Privacy Policy
Effective Date: March 1, 2026
OUR CORE PRIVACY COMMITMENTS
We do not sell your data. We do not use your data for advertising. Your data is yours. We store only what we need to provide the Service. You can export and delete your data at any time. We will never lock you in.
1. Introduction
Steadfast Financial, LLC ("Steadfast HSA," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at https://steadfasthsa.com (the "Service"). Please read this policy carefully. If you disagree with its terms, please do not use the Service.
The Service stores sensitive personal data, including health-adjacent information (medical expense receipts) and financial data (transaction information if you use the Plaid integration). We take the protection of this data seriously and apply heightened care to its handling.
This Policy applies to all users of the Service, including visitors to our website, registered account holders, and subscribers. It does not apply to third-party websites or services that may be linked from the Service.
2. Information We Collect
2.1 Information You Provide Directly
| Category of Data | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed) | Create and manage your account; authenticate your identity |
| Expense Records | Date of service, provider name, service description, amount paid, reimbursement status | Core service functionality — organize and track HSA expenses |
| Receipt Files | Uploaded receipt images, PDFs, and other documents | Receipt storage and documentation; export functionality |
| Family Member Data | First name or identifier for family members (self, spouse, dependents) | Tag expenses by family member for organization |
| Multi-Account Data | HSA account names, custodian names (no account numbers collected) | Track expenses across multiple HSA accounts |
| Payment Information | Billing address, payment card information (processed by Stripe; we do not store card numbers) | Process subscription payments |
| Communications | Emails or messages you send to our support team | Respond to your inquiries and improve the Service |
2.2 Information Collected Automatically
| Category of Data | Examples | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, timestamps, clicks, session duration | Improve the Service; understand usage patterns; analytics |
| Technical Data | IP address, browser type and version, device type, operating system | Security monitoring; troubleshooting; fraud prevention |
| Cookies & Tracking | Session cookies, authentication tokens, preference cookies | Maintain your login session; remember your preferences |
| Email Receipts | Content of emails forwarded to your Steadfast HSA receipt inbox | Parse and create expense records from emailed receipts (Core/Pro only) |
2.3 Information from Third-Party Integrations
If you choose to use the following optional integrations, we collect additional data:
- BYOS Cloud Storage (Pro Plan only): When you connect a cloud storage service (Google Drive, Dropbox, OneDrive, or iCloud), we receive an access token to write your exported data to a designated folder. We do not read files from your cloud storage that you did not create through Steadfast HSA.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: Process, store, and organize your expense records; provide receipt storage, data export, and all other Service features.
- Account Management: Create and manage your account, verify your identity, and process subscription payments.
- Service Improvement: Analyze aggregate, anonymized usage patterns to improve features, fix bugs, and enhance the user experience.
- Communications: Send you transactional emails (receipts, password resets, account notices), product updates, and service announcements. See Section 11 for marketing communications.
- Security and Fraud Prevention: Detect and prevent unauthorized access, abuse, or fraud.
- Legal Compliance: Comply with applicable laws, respond to legal process, enforce our Terms of Service, and protect the rights of users and third parties.
WE DO NOT USE YOUR DATA FOR ADVERTISING
We do not use your expense records, receipt content, or any health-adjacent data for advertising purposes. We do not build advertising profiles. We do not sell or license your data to advertising networks or data brokers. Our business model is subscription revenue from users, not data monetization.
4. How We Share Your Information
4.1 Service Providers (Sub-processors)
We share your information with carefully selected third-party service providers who process data on our behalf to provide the Service. All sub-processors are contractually obligated to use your data only for the purposes we specify and to implement appropriate security measures.
| Provider | Data Shared | Purpose |
|---|---|---|
| Clerk | Account credentials, authentication tokens, user identity | Authentication and user identity management |
| Cloudflare R2 | Receipt images, PDF files, exported ZIP archives | Encrypted file storage |
| Neon (PostgreSQL) | Expense records, account metadata, application data | Database hosting and storage |
| Railway | Application traffic, API requests | Backend server hosting |
| Stripe | Payment card information, billing address, transaction history | Payment processing (PCI-DSS compliant) |
| Plaid | Financial account authorization, transaction data (if enabled) | Financial account integration (Pro Plan only) |
| PostHog | Anonymized usage events, feature interactions (no receipt content) | Product analytics and user experience improvement |
4.2 Legal Requirements
We may disclose your information if required by law, court order, subpoena, or other legal process, or if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law; (b) protect our legal rights; (c) respond to an emergency that threatens the safety of any person; or (d) investigate potential violations of our Terms of Service.
4.3 Business Transfers
If Steadfast HSA is involved in a merger, acquisition, or sale of substantially all of its assets, your information may be transferred as part of that transaction. We will provide notice of any such transfer and any changes to this Privacy Policy. Any acquirer will be required to honor the terms of this Privacy Policy for a minimum of 12 months following the transfer.
4.4 We Do Not Sell or Share Your Data
We do not sell, rent, trade, or otherwise share your personal information or health-adjacent data with third parties for their own marketing or commercial purposes. We do not participate in data broker exchanges. This commitment applies regardless of our subscriber count or the requirements of state privacy laws.
5. Health-Adjacent Data and the FTC Health Breach Notification Rule
The expense records and receipt images you store in Steadfast HSA may include health-adjacent information, such as the names of medical providers, dates of service, types of medical services, and information about prescription medications. While Steadfast HSA is a documentation tool and not a healthcare provider, we recognize the sensitivity of this data and apply heightened protections.
We believe the FTC Health Breach Notification Rule (16 CFR Part 318) applies to Steadfast HSA as a personal health record vendor. In the event of a breach of your unsecured health-adjacent data, we will:
- Notify you within 60 days of discovering the breach, as required by the Rule.
- Notify the Federal Trade Commission as required.
- For breaches affecting 500 or more users in a state, notify prominent media outlets as required.
- Provide you with a description of the breach, the categories of data affected, and the steps we are taking to investigate and remediate.
We will maintain a breach response plan and conduct regular testing of our incident response procedures. If you suspect unauthorized access to your account or data, please contact us immediately at privacy@steadfasthsa.com.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. We are designed for long-term data retention — that is our core value proposition — and we will not delete your data without your explicit instruction or in the circumstances described below.
- Active Accounts: Your data is retained indefinitely while your account remains active, including Free Tier accounts. We believe your records belong to you and should persist as long as you need them.
- After Account Deletion: When you delete your account, we retain your data for 30 days to allow for recovery in case of accidental deletion. After 30 days, all personal data is permanently deleted from our systems and backups. We will confirm deletion upon request.
- Subscription Lapse: If a paid subscription lapses and your account is downgraded to Free Tier, your data is retained in full for 90 days. If the account is not reactivated, data exceeding Free Tier limits may be deleted after 90 days with prior email notice.
- Legal Hold: We may retain certain data longer if required by law or as part of a legal proceeding.
- Backup Retention: System backups are retained for up to 30 days, after which they are permanently deleted. Data deleted from your account will be removed from backups within this window.
7. Data Security
We implement commercially reasonable technical and organizational security measures to protect your data, including:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All expense records and receipt files are encrypted at rest in our database and file storage systems.
- Access Controls: Strict role-based access controls limit which personnel can access production data. Developer access to production user data is logged and audited.
- Authentication Security: We support multi-factor authentication (MFA) for all user accounts and strongly encourage its use.
- Third-Party Security: Our cloud infrastructure providers (Cloudflare, Neon) maintain SOC 2 certifications and implement industry-standard security practices.
Despite these measures, no security system is impenetrable. We cannot guarantee that your data will never be accessed, disclosed, altered, or destroyed by unauthorized parties. You should use strong, unique passwords and enable MFA to protect your account.
8. Your Privacy Rights
8.1 Rights Available to All Users
Regardless of where you are located, you have the following rights with respect to your personal data:
- Right to Access: You may request a copy of all personal data we hold about you by contacting us at privacy@steadfasthsa.com or using the in-app data export feature.
- Right to Portability: You may export your complete expense history (CSV) and all receipt files (ZIP archive) at any time using the built-in export feature, at no charge and without limitation.
- Right to Correction: You may correct inaccurate personal data directly in the Service or by contacting us.
- Right to Deletion: You may request deletion of your account and all associated data through your Account Settings or by contacting us. See Section 6 for retention timelines.
- Right to Withdraw Consent: Where processing is based on your consent (e.g., Plaid integration, marketing emails), you may withdraw consent at any time through your Account Settings.
8.2 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following additional rights:
- Right to Know: You have the right to know what categories of personal information we collect, the purposes for which we use it, and whether we share it with third parties.
- Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You have the right to correct inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell or share personal information for advertising purposes, so there is nothing to opt out of. However, you may submit a request to verify this at privacy@steadfasthsa.com.
- Right to Limit Use of Sensitive Personal Information: You have the right to direct us to limit the use of sensitive personal information to only what is necessary to provide the Service.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your California rights, submit a verifiable consumer request to privacy@steadfasthsa.com. We will respond within 45 days.
8.3 Washington State Residents (My Health My Data Act)
Washington's My Health My Data Act (MHMDA) provides additional protections for consumer health data. As a platform that processes health-adjacent data, we comply with MHMDA's requirements:
- We do not collect, process, share, or sell consumer health data beyond what is necessary to provide the Service.
- We do not use geofencing or location tracking in connection with health data.
- Washington residents may request to confirm whether we process their health data, obtain a copy, request deletion, and withdraw consent to processing.
To exercise your MHMDA rights, contact us at privacy@steadfasthsa.com.
8.4 Submitting Privacy Requests
To exercise any of the rights described above, you may:
- Use the in-app tools in Account Settings (fastest method for most requests).
- Email us at privacy@steadfasthsa.com with the subject line "Privacy Request."
We may need to verify your identity before processing your request. We will respond to verified requests within 45 days. If we need more time, we will notify you within the initial 45-day period. We will not charge a fee for reasonable requests.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate the Service. Cookies are small text files placed on your device when you visit our website.
9.1 Types of Cookies We Use
- Strictly Necessary Cookies: Required for the Service to function, including session management and authentication. These cannot be disabled.
- Functional Cookies: Remember your preferences (e.g., date format, display settings). Can be disabled, but some features may not work properly.
- Analytics Cookies: Help us understand how users interact with the Service (via PostHog). We configure analytics to avoid capturing the content of your expense records or receipt files. Can be opted out.
We do not use advertising cookies or tracking pixels for third-party advertising.
9.2 Cookie Consent and Control
When you first visit the Service, we will present a cookie consent banner where you can choose which non-essential cookies to accept. You can update your preferences at any time through the Cookie Settings option in the website footer. You can also control cookies through your browser settings, though disabling cookies may affect Service functionality.
9.3 Do Not Track
Some browsers include a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals, as there is no consistent industry standard for compliance. We do honor your cookie preferences as set through our consent manager.
10. Children's Privacy
The Service is intended for adults (18 years of age or older) only. We do not knowingly collect personal information from children under 13. If you are under 18, do not use the Service.
The Service includes a "family member tracking" feature that allows you to associate expenses with your dependents (including minor children) for categorization purposes. This feature does not create accounts for minor children, and we do not collect any direct personal information from children — the information is entered by the adult account holder.
If we become aware that we have inadvertently collected personal information from a child under 13, we will promptly delete that information. If you believe a child has provided personal information to us, please contact us at privacy@steadfasthsa.com.
11. Communications and Email Marketing
11.1 Transactional Emails
We will send you transactional emails related to your account and the Service, including: account verification, password reset, payment receipts, subscription renewal reminders, data deletion warnings, and security alerts. You cannot opt out of transactional emails while your account is active.
11.2 Product and Marketing Emails
We may send you product updates, feature announcements, educational content about HSA strategy, and occasional promotional emails. You may opt out of marketing emails at any time by:
- Clicking the "Unsubscribe" link in any marketing email.
- Updating your email preferences in Account Settings.
- Contacting us at privacy@steadfasthsa.com.
We will honor unsubscribe requests within 10 business days. We will continue to send you transactional emails after you unsubscribe from marketing communications.
11.3 CAN-SPAM Compliance
All commercial email we send complies with the CAN-SPAM Act, including: accurate sender information, honest subject lines, physical mailing address in every email, and a functioning unsubscribe mechanism.
12. International Users
The Service is intended for use by residents of the United States only. Our servers and operations are located in the United States. By using the Service from outside the United States, you consent to the transfer of your data to the United States, where data protection laws may differ from those in your home country.
We do not knowingly accept users from the European Economic Area (EEA), United Kingdom, or Canada without ensuring compliance with applicable local law (GDPR, UK GDPR, or CASL). If you access the Service from these regions, please be aware that we are not currently configured for full GDPR or CASL compliance. We may implement appropriate safeguards in the future as we expand internationally.
13. Third-Party Links and Services
The Service may contain links to third-party websites, and our integrations (Plaid, BYOS providers) connect to third-party services. This Privacy Policy does not apply to those third-party sites or services. We encourage you to review the privacy policies of any third parties you interact with. We are not responsible for the privacy practices of third parties.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. If we make material changes, we will:
- Post the updated Policy on our website with a new Effective Date.
- Notify you by email at least 30 days before the changes take effect.
- For changes involving how we handle health-adjacent data, we will also provide an in-app notice.
Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes. If you disagree with any changes, you must stop using the Service and may request deletion of your data as described in Section 8.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy team:
Steadfast Financial, LLC
Privacy Inquiries: privacy@steadfasthsa.com
Data Deletion Requests: privacy@steadfasthsa.com (Subject: Privacy Request)
Security Incidents: security@steadfasthsa.com
Website: https://steadfasthsa.com