The TL;DR
I don't sell your data. I don't use it to train AI models. I don't share it with advertisers. Your transactions, notes, photos, and reflections are encrypted on your phone before they reach my servers, with a key only you control.
I don't connect to your bank, so there's no financial data flowing through third parties like Plaid. You can export everything I have about you anytime, or delete your account and everything goes with it. If you live in California or the EU, you have additional rights described below.
If you have questions, email [email protected].
The full version below covers the details required by law.
1. Who I am
Carlo is operated by Integral Organization Development, LLC, a New York limited liability company that I solely own and operate. Carlo is a one-person company by design, and the personal voice throughout this document reflects that.
Throughout this Privacy Policy, "I," "me," "my," and "Carlo" refer to Integral Organization Development, LLC. All commitments in this Policy are made by and enforceable against the LLC, not against me personally. The LLC is the contracting party for all purposes.
You can reach me at [email protected] or by mail at:
Integral Organization Development, LLC
418 Broadway # 11611
Albany, NY 12207
2. What information I collect
Account information. When you sign up, I collect your name, email address, and authentication identifier from Apple Sign-In or Google Sign-In. I don't collect your password — authentication is handled by Apple or Google.
Encrypted application data. When you use Carlo, you create data: transactions, payee names, notes, photos, voice-derived entries, charitable giving records, reflections, budgets, and bills. This data is encrypted on your device using AES-256-GCM with a per-user encryption key before it leaves your device. I see only ciphertext on my servers.
Voice transcripts. When you use voice entry, your audio is sent to Groq for transcription under their Zero Data Retention policy, meaning Groq does not retain your audio after transcription. The transcript is then encrypted on your device before being stored.
AI-parsed data. Voice transcripts are sent to Anthropic's Claude API for parsing into structured transaction fields. Anthropic processes this data under their commercial terms; they do not use it to train models.
Subscription information. If you subscribe, RevenueCat processes your subscription status. I see your subscription state (active, expired, etc.) but not your payment details, which are handled by Apple or Google.
Device and usage information. I collect the minimum technical information necessary to operate the app: device type, OS version, and app version. Carlo does not currently use a third-party analytics or crash-reporting service. I don't track your behavior across other apps or websites.
3. How I use this information
I use your information only to:
- Provide the Carlo service to you
- Process subscriptions and respond to your support requests
- Improve Carlo (debug crashes, fix bugs, plan features)
- Comply with legal obligations
I don't:
- Sell your data
- Share your data with advertisers
- Use your data to train AI models
- Use your data to build profiles for any third party
- Track your activity across other apps or websites
4. How your data is protected
Encryption. Your transactions, notes, payees, photos, reflections, and other sensitive data are encrypted on your device with AES-256-GCM using a per-user data encryption key (DEK) before they are sent to my servers. The key that unlocks your data is wrapped with a master key stored privately in your own iCloud or Google account — in a private app area, not a file you'll see in the Files app or Drive — that my servers do not have access to.
What this means in plain terms: My servers contain ciphertext that I cannot decrypt without your master key. Your master key lives in your cloud account, not mine.
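The envelope scheme described above (records encrypted under a per-user DEK, the DEK wrapped under a master key the server never holds), as an added example that is not Carlo's code. The wrap format, the user-ID binding, and every name here are assumptions, and a random key stands in for the master key kept in the user's cloud account.

```javascript
// Added illustration, not Carlo's implementation. Blob layout, AAD binding
// and all identifiers are assumptions made for this sketch.
const crypto = require('crypto');

// AES-256-GCM seal: returns nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key, the AAD or any byte of the blob is wrong.
function open(key, blob, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Device side: encrypt one record under the DEK, wrap the DEK under the master key.
function encryptForUpload(masterKey, dek, userId, record) {
  const aad = Buffer.from(userId); // binds both blobs to one account
  return {
    userId,
    wrappedDek: seal(masterKey, dek, aad),
    ciphertext: seal(dek, Buffer.from(JSON.stringify(record)), aad),
  };
}

// Device side: unwrap the DEK, then decrypt the record.
function decryptOnDevice(masterKey, row) {
  const aad = Buffer.from(row.userId);
  const dek = open(masterKey, row.wrappedDek, aad);
  return JSON.parse(open(dek, row.ciphertext, aad).toString());
}

// True only if `key` unwraps the DEK and the record authenticates.
function canDecrypt(key, row) {
  try { decryptOnDevice(key, row); return true; } catch { return false; }
}

// Constructed sample data: `row` is everything a server would store.
const masterKey = crypto.randomBytes(32); // stand-in for the user-held key
const dek = crypto.randomBytes(32);
const row = encryptForUpload(masterKey, dek, 'user-123', { payee: 'Grocer', amount: 42.5 });
console.log(canDecrypt(masterKey, row), canDecrypt(crypto.randomBytes(32), row));
```

Whoever holds only `row` has the wrapped DEK and the ciphertext but no key that opens either, which is the property the paragraph claims for the server.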
Recovery. You also have a 12-word recovery phrase that derives the same master key independently — it's not a second secret, it's another way to obtain the one key that unlocks your data. I don't have access to this phrase.
No bank connections. I don't connect to your bank accounts. I don't use Plaid, MX, Yodlee, or any other financial aggregator. Your bank does not share information with Carlo, because there is no connection to share through.
Founder access disclosure. As Carlo's operator, I have administrative access to the infrastructure, but not to your financial data. It's encrypted with a key derived from a recovery phrase only you hold, and that key never reaches my servers in a form I can use. I'm not asking you to trust that I won't look. I built it so I can't.
What protects your key. Because your master key lives in your own iCloud or Google account so it can sync across your devices, anyone who can sign into that account can unlock your Carlo data — the same way they could reach your photos or email. The strongest thing you can do to protect your finances is protect that account with a strong, unique password and two-factor authentication. On iPhone, turning on Advanced Data Protection for iCloud goes further, making your key end-to-end encrypted to Apple as well. To turn it on: Settings > [your name] > iCloud > Advanced Data Protection.
"End-to-end encrypted" means Carlo can't read your data — not that someone with your Apple or Google password couldn't.
Subpoena exception. If I'm compelled by a valid legal process, I may be required to provide the encrypted data I hold. I can't provide your master key (I don't have it) and therefore cannot provide plaintext.
5. Where your data is stored
Your encrypted data is stored on servers operated by Supabase, located in US West (Oregon). Your photos are stored in Supabase Storage. Your encryption master key is stored privately in your own iCloud or Google account (a private app area, not a browsable file) — on Apple or Google's infrastructure, not mine.
6. Who I share data with
I share data only with third parties that help me operate Carlo, each under contracts that limit their use of the data:
- Supabase — encrypted database and storage hosting
- Cloudflare — DNS and CDN for carlo.money
- Groq — voice transcription (Zero Data Retention)
- Anthropic — AI parsing of voice transcripts (no training)
- RevenueCat — subscription management
- Apple and Google — authentication and platform services
- Postmark — transactional email (account-related notifications)
- Notion — internal tracking of feedback you choose to send me (including any screenshot you attach)
I don't share data with advertisers, data brokers, analytics companies, or any third party for marketing purposes.
7. Data retention
I retain your encrypted data for as long as your account is active. When you delete your account, I delete all data associated with you from my database, storage, and the encryption key registry within 30 days. Backups containing your data may persist for up to 90 days before they expire from rotation, after which all traces are removed.
Anonymous, aggregated metrics (such as total app installs) may be retained indefinitely.
8. Your rights
You can, at any time:
- Export your data. Tap Settings → System Backup. You receive a ZIP file containing all your data in plaintext (decrypted on your device for export).
- Delete your account. Tap Settings → Delete Account. This permanently removes all your data within 30 days.
- Correct your data. Edit any transaction, payee, note, or other information directly in the app.
If you are in the European Union or United Kingdom (GDPR)
In addition to the rights above, you have the right to:
- Access the personal data I hold about you (use System Backup, or email me)
- Rectification (correct inaccurate data)
- Erasure ("right to be forgotten" — use Delete Account, or email me)
- Restriction of processing
- Data portability (use System Backup for a machine-readable export)
- Object to processing
- Lodge a complaint with your supervisory authority
My legal basis for processing your data is the performance of a contract (providing you with the Carlo service you subscribed to). For processing that goes beyond what's necessary for the service, I rely on your consent.
International data transfers from the EU/UK to the United States are governed by Standard Contractual Clauses approved by the European Commission. See Supabase's Data Processing Addendum for the specific contractual terms.
To exercise any of these rights, email [email protected]. I'll respond within 30 days.
If you are in California (CCPA/CPRA)
You have the right to:
- Know what personal information I collect about you (this policy)
- Delete your personal information (use Delete Account, or email me)
- Correct inaccurate personal information
- Opt out of sale or sharing of your personal information (I don't sell or share — this is a non-issue for Carlo)
- Limit the use of sensitive personal information
- Non-discrimination for exercising your rights
To exercise these rights, email [email protected].
9. Children
Carlo is not intended for users under the age of 13. I don't knowingly collect data from children under 13. If you believe a child under 13 has created a Carlo account, please contact me and I'll delete the account.
For users under 18, I recommend involving a parent or guardian in financial app usage.
10. International data transfers
If you are outside the United States, your data may be transferred to and processed in the United States, where Supabase's infrastructure is located. I rely on Standard Contractual Clauses approved by the European Commission to provide appropriate safeguards for international transfers from the EU/UK. See Supabase's Data Processing Addendum for the specific contractual terms.
11. Changes to this policy
I may update this policy from time to time. If I make material changes, I'll notify you in the app and update the "Effective Date" at the top. Continued use of Carlo after changes constitutes acceptance of the updated policy.
12. Contact
Email [email protected] with any questions, requests, or complaints.
Integral Organization Development, LLC
418 Broadway # 11611
Albany, NY 12207