Stoke

Privacy Policy

Effective Date: May 2, 2026 Last Updated: June 9, 2026

This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service. The Service is a cash flow forecasting product currently offered as Stoke Money. "We", "us", and "our" refer to the operator of the Service. "Stoke Money" is the current product name and "VoidHQ" is the brand name under which it is published; both are subject to change, and references to the Service in this Privacy Policy apply regardless of the operating product or brand name.

By creating an account and using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

Information You Provide

  • Account information: your email address (used to sign in and to send you account-related email) and passkey credentials used for authentication
  • User-created content: cash flow forecast streams, recurring rules, manual transactions, and application settings (e.g., currency preference, forecast horizon, safety buffer)
  • Feedback: messages you submit through the in-app feedback form
  • Waitlist: if you join the waitlist, your email address

Information Collected Through Plaid

When you connect a financial institution through Plaid, we receive the following data depending on the products you authorize:

  • Account details: account name, type (checking, savings, credit, loan, investment), balances, and institution name
  • Transactions: transaction history (up to 24 months), including amount, date, merchant name, and category
  • Recurring transactions: detected recurring payments, subscriptions, and deposits
  • Investment holdings: brokerage and investment account positions, balances, and securities data
  • Liabilities: loan details including balances, interest rates, minimum payments, and repayment terms

You authorize this data collection through Plaid's consent flow (Plaid Link) before any financial data is accessed. You may disconnect any linked institution at any time.

Information Collected Automatically

  • Session data: encrypted session cookies required for authentication
  • Security data: hashed IP addresses, retained for a limited time for rate limiting and abuse prevention
  • Analytics data: usage patterns and interactions to improve the Service (see Section 5)

2. How We Use Your Information

We use your information solely to provide and improve the Service:

  • Display your financial accounts, balances, and transactions
  • Generate cash flow forecasts and projections
  • Detect and surface recurring income and expenses
  • Show investment holdings as part of your financial overview
  • Provide loan payment analysis and optimization insights
  • Improve the Service through aggregated, anonymized usage analytics

We do not sell, rent, or share your personal or financial data with third parties for advertising or marketing purposes.

3. Third-Party Service Providers

We use the following third-party providers to operate the Service. These providers access your data only as necessary to perform their functions:

ProviderPurposeData Accessed
Plaid (end user privacy policy)Bank account linking and financial data retrievalFinancial account data, transactions, investments, liabilities
VercelApplication hosting and serverless computeApplication requests and logs
SupabaseDatabase hosting (PostgreSQL)All stored application data (encrypted at rest)
StripeSubscription payment processingEmail address, billing address, and payment information (payment card details are handled directly by Stripe; we never store them)
ResendTransactional email (sign-in links, account notifications)Email address and email content

4. Data Storage and Security

  • Location: All data is stored in the United States
  • Encryption in transit: All connections use TLS 1.2 or higher
  • Encryption at rest: Financial data is stored in an encrypted database. Plaid access tokens are encrypted at the application level before storage
  • Authentication: User accounts are protected with passkey (WebAuthn) authentication, which is phishing-resistant and inherently multi-factor (device possession plus biometric or PIN verification)
  • Access controls: Production infrastructure access is restricted and protected with multi-factor authentication

5. Cookies and Analytics

  • Session cookie: We use a single encrypted session cookie (iron-session) for authentication. This is strictly necessary and cannot be disabled
  • Analytics: We use Vercel Web Analytics to understand how the Service is used. It does not use cookies; analytics data is aggregated and does not include your financial data

We do not use advertising cookies or third-party tracking for marketing purposes.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

All Users

  • Access: View all data we hold about you within the application
  • Deletion: Delete your account and all associated data from Settings. Deletion is permanent and includes all transactions, linked accounts, forecast streams, Plaid access tokens, and settings
  • Disconnect: Remove any linked financial institution at any time, which revokes the Plaid access token for that institution
  • Export: Request a copy of your data (transactions, accounts, forecast streams) by contacting us; we will provide it in a structured, machine-readable format where reasonably feasible

European Economic Area (EEA) Users

Under the GDPR, you additionally have the right to:

  • Rectification: Request correction of inaccurate data
  • Restriction: Request that we limit processing of your data
  • Portability: Receive your data in a structured, machine-readable format
  • Withdraw consent: Withdraw your consent for data processing at any time by disconnecting linked institutions or deleting your account
  • Lodge a complaint: File a complaint with your local data protection authority

Our legal basis for processing your data is:

  • Consent: You explicitly authorize financial data collection through Plaid Link
  • Legitimate interest: Processing is necessary to provide the Service you requested

California Users

Under the CCPA, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights

7. Data Retention

  • We retain your data for as long as your account is active
  • When you delete your account, all data is permanently deleted from our production systems, including financial data, forecast streams, linked account credentials, and settings
  • Deleted data may persist in encrypted database backups for a limited period (no more than 35 days) before those backups expire
  • When you disconnect a financial institution, the associated Plaid access token is revoked and deleted
  • Records of payment transactions are retained by Stripe as required for tax, accounting, and legal compliance
  • We do not otherwise retain your data after account deletion

8. International Data Transfers

Your data is stored and processed in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

For EEA users, this transfer is necessary for the performance of the Service you have requested.

9. Children's Privacy

The Service is intended for users who are 18 years of age or older. We do not knowingly collect information from anyone under 18. If we learn that we have collected data from a user under 18, we will promptly delete their account and associated data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service before the changes take effect. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Email: privacy@stoke.money

The Service is currently published under the brand name VoidHQ as the product Stoke Money. Both names are subject to change.