv vs. general AI agents

If you're comparing Centiv to typing your spending into a general AI chatbot, here's the honest picture:

How we enforce these promises

Privacy claims are only as good as the engineering behind them. Three concrete mechanisms keep Centiv honest:

• ◆A CI test scans every server-side prompt builder on every commit and fails the build if any forbidden personal identifier (name, email, phone, full account number, address, etc.) appears inside an LLM-bound prompt. New AI features cannot ship without passing this gate.
• ◆Our database schema separates identity columns (name, email, phone) from financial-activity columns by table, so the prompt-building code physically cannot fetch them in the same query.
• ◆Our DPA with our AI provider is on file; the no-training term is a binding contract, not a flag we can flip.

We'd rather a feature ship a week late than ship with a privacy regression. That ordering is enforced in code, not just policy.

Questions?

For the formal version of all of this, see our Privacy Policy (especially §4 AI & Automated Processing) and our Terms.

For anything else — including specific questions about your data, a security report, or a press inquiry — write to privacy@centiv.app.